3269 Views, 6 Replies. Latest reply: Mar 4, 2013 4:20 AM by sparky


site2site vpn between ios - checkpoint

Jan 20, 2012 4:30 AM

sparky (69 posts since Jan 23, 2009)

I am having issues configuring a site-to-site VPN between a Cisco IOS router and a Checkpoint NRX firewall.

Now I have checked and double-checked the IKE proposals and lifetime values, key, etc. (although I believe these are optional, I like to make sure everything matches, especially when going from one vendor to another).

Now this is the debug on our Cisco device:

#ping x.x.x.x sou fa0/0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.224.128.20, timeout is 2 seconds:
Packet sent with a source address of 136.140.191.222

Jan 20 12:22:14: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 86.12.151.7, remote= 193.182.2.1,
    local_proxy= 136.x.191.x/255.255.255.224/0/0 (type=4),
    remote_proxy= 10.x.128.x/255.255.255.128/0/0 (type=4),
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x784DD929(2018367785), conn_id= 0, keysize= 256, flags= 0x400A
Jan 20 12:22:14: ISAKMP: received ke message (1/1)
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
Jan 20 12:22:14: ISAKMP: Created a peer struct for 193.182.x.x, peer port 500
Jan 20 12:22:14: ISAKMP: New peer created peer = 0x63A48C84 peer_handle = 0x80000006
Jan 20 12:22:14: ISAKMP: Locking peer struct 0x63A48C84, IKE refcount 1 for isakmp_initiator
Jan 20 12:22:14: ISAKMP: local port 500, remote port 500
Jan 20 12:22:14: ISAKMP: set new node 0 to QM_IDLE
Jan 20 12:22:14: insert sa successfully sa = 63A493F4
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 193.182.2.1
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1

Jan 20 12:22:14: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0): sending packet to 193.182.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
Jan 20 12:22:14: ISAKMP (0:0): received packet from 193.182.x.x dport 500 sport 500 Global (I) MM_NO_STATE
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Couldn't find node: message_id 1487415557
Jan 20 12:22:14: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM1

Jan 20 12:22:14: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 193.182.x.x    ..


I have read a lot of articles online that say supernetting is handled differently between Checkpoint and Cisco, but I don't think I am even getting that far in the process ...

The error shown on the Checkpoint side shows "IKE: Main Mode Failed to match proposal: Transform: AES-256, SHA1, Group 2 (1024 bit) Reason: Wrong value for: Authentication Method"

Any ideas welcome
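As an added example (not from this thread or from either vendor), here is a small Python check that normalises a Cisco IOS Phase 1 policy and the Checkpoint message quoted above into one attribute set and lists what differs. The Cisco policy block is constructed to match the transform seen in the debug, not the poster's real config; the Checkpoint message names only the attribute it rejected, not the value it expects, so the authentication line is reported from that "Wrong value for" reason rather than from a known peer value.

```python
import re

# Constructed Cisco IOS Phase 1 policy (assumed to match the thread's transform; not the poster's config).
CISCO_POLICY = """\
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
"""
# The Checkpoint-side message as quoted in the thread.
CHECKPOINT_MSG = ("IKE: Main Mode Failed to match proposal: Transform: AES-256, SHA1, "
                  "Group 2 (1024 bit) Reason: Wrong value for: Authentication Method")
HASH_NAMES = {"sha": "sha1", "sha1": "sha1", "md5": "md5"}  # vendor spellings -> canonical

def parse_cisco_policy(text):
    """Extract encr/hash/auth/group from a 'crypto isakmp policy' block."""
    p = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        if parts[0] == "encr":          # 'aes 256' -> 'aes-256', '3des' -> '3des'
            p["encr"] = "-".join(parts[1:])
        elif parts[0] == "hash":
            p["hash"] = HASH_NAMES[parts[1]]
        elif parts[0] == "authentication":
            p["auth"] = parts[1]
        elif parts[0] == "group":
            p["group"] = int(parts[1])
    return p

def parse_checkpoint_msg(msg):
    """Pull the transform Checkpoint evaluated and the attribute it blamed."""
    m = re.search(r"Transform: (\S+), (\S+), Group (\d+).*Reason: Wrong value for: (.+)$", msg)
    if not m:
        return None
    return {"encr": m.group(1).lower(), "hash": HASH_NAMES[m.group(2).lower()],
            "group": int(m.group(3)), "blamed": m.group(4).strip()}

def phase1_mismatches(local, peer):
    """Attributes that differ, plus the one the peer explicitly blamed."""
    issues = [f"{a}: local {local[a]} vs peer {peer[a]}"
              for a in ("encr", "hash", "group") if local[a] != peer[a]]
    if peer["blamed"].lower().startswith("authentication"):
        issues.append(f"auth: peer rejected local '{local['auth']}'")
    return issues

if __name__ == "__main__":
    print(phase1_mismatches(parse_cisco_policy(CISCO_POLICY), parse_checkpoint_msg(CHECKPOINT_MSG)))
```

With the constructed policy, encryption, hash and group all agree and only the authentication method is flagged, which matches what the Checkpoint log says and points at the authentication setting on the Checkpoint side of the tunnel rather than at the transform.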
