[FW1] Unsuccessful VPN from Cisco PIX to FW1 4.1 SP2



I have been unsuccessful in connecting Cisco PIX to
Checkpoint FW1.  

I got through level 1 handshaking, but never through level 2.
The error condition that is shown by the PIX log is

ISAKMP: reserved not zero on payload 5!

The fix is to switch to checkpoint.

Cisco support spent 8 - 10 hours supporting us. But we did 
not find the magic incantation.  One thing is clear.
Managing the checkpoint FW through a GUI is much much much
easier than the command line interface to the PIX.

FYI, Here is the error state.

This is Check Point VPN-1(TM) & FireWall-1(R) Version 4.1 Build 41716
[VPN + DES + STRONG]


greg





Crypto_isakmp_process_block: src ..xxx.xxx, dest xxx.xxx.xxx.xxx
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Return status is IKMP_NO_ERROR
Crypto_isakmp_process_block: src xxx.xxx.xxx.xxx, dest xxx.xxx.xxx.xxx 
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): ID payload
       next-payload : 8
       type         : 1
       protocol     : 17
       port         : 500
       length       : 8
ISAKMP (0): Total payload length: 12
Return status is IKMP_NO_ERROR
Crypto_isakmp_process_block: src xxx.xxx.xxx.xxx, dest xxx.xxx.xxx.xxx
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP: Created a peer node for xxx.xxx.xxx.xxx
ISAKMP (0:0): Need config/address
ISAKMP (0:0): initiating peer config to xxx.xxx.xxx.xxx. ID = -459157782
(0xe4a1ce ba)modecfg: sa: 812e5898, new mess id= e4a1ceea

Return status is IKMP_NO_ERROR
Crypto_isakmp_process_block: src xxx.xxx.xxx.xxx, dest xxx.xxx.xxx.xxx
ISAKMP: reserved not zero on payload 5!
Crypto_isakmp_process_block: src xxx.xxx.xxx.xxx, dest xxx.xxx.xxx.xxx
ISAKMP: reserved not zero on payload 5!
IPSEC(ipsec_encap): crypto map check deny




_______________________________________________________________
Greg Polanski                    mailto:[email protected]
ADC Telecommunications, IncMSFAX
PO Box 1pager
Minneapolis, MN  [email protected]
_______________________________________________________________
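
Added example, not part of the original post and not Cisco or Check Point code: a small checker that walks the payload chain of a cleartext or already decrypted ISAKMP message and reports the same condition the PIX log prints. It assumes "payload 5" means ISAKMP payload type 5 (Identification) as numbered in RFC 2408; the sample messages, cookies and address are constructed.

```python
import struct

# Payload type numbers from RFC 2408, section 3.1 (subset).
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 11: "NOTIFY"}
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # cookies, next, version, exchange, flags, msg id, length
GENERIC_HDR = struct.Struct("!BBH")        # next payload, RESERVED, payload length


def walk_payloads(message: bytes):
    """Return [(payload_type, name, problem_or_None), ...] for one message.
    Stops at the first payload whose generic header fails validation."""
    if len(message) < ISAKMP_HDR.size:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    _ic, _rc, next_payload, _ver, _xchg, _flags, _mid, total = ISAKMP_HDR.unpack_from(message)
    findings, offset, end = [], ISAKMP_HDR.size, min(total, len(message))
    while next_payload != 0:
        name = PAYLOAD_NAMES.get(next_payload, "type %d" % next_payload)
        if offset + GENERIC_HDR.size > end:
            findings.append((next_payload, name, "truncated header"))
            break
        following, reserved, length = GENERIC_HDR.unpack_from(message, offset)
        problem = None
        if reserved != 0:  # RFC 2408: RESERVED must be zero
            problem = "reserved not zero (0x%02x)" % reserved
        elif length < GENERIC_HDR.size or offset + length > end:
            problem = "bad length %d" % length
        findings.append((next_payload, name, problem))
        if problem:
            break
        offset, next_payload = offset + length, following
    return findings


def build(payloads):
    """Constructed test input: assemble a message from (type, reserved, body) triples."""
    body = b""
    for i, (_ptype, reserved, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += GENERIC_HDR.pack(nxt, reserved, GENERIC_HDR.size + len(data)) + data
    # Version 1.0, exchange type 2 (Identity Protection / main mode), no flags.
    return ISAKMP_HDR.pack(b"I" * 8, b"R" * 8, payloads[0][0], 0x10, 2, 0, 0,
                           ISAKMP_HDR.size + len(body)) + body


# Constructed ID body matching the log: type 1 (IPv4), protocol 17, port 500,
# plus a documentation address, giving a total payload length of 12.
ID_BODY = bytes([1, 17]) + struct.pack("!H", 500) + bytes([192, 0, 2, 1])
GOOD = build([(5, 0x00, ID_BODY), (8, 0x00, b"\x00" * 20)])
BAD = build([(5, 0x7F, ID_BODY), (8, 0x00, b"\x00" * 20)])
```

Run it over the decrypted bytes of the message that triggers the error; a capture of the encrypted phase 1 packets has to be decrypted first, since the checker does not do that.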