Re: [FW1] Weird problem... Cisco 3640 IOS - FW1 - IKE-VPN can't be established
On Fri, Sep 28, 2001 at 10:12:06AM +0300, METE EMINAGAOGLU (IT) wrote:
> Hi to all.
>
> We've been struggling with a terrific problem for some time.
>
> PROBLEM:
>
> We want to establish a VPN tunnel between a network behind a CISCO3640 IOS
> version 12.09 and a network behind CP FW 4.1 SP3 (management), IP650 IPSO
> SP3.3.8 (module).

Compare with Cisco's idea of how to do the same thing...

http://www.cisco.com/warp/public/707/cp-r.shtml

There are also good debug tips there. Be sure to post the solution when you
sort it out.

alan

[..]

> At first sight, it seems trivial and easy. Alas!
>
> Even though all the configs, IPs, etc. seem to be set correctly (both for
> the router and the FW), VPN tunnelling can't be established! The key
> installations between the FW and the router seem O.K. in the logs, but when
> we try communicating from either of the network sides to the other, no VPN,
> no encryption, and in the FW logs, packets accepted (no drop!!!), BUT in the
> info:
>
> encryption failure: gateway connected to both endpoint scheme: IKE
>
> What's more strange, even though there's no other alternative accept rule
> in the FW, communication can be established somehow between these two
> networks, but without encryption...
>
> All the conf. in the FW is established just as defined in CP's manual - AKA
> http://support.checkpoint.com/kb/docs/public/firewall1/4_1/pdf/cisco_ios_vpn.pdf
>
> Are we missing something in the router's conf. or what???
>
>
> The router's conf. is denoted below: (IPs, crypto map names, etc. are
> abbreviated...)
>
> Current configuration : 1797 bytes
> !
> version 12.1
> service timestamps debug uptime
> service timestamps log uptime
> service password-encryption
> !
> hostname HOSTX
> !
> enable password 7 ..................
> !
> ip subnet-zero
> !
> ip audit notify log
> ip audit po max-events 100
> !
> crypto isakmp policy 1
>  authentication pre-share
>  group 2
>  lifetime 3600
> crypto isakmp key secret address aa.bb.cc.dd
> !
> crypto ipsec transform-set SET1 esp-des esp-sha-hmac
> !
> crypto map MAP1 1 ipsec-isakmp
>  set peer aa.bb.cc.dd
>  set transform-set SET1
>  match address 115
> !
> interface FastEthernet0/0
>  ip address ff.ee.tt.hh 255.255.255.0
>  no ip route-cache
>  no ip mroute-cache
>  speed auto
>  half-duplex
>  no cdp enable
> !
> interface Serial1/0
>  no ip address
>  shutdown
>  fair-queue
>  serial restart-delay 0
>  no cdp enable
> !
> interface Serial1/1
>  ip address ss.ee.rr.ii 255.255.255.0
>  no ip route-cache
>  no ip mroute-cache
>  serial restart-delay 0
>  no cdp enable
>  crypto map MAP1
> !
> interface Serial1/2
>  no ip address
>  shutdown
>  serial restart-delay 0
>  no cdp enable
> !
> interface Serial1/3
>  no ip address
>  shutdown
>  serial restart-delay 0
>  no cdp enable
> !
> interface Serial2/0
>  no ip address
>  shutdown
>  serial restart-delay 0
>  no cdp enable
> !
> interface Serial2/1
>  no ip address
>  shutdown
>  serial restart-delay 0
>  no cdp enable
> !
> interface Serial2/2
>  no ip address
>  shutdown
>  serial restart-delay 0
>  no cdp enable
> !
> interface Serial2/3
>  no ip address
>  shutdown
>  serial restart-delay 0
>  no cdp enable
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 serial1/1
> ip route vv.pp.nn.xx 255.255.255.0 ss.ee.rr.1
> ip route aa.bb.cc.0 255.255.255.0 ss.ee.rr.1
> no ip http server
> !
> access-list 115 permit ip ss.ee.rr.0 0.0.0.255 vv.pp.nn.xx 0.0.0.255
> access-list 115 permit ip vv.pp.nn.xx 0.0.0.255 ss.ee.rr.0 0.0.0.255
> no cdp run
> !
> line con 0
> line aux 0
> line vty 0 4
>  exec-timeout 0 0
>  password 7 ..........?
>  login
> !
> end

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
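Editor's note, added to this archived thread and not written by either poster: the router config quoted above has the shape that makes a "packets accepted, no encryption" symptom worth checking mechanically, because on IOS any traffic that does not match the crypto ACL is simply routed in the clear. The script below is an added example (not the thread's own material, not Cisco's, not Check Point's) that parses the interface, crypto-map and access-list lines of an IOS running-config and reports three things a reviewer would look at first: a crypto ACL whose source is the subnet of the interface the crypto map is bound to rather than an inside LAN, a hand-written mirror-image ACL entry (IOS crypto ACLs describe outbound traffic; the inbound match is derived from them), and an inside network that no ACL entry covers, whose traffic to the peer would therefore leave unencrypted. The sample config it runs on is constructed with documentation addresses standing in for the abbreviated ff.ee.tt.hh / ss.ee.rr.ii / aa.bb.cc.dd / vv.pp.nn.xx, which is an assumption about the real topology, not a diagnosis of the poster's setup.

```python
"""Editor-added example: a consistency lint for an IOS site-to-site crypto map.
Not code from either poster.  The sample config is a constructed stand-in for
the posted one; the abbreviated addresses (ff.ee.tt.hh, ss.ee.rr.ii,
aa.bb.cc.dd, vv.pp.nn.xx) are replaced by documentation/private addresses,
which is an assumption about the real topology."""
import ipaddress
import re

# Constructed sample, same shape as the posted config: FastEthernet0/0 is the
# inside LAN, Serial1/1 carries the crypto map, and ACL 115 names the serial
# subnet (not the LAN) as protected source, plus a mirror-image second entry.
SAMPLE_CONFIG = """\
crypto map MAP1 1 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set SET1
 match address 115
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
interface Serial1/1
 ip address 198.51.100.2 255.255.255.0
 crypto map MAP1
!
access-list 115 permit ip 198.51.100.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 115 permit ip 10.1.1.0 0.0.0.255 198.51.100.0 0.0.0.255
"""
# Same sample with the ACL rewritten as inside LAN -> remote LAN, outbound only.
FIXED_CONFIG = SAMPLE_CONFIG.split("access-list 115")[0] + (
    "access-list 115 permit ip 192.0.2.0 0.0.0.255 10.1.1.0 0.0.0.255\n")


def parse_config(text):
    """Return (interfaces, crypto_maps, acls).  Only 'permit ip A wild B wild'
    ACL entries are handled; IOS wildcards are hostmasks, which ipaddress accepts."""
    interfaces, crypto_maps, acls = {}, {}, {}
    current_if = current_map = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        line = raw.strip()
        if not raw.startswith(" "):
            current_if = current_map = None  # any top-level command ends a block
            if m := re.match(r"interface (\S+)$", line):
                current_if = m.group(1)
                interfaces[current_if] = {"network": None, "crypto_map": None}
            elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", line):
                current_map = m.group(1)
                crypto_maps[current_map] = {"peer": None, "acl": None}
            elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
                num, src, swild, dst, dwild = m.groups()
                acls.setdefault(num, []).append((ipaddress.ip_network(f"{src}/{swild}"),
                                                 ipaddress.ip_network(f"{dst}/{dwild}")))
        elif current_if:
            if m := re.match(r"ip address (\S+) (\S+)$", line):
                interfaces[current_if]["network"] = ipaddress.ip_network(
                    f"{m.group(1)}/{m.group(2)}", strict=False)
            elif m := re.match(r"crypto map (\S+)$", line):
                interfaces[current_if]["crypto_map"] = m.group(1)
        elif current_map:
            if m := re.match(r"set peer (\S+)$", line):
                crypto_maps[current_map]["peer"] = m.group(1)
            elif m := re.match(r"match address (\S+)$", line):
                crypto_maps[current_map]["acl"] = m.group(1)
    return interfaces, crypto_maps, acls


def lint(interfaces, crypto_maps, acls):
    """Return (code, message) findings for every ipsec-isakmp crypto map."""
    findings = []
    outside = {n for n, i in interfaces.items() if i["crypto_map"]}
    outside_nets = [interfaces[n]["network"] for n in outside if interfaces[n]["network"]]
    inside_nets = [i["network"] for n, i in interfaces.items() if n not in outside and i["network"]]
    for name, cm in crypto_maps.items():
        entries = acls.get(cm["acl"], [])
        if not entries:
            findings.append(("acl-empty", f"{name}: match address {cm['acl']} has no entries"))
            continue
        for i, (src, dst) in enumerate(entries):
            if any(src.subnet_of(o) for o in outside_nets):
                findings.append(("acl-src-is-outside", f"{name}: ACL {cm['acl']} source {src} "
                                 "is the crypto-map interface's own subnet, not an inside LAN"))
            # Crypto ACLs list outbound traffic only; IOS derives the inbound
            # mirror itself, so a hand-written reverse entry is a red flag.
            if (dst, src) in entries[i + 1:]:
                findings.append(("acl-mirror-entry", f"{name}: ACL {cm['acl']} has "
                                 f"{src}->{dst} and its reverse"))
        for net in inside_nets:
            if not any(net.subnet_of(src) for src, _ in entries):
                findings.append(("inside-not-covered", f"{name}: inside network {net} matches "
                                 "no crypto ACL source; its traffic leaves in the clear"))
    return findings


def lint_config(text):
    return lint(*parse_config(text))
```

Point it at a saved "show running-config" (lint_config(open(path).read())) and read the findings alongside the FW-1 log line quoted above; on the constructed sample it reports all three findings, and the FIXED_CONFIG variant, whose single ACL entry is inside LAN to remote LAN, reports none. The lint only sees the router side; the Check Point encryption domain still has to be the exact mirror of whatever the crypto ACL ends up saying.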