
Re: [FW1] Weird problem... Cisco 3640 IOS - FW1 - IKE-VPN can't be established



On Fri, Sep 28, 2001 at 10:12:06AM +0300, METE EMINAGAOGLU (IT) wrote:
> Hi to all.
> 
> We've been struggling with a terrific problem for some time.
> 
> PROBLEM:
> 
> We want to establish a VPN tunnel between a network behind a CISCO3640 IOS
> version 12.09 and a network behind CP FW 4.1 SP3 (management), IP650 IPSO
> SP3.3.8 (module).

	Compare with Cisco's idea of how to do the same thing...

	http://www.cisco.com/warp/public/707/cp-r.shtml

	There are also good debug tips. Be sure to post the solution
	when you sort it out.

					alan
[..]
> 
> At first sight, it seems trivial and easy. Alas!
> 
> Even though all the conf.s, IPs, etc. seem to be set correctly (both for
> the router and the FW), VPN tunnelling can't be established! The key
> installations between FW and the router seem O.K. in the logs, but when we
> try communicating from either of the network sides to the other, no VPN,
> no encryption, and in the FW logs, packets accepted (no drop!!!), BUT in the
> info,
> 
> encryption failure: gateway connected to both endpoint scheme: IKE
> 
> What's more strange, even though there's no other alternative accept rule in the
> FW, communication can be established somehow between these two networks, but
> without encryption...
> 
> All the conf. in the FW is established just as defined in CP's manual - AKA
> http://support.checkpoint.com/kb/docs/public/firewall1/4_1/pdf/cisco_ios_vpn.pdf
> 
> Are we missing something in the Router's conf. or what???
> 
> 
> The Router's conf. is denoted below: (IPs, crypto map names, etc. are
> abbreviated...)
> 
> Current configuration : 1797 bytes
> !
> version 12.1
> service timestamps debug uptime
> service timestamps log uptime
> service password-encryption
> !
> hostname HOSTX
> !
> enable password 7 ..................
> !
> !
> !
> !
> !
> ip subnet-zero
> !
> ip audit notify log
> ip audit po max-events 100
> !
> !
> crypto isakmp policy 1
>  authentication pre-share
>  group 2
>  lifetime 3600
> crypto isakmp key secret address aa.bb.cc.dd
> !
> !
> crypto ipsec transform-set SET1 esp-des esp-sha-hmac
> !
> crypto map MAP1 1 ipsec-isakmp
>  set peer aa.bb.cc.dd
>  set transform-set SET1
>  match address 115
> !
> !
> !
> !
> !
> !
> interface FastEthernet0/0
>  ip address ff.ee.tt.hh 255.255.255.0
>  no ip route-cache
>  no ip mroute-cache
>  speed auto
>  half-duplex
>  no cdp enable
> !
> interface Serial1/0
>  no ip address
>  shutdown
>  fair-queue
>  serial restart-delay 0
>  no cdp enable
> !
> interface Serial1/1
>  ip address ss.ee.rr.ii 255.255.255.0
>  no ip route-cache
>  no ip mroute-cache
>  serial restart-delay 0
>  no cdp enable
>  crypto map MAP1
> !
> interface Serial1/2
>  no ip address
>  shutdown
>  serial restart-delay 0
>  no cdp enable
> !
> interface Serial1/3
>  no ip address
>  shutdown
>  serial restart-delay 0
>  no cdp enable
> !
> interface Serial2/0
>  no ip address
>  shutdown
>  serial restart-delay 0
>  no cdp enable
> !
> interface Serial2/1
>  no ip address
>  shutdown
>  serial restart-delay 0
>  no cdp enable
> !
> interface Serial2/2
>  no ip address
>  shutdown
>  serial restart-delay 0
>  no cdp enable
> !
> interface Serial2/3
>  no ip address
>  shutdown
>  serial restart-delay 0
>  no cdp enable
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 serial1/1
> ip route vv.pp.nn.xx 255.255.255.0 ss.ee.rr.1
> ip route aa.bb.cc.0 255.255.255.0 ss.ee.rr.1
> no ip http server
> !
> access-list 115 permit ip ss.ee.rr.0 0.0.0.255 vv.pp.nn.xx 0.0.0.255
> access-list 115 permit ip vv.pp.nn.xx 0.0.0.255 ss.ee.rr.0 0.0.0.255
> no cdp run
> !
> !
> !
> line con 0
> line aux 0
> line vty 0 4
>  exec-timeout 0 0
>  password 7 ..........?
>  login
> !
> end
> 
> 
> 
> 
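One thing a reviewer checks in a configuration like the quoted one is which local subnet the crypto map's "interesting traffic" ACL actually selects: in IOS, a packet that is routed out an interface carrying a crypto map but does not match the map's `match address` ACL is forwarded in the clear, which is exactly the "accepted, but no encryption" symptom described above. In the quoted config, access-list 115 names ss.ee.rr.0/24, the subnet of Serial1/1 (the interface the crypto map sits on), rather than the FastEthernet0/0 LAN subnet ff.ee.tt.hh/24. The script below is an added example, not code from the list post or from Cisco or Check Point; it parses the small subset of IOS syntax seen in the post (interface `ip address`, `crypto map` with `match address`, and numbered `access-list ... permit ip` lines with wildcard masks) and reports when a crypto ACL's source side is the WAN interface's own subnet or does not cover any inside LAN. The addresses in `SAMPLE_CONFIG` are constructed RFC 5737 documentation ranges, not the poster's.

```python
"""Audit an IOS crypto map's 'interesting traffic' ACL against the router's interfaces.

Added example (not from the list post). SAMPLE_CONFIG is constructed with
documentation addresses and mirrors the shape of the quoted config: crypto map
on the serial WAN interface, inside LAN on FastEthernet0/0.
"""
import ipaddress
import re

# Constructed sample: the crypto ACL selects the WAN subnet instead of the LAN.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
interface Serial1/1
 ip address 198.51.100.2 255.255.255.0
 crypto map MAP1
!
crypto map MAP1 1 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set SET1
 match address 115
!
access-list 115 permit ip 198.51.100.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 115 permit ip 10.10.10.0 0.0.0.255 198.51.100.0 0.0.0.255
"""

# Same config with the ACL's local side pointed at the inside LAN.
CORRECTED_CONFIG = SAMPLE_CONFIG.replace(
    "permit ip 198.51.100.0 0.0.0.255 10.10.10.0",
    "permit ip 192.0.2.0 0.0.0.255 10.10.10.0")


def wildcard_to_network(addr, wildcard):
    """IOS ACLs use wildcard (inverted) masks: 0.0.0.255 means /24."""
    all_ones = int(ipaddress.IPv4Address("255.255.255.255"))
    netmask = ipaddress.IPv4Address(all_ones ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)


def parse_config(text):
    """Return (interfaces, crypto_maps, acls) from 'show run' style text."""
    interfaces, crypto_maps, acls = {}, {}, {}
    current = None  # dict being filled by the indented sub-commands that follow
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith(" "):  # sub-command of the current block
            if current is None:
                continue
            body = line.strip()
            m = re.match(r"ip address (\S+) (\S+)$", body)
            if m:
                current["network"] = ipaddress.IPv4Network((m.group(1), m.group(2)), strict=False)
            m = re.match(r"crypto map (\S+)$", body)
            if m:
                current["crypto_map"] = m.group(1)
            m = re.match(r"match address (\S+)$", body)
            if m:
                current["acl"] = m.group(1)
            continue
        current = None  # top-level command
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = interfaces.setdefault(m.group(1), {"network": None, "crypto_map": None})
            continue
        m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", line)
        if m:
            current = crypto_maps.setdefault(m.group(1), {"acl": None})
            continue
        m = re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$", line)
        if m:
            acls.setdefault(m.group(1), []).append(
                (wildcard_to_network(m.group(2), m.group(3)),
                 wildcard_to_network(m.group(4), m.group(5))))
    return interfaces, crypto_maps, acls


def audit(text):
    """List policy gaps: traffic the crypto ACL does not match leaves unencrypted."""
    interfaces, crypto_maps, acls = parse_config(text)
    # Inside LANs: addressed interfaces that do not carry a crypto map.
    inside = {i["network"] for i in interfaces.values()
              if i["network"] is not None and i["crypto_map"] is None}
    findings = []
    for name, iface in interfaces.items():
        if iface["crypto_map"] is None:
            continue
        acl_id = crypto_maps.get(iface["crypto_map"], {}).get("acl")
        covers_inside = False
        for src, _dst in acls.get(acl_id, []):
            if src == iface["network"]:
                findings.append(f"ACL {acl_id}: source {src} is {name}'s own WAN subnet, not an inside LAN")
            if src in inside:
                covers_inside = True
        if not covers_inside:
            findings.append(f"ACL {acl_id}: no entry selects traffic sourced from an inside LAN "
                            f"({', '.join(str(n) for n in sorted(inside))}); LAN-to-peer packets "
                            "are routed but not encrypted")
    return findings


if __name__ == "__main__":
    for cfg in (SAMPLE_CONFIG, CORRECTED_CONFIG):
        print(audit(cfg) or ["no gaps found"])
```

Run against the constructed config it reports two gaps (the WAN-subnet source entry and the missing LAN coverage); against the corrected one it reports none. The check only covers the syntax shown here; a real audit would also confirm that the peer's encryption domain is the mirror image of the local ACL, which is where the Check Point side of the quoted setup comes in.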

   All contents © 2004 Network Presence, LLC. All rights reserved.