[VPN] Cisco IOS to Checkpoint 4.1 Problem

Siddhartha Jain losttoy2000 at yahoo.co.uk
Mon Nov 11 23:58:40 EST 2002


Cisco has documented the config here:

http://www.cisco.com/en/US/tech/tk648/tk367/technologies_configuration_example09186a0080094ac4.shtml

Hope this helps.

--- Joel M Snyder <Joel.Snyder at Opus1.COM> wrote:
> It looks like your pre-shared secrets don't match. You get all the way
> through SA setup up to the point where the Cisco would expect to get the
> 6th packet of an IKE MM exchange back, and then everything falls apart.
> Another possibility is that there is some NAT function in the way,
> breaking the mapping between PSS and IP address.
>
> I would check the PSS on both ends and try a different one, of a
> different length.  You might be running into some data-dependent bug
> somewhere.
>
> You can get MUCH better IKE debugs out of the CP box; that is really
> where you want to watch this.  The initiator is a bad place to debug
> IPsec from; the responder always has a better idea of why they're not
> sending the right packet.  Or, if you don't control the CP box, try to
> get the administrator on that end to at least initiate to you so that you
> can see why you don't want to play ball.
>
> But check the PSS first.
>
> jms
>
>
> Tammy Ruth wrote:
> >
> >         I have a Cisco router running Version 12.2(8)T5 connecting to a
> > Checkpoint v4.1.  The Checkpoint has other connections to Cisco routers
> > and PIX.  We are unable to establish a connection to the Checkpoint - the
> > Cisco debug logs show a "%CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from
> > y.y.y.y was not encrypted and it should've been.".  The Checkpoint then
> > gets an "invalid payload" error on its end which I see from the Cisco
> > debug logs we've set the Invalid Payload type bit.   We have verified the
> > settings on both ends and everything appears in order.  I am including
> > the logs from the Cisco debug and the error the Checkpoint receives.
> > The Cisco explanation of the error message states "Contact Remote
> > Administrator".  Any clues on what to look for would be appreciated.
> >
> > thanks,
> > truth
> >
> > CISCO DEBUG LOG:
> >
> > 2w2d: IPSEC(sa_request): ,
> >   (key eng. msg.) OUTBOUND local= x.x.x.x, remote= y.y.y.y,
> >     local_proxy= a.a.a.a/255.255.255.255/0/0 (type=1),
> >     remote_proxy= b.b.b.b/255.255.255.255/0/0 (type=1),
> >     protocol= ESP, transform= esp-3des esp-md5-hmac ,
> >     lifedur= 3600s and 4608000kb,
> >     spi= 0xD71D6723(3609028387), conn_id= 0, keysize= 0, flags= 0x400C
> > 2w2d: ISAKMP: received ke message (1/1)
> > 2w2d: ISAKMP: local port 500, remote port 500
> > 2w2d: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
> > Old State = IKE_READY  New State = IKE_I_MM1
> >
> > 2w2d: ISAKMP (0:1): beginning Main Mode exchange
> > 2w2d: ISAKMP (0:1): sending packet to y.y.y.y (I) MM_NO_STATE
> > 2w2d: ISAKMP (0:1): received packet from y.y.y.y (I) MM_NO_STATE
> > 2w2d: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> > Old State = IKE_I_MM1  New State = IKE_I_MM2
> >
> > 2w2d: ISAKMP (0:1): processing SA payload. message ID = 0
> > 2w2d: ISAKMP (0:1): found peer pre-shared key matching y.y.y.y
> > 2w2d: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
> > 2w2d: ISAKMP:      encryption 3DES-CBC
> > 2w2d: ISAKMP:      hash SHA
> > 2w2d: ISAKMP:      default group 2
> > 2w2d: ISAKMP:      auth pre-share
> > 2w2d: ISAKMP:      life type in seconds
> > 2w2d: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
> > 2w2d: ISAKMP (0:1): atts are acceptable. Next payload is 0
> > 2w2d: CryptoEngine0: generate alg parameter
> > 2w2d: CRYPTO_ENGINE: Dh phase 1 status: 0
> > 2w2d: CRYPTO_ENGINE: Dh phase 1 status: 0
> > 2w2d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
> > Old State = IKE_I_MM2  New State = IKE_I_MM2
> >
> > 2w2d: ISAKMP (0:1): sending packet to y.y.y.y (I) MM_SA_SETUP
> > 2w2d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
> > Old State = IKE_I_MM2  New State = IKE_I_MM3
> >
> > 2w2d: ISAKMP (0:1): received packet from y.y.y.y (I) MM_SA_SETUP
> > 2w2d: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> > Old State = IKE_I_MM3  New State = IKE_I_MM4
> >
> > 2w2d: ISAKMP (0:1): processing KE payload. message ID = 0
> > 2w2d: CryptoEngine0: generate alg parameter
> > 2w2d: ISAKMP (0:1): processing NONCE payload. message ID = 0
> > 2w2d: ISAKMP (0:1): found peer pre-shared key matching y.y.y.y
> > 2w2d: CryptoEngine0: create ISAKMP SKEYID for conn id 1
> > 2w2d: ISAKMP (0:1): SKEYID state generated
> > 2w2d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
> > Old State = IKE_I_MM4  New State = IKE_I_MM4
> >
> > 2w2d: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
> > 2w2d: ISAKMP (1): ID payload
> >         next-payload : 8
> >         type         : 1
> >         protocol     : 17
> >         port         : 500
> >         length       : 8
> > 2w2d: ISAKMP (1): Total payload length: 12
> > 2w2d: CryptoEngine0: generate hmac context for conn id 1
> > 2w2d: ISAKMP (0:1): sending packet to y.y.y.y (I) MM_KEY_EXCH
> > 2w2d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
> > Old State = IKE_I_MM4  New State = IKE_I_MM5
> >
> > 2w2d: ISAKMP (0:1): received packet from y.y.y.y (I) MM_KEY_EXCH
> > 2w2d: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from y.y.y.y was not encrypted and it should've been.
> > 2w2d: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
> > 2w2d: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
> > 2w2d: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
> > 2w2d: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
> > 2w2d: ISAKMP (0:1): sending packet to y.y.y.y (I) MM_KEY_EXCH
> > 2w2d: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
> > 2w2d: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
> > 2w2d: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
> > 2w2d: ISAKMP (0:1): sending packet to y.y.y.y (I) MM_KEY_EXCH
> >
> > CHECKPOINT ERROR:
> >
> > ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > fwIsakmp_BuildInfoExc-N p1 (1) peer: 3ffb0abb ~~ Fri Nov  8 16:57:44 2002
> > ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > debugIsakmpHdr: (Creation)
> >         InitCookie: bf 94 af a2 a7 f3 d9 0c
> >         RspCookie: e3 b8 6d bc 18 aa ad 92
> >         NextPld: 0b (PA_NOTIFY)
> >         MjVer: 01
> >         MnVer: 00
> >         ExcType: 05
> >         ResFlag: 00
> >         CommitFlag: 00
> >         EncFlag: 00
> >         MsgID: 0f f4 f4 2e
> >         Length: 00 00 00 00 (0)
> > debugNotifyPayload: (Creation)
> >         NextPld: 00 (PA_NONE)
> 
=== message truncated ===
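Added example, not part of the thread: a small Python decoder that rebuilds the 28-byte ISAKMP header from the field values in the Checkpoint dump above and explains, from the IOS initiator's side, why a clear-text Informational/Notify arriving while the router waits in MM_KEY_EXCH is logged as IKMP_NOT_ENCRYPTED (and why Joel points at the responder's reason). The IOS state names are taken from the debug above; the rule that only MM6 must arrive encrypted is my reading of RFC 2409 Main Mode, and the Notify's message type is not on the page, so the code does not decode the Notify body.

```python
import struct

# RFC 2408 fixed ISAKMP header (28 bytes): initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
PAYLOAD_TYPES = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 11: "NOTIFY"}
EXCHANGE_TYPES = {2: "MAIN_MODE", 4: "AGGRESSIVE", 5: "INFORMATIONAL"}
FLAG_ENCRYPTION = 0x01  # "E" bit: everything after the header is encrypted

# IOS initiator states from the debug above, and whether the *next* packet from
# the peer must be encrypted: only MM6, the reply awaited in MM_KEY_EXCH, must be.
STATE_EXPECTS_ENCRYPTED = {"MM_NO_STATE": False, "MM_SA_SETUP": False, "MM_KEY_EXCH": True}

# Header rebuilt from the Checkpoint "debugIsakmpHdr" dump (constructed sample
# input; Length is 0 because the dump was taken at payload creation time).
CP_HEADER = bytes.fromhex(
    "bf94afa2a7f3d90c"  # InitCookie
    "e3b86dbc18aaad92"  # RspCookie
    "0b"                # NextPld 0x0b = Notification
    "10"                # MjVer 1, MnVer 0
    "05"                # ExcType 5 = Informational
    "00"                # flags: ResFlag/CommitFlag/EncFlag all clear
    "0ff4f42e"          # MsgID
    "00000000")         # Length


def parse_isakmp_header(data):
    """Decode the fixed header into a dict; raises ValueError on a truncated packet."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("packet shorter than the 28-byte ISAKMP header")
    icky, rcky, nxt, ver, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(data)
    return {"icookie": icky.hex(), "rcookie": rcky.hex(),
            "next_payload": PAYLOAD_TYPES.get(nxt, str(nxt)),
            "version": (ver >> 4, ver & 0x0F),
            "exchange": EXCHANGE_TYPES.get(exch, str(exch)),
            "encrypted": bool(flags & FLAG_ENCRYPTION),
            "msg_id": msg_id, "length": length}


def diagnose(hdr, ios_state):
    """Findings, in the order IOS would hit them, for a packet received in ios_state."""
    findings = []
    if STATE_EXPECTS_ENCRYPTED.get(ios_state, False) and not hdr["encrypted"]:
        findings.append("IKMP_NOT_ENCRYPTED: E flag clear, but the packet awaited in "
                        f"{ios_state} is MM6, which must be encrypted")
    if hdr["exchange"] == "INFORMATIONAL" and hdr["next_payload"] == "NOTIFY":
        findings.append("PEER_NOTIFY: responder answered with an Informational Notify "
                        "instead of MM6, i.e. it rejected MM5 (compare PSK and proposal)")
    return findings or ["OK"]
```

Running `diagnose(parse_isakmp_header(CP_HEADER), "MM_KEY_EXCH")` yields the IOS complaint first and the more useful finding second: the Checkpoint never sent MM6 at all, it sent a Notify, which is why the responder's own log is the place to look.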
