[VPN] IOS Checkpoint VPN

matt mattdu.31 at laposte.net
Wed Apr 20 14:22:06 EDT 2005


hello gurus, 

I have been trying for a week to build a site-to-site VPN between a Checkpoint FW-1 and a Cisco 837 router. I followed several docs from Cisco and Checkpoint to do that.
Actually I only see incoming ping requests from the Cisco in the FW logs; the error is: "encryption failure: Received a cleartext packet within an encrypted connection" ...
So I checked the Cisco configuration again (see below) and even with all debugging options I cannot see where the problem is.
Perhaps it's a compatibility problem? Maybe I should use the Easy VPN "module"?
Could anyone help me?


Code: 
! 
version 12.3 
no service pad 
service timestamps debug datetime localtime show-timezone 
service timestamps log datetime localtime show-timezone 
service password-encryption 
! 
hostname RouterESM_PRA 
! 
no logging console 
enable password 7 **************** 
! 

username monitor password 7 1******* 
clock timezone GMT 1 
clock summer-time GMT recurring last Sun Mar 2:00 last Sun Oct 2:00 
no aaa new-model 
ip subnet-zero 
! 
ip dhcp pool CLIENT 
   import all 
! 
! 
no ip bootp server 
ip audit notify log 
ip audit po max-events 100 
vpdn enable 
! 
no ftp-server write-enable 
! 
! 
! 
! 
crypto isakmp policy 1 
 encr 3des 
 hash md5 
 authentication pre-share 
 group 2 
 lifetime 3600 
crypto isakmp key 0 ***** address PUBLIC_IP_FW_CHECKPOINT 
! 
! 
crypto ipsec transform-set ts1 esp-3des esp-md5-hmac 
! 
crypto map EsmMap 10 ipsec-isakmp 
 description specify IPSec policy for ESM 
 set peer PUBLIC_IP_FW_CHECKPOINT 
 set transform-set ts1 
 match address 110 
! 
! 
! 
! 
interface Ethernet0 
 description LAN_PRA 
 ip address 10.3.48.1 255.255.240.0 
 ip nat inside 
 no cdp enable 
 hold-queue 100 out 
! 
interface ATM0 
 no ip address 
 no atm ilmi-keepalive 
 pvc 8/35 
  encapsulation aal5mux ppp dialer 
  dialer pool-member 1 
 ! 
 dsl operating-mode auto 
! 
interface FastEthernet1 
 no ip address 
 duplex auto 
 speed auto 
! 
interface FastEthernet2 
 no ip address 
 duplex auto 
 speed auto 
! 
interface FastEthernet3 
 no ip address 
 duplex auto 
 speed auto 
! 
interface FastEthernet4 
 no ip address 
 duplex auto 
 speed auto 
! 
interface Dialer1 
 description adslpro_wanadoo 
 ip address negotiated 
 no ip redirects 
 no ip unreachables 
 ip nat outside 
 encapsulation ppp 
 dialer pool 1 
 dialer-group 1 
 no cdp enable 
 ppp authentication chap pap callin 
 ppp chap hostname **** 
 ppp chap password 7 **** 
 ppp pap sent-username *** password 7 *** 
 crypto map EsmMap 
! 
ip nat inside source route-map nonat4vpn interface Dialer1 overload 
ip classless 
ip route 0.0.0.0 0.0.0.0 Dialer1 
no ip http server 
no ip http secure-server 
! 
access-list 1 permit 10.3.48.0 0.0.15.255 
access-list 110 remark define an ACL for the traffic to be encrypted 
access-list 110 permit ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255 
access-list 115 remark traffic between the sites does not get natted 
access-list 115 permit ip 10.3.48.0 0.0.15.255 any 
access-list 115 deny   ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255 
no cdp run 
route-map nonat4vpn permit 1 
 match ip address 115 
! 
! 
line con 0 
 exec-timeout 120 0 
 no modem enable 
 stopbits 1 
line aux 0 
line vty 0 4 
 access-class 23 in 
 exec-timeout 120 0 
 login local 
 length 0 
! 
scheduler max-task-time 5000 
! 
end 
 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20050420/d2e7c790/attachment.htm 
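Added example, not part of the original post or of any vendor tooling: a small Python checker that applies Cisco IOS first-match ACL semantics to the access-lists quoted above and reports whether a flow that the crypto ACL (110) selects for encryption is also matched by a `permit` in the NAT route-map ACL (115), which means it would be translated before the crypto map sees it. The ACL text is copied from the posted configuration as constructed input; the sample source and destination addresses are constructed from the posted subnets. The checker only understands `ip` entries with `host`, `any` and address/wildcard operands (contiguous wildcards), and it assumes the usual IOS behaviour that a `route-map ... permit` whose match ACL permits the packet causes NAT to apply.

```python
"""Check whether a NAT-exemption ACL shadows VPN-interesting traffic (IOS first-match)."""
import ipaddress

# Copied from the posted router configuration (constructed input for this checker).
ACL_LINES = """
access-list 110 remark define an ACL for the traffic to be encrypted
access-list 110 permit ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255
access-list 115 remark traffic between the sites does not get natted
access-list 115 permit ip 10.3.48.0 0.0.15.255 any
access-list 115 deny   ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255
"""


def wildcard_to_network(addr, wildcard):
    """Convert IOS 'address wildcard' notation to an ipaddress network.

    Assumes a contiguous wildcard (e.g. 0.0.15.255 -> /20), which is what the
    posted ACLs use.
    """
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def _parse_addr(tokens):
    """Consume one ACL address operand and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse numbered 'access-list N permit|deny ip SRC DST' lines into ordered entries."""
    acls = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        number, action = parts[1], parts[2]
        rest = parts[4:]  # parts[3] is the protocol keyword; only 'ip' is handled here
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def evaluate(entries, src_ip, dst_ip):
    """Return (action, entry index) for the first matching entry; implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for index, (action, src_net, dst_net) in enumerate(entries):
        if s in src_net and d in dst_net:
            return action, index
    return "deny", None


def find_shadowed(entries):
    """Indexes of entries that can never match because an earlier entry already covers them."""
    shadowed = []
    for i, (_, src_i, dst_i) in enumerate(entries):
        for _, src_j, dst_j in entries[:i]:
            if src_i.subnet_of(src_j) and dst_i.subnet_of(dst_j):
                shadowed.append(i)
                break
    return shadowed


def check_nat_exemption(acls, crypto_acl, nat_acl, src_ip, dst_ip):
    """Report whether a flow is both selected for encryption and still subject to NAT."""
    crypto_action, _ = evaluate(acls[crypto_acl], src_ip, dst_ip)
    nat_action, nat_idx = evaluate(acls[nat_acl], src_ip, dst_ip)
    encrypted = crypto_action == "permit"
    natted = nat_action == "permit"  # route-map permit + ACL permit => translation happens
    return {
        "encrypted": encrypted,
        "natted": natted,
        "nat_entry": nat_idx,
        "conflict": encrypted and natted,
    }


if __name__ == "__main__":
    acls = parse_acl(ACL_LINES)
    report = check_nat_exemption(acls, "110", "115", "10.3.48.5", "10.50.1.1")
    print("LAN -> remote site flow:", report)
    print("ACL 115 entries shadowed by earlier entries:", find_shadowed(acls["115"]))
```

For the posted lists the checker reports the flow as both encrypted and NATed, and marks the `deny` in ACL 115 as shadowed by the preceding `permit ... any`: because IOS stops at the first match, the deny is never reached, so the site-to-site traffic leaves with a translated source address that no longer matches the Checkpoint side's expected encryption domain. Putting the `deny` for the remote subnet before the `permit ... any` in the NAT-exemption ACL makes the checker report no conflict.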

