[VPN] IOS Checkpoint VPN

Vijay RK Paramasivam vparamas at cisco.com
Thu Apr 21 06:41:39 EDT 2005


Try re-ordering the Access Control Entries (ACEs) in ACL 115

Current ACL
=======
access-list 115 permit ip 10.3.48.0 0.0.15.255 any
access-list 115 deny   ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255

Change it to
=======

access-list 115 deny   ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255
access-list 115 permit ip 10.3.48.0 0.0.15.255 any

Thanks,
Vijay
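The point of the reorder is first-match evaluation: in the original ACL 115 the `permit ... any` entry matches every packet from 10.3.48.0/20 before the `deny` line is ever consulted, so the route-map `nonat4vpn` translates the VPN traffic too, and a NAT-translated packet no longer matches crypto ACL 110 and leaves the router in cleartext. The evaluator below is an added example, not code from the list post or from Cisco; it parses the two ACL 115 variants quoted in this thread, applies IOS wildcard-mask first-match semantics, and also reports entries that are shadowed by an earlier one. The sample addresses (10.3.50.7, 10.50.1.1, 198.51.100.10) are constructed for the demonstration.

```python
"""First-match evaluation of IOS extended ACLs with wildcard masks.

Added example: models how `route-map nonat4vpn` (match ip address 115)
decides whether a packet is translated, and flags shadowed ACEs.
"""
import ipaddress
from dataclasses import dataclass

# The two ACL 115 variants from the thread (remark line included on purpose).
ORIGINAL_ACL = """\
access-list 115 remark traffic between the sites does not get natted
access-list 115 permit ip 10.3.48.0 0.0.15.255 any
access-list 115 deny   ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255
"""
REORDERED_ACL = """\
access-list 115 deny   ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255
access-list 115 permit ip 10.3.48.0 0.0.15.255 any
"""

ALL_ONES = 0xFFFFFFFF


@dataclass
class Ace:
    action: str      # "permit" or "deny"
    src: int         # base address as an integer
    src_wild: int    # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wild: int


def _addr(tokens, i):
    """Parse 'any', 'host X' or 'X WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return base, wild, i + 2


def parse_acl(config_text, number):
    """Collect the 'access-list <number> ... ip ...' entries, in config order."""
    aces = []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[1] != str(number):
            continue
        if t[2] == "remark":          # remarks never match traffic
            continue
        if t[3] != "ip":
            raise ValueError("only 'ip' ACEs are modelled here: " + line)
        src, sw, i = _addr(t, 4)
        dst, dw, _ = _addr(t, i)
        aces.append(Ace(t[2], src, sw, dst, dw))
    return aces


def _wild_match(addr, base, wild):
    """Wildcard match: compare only the bits that are 0 in the mask."""
    return (addr & ~wild & ALL_ONES) == (base & ~wild & ALL_ONES)


def evaluate(aces, src_ip, dst_ip):
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for ace in aces:
        if _wild_match(s, ace.src, ace.src_wild) and _wild_match(d, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"


def would_be_natted(aces, src_ip, dst_ip):
    """'route-map nonat4vpn permit 1 / match ip address 115': permit => translate."""
    return evaluate(aces, src_ip, dst_ip) == "permit"


def _covers(a, b):
    """True if every (src,dst) pair matched by ACE b is also matched by ACE a."""
    def covers_range(base_a, wild_a, base_b, wild_b):
        # b's free bits must be free in a, and fixed bits must agree where a cares.
        return (wild_b & ~wild_a) == 0 and ((base_a ^ base_b) & ~wild_a) == 0
    return (covers_range(a.src, a.src_wild, b.src, b.src_wild)
            and covers_range(a.dst, a.dst_wild, b.dst, b.dst_wild))


def shadowed_aces(aces):
    """Indices of ACEs that can never match because an earlier ACE covers them."""
    return [j for j in range(len(aces))
            if any(_covers(aces[i], aces[j]) for i in range(j))]


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_ACL), ("reordered", REORDERED_ACL)):
        acl = parse_acl(text, 115)
        print(name, "VPN flow natted:", would_be_natted(acl, "10.3.50.7", "10.50.1.1"),
              "internet flow natted:", would_be_natted(acl, "10.3.50.7", "198.51.100.10"),
              "shadowed ACEs:", shadowed_aces(acl))
```

`shadowed_aces` is the check worth running on any NAT-exemption or crypto ACL before a change window: a `deny` that sits below a broader `permit` is exactly the failure this thread describes, and it is silent in `show access-lists` except for a hit counter that never increments.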

matt wrote:

> hello gurus, I have been trying for a week to build a site-to-site VPN between a
> Checkpoint FW-1 and a cisco 837 router. I followed several docs from
> cisco and checkpoint to do that.
> Actually I only see incoming ping requests from the cisco in the FW
> logs; the error is: "encryption failure: Received a cleartext packet
> within an encrypted connection" ...
> So I checked again the cisco configuration (see below) and even with
> all debugging options I cannot see where the problem is.
> Perhaps it's a problem of compatibility? Maybe I should use the Easy VPN
> "module"? Could anyone help me?
> Code:
> !
> version 12.3
> no service pad
> service timestamps debug datetime localtime show-timezone
> service timestamps log datetime localtime show-timezone
> service password-encryption
> !
> hostname RouterESM_PRA
> !
> no logging console
> enable password 7 ****************
> ! username monitor password 7 1*******
> clock timezone GMT 1
> clock summer-time GMT recurring last Sun Mar 2:00 last Sun Oct 2:00
> no aaa new-model
> ip subnet-zero
> !
> ip dhcp pool CLIENT
>    import all
> !
> !
> no ip bootp server
> ip audit notify log
> ip audit po max-events 100
> vpdn enable
> !
> no ftp-server write-enable
> !
> !
> !
> !
> crypto isakmp policy 1
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
>  lifetime 3600
> crypto isakmp key 0 ***** address PUBLIC_IP_FW_CHECKPOINT
> !
> !
> crypto ipsec transform-set ts1 esp-3des esp-md5-hmac
> !
> crypto map EsmMap 10 ipsec-isakmp
>  description specify IPSec policy for ESM
>  set peer PUBLIC_IP_FW_CHECKPOINT
>  set transform-set ts1
>  match address 110
> !
> !
> !
> !
> interface Ethernet0
>  description LAN_PRA
>  ip address 10.3.48.1 255.255.240.0
>  ip nat inside
>  no cdp enable
>  hold-queue 100 out
> !
> interface ATM0
>  no ip address
>  no atm ilmi-keepalive
>  pvc 8/35
>   encapsulation aal5mux ppp dialer
>   dialer pool-member 1
>  !
>  dsl operating-mode auto
> !
> interface FastEthernet1
>  no ip address
>  duplex auto
>  speed auto
> !
> interface FastEthernet2
>  no ip address
>  duplex auto
>  speed auto
> !
> interface FastEthernet3
>  no ip address
>  duplex auto
>  speed auto
> !
> interface FastEthernet4
>  no ip address
>  duplex auto
>  speed auto
> !
> interface Dialer1
>  description adslpro_wanadoo
>  ip address negotiated
>  no ip redirects
>  no ip unreachables
>  ip nat outside
>  encapsulation ppp
>  dialer pool 1
>  dialer-group 1
>  no cdp enable
>  ppp authentication chap pap callin
>  ppp chap hostname ****
>  ppp chap password 7 ****
>  ppp pap sent-username *** password 7 ***
>  crypto map EsmMap
> !
> ip nat inside source route-map nonat4vpn interface Dialer1 overload
> ip classless
> ip route 0.0.0.0 0.0.0.0 Dialer1
> no ip http server
> no ip http secure-server
> !
> access-list 1 permit 10.3.48.0 0.0.15.255
> access-list 110 remark define an ACL for the traffic to be encrypted
> access-list 110 permit ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255
> access-list 115 remark traffic between the sites does not get natted
> access-list 115 permit ip 10.3.48.0 0.0.15.255 any
> access-list 115 deny   ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255
> no cdp run
> route-map nonat4vpn permit 1
>  match ip address 115
> !
> !
> line con 0
>  exec-timeout 120 0
>  no modem enable
>  stopbits 1
> line aux 0
> line vty 0 4
>  access-class 23 in
>  exec-timeout 120 0
>  login local
>  length 0
> !
> scheduler max-task-time 5000
> !
> end
>
>
>    ----------------------------------------------------------------
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn
>