[VPN] IOS Checkpoint VPN
Vijay RK Paramasivam
vparamas at cisco.com
Thu Apr 21 06:41:39 EDT 2005
Try re-ordering the Access Control Entries (ACEs) in the ACL 115
Current ACL
=======
access-list 115 permit ip 10.3.48.0 0.0.15.255 any
access-list 115 deny ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255
Change it to
=======
access-list 115 deny ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255
access-list 115 permit ip 10.3.48.0 0.0.15.255 any
Thanks,
Vijay
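Why the order matters: route-map nonat4vpn evaluates ACL 115 top-down and stops at the first matching entry, so with "permit ... any" listed first the site-to-site traffic is translated by NAT overload before the crypto map ever sees it, and the Checkpoint receives an unencrypted packet from the router's public address. The following is an added example (not part of the thread or of IOS) that simulates that first-match evaluation for the two orderings above; the host addresses used as sample flows are constructed.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask test: a 0 bit in the wildcard means 'must match'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC SWC (DST DWC | any)'."""
    parts = line.split()
    action = parts[2]
    src, swc = parts[4], parts[5]
    if parts[6] == "any":
        dst, dwc = "0.0.0.0", "255.255.255.255"
    else:
        dst, dwc = parts[6], parts[7]
    return action, src, swc, dst, dwc

def acl_action(acl, src, dst):
    """First-match evaluation with the implicit deny at the end, as IOS does."""
    for ace in acl:
        if " remark " in ace:          # remarks are comments, never matched
            continue
        action, s, swc, d, dwc = parse_ace(ace)
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "deny"

def natted(acl, src, dst):
    """route-map nonat4vpn permit 1 / match ip address 115:
    a 'permit' result means the packet is translated by NAT overload,
    a 'deny' result leaves it untouched for the crypto map."""
    return acl_action(acl, src, dst) == "permit"

# The two orderings from the thread (constructed test input).
ORIGINAL = [
    "access-list 115 remark traffic between the sites does not get natted",
    "access-list 115 permit ip 10.3.48.0 0.0.15.255 any",
    "access-list 115 deny ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255",
]
REORDERED = [ORIGINAL[0], ORIGINAL[2], ORIGINAL[1]]

VPN_FLOW = ("10.3.50.7", "10.50.1.20")        # LAN host to remote site (constructed)
INTERNET_FLOW = ("10.3.50.7", "198.51.100.9")  # LAN host to the Internet (constructed)
```

With the original order the VPN flow is NATted (so it never matches ACL 110 and leaves in cleartext); after the swap it is exempt while Internet-bound traffic is still translated.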
matt wrote:
> hello gurus, I try for a week to build a site-to-site VPN between a
> Checkpoint FW-1 and a cisco 837 router. I followed several docs from
> cisco and checkpoint to do that.
> Actually I only see incoming ping requests from the cisco in the FW
> logs, the error is : "encryption failure: Received a cleartext packet
> within an encrypted connection" ...
> So I checked again the cisco configuration (see below) and even with
> all debugging options I cannot see where the problem is.
> Perhaps it's a problem of compatibility? Maybe I should use Easy VPN
> "module"?? Could anyone help me??
> Code:
> !
> version 12.3
> no service pad
> service timestamps debug datetime localtime show-timezone
> service timestamps log datetime localtime show-timezone
> service password-encryption
> !
> hostname RouterESM_PRA
> !
> no logging console
> enable password 7 ****************
> ! username monitor password 7 1*******
> clock timezone GMT 1
> clock summer-time GMT recurring last Sun Mar 2:00 last Sun Oct 2:00
> no aaa new-model
> ip subnet-zero
> !
> ip dhcp pool CLIENT
> import all
> !
> !
> no ip bootp server
> ip audit notify log
> ip audit po max-events 100
> vpdn enable
> !
> no ftp-server write-enable
> !
> !
> !
> !
> crypto isakmp policy 1
> encr 3des
> hash md5
> authentication pre-share
> group 2
> lifetime 3600
> crypto isakmp key 0 ***** address PUBLIC_IP_FW_CHECKPOINT
> !
> !
> crypto ipsec transform-set ts1 esp-3des esp-md5-hmac
> !
> crypto map EsmMap 10 ipsec-isakmp
> description specify IPSec policy for ESM
> set peer PUBLIC_IP_FW_CHECKPOINT
> set transform-set ts1
> match address 110
> !
> !
> !
> !
> interface Ethernet0
> description LAN_PRA
> ip address 10.3.48.1 255.255.240.0
> ip nat inside
> no cdp enable
> hold-queue 100 out
> !
> interface ATM0
> no ip address
> no atm ilmi-keepalive
> pvc 8/35
> encapsulation aal5mux ppp dialer
> dialer pool-member 1
> !
> dsl operating-mode auto
> !
> interface FastEthernet1
> no ip address
> duplex auto
> speed auto
> !
> interface FastEthernet2
> no ip address
> duplex auto
> speed auto
> !
> interface FastEthernet3
> no ip address
> duplex auto
> speed auto
> !
> interface FastEthernet4
> no ip address
> duplex auto
> speed auto
> !
> interface Dialer1
> description adslpro_wanadoo
> ip address negotiated
> no ip redirects
> no ip unreachables
> ip nat outside
> encapsulation ppp
> dialer pool 1
> dialer-group 1
> no cdp enable
> ppp authentication chap pap callin
> ppp chap hostname ****
> ppp chap password 7 ****
> ppp pap sent-username *** password 7 ***
> crypto map EsmMap
> !
> ip nat inside source route-map nonat4vpn interface Dialer1 overload
> ip classless
> ip route 0.0.0.0 0.0.0.0 Dialer1
> no ip http server
> no ip http secure-server
> !
> access-list 1 permit 10.3.48.0 0.0.15.255
> access-list 110 remark define an ACL for the traffic to be encrypted
> access-list 110 permit ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255
> access-list 115 remark traffic between the sites does not get natted
> access-list 115 permit ip 10.3.48.0 0.0.15.255 any
> access-list 115 deny ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255
> no cdp run
> route-map nonat4vpn permit 1
> match ip address 115
> !
> !
> line con 0
> exec-timeout 120 0
> no modem enable
> stopbits 1
> line aux 0
> line vty 0 4
> access-class 23 in
> exec-timeout 120 0
> login local
> length 0
> !
> scheduler max-task-time 5000
> !
> end
>
>
> ----------------------------------------------------------------
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn
>