[VPN] IOS Checkpoint VPN

Andrew Prince andrew.prince at trinitysecurity.com
Thu Apr 21 13:12:34 EDT 2005

You must tell the Checkpoint rule that traffic from the local & remote
subnets should be encrypted: in the "Via" column of the rule you should
define your VPN community (depending on your version of CP). If it is
4.1 or below, the action column should be "encrypt".


From: vpn-bounces+andrew.prince=trinitysecurity.com at lists.shmoo.com
[mailto:vpn-bounces+andrew.prince=trinitysecurity.com at lists.shmoo.com] On
Behalf Of mattdu.31 at laposte.net
Sent: 21 April 2005 17:32
To: vparamas
Cc: vpn
Subject: Re: [VPN] IOS Checkpoint VPN

Yes, thanks, my problem was the access-lists!! I removed the "ip nat
inside..." temporarily from the configuration, and the IKE exchange completed.
But another problem appeared: "encryption failure: packet was decrypted but
policy says connection should not be decrypted" :((
I have the following rules:
Cisco837 to FW-1, any traffic: accept
LanBehindCisco to LanBehindFW: dns, icmp, http: accept.
The LAN located behind the Cisco router is "natted" (hide method) behind the
Gateway, whose IP address is the internal address (I modified
the topology to fix the spoofing address problem).
I made several tests but I still don't understand what's wrong???

>Try re-ordering the Access Control Entries (ACEs) in the ACL 115

>Current ACL
>access-list 115 permit ip any
>access-list 115 deny   ip

>Change it to

>access-list 115 deny   ip
>access-list 115 permit ip any


matt wrote: 

Hello gurus, I have been trying for a week to build a site-to-site VPN between a
Checkpoint FW-1 and a Cisco 837 router. I followed several docs from Cisco
and Checkpoint to do that.
Actually I only see incoming ping requests from the Cisco in the FW logs;
the error is: "encryption failure: Received a cleartext packet within an
encrypted connection" ...
So I checked the Cisco configuration again (see below) and even with all
debugging options I cannot see where the problem is.
Perhaps it's a compatibility problem? Maybe I should use the Easy VPN
"module"?? Could anyone help me??
version 12.3
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname RouterESM_PRA
!
no logging console
enable password 7 ****************
! username monitor password 7 1*******
clock timezone GMT 1
clock summer-time GMT recurring last Sun Mar 2:00 last Sun Oct 2:00
no aaa new-model
ip subnet-zero
!
ip dhcp pool CLIENT
   import all
!
no ip bootp server
ip audit notify log
ip audit po max-events 100
vpdn enable
no ftp-server write-enable
!
! IKE phase 1: 3DES / MD5 / pre-shared key / DH group 2, 1-hour SA lifetime
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
! pre-shared key for the Checkpoint peer
crypto isakmp key 0 ***** address PUBLIC_IP_FW_CHECKPOINT
!
! IPsec phase 2: transform set and crypto map; ACL 110 selects the traffic to encrypt
! (no "set peer" line appears in the config as posted)
crypto ipsec transform-set ts1 esp-3des esp-md5-hmac
!
crypto map EsmMap 10 ipsec-isakmp
 description specify IPSec policy for ESM
 set transform-set ts1
 match address 110
!
interface Ethernet0
 description LAN_PRA
 ip address
 ip nat inside
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 description adslpro_wanadoo
 ip address negotiated
 no ip redirects
 no ip unreachables
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname ****
 ppp chap password 7 ****
 ppp pap sent-username *** password 7 ***
 crypto map EsmMap
!
! hide NAT on Dialer1; route-map nonat4vpn (ACL 115) decides which traffic is translated
ip nat inside source route-map nonat4vpn interface Dialer1 overload
ip classless
ip route Dialer1
no ip http server
no ip http secure-server
!
access-list 1 permit
access-list 110 remark define an ACL for the traffic to be encrypted
access-list 110 permit ip
access-list 115 remark traffic between the sites does not get natted
access-list 115 permit ip any
access-list 115 deny   ip
no cdp run
!
route-map nonat4vpn permit 1
 match ip address 115
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
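
The ACE-ordering problem discussed in this thread, as an added example that is not part of any of the messages above: a small Python model of how IOS handles an inside-to-outside packet, where NAT translation (route-map nonat4vpn matching ACL 115) happens before the crypto-map check against ACL 110, so the crypto ACL only ever sees the post-NAT source address. The addresses (192.168.1.0/24 behind the Cisco, 10.10.0.0/16 behind the FW-1, 203.0.113.5 as the negotiated Dialer1 address) are constructed, since the real ones were stripped from the posted config, and the "as posted" ACL uses "permit ip LAN any" in place of the posted "permit ip any ..." whose arguments are missing.

```python
"""Model of Cisco IOS inside-to-outside handling for one packet:
NAT (route-map + ACL) runs before the crypto-map check, so the crypto ACL
sees the post-NAT source address. Constructed example, not the original post."""
import ipaddress
from dataclasses import dataclass

# Constructed addressing (RFC 1918 / RFC 5737), not taken from the thread.
LAN_BEHIND_CISCO = "192.168.1.0 0.0.0.255"
LAN_BEHIND_FW = "10.10.0.0 0.0.255.255"
DIALER1_IP = "203.0.113.5"  # assumed negotiated public address of Dialer1


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _network(tokens, i):
    """Read one IOS address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)  # wildcard -> netmask
    return ipaddress.IPv4Network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines; remarks are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, proto = tokens[2], tokens[3]
        if proto != "ip":
            raise ValueError(f"only 'ip' ACEs are modelled: {line}")
        src, i = _network(tokens, 4)
        dst, _ = _network(tokens, i)
        aces.append(Ace(action, src, dst))
    return aces


def acl_permits(aces, src_ip, dst_ip):
    """First-match evaluation with the implicit deny at the end."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False


def egress(src_ip, dst_ip, nonat_acl, crypto_acl):
    """Return (source address on the wire, encrypted?) for an inside->outside packet.
    IOS translates (route-map 'permit' + ACL match) before the crypto map is checked."""
    natted = acl_permits(nonat_acl, src_ip, dst_ip)
    wire_src = DIALER1_IP if natted else src_ip
    return wire_src, acl_permits(crypto_acl, wire_src, dst_ip)


CRYPTO_ACL_110 = f"""
access-list 110 remark define an ACL for the traffic to be encrypted
access-list 110 permit ip {LAN_BEHIND_CISCO} {LAN_BEHIND_FW}
"""
# Order as in the posted config: the permit is hit first, so VPN traffic is NATed.
NONAT_AS_POSTED = f"""
access-list 115 permit ip {LAN_BEHIND_CISCO} any
access-list 115 deny   ip {LAN_BEHIND_CISCO} {LAN_BEHIND_FW}
"""
# Re-ordered as suggested in the thread: the site-to-site deny comes first.
NONAT_FIXED = f"""
access-list 115 deny   ip {LAN_BEHIND_CISCO} {LAN_BEHIND_FW}
access-list 115 permit ip {LAN_BEHIND_CISCO} any
"""


def compare(src_ip="192.168.1.20", dst_ip="10.10.3.7"):
    """Run one LAN-to-LAN packet through both ACL 115 orderings."""
    crypto = parse_acl(CRYPTO_ACL_110)
    return {
        "as_posted": egress(src_ip, dst_ip, parse_acl(NONAT_AS_POSTED), crypto),
        "fixed": egress(src_ip, dst_ip, parse_acl(NONAT_FIXED), crypto),
    }


if __name__ == "__main__":
    for name, (wire_src, enc) in compare().items():
        print(f"{name:10s} source on wire {wire_src:15s} encrypted={enc}")
```

With the permit first, the LAN-to-LAN packet is translated to the Dialer1 address, no longer matches ACL 110, and leaves the router in the clear, which is what the Checkpoint logs as "Received a cleartext packet within an encrypted connection". With the deny first, the packet keeps its inside source, matches the crypto ACL and is encrypted, while Internet-bound traffic is still hide-NATed. The model follows Cisco's documented NAT order of operation (inside-to-outside translation precedes the crypto map check); it does not model the Checkpoint side.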



VPN mailing list

VPN at lists.shmoo.com

