[VPN] IOS Checkpoint VPN

Andrew Prince andrew.prince at trinitysecurity.com
Thu Apr 21 13:12:34 EDT 2005


You must tell the Checkpoint rule that traffic between the local & remote
subnets should be encrypted in the "Via" column of the rule - you should
define your VPN community there (depending on your version of CP). If it is
4.1 or below, the action column should be "encrypt".

  _____  

From: vpn-bounces+andrew.prince=trinitysecurity.com at lists.shmoo.com
[mailto:vpn-bounces+andrew.prince=trinitysecurity.com at lists.shmoo.com] On
Behalf Of mattdu.31 at laposte.net
Sent: 21 April 2005 17:32
To: vparamas
Cc: vpn
Subject: Re: [VPN] IOS Checkpoint VPN


Yes thanks, my problem was the access-lists!! I temporarily removed the "ip nat
inside..." from the configuration, and the IKE exchange completed
successfully.
 
But another problem appeared: "encryption failure: packet was decrypted but
policy says connection should not be decrypted" :((
 
I have the following rules :
Cisco837 to FW-1 any traffic : accept
LanBehindCisco to LanBehindFW: dns, icmp, http: accept.
 
The LAN located behind the Cisco router is "natted" (hide method) behind the
Gateway, whose internal IP address is 10.50.1.110. (I modified
the topology to fix the spoofing address problem.)
 
I made several tests but I still don't understand what's wrong???

 
>Try re-ordering the Access Control Entries (ACEs) in ACL 115 

>Current ACL 
>======= 
>access-list 115 permit ip 10.3.48.0 0.0.15.255 any 
>access-list 115 deny   ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255 


>Change it to 
>======= 


>access-list 115 deny   ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255 
>access-list 115 permit ip 10.3.48.0 0.0.15.255 any 


>Thanks, 
>Vijay 


matt wrote: 


Hello gurus, I have been trying for a week to build a site-to-site VPN between a
Checkpoint FW-1 and a Cisco 837 router. I followed several docs from Cisco
and Checkpoint to do that. 
Actually I only see incoming ping requests from the Cisco in the FW logs;
the error is: "encryption failure: Received a cleartext packet within an
encrypted connection" ... 
So I checked the Cisco configuration again (see below) and even with all
debugging options I cannot see where the problem is. 
Perhaps it's a problem of compatibility? Maybe I should use the Easy VPN
"module"?? Could anyone help me?? 
Code: 
! 
version 12.3 
no service pad 
service timestamps debug datetime localtime show-timezone 
service timestamps log datetime localtime show-timezone 
service password-encryption 
! 
hostname RouterESM_PRA 
! 
no logging console 
enable password 7 **************** 
! username monitor password 7 1******* 
clock timezone GMT 1 
clock summer-time GMT recurring last Sun Mar 2:00 last Sun Oct 2:00 
no aaa new-model 
ip subnet-zero 
! 
ip dhcp pool CLIENT 
   import all 
! 
! 
no ip bootp server 
ip audit notify log 
ip audit po max-events 100 
vpdn enable 
! 
no ftp-server write-enable 
! 
! 
! 
! 
crypto isakmp policy 1 
 encr 3des 
 hash md5 
 authentication pre-share 
 group 2 
 lifetime 3600 
crypto isakmp key 0 ***** address PUBLIC_IP_FW_CHECKPOINT 
! 
! 
crypto ipsec transform-set ts1 esp-3des esp-md5-hmac 
! 
crypto map EsmMap 10 ipsec-isakmp 
 description specify IPSec policy for ESM 
 set peer PUBLIC_IP_FW_CHECKPOINT 
 set transform-set ts1 
 match address 110 
! 
! 
! 
! 
interface Ethernet0 
 description LAN_PRA 
 ip address 10.3.48.1 255.255.240.0 
 ip nat inside 
 no cdp enable 
 hold-queue 100 out 
! 
interface ATM0 
 no ip address 
 no atm ilmi-keepalive 
 pvc 8/35 
  encapsulation aal5mux ppp dialer 
  dialer pool-member 1 
 ! 
 dsl operating-mode auto 
! 
interface FastEthernet1 
 no ip address 
 duplex auto 
 speed auto 
! 
interface FastEthernet2 
 no ip address 
 duplex auto 
 speed auto 
! 
interface FastEthernet3 
 no ip address 
 duplex auto 
 speed auto 
! 
interface FastEthernet4 
 no ip address 
 duplex auto 
 speed auto 
! 
interface Dialer1 
 description adslpro_wanadoo 
 ip address negotiated 
 no ip redirects 
 no ip unreachables 
 ip nat outside 
 encapsulation ppp 
 dialer pool 1 
 dialer-group 1 
 no cdp enable 
 ppp authentication chap pap callin 
 ppp chap hostname **** 
 ppp chap password 7 **** 
 ppp pap sent-username *** password 7 *** 
 crypto map EsmMap 
! 
ip nat inside source route-map nonat4vpn interface Dialer1 overload 
ip classless 
ip route 0.0.0.0 0.0.0.0 Dialer1 
no ip http server 
no ip http secure-server 
! 
access-list 1 permit 10.3.48.0 0.0.15.255 
access-list 110 remark define an ACL for the traffic to be encrypted 
access-list 110 permit ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255 
access-list 115 remark traffic between the sites does not get natted 
access-list 115 permit ip 10.3.48.0 0.0.15.255 any 
access-list 115 deny   ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255 
no cdp run 
route-map nonat4vpn permit 1 
 match ip address 115 
! 
! 
line con 0 
 exec-timeout 120 0 
 no modem enable 
 stopbits 1 
line aux 0 
line vty 0 4 
 access-class 23 in 
 exec-timeout 120 0 
 login local 
 length 0 
! 
scheduler max-task-time 5000 
! 
end 
  


  _____  

_______________________________________________

VPN mailing list

VPN at lists.shmoo.com

http://lists.shmoo.com/mailman/listinfo/vpn



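The reordering Vijay suggests matters because IOS evaluates an access-list top down and stops at the first matching entry, and the route-map `nonat4vpn` applies NAT to whatever ACL 115 permits. With `permit ip 10.3.48.0 0.0.15.255 any` first, the following `deny` for the 10.50.0.0/16 side can never match, so VPN-bound packets are hidden behind the Dialer1 address and no longer match the crypto ACL 110. The following Python is an added illustration, not code from the thread or from Cisco: it is a simplified first-match evaluator for `ip`-only ACEs with wildcard masks (no ports or other protocols), using constructed copies of the two ACL 115 orderings, plus a small check that flags entries shadowed by an earlier one.

```python
import ipaddress
from dataclasses import dataclass

# Constructed copies of ACL 115 as posted in the thread and as Vijay proposed
# reordering it. Only the ACE lines matter; remark lines are skipped.
ACL_115_AS_POSTED = """
access-list 115 remark traffic between the sites does not get natted
access-list 115 permit ip 10.3.48.0 0.0.15.255 any
access-list 115 deny   ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255
"""

ACL_115_REORDERED = """
access-list 115 remark traffic between the sites does not get natted
access-list 115 deny   ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255
access-list 115 permit ip 10.3.48.0 0.0.15.255 any
"""

ALL_ONES = 0xFFFFFFFF


@dataclass
class Ace:
    action: str      # "permit" or "deny"
    src_net: int
    src_wild: int    # IOS wildcard: 1 bits are "don't care"
    dst_net: int
    dst_wild: int


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, ALL_ONES
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    net = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    return net, wild


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines (simplified, ip only)."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action = tokens[2]
        rest = tokens[4:]              # tokens[3] is the protocol, assumed "ip"
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        aces.append(Ace(action, *src, *dst))
    return aces


def _matches(addr, net, wild):
    mask = ~wild & ALL_ONES
    return (addr & mask) == (net & mask)


def evaluate(aces, src, dst):
    """First-match evaluation with the implicit deny at the end, as on IOS."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for ace in aces:
        if _matches(s, ace.src_net, ace.src_wild) and _matches(d, ace.dst_net, ace.dst_wild):
            return ace.action
    return "deny"


def will_be_natted(acl_text, src, dst):
    """'ip nat inside source route-map ...' translates packets the ACL permits."""
    return evaluate(parse_acl(acl_text), src, dst) == "permit"


def _covers(net_a, wild_a, net_b, wild_b):
    """True if every address matched by (net_b, wild_b) is also matched by (net_a, wild_a)."""
    mask_a = ~wild_a & ALL_ONES
    return (wild_b & mask_a) == 0 and (net_b & mask_a) == (net_a & mask_a)


def shadowed_aces(aces):
    """Indices of ACEs that can never match because an earlier ACE covers them."""
    shadowed = []
    for j, later in enumerate(aces):
        for earlier in aces[:j]:
            if (_covers(earlier.src_net, earlier.src_wild, later.src_net, later.src_wild)
                    and _covers(earlier.dst_net, earlier.dst_wild, later.dst_net, later.dst_wild)):
                shadowed.append(j)
                break
    return shadowed


if __name__ == "__main__":
    # Constructed sample hosts: one on each LAN, plus an arbitrary internet address.
    for name, acl in (("as posted", ACL_115_AS_POSTED), ("reordered", ACL_115_REORDERED)):
        print(f"{name}: VPN traffic natted = {will_be_natted(acl, '10.3.50.5', '10.50.1.10')}, "
              f"internet traffic natted = {will_be_natted(acl, '10.3.50.5', '198.51.100.7')}, "
              f"shadowed ACEs = {shadowed_aces(parse_acl(acl))}")
```

Running it shows that the posted ordering NATs the 10.3.48.0/20 to 10.50.0.0/16 traffic (and reports the deny as shadowed), while the reordered ACL exempts it and still NATs internet-bound traffic. The same first-match reasoning applies to reading the crypto ACL 110: a packet whose source was already rewritten by NAT no longer matches it.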

