[VPN] IOS Checkpoint VPN

matt mattdu.31 at laposte.net
Thu Apr 21 16:15:24 EDT 2005

Sorry, I don't understand what you mean.
I use CP NG55 and don't have any "via" column in the rules (I saw the "encrypt" action related to previous CP versions in several docs). I have already defined a meshed site-to-site community and checked that I have the same parameters (shared secret, 3DES, MD5, ...) as those defined on the Cisco.

----- Original Message ----- 
  From: Andrew Prince 
  To: mattdu.31 at laposte.net ; 'vparamas' 
  Cc: 'vpn' 
  Sent: Thursday, April 21, 2005 7:12 PM
  Subject: RE: [VPN] IOS Checkpoint VPN

  You must tell the Checkpoint rule that traffic between the local and remote subnets should be encrypted, in the "Via" column of the rule: you should define your VPN community there (depending on your version of CP); if it is 4.1 or below, the action column should be "encrypt".

  From: vpn-bounces+andrew.prince=trinitysecurity.com at lists.shmoo.com [mailto:vpn-bounces+andrew.prince=trinitysecurity.com at lists.shmoo.com] On Behalf Of mattdu.31 at laposte.net
  Sent: 21 April 2005 17:32
  To: vparamas
  Cc: vpn
  Subject: Re: [VPN] IOS Checkpoint VPN

  Yes, thanks, my problem was the access-lists!! I temporarily removed the "ip nat inside..." from the configuration, and the IKE exchange completed successfully.

  But another problem appeared: "encryption failure: packet was decrypted but policy says connection should not be decrypted" :((

  I have the following rules :
  Cisco837 to FW-1 any traffic : accept
  LanBehindCisco to LanBehindFW: dns, icmp, http: accept.

  The LAN located behind the Cisco router is "natted" (hide method) behind the gateway whose IP address is the internal address (I modified the topology to fix the address-spoofing problem).

  I made several tests but I still don't understand what's wrong???

  >Try re-ordering the Acces Control Entries(ACE) in the  ACL 115 
  >Current ACL 
  >access-list 115 permit ip any 
  >access-list 115 deny   ip 

  >Change it to 

  >access-list 115 deny   ip 
  >access-list 115 permit ip any 


  matt wrote: 

    hello gurus, I have been trying for a week to build a site-to-site VPN between a Checkpoint FW-1 and a Cisco 837 router. I followed several docs from Cisco and Checkpoint to do that. 
    Actually I only see incoming ping requests from the Cisco in the FW logs; the error is: "encryption failure: Received a cleartext packet within an encrypted connection" ... 
    So I checked the Cisco configuration again (see below) and even with all debugging options I cannot see where the problem is. 
    Perhaps it's a problem of compatibility? Maybe I should use the Easy VPN "module"?? Could anyone help me?? 
    version 12.3 
    no service pad 
    service timestamps debug datetime localtime show-timezone 
    service timestamps log datetime localtime show-timezone 
    service password-encryption 
    hostname RouterESM_PRA 
    no logging console 
    enable password 7 **************** 
    ! username monitor password 7 1******* 
    clock timezone GMT 1 
    clock summer-time GMT recurring last Sun Mar 2:00 last Sun Oct 2:00 
    no aaa new-model 
    ip subnet-zero 
    ip dhcp pool CLIENT 
       import all 
    no ip bootp server 
    ip audit notify log 
    ip audit po max-events 100 
    vpdn enable 
    no ftp-server write-enable 
    crypto isakmp policy 1 
     encr 3des 
     hash md5 
     authentication pre-share 
     group 2 
     lifetime 3600 
    crypto isakmp key 0 ***** address PUBLIC_IP_FW_CHECKPOINT 
    crypto ipsec transform-set ts1 esp-3des esp-md5-hmac 
    crypto map EsmMap 10 ipsec-isakmp 
     description specify IPSec policy for ESM 
     set transform-set ts1 
     match address 110 
    interface Ethernet0 
     description LAN_PRA 
     ip address 
     ip nat inside 
     no cdp enable 
     hold-queue 100 out 
    interface ATM0 
     no ip address 
     no atm ilmi-keepalive 
     pvc 8/35 
      encapsulation aal5mux ppp dialer 
      dialer pool-member 1 
     dsl operating-mode auto 
    interface FastEthernet1 
     no ip address 
     duplex auto 
     speed auto 
    interface FastEthernet2 
     no ip address 
     duplex auto 
     speed auto 
    interface FastEthernet3 
     no ip address 
     duplex auto 
     speed auto 
    interface FastEthernet4 
     no ip address 
     duplex auto 
     speed auto 
    interface Dialer1 
     description adslpro_wanadoo 
     ip address negotiated 
     no ip redirects 
     no ip unreachables 
     ip nat outside 
     encapsulation ppp 
     dialer pool 1 
     dialer-group 1 
     no cdp enable 
     ppp authentication chap pap callin 
     ppp chap hostname **** 
     ppp chap password 7 **** 
     ppp pap sent-username *** password 7 *** 
     crypto map EsmMap 
    ip nat inside source route-map nonat4vpn interface Dialer1 overload 
    ip classless 
    ip route Dialer1 
    no ip http server 
    no ip http secure-server 
    access-list 1 permit 
    access-list 110 remark define an ACL for the traffic to be encrypted 
    access-list 110 permit ip 
    access-list 115 remark traffic between the sites does not get natted 
    access-list 115 permit ip any 
    access-list 115 deny   ip 
    no cdp run 
    route-map nonat4vpn permit 1 
     match ip address 115 
    line con 0 
     exec-timeout 120 0 
     no modem enable 
     stopbits 1 
    line aux 0 
    line vty 0 4 
     access-class 23 in 
     exec-timeout 120 0 
     login local 
     length 0 
    scheduler max-task-time 5000 
VPN mailing list
VPN at lists.shmoo.com

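The ACL reordering suggested in the thread comes down to IOS first-match semantics and the order of operations on the router: for inside-to-outside traffic, the NAT translation driven by `ip nat inside source route-map nonat4vpn ...` is applied before the crypto map is consulted, so if ACL 115 permits the site-to-site flow (permit any ... listed first), the packet is translated to the Dialer1 address, no longer matches crypto ACL 110, and leaves in cleartext, which is exactly what the Checkpoint logs as a cleartext packet inside an encrypted connection. The following is an added Python model of that evaluation order, not code from the thread or from Cisco; the subnets, the Dialer1 address and the assumption that the elided entry reads `permit ip any any` are all constructed for illustration. It also includes an audit that flags crypto-ACL flows shadowed by the NAT ACL, which generalises the single case discussed here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Net = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")  # models "any" in an IOS ACE


@dataclass(frozen=True)
class Ace:
    """One access-control entry: 'permit' or 'deny' for a source/destination pair."""
    action: str
    src: Net
    dst: Net


def first_match(acl: List[Ace], src_ip: str, dst_ip: str) -> str:
    """IOS ACL semantics: entries are tested top-down, the first match wins,
    and a packet that matches nothing hits the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def egress(nat_acl: List[Ace], crypto_acl: List[Ace],
           src_ip: str, dst_ip: str, nat_ip: str) -> Tuple[str, bool]:
    """Model one inside->outside packet. NAT inside-to-outside translation runs
    before the crypto map on IOS, so the crypto ACL sees the post-NAT source.
    Returns (source address on the wire, whether the packet is encrypted)."""
    # 'ip nat inside source route-map ... overload' translates exactly the
    # packets the route-map's match ACL permits.
    if first_match(nat_acl, src_ip, dst_ip) == "permit":
        src_ip = nat_ip
    encrypted = first_match(crypto_acl, src_ip, dst_ip) == "permit"
    return src_ip, encrypted


def shadowed_vpn_flows(nat_acl: List[Ace], crypto_acl: List[Ace]) -> List[Ace]:
    """Audit: every flow the crypto ACL wants encrypted must be denied by the
    NAT ACL; otherwise it is translated first and leaves the router in cleartext.
    Each crypto ACE is probed with the network address of its src/dst pair."""
    shadowed = []
    for ace in crypto_acl:
        if ace.action != "permit":
            continue
        probe_src = str(ace.src.network_address)
        probe_dst = str(ace.dst.network_address)
        if first_match(nat_acl, probe_src, probe_dst) == "permit":
            shadowed.append(ace)
    return shadowed


# Constructed topology (documentation/private ranges, not the poster's addresses).
LAN_CISCO = ipaddress.ip_network("192.168.10.0/24")   # LAN behind the Cisco 837
LAN_FW = ipaddress.ip_network("192.168.20.0/24")      # LAN behind the Checkpoint
DIALER_IP = "203.0.113.5"                             # negotiated Dialer1 address

# access-list 110: traffic to be encrypted (crypto map EsmMap, match address 110)
ACL110 = [Ace("permit", LAN_CISCO, LAN_FW)]

# access-list 115 as posted: permit any listed first, deny for the VPN flow after it
ACL115_AS_POSTED = [Ace("permit", ANY, ANY), Ace("deny", LAN_CISCO, LAN_FW)]
# access-list 115 as suggested in the thread: deny the VPN flow first, then permit any
ACL115_REORDERED = [Ace("deny", LAN_CISCO, LAN_FW), Ace("permit", ANY, ANY)]


def demo() -> None:
    flow = ("192.168.10.10", "192.168.20.10")
    for name, acl in (("as posted", ACL115_AS_POSTED), ("reordered", ACL115_REORDERED)):
        src, enc = egress(acl, ACL110, *flow, DIALER_IP)
        print(f"ACL 115 {name}: source on wire={src} encrypted={enc} "
              f"shadowed={shadowed_vpn_flows(acl, ACL110)}")


if __name__ == "__main__":
    demo()
```

With the posted ordering the site-to-site packet leaves as 203.0.113.5 in cleartext; with the deny entry first it keeps its LAN source, matches ACL 110 and is encrypted, while Internet-bound traffic is still translated as before. The audit function is the check to run whenever a NAT-exemption ACL and a crypto ACL are edited independently.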