[VPN] IOS Checkpoint VPN

matt mattdu.31 at laposte.net
Thu Apr 21 16:15:24 EDT 2005


Sorry, I don't understand what you mean.
I use CP NG55 and don't have any "via" column in the rules (I saw an "encrypt" action related to a previous CP version in several docs). I have already defined a meshed site-to-site community and checked that I have the same parameters (shared secret, 3DES, MD5, ...) as those defined on the Cisco.
:-/

----- Original Message ----- 
  From: Andrew Prince 
  To: mattdu.31 at laposte.net ; 'vparamas' 
  Cc: 'vpn' 
  Sent: Thursday, April 21, 2005 7:12 PM
  Subject: RE: [VPN] IOS Checkpoint VPN


  You must tell the Checkpoint rule that traffic between the local & remote subnets should be encrypted in the "Via" column of the rule - you should define your VPN community there (depending on your version of CP); if it is 4.1 or below, the action column should be "encrypt".



------------------------------------------------------------------------------
  From: vpn-bounces+andrew.prince=trinitysecurity.com at lists.shmoo.com [mailto:vpn-bounces+andrew.prince=trinitysecurity.com at lists.shmoo.com] On Behalf Of mattdu.31 at laposte.net
  Sent: 21 April 2005 17:32
  To: vparamas
  Cc: vpn
  Subject: Re: [VPN] IOS Checkpoint VPN


  Yes thanks, my problem was the access-lists!! I temporarily removed the "ip nat inside..." from the configuration, and the IKE exchange completed successfully.

  But another problem appeared: "encryption failure: packet was decrypted but policy says connection should not be decrypted" :((

  I have the following rules :
  Cisco837 to FW-1 any traffic : accept
  LanBehindCisco to LanBehindFW: dns, icmp, http: accept.

  The LAN located behind the Cisco router is "natted" (hide method) behind the gateway, whose internal IP address is 10.50.1.110. (I modified the topology to fix the spoofed-address problem.)

  I made several tests but I still don't understand what's wrong???

   
  >Try re-ordering the Access Control Entries (ACE) in the ACL 115 
  >Current ACL 
  >======= 
  >access-list 115 permit ip 10.3.48.0 0.0.15.255 any 
  >access-list 115 deny   ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255 

  >Change it to 
  >======= 

  >access-list 115 deny   ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255 
  >access-list 115 permit ip 10.3.48.0 0.0.15.255 any 

  >Thanks, 
  >Vijay 

  matt wrote: 

    hello gurus, I try for a week to build a site-to-site VPN between a Checkpoint FW-1 and a cisco 837 router. I followed several docs from cisco and checkpoint to do that. 
    Actually I only see incoming ping requests from the cisco in the FW logs, the error is : "encryption failure: Received a cleartext packet within an encrypted connection" ... 
    So I checked again the cisco configuration (see below) and even with all debugging options I cannot see where the problem is. 
    Perhaps it's a problem of compatibility? Maybe I should use the Easy VPN "module"?? Could anyone help me?? 
    Code: 
    ! 
    version 12.3 
    no service pad 
    service timestamps debug datetime localtime show-timezone 
    service timestamps log datetime localtime show-timezone 
    service password-encryption 
    ! 
    hostname RouterESM_PRA 
    ! 
    no logging console 
    enable password 7 **************** 
    ! username monitor password 7 1******* 
    clock timezone GMT 1 
    clock summer-time GMT recurring last Sun Mar 2:00 last Sun Oct 2:00 
    no aaa new-model 
    ip subnet-zero 
    ! 
    ip dhcp pool CLIENT 
       import all 
    ! 
    ! 
    no ip bootp server 
    ip audit notify log 
    ip audit po max-events 100 
    vpdn enable 
    ! 
    no ftp-server write-enable 
    ! 
    ! 
    ! 
    ! 
    crypto isakmp policy 1 
     encr 3des 
     hash md5 
     authentication pre-share 
     group 2 
     lifetime 3600 
    crypto isakmp key 0 ***** address PUBLIC_IP_FW_CHECKPOINT 
    ! 
    ! 
    crypto ipsec transform-set ts1 esp-3des esp-md5-hmac 
    ! 
    crypto map EsmMap 10 ipsec-isakmp 
     description specify IPSec policy for ESM 
     set peer PUBLIC_IP_FW_CHECKPOINT 
     set transform-set ts1 
     match address 110 
    ! 
    ! 
    ! 
    ! 
    interface Ethernet0 
     description LAN_PRA 
     ip address 10.3.48.1 255.255.240.0 
     ip nat inside 
     no cdp enable 
     hold-queue 100 out 
    ! 
    interface ATM0 
     no ip address 
     no atm ilmi-keepalive 
     pvc 8/35 
      encapsulation aal5mux ppp dialer 
      dialer pool-member 1 
     ! 
     dsl operating-mode auto 
    ! 
    interface FastEthernet1 
     no ip address 
     duplex auto 
     speed auto 
    ! 
    interface FastEthernet2 
     no ip address 
     duplex auto 
     speed auto 
    ! 
    interface FastEthernet3 
     no ip address 
     duplex auto 
     speed auto 
    ! 
    interface FastEthernet4 
     no ip address 
     duplex auto 
     speed auto 
    ! 
    interface Dialer1 
     description adslpro_wanadoo 
     ip address negotiated 
     no ip redirects 
     no ip unreachables 
     ip nat outside 
     encapsulation ppp 
     dialer pool 1 
     dialer-group 1 
     no cdp enable 
     ppp authentication chap pap callin 
     ppp chap hostname **** 
     ppp chap password 7 **** 
     ppp pap sent-username *** password 7 *** 
     crypto map EsmMap 
    ! 
    ip nat inside source route-map nonat4vpn interface Dialer1 overload 
    ip classless 
    ip route 0.0.0.0 0.0.0.0 Dialer1 
    no ip http server 
    no ip http secure-server 
    ! 
    access-list 1 permit 10.3.48.0 0.0.15.255 
    access-list 110 remark define an ACL for the traffic to be encrypted 
    access-list 110 permit ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255 
    access-list 115 remark traffic between the sites does not get natted 
    access-list 115 permit ip 10.3.48.0 0.0.15.255 any 
    access-list 115 deny   ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255 
    no cdp run 
    route-map nonat4vpn permit 1 
     match ip address 115 
    ! 
    ! 
    line con 0 
     exec-timeout 120 0 
     no modem enable 
     stopbits 1 
    line aux 0 
    line vty 0 4 
     access-class 23 in 
     exec-timeout 120 0 
     login local 
     length 0 
    ! 
    scheduler max-task-time 5000 
    ! 
    end 
      
----------------------------------------------------------------------------
_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn



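The whole thread turns on one IOS behaviour: a numbered ACL is evaluated top-down and the first matching entry wins, so with "permit ... any" listed before "deny ... 10.50.0.0", the deny in ACL 115 is never reached, the route-map translates the site-to-site traffic, and the translated packet no longer matches crypto ACL 110. The script below is an added illustration, not part of the thread and not a Cisco tool: it models first-match evaluation of the two ACLs from the posted configuration with wildcard-mask semantics, then applies the inside-to-outside order of operations (NAT before the crypto map check) to show why Vijay's reordering matters. The Dialer1 address 203.0.113.10 and the sample hosts are constructed placeholders; the parser handles only the "ip SRC WILD DST WILD", "host" and "any" forms that appear in the configuration.

```python
"""First-match evaluation of Cisco IOS numbered ACLs (added example, not from the thread).

Models how a route-map 'match ip address 115' decides whether
'ip nat inside source route-map nonat4vpn interface Dialer1 overload'
translates a packet: an ACL permit means NAT is applied, a deny (explicit or
implicit) leaves the packet untouched so it can still match crypto ACL 110.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed placeholder for the negotiated Dialer1 address (not from the thread).
DIALER1_PUBLIC_IP = "203.0.113.10"


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    src: int         # source network as a 32-bit int
    src_wild: int    # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wild: int


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny ip <src> <dst>' where each side is
    'A.B.C.D W.X.Y.Z', 'host A.B.C.D' or 'any'. Remark lines are not accepted."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    action, rest, fields, i = tokens[2], tokens[4:], [], 0
    while i < len(rest):
        if rest[i] == "any":
            fields.append((0, 0xFFFFFFFF)); i += 1
        elif rest[i] == "host":
            fields.append((_addr(rest[i + 1]), 0)); i += 2
        else:
            fields.append((_addr(rest[i]), _addr(rest[i + 1]))); i += 2
    (src, sw), (dst, dw) = fields
    return Ace(action, src, sw, dst, dw)


def _matches(addr: int, base: int, wild: int) -> bool:
    """Wildcard-mask comparison: only bits that are 0 in the mask must agree."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First match wins; an unmatched packet hits the implicit deny (index None)."""
    s, d = _addr(src), _addr(dst)
    for idx, ace in enumerate(acl):
        if _matches(s, ace.src, ace.src_wild) and _matches(d, ace.dst, ace.dst_wild):
            return ace.action, idx
    return "deny", None


# Entries exactly as posted in the thread (remark lines omitted).
ORIGINAL_ACL_115 = [parse_ace(l) for l in (
    "access-list 115 permit ip 10.3.48.0 0.0.15.255 any",
    "access-list 115 deny   ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255",
)]
REORDERED_ACL_115 = [parse_ace(l) for l in (
    "access-list 115 deny   ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255",
    "access-list 115 permit ip 10.3.48.0 0.0.15.255 any",
)]
CRYPTO_ACL_110 = [parse_ace("access-list 110 permit ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255")]


def classify(nat_acl: List[Ace], src: str, dst: str) -> Dict[str, object]:
    """Inside-to-outside order of operations: NAT runs before the crypto map
    on Dialer1, so the crypto ACL sees the (possibly translated) source."""
    nat_action, nat_idx = evaluate(nat_acl, src, dst)
    translated_src = DIALER1_PUBLIC_IP if nat_action == "permit" else src
    crypto_action, _ = evaluate(CRYPTO_ACL_110, translated_src, dst)
    return {
        "nat_ace_index": nat_idx,
        "natted": nat_action == "permit",
        "translated_src": translated_src,
        "encrypted": crypto_action == "permit",
    }


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL_115), ("reordered", REORDERED_ACL_115)):
        print(label, "LAN->remote:", classify(acl, "10.3.48.5", "10.50.1.110"))
        print(label, "LAN->Internet:", classify(acl, "10.3.48.5", "198.51.100.7"))
```

With the posted ordering, a packet from 10.3.48.5 to 10.50.1.110 matches ACE 0 (permit any), is hidden behind Dialer1 and then fails the crypto ACL, which is consistent with the Checkpoint logging cleartext arriving on an encrypted connection. With the deny first, the same packet is left untranslated and matches ACL 110, while Internet-bound traffic is still NATed. Tracking the matched ACE index is also the check to make on a live router: "show access-lists 115" will show hit counts accumulating only on the entry that actually fires.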