[VPN] IOS Checkpoint VPN

Jean-Francois Dive jef at linuxbe.org
Fri Apr 29 01:35:33 EDT 2005


hello matt,

not sure you still need help but your problem is that the traffic that
goes through the IPsec tunnel should not be NATed. This is a classic
configuration problem with IOS. Have a look at
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009475c.shtml

The trick, in a nutshell, is the following:

- due to the order of operations, packets going out will be source NATed
  before being IPsec processed --> they don't match the IPsec policy.

- So the goal is to not NAT to-be-IPsec traffic.

- For a packet to be NATed, it must come in on an interface with an
  ip nat inside, and go out on an interface with an ip nat outside.

- The thing is to reroute the packets through the loopback
  interface so they appear on the external interface as not coming from
  the LAN one, so they don't get NATed. This is done with a route map.

This should solve your problem.

J.

On Wed, Apr 20, 2005 at 08:22:06PM +0200, matt wrote:
> hello gurus, 
> 
> I have been trying for a week to build a site-to-site VPN between a Checkpoint FW-1 and a Cisco 837 router. I followed several docs from Cisco and Checkpoint to do that.
> Actually I only see incoming ping requests from the Cisco in the FW logs; the error is: "encryption failure: Received a cleartext packet within an encrypted connection" ...
> So I checked the Cisco configuration again (see below) and even with all debugging options I cannot see where the problem is.
> Perhaps it's a compatibility problem? Maybe I should use the Easy VPN "module"??
> Could anyone help me??
> 
> 
> Code: 
> ! 
> version 12.3 
> no service pad 
> service timestamps debug datetime localtime show-timezone 
> service timestamps log datetime localtime show-timezone 
> service password-encryption 
> ! 
> hostname RouterESM_PRA 
> ! 
> no logging console 
> enable password 7 **************** 
> ! 
> 
> username monitor password 7 1******* 
> clock timezone GMT 1 
> clock summer-time GMT recurring last Sun Mar 2:00 last Sun Oct 2:00 
> no aaa new-model 
> ip subnet-zero 
> ! 
> ip dhcp pool CLIENT 
>    import all 
> ! 
> ! 
> no ip bootp server 
> ip audit notify log 
> ip audit po max-events 100 
> vpdn enable 
> ! 
> no ftp-server write-enable 
> ! 
> ! 
> ! 
> ! 
> crypto isakmp policy 1 
>  encr 3des 
>  hash md5 
>  authentication pre-share 
>  group 2 
>  lifetime 3600 
> crypto isakmp key 0 ***** address PUBLIC_IP_FW_CHECKPOINT 
> ! 
> ! 
> crypto ipsec transform-set ts1 esp-3des esp-md5-hmac 
> ! 
> crypto map EsmMap 10 ipsec-isakmp 
>  description specify IPSec policy for ESM 
>  set peer PUBLIC_IP_FW_CHECKPOINT 
>  set transform-set ts1 
>  match address 110 
> ! 
> ! 
> ! 
> ! 
> interface Ethernet0 
>  description LAN_PRA 
>  ip address 10.3.48.1 255.255.240.0 
>  ip nat inside 
>  no cdp enable 
>  hold-queue 100 out 
> ! 
> interface ATM0 
>  no ip address 
>  no atm ilmi-keepalive 
>  pvc 8/35 
>   encapsulation aal5mux ppp dialer 
>   dialer pool-member 1 
>  ! 
>  dsl operating-mode auto 
> ! 
> interface FastEthernet1 
>  no ip address 
>  duplex auto 
>  speed auto 
> ! 
> interface FastEthernet2 
>  no ip address 
>  duplex auto 
>  speed auto 
> ! 
> interface FastEthernet3 
>  no ip address 
>  duplex auto 
>  speed auto 
> ! 
> interface FastEthernet4 
>  no ip address 
>  duplex auto 
>  speed auto 
> ! 
> interface Dialer1 
>  description adslpro_wanadoo 
>  ip address negotiated 
>  no ip redirects 
>  no ip unreachables 
>  ip nat outside 
>  encapsulation ppp 
>  dialer pool 1 
>  dialer-group 1 
>  no cdp enable 
>  ppp authentication chap pap callin 
>  ppp chap hostname **** 
>  ppp chap password 7 **** 
>  ppp pap sent-username *** password 7 *** 
>  crypto map EsmMap 
> ! 
> ip nat inside source route-map nonat4vpn interface Dialer1 overload 
> ip classless 
> ip route 0.0.0.0 0.0.0.0 Dialer1 
> no ip http server 
> no ip http secure-server 
> ! 
> access-list 1 permit 10.3.48.0 0.0.15.255 
> access-list 110 remark define an ACL for the traffic to be encrypted 
> access-list 110 permit ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255 
> access-list 115 remark traffic between the sites does not get natted 
> access-list 115 permit ip 10.3.48.0 0.0.15.255 any 
> access-list 115 deny   ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255 
> no cdp run 
> route-map nonat4vpn permit 1 
>  match ip address 115 
> ! 
> ! 
> line con 0 
>  exec-timeout 120 0 
>  no modem enable 
>  stopbits 1 
> line aux 0 
> line vty 0 4 
>  access-class 23 in 
>  exec-timeout 120 0 
>  login local 
>  length 0 
> ! 
> scheduler max-task-time 5000 
> ! 
> end 
>  


-- 

-> Jean-Francois Dive
--> jef at linuxbe.org

  I think that God in creating Man somewhat overestimated his ability.
    -- Oscar Wilde
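The NAT-exemption route-map described in the reply depends on the order of the access-list lines, because IOS evaluates an access list top-down and stops at the first match, and `ip nat inside source route-map ...` only translates packets the route-map permits. As an added example (not code from either poster), a small Python simulator of that first-match lookup, run over the two lines of access-list 115 in the order they appear in the posted config and over the same two lines with the deny first; the host addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str   # "permit" or "deny"
    src: str      # "address wildcard" in IOS notation, or "any"
    dst: str


def _wild_match(addr: str, spec: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    base, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w) == (b & ~w)


def acl_lookup(acl: list[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for entry in acl:
        if _wild_match(src, entry.src) and _wild_match(dst, entry.dst):
            return entry.action
    return "deny"


def will_be_natted(acl: list[AclEntry], src: str, dst: str) -> bool:
    """With 'ip nat inside source route-map', a packet is translated only
    when the route-map's match ACL *permits* it; a deny exempts it from NAT."""
    return acl_lookup(acl, src, dst) == "permit"


# access-list 115 in the order it appears in the posted config.
POSTED_115 = [
    AclEntry("permit", "10.3.48.0 0.0.15.255", "any"),
    AclEntry("deny",   "10.3.48.0 0.0.15.255", "10.50.0.0 0.0.255.255"),
]

# The same two lines with the deny evaluated first (constructed for comparison).
DENY_FIRST_115 = [
    AclEntry("deny",   "10.3.48.0 0.0.15.255", "10.50.0.0 0.0.255.255"),
    AclEntry("permit", "10.3.48.0 0.0.15.255", "any"),
]

if __name__ == "__main__":
    vpn = ("10.3.50.7", "10.50.1.20")       # constructed: LAN host to remote site
    internet = ("10.3.50.7", "198.51.100.9")  # constructed: LAN host to the Internet
    for name, acl in (("posted", POSTED_115), ("deny-first", DENY_FIRST_115)):
        print(f"{name}: VPN traffic NATed={will_be_natted(acl, *vpn)}, "
              f"Internet traffic NATed={will_be_natted(acl, *internet)}")
```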


