[VPN] IOS Checkpoint VPN

Dana J. Dawson Dana.Dawson at qwest.com
Mon May 2 11:24:21 EDT 2005


Rather than use the loopback routing hack a better solution would be to 
fix the existing "access-list 115" so that it does what's intended. 
Since access-lists are processed top-down on a first match basis, the 
"deny" line for the VPN traffic will never be reached because the 
previous "permit" line is more general.  Swap the order of those two 
lines and that should fix the NAT issue.

The loopback routing trick was needed when you had static one-to-one NAT 
translations and VPN configured because there was no other way to 
selectively apply the static NAT only to non-VPN traffic.  However, 
recent versions of IOS support route-maps on static translations so the 
loopback trick should never be necessary in this case.  In general, 
policy routing should only be used as a last resort, especially in cases 
where it will force the router to use the process switching path for 
packets (which loopback routing will do).

HTH - Good luck!

Dana

Dana J. Dawson                     Dana.Dawson at qwest.com
Sr. Staff Engineer                 CCIE #1937
Qwest Communications
600 Stinson Blvd., Suite 1S
Minneapolis  MN  55413-2620

"Hard is where the money is."


Jean-Francois Dive wrote:
> hello matt,
> 
> not sure you still need help but your problem is that the traffic that
> goes through the ipsec tunnel should not be NATed. This is a classic
> configuration problem with IOS. Have a look at 
> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009475c.shtml
> 
> the trick, in a nutshell, is the following:
> 
> - due to the order of operation, packets going out will be source NATed
>   before being ipsec processed --> they don't match the ipsec policy.
> 
> - So the goal is to not NAT to_be_ipsec traffic.
> 
> - For a packet to be NATed, it must come from an interface with an
>   ip nat inside, and go out on an interface with an ip nat outside.
> 
> - The thing is to reroute the packets to be routed through the loopback
>   interface so they appear on the external interface not coming from
>   the LAN one, so they don't get NATed. This is done with a route map.
> 
> This should solve your problem.
> 
> J.
> 
> On Wed, Apr 20, 2005 at 08:22:06PM +0200, matt wrote:
> 
>>hello gurus, 
>>
>>I have been trying for a week to build a site-to-site VPN between a Checkpoint FW-1 and a cisco 837 router. I followed several docs from cisco and checkpoint to do that.
>>Actually I only see incoming ping requests from the cisco in the FW logs; the error is: "encryption failure: Received a cleartext packet within an encrypted connection" ...
>>So I checked again the cisco configuration (see below) and even with all debugging options I cannot see where the problem is.
>>Perhaps it's a problem of compatibility? Maybe I should use the Easy VPN "module"??
>>Could anyone help me??
>>
>>
>>Code: 
>>! 
>>version 12.3 
>>no service pad 
>>service timestamps debug datetime localtime show-timezone 
>>service timestamps log datetime localtime show-timezone 
>>service password-encryption 
>>! 
>>hostname RouterESM_PRA 
>>! 
>>no logging console 
>>enable password 7 **************** 
>>! 
>>
>>username monitor password 7 1******* 
>>clock timezone GMT 1 
>>clock summer-time GMT recurring last Sun Mar 2:00 last Sun Oct 2:00 
>>no aaa new-model 
>>ip subnet-zero 
>>! 
>>ip dhcp pool CLIENT 
>>   import all 
>>! 
>>! 
>>no ip bootp server 
>>ip audit notify log 
>>ip audit po max-events 100 
>>vpdn enable 
>>! 
>>no ftp-server write-enable 
>>! 
>>! 
>>! 
>>! 
>>crypto isakmp policy 1 
>> encr 3des 
>> hash md5 
>> authentication pre-share 
>> group 2 
>> lifetime 3600 
>>crypto isakmp key 0 ***** address PUBLIC_IP_FW_CHECKPOINT 
>>! 
>>! 
>>crypto ipsec transform-set ts1 esp-3des esp-md5-hmac 
>>! 
>>crypto map EsmMap 10 ipsec-isakmp 
>> description specify IPSec policy for ESM 
>> set peer PUBLIC_IP_FW_CHECKPOINT 
>> set transform-set ts1 
>> match address 110 
>>! 
>>! 
>>! 
>>! 
>>interface Ethernet0 
>> description LAN_PRA 
>> ip address 10.3.48.1 255.255.240.0 
>> ip nat inside 
>> no cdp enable 
>> hold-queue 100 out 
>>! 
>>interface ATM0 
>> no ip address 
>> no atm ilmi-keepalive 
>> pvc 8/35 
>>  encapsulation aal5mux ppp dialer 
>>  dialer pool-member 1 
>> ! 
>> dsl operating-mode auto 
>>! 
>>interface FastEthernet1 
>> no ip address 
>> duplex auto 
>> speed auto 
>>! 
>>interface FastEthernet2 
>> no ip address 
>> duplex auto 
>> speed auto 
>>! 
>>interface FastEthernet3 
>> no ip address 
>> duplex auto 
>> speed auto 
>>! 
>>interface FastEthernet4 
>> no ip address 
>> duplex auto 
>> speed auto 
>>! 
>>interface Dialer1 
>> description adslpro_wanadoo 
>> ip address negotiated 
>> no ip redirects 
>> no ip unreachables 
>> ip nat outside 
>> encapsulation ppp 
>> dialer pool 1 
>> dialer-group 1 
>> no cdp enable 
>> ppp authentication chap pap callin 
>> ppp chap hostname **** 
>> ppp chap password 7 **** 
>> ppp pap sent-username *** password 7 *** 
>> crypto map EsmMap 
>>! 
>>ip nat inside source route-map nonat4vpn interface Dialer1 overload 
>>ip classless 
>>ip route 0.0.0.0 0.0.0.0 Dialer1 
>>no ip http server 
>>no ip http secure-server 
>>! 
>>access-list 1 permit 10.3.48.0 0.0.15.255 
>>access-list 110 remark define an ACL for the traffic to be encrypted 
>>access-list 110 permit ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255 
>>access-list 115 remark traffic between the sites does not get natted 
>>access-list 115 permit ip 10.3.48.0 0.0.15.255 any 
>>access-list 115 deny   ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255 
>>no cdp run 
>>route-map nonat4vpn permit 1 
>> match ip address 115 
>>! 
>>! 
>>line con 0 
>> exec-timeout 120 0 
>> no modem enable 
>> stopbits 1 
>>line aux 0 
>>line vty 0 4 
>> access-class 23 in 
>> exec-timeout 120 0 
>> login local 
>> length 0 
>>! 
>>scheduler max-task-time 5000 
>>! 
>>end 
>> 
> 
> 
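Dana's first-match point, worked through as an added example (not code from the thread or from Cisco): a small IOS-style wildcard-mask ACL evaluator run over access-list 115 as posted and with its two lines swapped, using constructed sample flows. It assumes the thread's route-map semantics, i.e. that a packet permitted by ACL 115 via route-map nonat4vpn is the one that gets translated.

```python
from ipaddress import IPv4Address

def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 0 bit must match exactly, a 1 bit is don't-care."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    keep = ~w & 0xFFFFFFFF
    return (a & keep) == (n & keep)

def acl_first_match(acl, src, dst):
    """Walk the ACL top-down and return the action of the first matching line."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

# access-list 115 exactly as posted: the general permit comes first
ACL_115_POSTED = [
    ("permit", "10.3.48.0", "0.0.15.255", "0.0.0.0", "255.255.255.255"),  # dst 'any'
    ("deny",   "10.3.48.0", "0.0.15.255", "10.50.0.0", "0.0.255.255"),
]
# the same two lines with the order swapped, as Dana suggests
ACL_115_FIXED = list(reversed(ACL_115_POSTED))

def will_be_natted(acl, src, dst):
    """'ip nat inside source route-map nonat4vpn': route-map nonat4vpn permit 1 matches
    ACL 115, so an ACL 'permit' means translate and 'deny' means leave the packet alone."""
    return acl_first_match(acl, src, dst) == "permit"

# constructed sample flows (not from the thread): one to the remote VPN LAN,
# one to an arbitrary Internet host
VPN_FLOW = ("10.3.48.20", "10.50.1.10")
INTERNET_FLOW = ("10.3.48.20", "198.51.100.7")

def nat_decisions(acl):
    """Map each sample flow name to whether this ACL would have it NATed."""
    return {"vpn": will_be_natted(acl, *VPN_FLOW),
            "internet": will_be_natted(acl, *INTERNET_FLOW)}

if __name__ == "__main__":
    # posted order NATs the VPN flow too, so it can never match crypto ACL 110
    print("posted:", nat_decisions(ACL_115_POSTED))
    # swapped order exempts the VPN flow and still NATs Internet traffic
    print("fixed: ", nat_decisions(ACL_115_FIXED))
```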