<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1498" name=GENERATOR></HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Sorry, I don't understand what you
mean.</FONT></DIV>
<DIV><FONT face=Arial size=2>I use CP NG55 and don't have any "via" column in
the rules (I saw the "encrypt" action related to previous CP versions
in several docs). I have already defined a meshed site-to-site community and
checked that I have the same parameters (shared secret, 3DES, MD5, ...) as those
defined on the Cisco.</FONT></DIV>
<DIV><FONT face=Arial size=2>:-/</FONT></DIV>
<DIV> </DIV>
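<DIV><FONT face=Arial size=2>Added illustration (editor's example, not part of the thread): a small Python model of IOS first-match access-list evaluation. It runs the <CODE>access-list 115</CODE> exactly as posted, and as reordered in Vijay's suggestion, against a site-to-site packet, then applies the result to the crypto ACL 110. Because IOS translates inside-to-outside traffic (the route-map NAT) before it checks the crypto map on the outbound interface, a packet that matched the permit-any entry first leaves with the public source address, no longer matches ACL 110 and goes out in cleartext. The router public address 203.0.113.1 and the host addresses are constructed test values.</FONT></DIV>

```python
"""Model of IOS first-match ACL semantics for the NAT-exemption (route-map)
ACL 115 and the crypto-map ACL 110 discussed in the thread.

Added example, not code from the mailing-list thread. The public IP
203.0.113.1 and the host addresses below are constructed test values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-control entry: 'permit'/'deny' with IOS wildcard masks."""
    action: str
    src: str
    src_wild: str
    dst: str
    dst_wild: str


ANY = ("0.0.0.0", "255.255.255.255")  # what IOS expands the 'any' keyword to


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_lookup(acl, src: str, dst: str) -> str:
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if (wildcard_match(src, ace.src, ace.src_wild)
                and wildcard_match(dst, ace.dst, ace.dst_wild)):
            return ace.action
    return "deny"


LAN_PRA = ("10.3.48.0", "0.0.15.255")   # Ethernet0 network from the posted config
LAN_FW = ("10.50.0.0", "0.0.255.255")   # network behind the Checkpoint

# access-list 110: the crypto-map match ACL, as posted.
ACL_110 = [Ace("permit", *LAN_PRA, *LAN_FW)]

# access-list 115 as posted: permit-any comes first, so the deny is never reached.
ACL_115_POSTED = [Ace("permit", *LAN_PRA, *ANY), Ace("deny", *LAN_PRA, *LAN_FW)]

# access-list 115 as Vijay suggested: exempt the site-to-site traffic first.
ACL_115_FIXED = [Ace("deny", *LAN_PRA, *LAN_FW), Ace("permit", *LAN_PRA, *ANY)]

PUBLIC_IP = "203.0.113.1"  # constructed stand-in for the Dialer1 negotiated address


def forward(src: str, dst: str, nat_acl, crypto_acl, public_ip: str) -> dict:
    """Inside-to-outside path: route-map NAT is applied before the crypto map is
    checked, so a translated source address no longer matches ACL 110."""
    natted = acl_lookup(nat_acl, src, dst) == "permit"  # route-map clause matched
    src_on_wire = public_ip if natted else src
    encrypted = acl_lookup(crypto_acl, src_on_wire, dst) == "permit"
    return {"natted": natted, "src_on_wire": src_on_wire, "encrypted": encrypted}


if __name__ == "__main__":
    for name, acl in (("posted", ACL_115_POSTED), ("fixed", ACL_115_FIXED)):
        r = forward("10.3.48.10", "10.50.1.5", acl, ACL_110, PUBLIC_IP)
        print(f"ACL 115 {name}: 10.3.48.10 -> 10.50.1.5: {r}")
    r = forward("10.3.48.10", "198.51.100.7", ACL_115_FIXED, ACL_110, PUBLIC_IP)
    print(f"ACL 115 fixed: 10.3.48.10 -> 198.51.100.7 (Internet): {r}")
```

<DIV><FONT face=Arial size=2>With the posted order the site-to-site packet is translated and leaves unencrypted, which is the cleartext arrival the Checkpoint log complained about; with the deny entry first it is exempted from NAT and matches the crypto map, while Internet-bound traffic from the same LAN is still translated. The same first-match rule is why a remark line alone ("traffic between the sites does not get natted") guarantees nothing: only the order of the entries does.</FONT></DIV>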
<DIV>----- Original Message ----- </DIV>
<BLOCKQUOTE dir=ltr
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=andrew.prince@trinitysecurity.com
href="mailto:andrew.prince@trinitysecurity.com">Andrew Prince</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=mattdu.31@laposte.net
href="mailto:mattdu.31@laposte.net">mattdu.31@laposte.net</A> ; <A
title=vparamas@cisco.com href="mailto:vparamas@cisco.com">'vparamas'</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>Cc:</B> <A title=vpn@lists.shmoo.com
href="mailto:vpn@lists.shmoo.com">'vpn'</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Thursday, April 21, 2005 7:12
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> RE: [VPN] IOS Checkpoint
VPN</DIV>
<DIV><BR></DIV>
<DIV dir=ltr align=left><SPAN class=825171017-21042005><FONT face=Tahoma
size=2>You must tell the Checkpoint rule that traffic from the local &amp;
remote subnets should be encrypted, in the "Via" column of the rule - you
should define your VPN community there (depending on your version of CP); if it
is 4.1 or below, the action column should be "encrypt".</FONT></SPAN></DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> <A
href="mailto:vpn-bounces+andrew.prince=trinitysecurity.com@lists.shmoo.com">vpn-bounces+andrew.prince=trinitysecurity.com@lists.shmoo.com</A>
[mailto:vpn-bounces+andrew.prince=trinitysecurity.com@lists.shmoo.com] <B>On
Behalf Of </B><A
href="mailto:mattdu.31@laposte.net">mattdu.31@laposte.net</A><BR><B>Sent:</B>
21 April 2005 17:32<BR><B>To:</B> vparamas<BR><B>Cc:</B>
vpn<BR><B>Subject:</B> Re: [VPN] IOS Checkpoint VPN<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV style="FONT-SIZE: 12px; FONT-FAMILY: verdana, arial">
<DIV>Yes thanks, my problem was the access-lists!! I temporarily removed the "ip nat
inside..." from the configuration, and the IKE exchange completed
successfully.</DIV>
<DIV> </DIV>
<DIV>But another problem appeared: "encryption failure: packet was decrypted
but policy says connection should not be decrypted" :((</DIV>
<DIV> </DIV>
<DIV>I have the following rules :</DIV>
<DIV>Cisco837 to FW-1 any traffic : accept</DIV>
<DIV>LanBehindCisco to LanBehindFW: dns, icmp, http: accept.</DIV>
<DIV> </DIV>
<DIV>The LAN located behind the Cisco router is "natted" (hide method) behind the
Gateway, whose internal IP address is 10.50.1.110. (I modified
the topology to fix the address-spoofing problem.)</DIV>
<DIV> </DIV>
<DIV>I made several tests but I still don't understand what's wrong???</DIV>
<DIV><BR> </DIV>
<DIV>>Try re-ordering the Access Control Entries (ACE) in the ACL 115
<P>>Current ACL<BR>>=======<BR>>access-list 115 permit ip 10.3.48.0 0.0.15.255 any<BR>>access-list 115 deny ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255
<P>>Change it to<BR>>=======<BR>>access-list 115 deny ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255<BR>>access-list 115 permit ip 10.3.48.0 0.0.15.255 any
<P>>Thanks,<BR>>Vijay
<P>matt wrote:
<BLOCKQUOTE TYPE="CITE">
<STYLE></STYLE>
<FONT face=Arial><FONT size=-1>hello gurus,</FONT></FONT> <FONT
face=Arial><FONT size=-1>I have been trying for a week to build a site-to-site VPN
between a Checkpoint FW-1 and a Cisco 837 router. I followed several docs
from Cisco and Checkpoint to do that.</FONT></FONT> <BR><FONT
face=Arial><FONT size=-1>Actually I only see incoming ping requests from the
Cisco in the FW logs; the error is: "encryption failure: Received a
cleartext packet within an encrypted connection" ...</FONT></FONT> <BR><FONT
face=Arial><FONT size=-1>So I checked the Cisco configuration again (see
below) and even with all debugging options on I cannot see where the problem
is.</FONT></FONT> <BR><FONT face=Arial><FONT size=-1>Perhaps it's a
compatibility problem? Maybe I should use the Easy VPN "module"? Could anyone help
me?</FONT></FONT> <BR><FONT face=Arial><FONT size=-1>Code:</FONT></FONT>
<PRE>
!
version 12.3
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname RouterESM_PRA
!
no logging console
enable password 7 ****************
!
username monitor password 7 1*******
clock timezone GMT 1
clock summer-time GMT recurring last Sun Mar 2:00 last Sun Oct 2:00
no aaa new-model
ip subnet-zero
!
ip dhcp pool CLIENT
 import all
!
!
no ip bootp server
ip audit notify log
ip audit po max-events 100
vpdn enable
!
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 0 ***** address PUBLIC_IP_FW_CHECKPOINT
!
!
crypto ipsec transform-set ts1 esp-3des esp-md5-hmac
!
crypto map EsmMap 10 ipsec-isakmp
 description specify IPSec policy for ESM
 set peer PUBLIC_IP_FW_CHECKPOINT
 set transform-set ts1
 match address 110
!
!
!
!
interface Ethernet0
 description LAN_PRA
 ip address 10.3.48.1 255.255.240.0
 ip nat inside
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 description adslpro_wanadoo
 ip address negotiated
 no ip redirects
 no ip unreachables
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname ****
 ppp chap password 7 ****
 ppp pap sent-username *** password 7 ***
 crypto map EsmMap
!
ip nat inside source route-map nonat4vpn interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
access-list 1 permit 10.3.48.0 0.0.15.255
access-list 110 remark define an ACL for the traffic to be encrypted
access-list 110 permit ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255
access-list 115 remark traffic between the sites does not get natted
access-list 115 permit ip 10.3.48.0 0.0.15.255 any
access-list 115 deny ip 10.3.48.0 0.0.15.255 10.50.0.0 0.0.255.255
no cdp run
route-map nonat4vpn permit 1
 match ip address 115
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
!
end
</PRE>
<PRE><HR width="90%" SIZE=4>_______________________________________________
VPN mailing list
VPN@lists.shmoo.com
<A href="http://lists.shmoo.com/mailman/listinfo/vpn">http://lists.shmoo.com/mailman/listinfo/vpn</A></PRE></BLOCKQUOTE></DIV></DIV>
<DIV style="FONT-SIZE: 10px; FONT-FAMILY: verdana, arial">
<DIV><BR></DIV>
<DIV><BR></DIV>
<DIV><EM>Access La Poste e-mail: www.laposte.net
;</EM></DIV>
<DIV><EM>3615 LAPOSTENET (0.34 /min); tel.: 08 92 68 13 50
(0.34 /min)</EM></DIV></DIV></BLOCKQUOTE></BODY></HTML>