04-03-2003 08:33 PM - edited 03-09-2019 02:46 AM
I have a crypto config that works fine with a remote CheckPoint Firewall:
-------------- \/ CONFIG 1 \/--------------------
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
!
crypto isakmp key cryptokey1 address 1.2.3.4
!
crypto ipsec transform-set txfrmset1 esp-3des esp-md5-hmac
!
crypto dynamic-map vpn-dynamic 10
set transform-set txfrmset1
!
crypto map secure1_in 1 ipsec-isakmp
set peer 205.245.184.2
set transform-set txfrmset1
match address 105
!
ip nat inside source route-map nonat interface Ethernet0 overload
!
route-map nonat permit 10
match ip address 110
!
access-list 105 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
------------/\ CONFIG 1 /\ --------------------
I needed to add a map for remote clients using the Cisco 3.6 VPN client.
I have a crypto map that has worked great for me in the past. Combining
the two looks something like this:
---------------\/ CONFIG 2 \/ --------------------------
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
! no-xauth: the site-to-site peer must not be prompted for XAUTH credentials
crypto isakmp key cryptokey1 address 1.2.3.4 no-xauth
!
crypto ipsec transform-set txfrmset1 esp-3des esp-md5-hmac
!
crypto dynamic-map vpn-dynamic 10
set transform-set txfrmset1
!
! group attributes pushed to the Cisco VPN clients via mode-config
crypto isakmp client configuration group remote1
key cryptokey2
dns 10.0.0.4
wins 10.0.0.5
pool vpn-pool
!
crypto map secure1_in client authentication list userauthen
crypto map secure1_in isakmp authorization list groupauthor
crypto map secure1_in client configuration address respond
! static entry for the CheckPoint peer
crypto map secure1_in 5 ipsec-isakmp
set peer 1.2.3.4
set transform-set txfrmset1
match address 105
! lower-priority dynamic entry for the VPN clients, in the same crypto map
crypto map secure1_in 10 ipsec-isakmp dynamic vpn-dynamic
!
ip local pool vpn-pool 172.16.30.1 172.16.30.254
ip nat inside source route-map nonat interface Ethernet0 overload
!
access-list 105 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
access-list 110 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 110
---------------/\ CONFIG 2 /\---------------------------
This is classic crypto right out of the Cisco playbook. This map works
fine with the Cisco VPN client, but produces the following errors after a
successful P1 setup with the Checkpoint Firewall:
--------------\/ ERROR OUTPUT \/ -----------------------
05:13:02: ISAKMP (0:2): sending packet to 1.2.3.4 (R) MM_KEY_EXCH
05:13:02: ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
05:13:02: ISAKMP (0:2): Need config/address
05:13:02: ISAKMP (0:2): Need config/address
05:13:02: ISAKMP: set new node 1502565681 to CONF_ADDR
05:13:02: ISAKMP (0:2): No IP address pool defined for ISAKMP!
05:13:02: ISAKMP (0:2): deleting node 1502565681 error FALSE reason ""
05:13:02: ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_MODE_SET_SENT
05:13:02: ISAKMP (0:2): received packet from 1.2.3.4 (R) CONF_ADDR
05:13:02: ISAKMP: set new node -1848822857 to CONF_ADDR
05:13:02: ISAKMP (0:2): Unknown Input: state = IKE_CONFIG_MODE_SET_SENT, major, minor = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
05:13:04: ISAKMP (0:2): received packet from 1.2.3.4 (R) CONF_ADDR
--------------/\ ERROR OUTPUT /\--------------------------
This does not happen with config 1. If this were a PIX, I'd use the
no-config-mode keyword after the no-xauth on the "crypto isakmp key"
command line. This is not available on IOS IPSEC and I've never
needed to do it before. I'm running Cisco IOS 12.2(5.4)T on a 1721 VPN
router. The static map seems to work by itself. What am I doing wrong?
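As an added example (not part of the original post, and not a Cisco tool): a small Python triage script that groups the "debug crypto isakmp" lines above by ISAKMP SA, records the Old State / New State transitions, and flags the three symptoms visible in the trace: the router entering mode-config after phase 1, the "No IP address pool defined" message, and the resulting "Unknown Input" from the IKE state machine. The sample input is the thread's debug output embedded as a constructed string; the regexes and the findings wording are assumptions of this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: the "debug crypto isakmp" lines quoted in the post,
# embedded here as a string so the script runs offline.
SAMPLE_DEBUG = """\
05:13:02: ISAKMP (0:2): sending packet to 1.2.3.4 (R) MM_KEY_EXCH
05:13:02: ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
05:13:02: ISAKMP (0:2): Need config/address
05:13:02: ISAKMP (0:2): Need config/address
05:13:02: ISAKMP: set new node 1502565681 to CONF_ADDR
05:13:02: ISAKMP (0:2): No IP address pool defined for ISAKMP!
05:13:02: ISAKMP (0:2): deleting node 1502565681 error FALSE reason ""
05:13:02: ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_MODE_SET_SENT
05:13:02: ISAKMP (0:2): received packet from 1.2.3.4 (R) CONF_ADDR
05:13:02: ISAKMP: set new node -1848822857 to CONF_ADDR
05:13:02: ISAKMP (0:2): Unknown Input: state = IKE_CONFIG_MODE_SET_SENT, major, minor = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
05:13:04: ISAKMP (0:2): received packet from 1.2.3.4 (R) CONF_ADDR
"""

# Assumed line shapes, taken from the trace above.
SA_RE = re.compile(r"ISAKMP \((\d+:\d+)\)")
PEER_RE = re.compile(r"\b(?:to|from) (\d{1,3}(?:\.\d{1,3}){3})\b")
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")


@dataclass
class SaReport:
    sa_id: str
    peer: str | None = None
    transitions: list[tuple[str, str]] = field(default_factory=list)
    findings: list[str] = field(default_factory=list)

    def reached(self, state: str) -> bool:
        """True if the SA ever transitioned into the given IKE state."""
        return any(new == state for _, new in self.transitions)


def triage_isakmp_debug(text: str) -> dict[str, SaReport]:
    """Group debug lines by ISAKMP SA id, record state transitions and flag the
    symptoms seen in the thread. Lines without an SA id (the "ISAKMP: set new
    node" and "Old State" lines) are attributed to the last SA seen."""
    reports: dict[str, SaReport] = {}
    current: SaReport | None = None
    for line in text.splitlines():
        m = SA_RE.search(line)
        if m:
            current = reports.setdefault(m.group(1), SaReport(m.group(1)))
        if current is None:
            continue
        pm = PEER_RE.search(line)
        if pm:
            current.peer = pm.group(1)
        sm = STATE_RE.search(line)
        if sm:
            old, new = sm.groups()
            current.transitions.append((old, new))
            if new == "IKE_CONFIG_MODE_SET_SENT":
                current.findings.append(
                    f"peer {current.peer}: phase 1 complete, then the router entered "
                    "IKE mode-config (IKE_CONFIG_MODE_SET_SENT); normal for remote-access "
                    "clients, unexpected for a static site-to-site peer")
        if "No IP address pool defined" in line:
            current.findings.append(
                f"peer {current.peer}: mode-config address request with no pool bound to this SA")
        if "Unknown Input" in line:
            current.findings.append(
                f"peer {current.peer}: IKE state machine rejected the input for its current "
                "state; check whether the exchange ever reaches quick mode")
    return reports


def summarize(reports: dict[str, SaReport]) -> list[str]:
    """One line per SA with its peer, last state and number of findings."""
    lines = []
    for sa in reports.values():
        last = sa.transitions[-1][1] if sa.transitions else "unknown"
        lines.append(f"SA {sa.sa_id} peer={sa.peer} last_state={last} findings={len(sa.findings)}")
    return lines


if __name__ == "__main__":
    result = triage_isakmp_debug(SAMPLE_DEBUG)
    for line in summarize(result):
        print(line)
    for sa in result.values():
        for finding in sa.findings:
            print("  -", finding)
```

Run against the trace above it reports one SA (0:2) with peer 1.2.3.4, the transition into IKE_P1_COMPLETE and then into IKE_CONFIG_MODE_SET_SENT, and three findings; the same script can be pointed at a longer capture to see which peers the router is trying to push mode-config to.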
04-03-2003 09:42 PM
I've seen this a couple of times and to be honest have never tracked it down to an exact cause, although in this case it almost looks like the CheckPoint is requesting an IP address which is weird. Try the following:
1. Add "crypto map secure1_in client configuration address initiate" and see what that does.
2. Try 12.2(8)T5 code with this, I had a previous user running 12.2(11)T and we got the same error messages, reverting to this code level resolved it.
Also, wouldn't you need:
> access-list 110 deny ip 192.168.10.0 0.0.0.255 172.16.30.0 0.0.0.255
as well, so that you don't NAT the VPN client traffic?
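As an added illustration of the NAT-exemption point in this reply (example code, not from the thread and not a Cisco tool): a Python checker that parses the "access-list N permit|deny ip ..." and "ip local pool" lines, evaluates the route-map ACL the way IOS does (first match wins, implicit deny at the end), and reports the flows that should go through the tunnel untranslated but that the NAT rule would still translate. The sample config is constructed from config 2; its ACL 110 permit line is written to cover the inside LAN 192.168.10.0/24 so that the gap is visible, and the pool network 172.16.30.0/24 in the added deny line is the one this reply proposes.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Constructed sample based on the thread's second config (NAT-related lines only).
CONFIG_BEFORE = """\
ip local pool vpn-pool 172.16.30.1 172.16.30.254
ip nat inside source route-map nonat interface Ethernet0 overload
access-list 105 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 110 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 110
"""
POOL_DENY = "access-list 110 deny ip 192.168.10.0 0.0.0.255 172.16.30.0 0.0.0.255"
# The deny line proposed in the reply, inserted before the permit (correct).
CONFIG_AFTER = CONFIG_BEFORE.replace("access-list 110 permit ip", POOL_DENY + "\naccess-list 110 permit ip")
# The same deny line appended after the permit, where it can never match.
CONFIG_MISORDERED = CONFIG_BEFORE.replace("route-map nonat permit 10", POOL_DENY + "\nroute-map nonat permit 10")

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+) (\S+)\s*$")


@dataclass
class Ace:
    action: str
    src: IPv4Network
    dst: IPv4Network


def _wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    # A Cisco wildcard mask is an inverted netmask; invert it explicitly, because
    # 0.0.0.0 would otherwise be ambiguous between "host" and "any".
    netmask = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return IPv4Network((addr, str(IPv4Address(netmask))), strict=False)


def _take_addr(tokens: list[str]) -> IPv4Network:
    """Consume one address spec ("any", "host A", or "A wildcard") from tokens."""
    kw = tokens.pop(0)
    if kw == "any":
        return IPv4Network("0.0.0.0/0")
    if kw == "host":
        return IPv4Network(tokens.pop(0) + "/32")
    return _wildcard_to_network(kw, tokens.pop(0))


def parse_config(config: str) -> tuple[dict[str, list[Ace]], dict[str, tuple[IPv4Address, IPv4Address]]]:
    """Collect numbered extended ACL entries (ip protocol only) and local pools."""
    acls: dict[str, list[Ace]] = {}
    pools: dict[str, tuple[IPv4Address, IPv4Address]] = {}
    for raw in config.splitlines():
        tokens = raw.split()
        if (len(tokens) >= 6 and tokens[0] == "access-list"
                and tokens[2] in ("permit", "deny") and tokens[3] == "ip"):
            rest = tokens[4:]
            src = _take_addr(rest)
            dst = _take_addr(rest)
            acls.setdefault(tokens[1], []).append(Ace(tokens[2], src, dst))
        m = POOL_RE.match(raw)
        if m:
            pools[m.group(1)] = (IPv4Address(m.group(2)), IPv4Address(m.group(3)))
    return acls, pools


def acl_action(aces: list[Ace], src: IPv4Address, dst: IPv4Address) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in aces:
        if src in ace.src and dst in ace.dst:
            return ace.action
    return "deny"


def check_flow(config: str, acl_id: str, src_ip: str, dst_ip: str) -> str:
    acls, _ = parse_config(config)
    return acl_action(acls.get(acl_id, []), IPv4Address(src_ip), IPv4Address(dst_ip))


def _probe(net: IPv4Network) -> IPv4Address:
    # One representative host inside the network.
    return net.network_address + (1 if net.prefixlen < 31 else 0)


def nat_exemption_gaps(config: str, nat_acl: str = "110", crypto_acls: tuple[str, ...] = ("105",)) -> list[tuple[str, str]]:
    """Flows the crypto ACLs (or inside LAN -> VPN pool) expect to carry
    untranslated, but which the NAT route-map ACL would still permit (i.e. NAT)."""
    acls, pools = parse_config(config)
    flows: list[tuple[str, IPv4Address, str, IPv4Address]] = []
    inside: list[IPv4Network] = []
    for acl_id in crypto_acls:
        for ace in acls.get(acl_id, []):
            if ace.action == "permit":
                flows.append((str(ace.src), _probe(ace.src), str(ace.dst), _probe(ace.dst)))
                inside.append(ace.src)
    for name, (start, end) in pools.items():
        for net in inside:
            for host in (start, end):  # both ends of the pool must be exempt
                flows.append((str(net), _probe(net), f"pool {name}", host))
    gaps: list[tuple[str, str]] = []
    for src_label, src, dst_label, dst in flows:
        if acl_action(acls.get(nat_acl, []), src, dst) == "permit" and (src_label, dst_label) not in gaps:
            gaps.append((src_label, dst_label))
    return gaps


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER), ("misordered", CONFIG_MISORDERED)):
        print(label, nat_exemption_gaps(cfg))
```

The "misordered" case is the caveat worth keeping in mind when you add the suggested line: numbered ACL entries are evaluated top-down, so a deny appended after the "permit ... any" entry never matches and the VPN client traffic is still translated.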
04-04-2003 02:42 AM
Yes indeed - I omitted it from the code fragment that I posted - my apologies. What is driving me mad about this is the fact that the static map behaves differently when it is combined with the (lower priority) dynamic map in my second example. It almost seems like a bug - or a typo on my part...
I'll try the "... initiate" command and also the 12.2(8)T image. I had a different crypto problem at another client with the recently released 12.2(15)T and had to revert to an earlier code release to fix it. This implementation is being done on an earlier release 12.2(5.4)T and perhaps this is a bug - I'll try it this morning and post my results.
04-07-2003 03:27 AM
Bingo!
Upgrading the IOS image to 12.2(8)T5 fixed the problem with no further changes necessary. I tried the "... initiate" command and it seemed to have no effect.
The system now behaves as we would expect - thank you for your guidance.