on 08-30-2010 05:11 AM
Hi,
Cannot get the VPN to come up at all between a Cisco ASA and a Checkpoint. Below are the hardware/software configurations:
Checkpoint NGX R65
Model IP560
Software release 4.2 – BUILD106a02
Software version releng 1515 11.18.2209-195037
Configured in a high availability pair
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Cisco Adaptive Security Appliance Software Version 7.0(4)
The Checkpoint firewall rebooted a week ago and since then we cannot get the VPN to come up at all. It was working fine before for a couple of years, but for whatever reason, it will not come up at all now.
The 3rd party who look after the Checkpoint have been cooperative and we have exchanged settings, but we cannot see why Phase 1 is failing all the time. It never even gets past Phase 1.
The settings on the ASA are as follows:
ASA# show runn | begin crypto
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-CRYPTO_INTERNET 1 set transform-set ESP-AES256-SHA
crypto dynamic-map DYN-CRYPTO_INTERNET 1 set reverse-route
crypto map CRYPTO_MAP_INTERNET 1 match address XXX-VPN-XXXX
crypto map CRYPTO_MAP_INTERNET 1 set peer 3.3.3.3
crypto map CRYPTO_MAP_INTERNET 1 set transform-set ESP-3DES-SHA
crypto map CRYPTO_MAP_INTERNET 1 set security-association lifetime seconds 3600
isakmp identity address
isakmp enable Internet
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 3600
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption 3des
isakmp policy 11 hash sha
isakmp policy 11 group 2
isakmp policy 11 lifetime 28800
isakmp policy 14 authentication pre-share
isakmp policy 14 encryption 3des
isakmp policy 14 hash sha
isakmp policy 14 group 2
isakmp policy 14 lifetime 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp nat-traversal 20
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold infinite
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 10
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
pre-shared-key *
ASA# show crypto isakmp sa detail
Active SA: 6
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 6
1 IKE Peer: X.X.X.X
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : SHA
Auth : preshared Lifetime: 28800
Lifetime Remaining: 12820
2 IKE Peer: X.X.X.X
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 3600
Lifetime Remaining: 1120
3 IKE Peer: X.X.X.X
Type : user Role : responder
Rekey : no State : AM_ACTIVE
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 3600
Lifetime Remaining: 1362
4 IKE Peer: X.X.X.X
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : SHA
Auth : preshared Lifetime: 3600
Lifetime Remaining: 1692
5 IKE Peer: X.X.X.X
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 3600
Lifetime Remaining: 1847
6 IKE Peer: 3.3.3.3
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 0
I will attach screenshots of the Checkpoint VPN settings.
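The output above shows the SA to 3.3.3.3 sitting in MM_WAIT_MSG2 with a lifetime of 0: the ASA, acting as initiator, has sent the first main-mode message (its ISAKMP SA proposal) and is still waiting for the responder's reply, so the peer has not answered at all. The following Python script is an added example, not code from the post or from Cisco. It parses `show crypto isakmp sa detail` output in the layout shown above, flags any IKE SA that is not in an active state with a short explanation of what that wait state means, and then checks a peer's Phase 1 proposal against the ASA's `isakmp policy` entries to find the first matching policy. The SA excerpt and the peer proposals are constructed samples (the peer address 192.0.2.10 is a placeholder); the Checkpoint's real proposal is not in the post, so the proposals here only illustrate the check.

```python
import re

# Constructed sample: excerpt of `show crypto isakmp sa detail` in the same
# layout as the post (192.0.2.10 is a placeholder peer address).
SAMPLE_SA_OUTPUT = """\
1 IKE Peer: 192.0.2.10
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : SHA
Auth : preshared Lifetime: 28800
Lifetime Remaining: 12820
2 IKE Peer: 3.3.3.3
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 0
"""

# Constructed sample: two of the isakmp policies from the post.
SAMPLE_POLICY_CONFIG = """\
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 3600
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""

# What an initiator-side main-mode wait state tells you: which message the ASA
# sent last and what the peer never answered.
MM_STATE_MEANING = {
    "MM_WAIT_MSG2": "sent MM1 (SA proposal); peer never replied, so the peer is "
                    "unreachable on UDP/500, does not accept this ASA as a peer, "
                    "or silently rejects every proposal",
    "MM_WAIT_MSG4": "sent MM3 (key exchange/nonce); waiting for peer's MM4",
    "MM_WAIT_MSG6": "sent MM5 (identity/hash); waiting for peer's MM6, so the "
                    "pre-shared key or identity is the usual suspect",
}

PEER_RE = re.compile(r"^\s*\d+\s+IKE Peer:\s*(\S+)")
FIELD_RE = re.compile(r"(\w[\w ]*?)\s*:\s*(\S+)")   # "Key : value" pairs per line
POLICY_RE = re.compile(r"^isakmp policy (\d+) (\S+) (\S+)$")

# Attributes that must agree for an IKEv1 Phase 1 policy match; the lifetime is
# negotiated separately (the responder may accept a shorter one), so it is ignored.
MATCH_ATTRS = ("authentication", "encryption", "hash", "group")


def parse_isakmp_sa(text):
    """Return one dict per IKE SA (peer plus the Key : value fields shown)."""
    sas = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            sas.append({"peer": m.group(1)})
        elif sas:
            for key, value in FIELD_RE.findall(line):
                sas[-1][key.strip()] = value
    return sas


def stuck_phase1(sas):
    """List (peer, state, meaning) for every SA that is not in an *_ACTIVE state."""
    report = []
    for sa in sas:
        state = sa.get("State", "")
        if not state.endswith("_ACTIVE"):
            meaning = MM_STATE_MEANING.get(state, "Phase 1 not complete")
            report.append((sa["peer"], state, meaning))
    return report


def parse_isakmp_policies(config):
    """Map policy number -> {attribute: value} from `isakmp policy N ...` lines."""
    policies = {}
    for line in config.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return policies


def match_policy(policies, proposal):
    """Return the lowest-numbered policy matching the peer's proposal, or None."""
    for num in sorted(policies):
        if all(policies[num].get(a) == proposal.get(a) for a in MATCH_ATTRS):
            return num
    return None


if __name__ == "__main__":
    for peer, state, meaning in stuck_phase1(parse_isakmp_sa(SAMPLE_SA_OUTPUT)):
        print(f"{peer}: {state} -> {meaning}")
    policies = parse_isakmp_policies(SAMPLE_POLICY_CONFIG)
    # Constructed peer proposals: one the ASA would accept, one it would not.
    for proposal in ({"authentication": "pre-share", "encryption": "aes-256",
                      "hash": "sha", "group": "2"},
                     {"authentication": "pre-share", "encryption": "3des",
                      "hash": "md5", "group": "5"}):
        print(proposal, "->", match_policy(policies, proposal))
```

Run it against a saved `show crypto isakmp sa detail` and the `isakmp policy` block to get the stuck peers and their last completed exchange step; when the peer's proposal is known (for example from the Checkpoint's IKE properties), `match_policy` shows which ASA policy, if any, would accept it.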