09-09-2004 10:41 PM - edited 02-21-2020 01:20 PM
Hopefully somebody else has seen something like this?
For some reason, connections from the Cisco 837 site coming in to the enterprise bring up a tunnel and work. The output of debug at this time is
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= x1.x2.x3.150, remote= x.x.x.14,
local_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.60.64.0/255.255.240.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
That 255.255.240.0 is the correct netmask and matches, but when connecting back from the enterprise it fails with the wrong netmask 255.255.224.0, and I can't find where that's being generated.
Sep 6 11:07:25.234: ISAKMP:(0:1:HW:2):atts are acceptable.
Sep 6 11:07:25.234: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= x1.x2.x3.150, remote= x.x.x.14,
local_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.60.64.0/255.255.224.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Sep 6 11:07:25.234: CryptoEngine0: validate proposal request
Sep 6 11:07:25.238: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address x1.x2.x3.150
Sep 6 11:07:25.238: ISAKMP:(0:1:HW:2): IPSec policy invalidated proposal
Sep 6 11:07:25.238: ISAKMP:(0:1:HW:2): phase 2 SA policy not acceptable! (local x1.x2.x3.150 remote x.x.x.14)
Sep 6 11:07:25.238: ISAKMP: set new node -388680751 to QM_IDLE
Sep 6 11:07:25.242: CryptoEngine0: generate hmac context for conn id 1
Sep 6 11:07:25.242: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)
Sep 6 11:07:25.246: ISAKMP:(0:1:HW:2):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 43, message ID = -388680751
Sep 6 11:07:25.246: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT(hw)(ipsec)
Sep 6 11:07:25.250: ISAKMP:(0:1:HW:2): sending packet to x.x.x.14 my_port 500 peer_port 500 (I) QM_IDLE
Sep 6 11:07:25.250: ISAKMP:(0:1:HW:2):purging node -388680751
Sep 6 11:07:25.250: ISAKMP:(0:1:HW:2):deleting node -2030181510 error TRUE reason "QM rejected"
Sep 6 11:07:25.250: ISAKMP (0:268435457): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: for node -2030181510: state = IKE_QM_READY
Sep 6 11:07:25.254: ISAKMP:(0:1:HW:2):Node -2030181510, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Sep 6 11:07:25.254: ISAKMP:(0:1:HW:2):Old State = IKE_QM_READY New State = IKE_QM_READY
Sep 6 11:07:25.254: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at x.x.x.14
09-11-2004 11:09 PM
Follow-up to my own post. Can anybody tell me about the mask selected in the SA's proxy? The remote_proxy in the SA request, 255.255.224.0, is wrong. I believe that the Checkpoint VPN at the other end has sent me the mask 255.255.240.0 and established my SAs with that mask (show crypto ipsec sa confirms the SAs exist with 240 and work for inbound traffic).
When I telnet from an internal Unix machine, the Checkpoint VPN is then sending me packets with the wrong SA mask 255.255.224.0, and my 837 rejects the conversation with no matching SA. The people that manage the Checkpoint VPN claim they can't find anything that specifies 224 instead of 240, and so it's my problem ;(
11-23-2004 05:27 PM
Still haven't quite worked out what rules the Checkpoint follows, but it seems to be doing some sort of network mask merging, resulting in it using an unexpected 255.255.224.0 when I expected 240.0.
The key to fixing this is to understand that the Cisco creates the SAs from the network/mask supplied in the access-list used in the match address of the crypto map.
So by changing my access list
from
access-list 115 permit ip 192.168.3.0 0.0.0.255 10.60.64.0 0.0.15.255
access-list 115 permit ip 10.60.64.0 0.0.15.255 192.168.3.0 0.0.0.255
to
access-list 115 permit ip 192.168.3.0 0.0.0.255 10.60.64.0 0.0.31.255
access-list 115 permit ip 10.60.64.0 0.0.31.255 192.168.3.0 0.0.0.255
has allowed the two-way connections. But I think Checkpoint needs its drug dosage adjusted.
Hope this helps some other poor nsdystf ;>
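The fix above comes down to one rule: the proxy identities (local_proxy/remote_proxy) the 837 will accept in a phase 2 proposal are exactly the network/mask pairs derived from the crypto ACL, and a Cisco wildcard mask is the bitwise complement of the netmask (0.0.15.255 is /20, 0.0.31.255 is /19). The script below is an added example, not code from the thread or from Cisco; it converts an ACL entry to the selectors IOS derives from it, parses the proxy lines out of IPSEC(validate_proposal_request) debug output, and reports any network/mask mismatch. The sample ACL lines and proposal text are constructed (the local side uses the ACL's own 192.168.3.0/24 rather than the anonymised debug above), and it assumes the first permit line is the one to compare (source is local_proxy, destination is remote_proxy); the mirrored line is the same check with the sides swapped.

```python
import ipaddress
import re

# Constructed samples (not captured from a live device): the crypto ACL before and
# after the fix described in the thread, and proxy-identity lines shaped like the
# IPSEC(validate_proposal_request) output, with the peer still proposing /19.
ACL_BEFORE = "access-list 115 permit ip 192.168.3.0 0.0.0.255 10.60.64.0 0.0.15.255"
ACL_AFTER = "access-list 115 permit ip 192.168.3.0 0.0.0.255 10.60.64.0 0.0.31.255"
PROPOSAL = (
    "local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),\n"
    "remote_proxy= 10.60.64.0/255.255.224.0/0/0 (type=4),\n"
)

ACL_RE = re.compile(r"access-list\s+\d+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
PROXY_RE = re.compile(r"(local|remote)_proxy=\s*(\S+)/(\S+)/\d+/\d+")


def wildcard_to_netmask(wildcard: str) -> str:
    """Convert a Cisco wildcard mask to the equivalent subnet mask.

    The wildcard is the bitwise complement of the netmask, so
    0.0.15.255 -> 255.255.240.0 (/20) and 0.0.31.255 -> 255.255.224.0 (/19).
    """
    bits = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(bits ^ 0xFFFFFFFF))


def acl_selectors(acl_line: str):
    """Return the (local, remote) networks IOS derives from one crypto ACL entry."""
    m = ACL_RE.match(acl_line.strip())
    if m is None:
        raise ValueError(f"unsupported ACL syntax: {acl_line!r}")
    src, src_wc, dst, dst_wc = m.groups()
    local = ipaddress.ip_network(f"{src}/{wildcard_to_netmask(src_wc)}", strict=False)
    remote = ipaddress.ip_network(f"{dst}/{wildcard_to_netmask(dst_wc)}", strict=False)
    return local, remote


def proposal_selectors(debug_text: str):
    """Pull the local_proxy/remote_proxy networks out of the debug text."""
    found = {}
    for side, net, mask in PROXY_RE.findall(debug_text):
        found[side] = ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if set(found) != {"local", "remote"}:
        raise ValueError("proposal text lacks a local_proxy or remote_proxy line")
    return found["local"], found["remote"]


def check_proposal(acl_line: str, debug_text: str) -> list:
    """Compare the peer's proxy identities with the ACL entry.

    Returns a list of mismatch descriptions; an empty list means network and mask
    agree on both sides, which is what the responder needs before it will accept
    the phase 2 proposal instead of answering PROPOSAL_NOT_CHOSEN.
    """
    acl_local, acl_remote = acl_selectors(acl_line)
    prop_local, prop_remote = proposal_selectors(debug_text)
    problems = []
    for name, want, got in (
        ("local_proxy", acl_local, prop_local),
        ("remote_proxy", acl_remote, prop_remote),
    ):
        if want != got:
            problems.append(f"{name} {got} does not match ACL {want}")
    return problems


if __name__ == "__main__":
    for label, acl in (("before fix", ACL_BEFORE), ("after fix", ACL_AFTER)):
        print(label + ":", check_proposal(acl, PROPOSAL) or "proxy identities match ACL")
```

Run against the constructed samples, the pre-fix ACL reports that remote_proxy 10.60.64.0/19 does not match the ACL's 10.60.64.0/20, and the post-fix ACL reports nothing, which is the same conclusion the debug output led to by hand. Pasting a real proposal block in place of PROPOSAL and the live ACL line in place of ACL_BEFORE gives the mismatch directly, without reading the masks off the debug by eye.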