Checkpoint - CISCO - Site 2 Site VPN - CISCO router failing to decrypt!

mikull.kiznozki
Level 1

An interesting problem that I have come across, folks.

S2S between a CP and a CISCO 2600 router.

The tunnel comes up like a charm, but when interesting traffic hits the Cisco router, I get the below error:

%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2001 local=xxxx.47 remote=xxxx.45 spi=2FC9A6E1 seqno=00000040

#sh cry ipsec sa

interface: FastEthernet0/0
    Crypto map tag: mymap, local addr 1xxxx.47

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.23.0/255.255.255.0/0/0)
   current_peer 1xxxx45 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 58, #pkts encrypt: 58, #pkts digest: 58
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 11, #recv errors 68

     local crypto endpt.: 1xxxx7, remote crypto endpt.: 1xxxxx45
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x507E0DF0(1350438384)

     inbound esp sas:
      spi: 0x2FC9A6E1(801744609)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4603331/797)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x507E0DF0(1350438384)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4603335/795)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Any tips?

This is a Cisco router and the peer is a Checkpoint running R75.20 code.

Cheers
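The output above has the classic signature of a one-way tunnel: the inbound ESP SA is ACTIVE, the router encapsulates 58 packets, decapsulates 0, shows 68 receive errors, and the syslog reports an HMAC failure on exactly the inbound SPI, so ESP packets are reaching the router but failing the integrity check before decryption. The following triage helper is an added example, not part of the original thread and not Cisco or Check Point tooling. It parses a constructed excerpt of the `show crypto ipsec sa` output (the 198.51.100.x addresses are documentation-range placeholders standing in for the redacted ones) together with a constructed `%CRYPTO-4-RECVD_PKT_MAC_ERR` line, and reports the counter asymmetry and SPI correlation. It goes a little beyond this thread: it also checks that the failing packets come from the negotiated peer address and notes whether NAT-T (UDP 4500) is in use, both of which are worth knowing before comparing the two gateways' settings, as the follow-up reply ended up doing.

```python
"""Correlate 'show crypto ipsec sa' counters with %CRYPTO-4-RECVD_PKT_MAC_ERR
syslog lines to explain why an IOS IPsec tunnel is up but nothing decrypts."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the poster's output; 198.51.100.x addresses
# are documentation-range placeholders, not the real peers.
SAMPLE_SHOW = """\
interface: FastEthernet0/0
    Crypto map tag: mymap, local addr 198.51.100.47
   current_peer 198.51.100.45 port 500
    #pkts encaps: 58, #pkts encrypt: 58, #pkts digest: 58
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 11, #recv errors 68
     current outbound spi: 0x507E0DF0(1350438384)
     inbound esp sas:
      spi: 0x2FC9A6E1(801744609)
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
      spi: 0x507E0DF0(1350438384)
        Status: ACTIVE
"""

# Constructed syslog line in the same format as the one in the post.
SAMPLE_SYSLOG = [
    "%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection "
    "id=2001 local=198.51.100.47 remote=198.51.100.45 spi=2FC9A6E1 seqno=00000040",
]

MAC_ERR_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection "
    r"id=(\d+) local=(\S+) remote=(\S+) spi=([0-9A-Fa-f]+) seqno=([0-9A-Fa-f]+)"
)


@dataclass
class IpsecSa:
    peer: str = ""
    peer_port: int = 0
    encaps: int = 0
    decaps: int = 0
    verify: int = 0
    send_errors: int = 0
    recv_errors: int = 0
    inbound_spi: str = ""
    outbound_spi: str = ""


@dataclass
class MacError:
    remote: str
    spi: str
    seqno: int


def parse_ipsec_sa(text: str) -> IpsecSa:
    """Extract the fields that matter for a 'tunnel up, no decrypt' diagnosis."""
    sa, direction = IpsecSa(), None
    for raw in text.splitlines():
        s = raw.strip()
        if m := re.match(r"current_peer (\S+) port (\d+)", s):
            sa.peer, sa.peer_port = m.group(1), int(m.group(2))
        elif m := re.match(r"#pkts encaps: (\d+)", s):
            sa.encaps = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+).*#pkts verify: (\d+)", s):
            sa.decaps, sa.verify = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", s):
            sa.send_errors, sa.recv_errors = int(m.group(1)), int(m.group(2))
        elif s.endswith("sas:"):  # only the ESP sections carry the SPIs we want
            direction = {"inbound esp sas:": "in", "outbound esp sas:": "out"}.get(s)
        elif (m := re.match(r"spi: 0x([0-9A-Fa-f]+)", s)) and direction:
            if direction == "in" and not sa.inbound_spi:
                sa.inbound_spi = m.group(1).upper()
            elif direction == "out" and not sa.outbound_spi:
                sa.outbound_spi = m.group(1).upper()
    return sa


def parse_mac_errors(lines) -> list:
    """Collect every MAC-verify failure with its source address and SPI."""
    return [MacError(m.group(3), m.group(4).upper(), int(m.group(5), 16))
            for line in lines if (m := MAC_ERR_RE.search(line))]


def triage(sa: IpsecSa, errors: list) -> list:
    """Return (code, explanation) findings in a fixed order."""
    f = []
    if sa.encaps > 0 and sa.decaps == 0:
        f.append(("ONE_WAY", f"{sa.encaps} packets encapsulated, none decapsulated"))
    if sa.recv_errors > 0 and sa.verify == 0:
        f.append(("INBOUND_REJECTED", f"{sa.recv_errors} recv errors, 0 verified: "
                  "ESP arrives but every packet fails before decryption"))
    for key in sorted({(e.remote, e.spi) for e in errors}):  # one finding per source/SPI
        remote, spi = key
        if spi == sa.inbound_spi:
            f.append(("MAC_ON_INBOUND_SA", f"HMAC fails on negotiated inbound SPI {spi}: "
                      "keys/transform differ or the packet was altered in transit"))
        else:
            f.append(("MAC_ON_UNKNOWN_SPI", f"HMAC fails on SPI {spi}, not the current inbound SA"))
        if remote != sa.peer:
            f.append(("PEER_MISMATCH", f"ESP from {remote} but SA negotiated with {sa.peer}"))
    f.append(("NAT_T_ON" if sa.peer_port == 4500 else "NAT_T_OFF",
              f"peer port {sa.peer_port}: compare NAT traversal settings on both gateways"))
    return f


if __name__ == "__main__":
    for code, why in triage(parse_ipsec_sa(SAMPLE_SHOW), parse_mac_errors(SAMPLE_SYSLOG)):
        print(f"{code:18} {why}")
```

Feed it the real `show crypto ipsec sa` text and the router's syslog and the findings narrow the comparison to the few settings that can produce an HMAC failure on the correct SPI: the integrity transform and keys on the two peers, anything rewriting the packet between them (NAT, NAT-T encapsulation), and which interface the far gateway is sourcing its encrypted traffic from.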

2 Replies

mikull.kiznozki
Level 1

Jesus... now seeing every second packet drop on the Cisco router. I wonder if Checkpoint is actually the culprit.

Sorry, I jumped the gun. Fixed the problem myself. It was an issue with the security gateway settings on the Checkpoint: it was trying to initiate traffic from the inside interface rather than the outside.

Please close the thread.

Edit: disabled NAT traversal as well on the CP.
