Cisco 800 router to CheckPoint IPSEC VPN issue
07-16-2012 04:08 AM - edited 02-21-2020 06:12 PM
Hi
I am trying to get a simple IPSEC VPN between a Cisco 800 router and a CheckPoint firewall.
The Phase 1 negotiation is working fine; however, the Phase 2 negotiation is failing with the following error message:
Jul 16 10:53:42.734: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= X.X.X.X:0, remote= X.X.X.X:0,
local_proxy= X.X.X.0/255.255.255.0/256/0,
remote_proxy= X.X.0.0/255.255.0.0/256/0,
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jul 16 10:53:42.734: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-3des esp-md5-hmac }
I have double-checked the configuration on both sides of the tunnel and they appear to match:
- 3DES and MD5 and 3600 secs renewal time.
The configuration for the Cisco side is attached below. I would appreciate any help possible to get this resolved.
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key XXX address X.X.X.X
!
crypto ipsec transform-set AES128-SHA1-1 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 3 ipsec-isakmp
 description IPSec Tunnel XXXXXX
 set peer X.X.X.X
 set transform-set AES128-SHA1-1
 match address 199
!
ip nat inside source route-map NONAT interface FastEthernet4 overload
!
access-list 111 deny ip X.X.X.0 0.0.0.255 X.X.0.0 0.0.255.255
access-list 111 permit ip X.X.X.0 0.0.0.255 any
access-list 199 permit ip X.X.X.0 0.0.0.255 X.X.0.0 0.0.255.255
!
route-map NONAT permit 10
 match ip address 111
I am getting the following debugs:
SH CRY ISA SA
dst src state conn-id status
46.X.X.X 83.X.X.X QM_IDLE 2008 ACTIVE
46.X.X.X 83.X.X.X QM_IDLE 2007 ACTIVE
46.X.X.X 83.X.X.X QM_IDLE 2004 ACTIVE
SH CRY SESS
Interface: FastEthernet4
Session status: UP-IDLE
Peer: 83.X.X.X port 500
IKEv1 SA: local 46.X.X.X/500 remote 83.X.X.X/500 Active
IKEv1 SA: local 46.X.X.X/500 remote 83.X.X.X/500 Active
IKEv1 SA: local 46.X.X.X/500 remote 83.X.X.X/500 Active
IPSEC FLOW: permit ip X.X.X.0/255.255.255.0 X.X.0.0/255.255.0.0
Active SAs: 0, origin: crypto map
Many thanks in advance...
Labels: IPSEC
07-17-2012 08:35 AM
After much head scratching and debugging it transpires that the config laid out above is correct and the tunnel should work perfectly. The problem was that the CheckPoint was configured with a class A network on the inside interface and therefore would raise the Phase I tunnel on the external interface then not be able to respond with a correctly constructed Phase II response.
The tunnel now works perfectly.
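The root cause in the reply (the peer proposing a class A inside network while the router's crypto ACL expects a /16) is a Phase 2 proxy-ID mismatch that can be checked mechanically against the debug. This is an added Python example, not code from the post, Cisco or Check Point: it parses an IOS validate_proposal_request debug and the crypto-map ACL and lists why the proposal would be rejected; the addresses (192.0.2.0/24, 10.0.0.0/8, 46.0.2.1, 83.0.2.1) and the ACL line are constructed, since the post masks the real values.

```python
import ipaddress
import re
# Constructed sample input (the post masks real addresses with X): an IOS
# validate_proposal_request debug carrying the proxy IDs the peer proposed.
DEBUG_MISMATCH = """\
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 46.0.2.1:0, remote= 83.0.2.1:0,
local_proxy= 192.0.2.0/255.255.255.0/256/0,
remote_proxy= 10.0.0.0/255.0.0.0/256/0,
protocol= ESP, transform= NONE (Tunnel),"""
# Constructed crypto-map ACL in the shape of access-list 199 in the post.
ACL_LINES = ["access-list 199 permit ip 192.0.2.0 0.0.0.255 10.1.0.0 0.0.255.255"]
PROXY_RE = re.compile(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/\d+/\d+")
ACL_RE = re.compile(r"access-list \d+ permit ip ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)")

def wildcard_net(addr, wild):
    """Turn an IOS address/wildcard pair into a network (0.0.0.0 wildcard = host)."""
    if wild == "0.0.0.0":
        return ipaddress.ip_network(f"{addr}/32")
    return ipaddress.ip_network(f"{addr}/{wild}")  # hostmask form is accepted

def parse_proxies(debug):
    """Map 'local'/'remote' to the proxy networks named in the IPsec debug."""
    return {side: ipaddress.ip_network(f"{addr}/{mask}")
            for side, addr, mask in PROXY_RE.findall(debug)}

def parse_acl(lines):
    """Return (source, destination) network pairs from the ACL permit entries."""
    pairs = []
    for line in lines:
        m = ACL_RE.match(line.strip())
        if m:
            pairs.append((wildcard_net(m.group(1), m.group(2)),
                          wildcard_net(m.group(3), m.group(4))))
    return pairs

def check_phase2(debug, acl_lines):
    """List reasons IOS would reject the proposal; an empty list means it matches.
    local_proxy must mirror an ACL source and remote_proxy that entry's destination."""
    proxies = parse_proxies(debug)
    pair = (proxies["local"], proxies["remote"])
    problems = []
    if pair not in parse_acl(acl_lines):
        problems.append(f"proxy IDs {pair[0]} <-> {pair[1]} match no crypto ACL entry")
    transform = re.search(r"transform= (\S+)", debug)
    if transform and transform.group(1) == "NONE":
        problems.append("no transform in the proposal maps to the transform-set")
    return problems
```

Run against the constructed debug it reports both the proxy-ID mismatch and the unmapped transform; after the peer's inside network is corrected to the mirror of the ACL it returns an empty list.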
