Cisco 800 router to CheckPoint IPSEC VPN issue

james.armstrong
Level 1

Hi

I am trying to get a simple IPSEC VPN between a Cisco 800 router and a CheckPoint firewall.

The Phase 1 negotiation is working fine; however, the Phase 2 negotiation is failing with the following error message:

Jul 16 10:53:42.734: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= X.X.X.X:0, remote= X.X.X.X:0,
    local_proxy= X.X.X.0/255.255.255.0/256/0,
    remote_proxy= X.X.0.0/255.255.0.0/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jul 16 10:53:42.734: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-3des esp-md5-hmac }

I have double checked the configuration on both sides of the tunnel and they appear to match being:

  • 3DES and MD5 and 3600 secs renewal time.

The configuration for the Cisco side is attached below. I would appreciate any help possible to get this resolved.

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key XXX address X.X.X.X
!
crypto ipsec transform-set AES128-SHA1-1 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 3 ipsec-isakmp
 description IPSec Tunnel XXXXXX
 set peer X.X.X.X
 set transform-set AES128-SHA1-1
 match address 199
!
ip nat inside source route-map NONAT interface FastEthernet4 overload
!
access-list 111 deny   ip X.X.X.0 0.0.0.255 X.X.0.0 0.0.255.255
access-list 111 permit ip X.X.X.0 0.0.0.255 any
access-list 199 permit ip X.X.X.0 0.0.0.255 X.X.0.0 0.0.255.255
!
route-map NONAT permit 10
 match ip address 111

I am getting the following debugs:

SH CRY ISA SA

dst             src             state          conn-id status
46.X.X.X        83.X.X.X        QM_IDELE       2008    ACTIVE
46.X.X.X        83.X.X.X        QM_IDLE        2007    ACTIVE
46.X.X.X        83.X.X.X        QM_IDLE        2004    ACTIVE

SH CRY SESS

Interface: FastEthernet4
Session status: UP-IDLE
Peer: 83.X.X.X port 500
  IKEv1 SA: local 46.X.X.X/500 remote 83.X.X.X/500 Active
  IKEv1 SA: local 46.X.X.X/500 remote 83.X.X.X/500 Active
  IKEv1 SA: local 46.X.X.X/500 remote 83.X.X.X/500 Active
  IPSEC FLOW: permit ip X.X.X.0/255.255.255.0 X.X.0.0/255.255.0.0
        Active SAs: 0, origin: crypto map

many thanks in advance...

1 Reply

james.armstrong
Level 1

After much head scratching and debugging it transpires that the config laid out above is correct and the tunnel should work perfectly. The problem was that the CheckPoint was configured with a class A network on the inside interface and therefore would raise the Phase I tunnel on the external interface, then not be able to respond with a correctly constructed Phase II response.

The tunnel now works perfectly.
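An added diagnostic, not from the thread, that models the mismatch the reply describes: it parses the IOS IPSEC(validate_proposal_request) debug, compares the peer's proxy IDs and proposed transforms against the local crypto ACL and transform-set, and reports what does not line up. The addresses, the /8 remote proxy and the ACL line are constructed assumptions standing in for the masked values in the post.

```python
import ipaddress
import re

# Constructed sample modelled on the post's "debug crypto ipsec" output, with the
# masked octets replaced; the remote proxy is a /8, reproducing the class A
# misconfiguration on the CheckPoint side that the reply identified.
SAMPLE_DEBUG = """\
Jul 16 10:53:42.734: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.0.2.10:0, remote= 198.51.100.20:0,
    local_proxy= 10.1.1.0/255.255.255.0/256/0,
    remote_proxy= 10.0.0.0/255.0.0.0/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
Jul 16 10:53:42.734: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-3des esp-md5-hmac }
"""
# Constructed local side: the crypto ACL entry and the transform-set from the post.
CRYPTO_ACL = "permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.255.255"
TRANSFORM_SET = "esp-3des esp-md5-hmac"

def wildcard_to_network(addr, wildcard):
    """Convert an IOS ACL wildcard (inverse) mask into a network, e.g. 0.0.255.255 -> /16."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_acl(entry):
    """Return (local, remote) networks from a 'permit ip SRC WC DST WC' crypto ACL line."""
    _, _, src, src_wc, dst, dst_wc = entry.split()
    return wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc)

def parse_proposal(debug):
    """Extract the peer's proxy IDs (traffic selectors) and proposed transforms."""
    proposal = {}
    for name, addr, mask in re.findall(r"(local_proxy|remote_proxy)= ([\d.]+)/([\d.]+)/\d+/\d+", debug):
        proposal[name] = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    match = re.search(r"\{([^}]*)\}", debug)  # e.g. "{esp-3des esp-md5-hmac }"
    proposal["transforms"] = match.group(1).split() if match else []
    return proposal

def check_proposal(debug, acl_entry, transform_set):
    """List mismatches between the peer's Phase 2 proposal and the local crypto map."""
    proposal = parse_proposal(debug)
    local_net, remote_net = parse_acl(acl_entry)
    problems = []
    if proposal.get("local_proxy") != local_net:
        problems.append(f"local proxy {proposal.get('local_proxy')} != ACL source {local_net}")
    if proposal.get("remote_proxy") != remote_net:
        problems.append(f"remote proxy {proposal.get('remote_proxy')} != ACL destination {remote_net}")
    if set(proposal["transforms"]) != set(transform_set.split()):
        problems.append(f"transforms {proposal['transforms']} != transform-set {transform_set}")
    return problems
```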