07-08-2010 02:14 AM
Hi all,
I have read several guides on how to configure a site-to-site VPN between Cisco and Checkpoint using pre-shared keys. The configuration is correct on the Checkpoint side and, as far as I know, on the Cisco side as well.
The encryption policy is:
- 3DES - MD5 - DH Group 2 - 28800 seconds (Phase 1)
- 3DES - MD5 - DH Group 2 - 3600 seconds (Phase 2)
- Networks included are 10.240.0.0/22 and 192.168.252.0/24
Here is the debug output from Cisco IOS router:
2821-route#debug crypto isakmp
Crypto ISAKMP debugging is on
2821-route#debug crypto ipsec
Crypto IPSEC debugging is on
2821-route#debug crypto engine
Crypto Engine debugging is on
2821-route#
*Jul 8 09:06:58.975: ISAKMP (0:0): received packet from 192.168.100.10 dport 500 sport 500 Global (N) NEW SA
*Jul 8 09:06:58.975: ISAKMP: Created a peer struct for 192.168.100.10, peer port 500
*Jul 8 09:06:58.975: ISAKMP: New peer created peer = 0x4612D7B8 peer_handle = 0x8000003F
*Jul 8 09:06:58.975: ISAKMP: Locking peer struct 0x4612D7B8, refcount 1 for crypto_isakmp_process_block
*Jul 8 09:06:58.975: ISAKMP: local port 500, remote port 500
*Jul 8 09:06:58.975: insert sa successfully sa = 45C3E8B8
*Jul 8 09:06:58.975: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 8 09:06:58.975: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Jul 8 09:06:58.975: ISAKMP:(0): processing SA payload. message ID = 0
*Jul 8 09:06:58.975: ISAKMP:(0): processing vendor id payload
*Jul 8 09:06:58.975: ISAKMP:(0): vendor ID seems Unity/DPD but major 175 mismatch
*Jul 8 09:06:58.975: ISAKMP:(0):found peer pre-shared key matching 192.168.100.10
*Jul 8 09:06:58.975: ISAKMP:(0): local preshared key found
*Jul 8 09:06:58.975: ISAKMP : Scanning profiles for xauth ...
*Jul 8 09:06:58.975: ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy
*Jul 8 09:06:58.975: ISAKMP: encryption 3DES-CBC
*Jul 8 09:06:58.975: ISAKMP: hash MD5
*Jul 8 09:06:58.975: ISAKMP: auth pre-share
*Jul 8 09:06:58.975: ISAKMP: default group 2
*Jul 8 09:06:58.975: ISAKMP: life type in seconds
*Jul 8 09:06:58.975: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Jul 8 09:06:58.975: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jul 8 09:06:58.975: ISAKMP:(0):Acceptable atts:actual life: 0
*Jul 8 09:06:58.975: ISAKMP:(0):Acceptable atts:life: 0
*Jul 8 09:06:58.975: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jul 8 09:06:58.975: ISAKMP:(0):Fill atts in sa life_in_seconds:28800
*Jul 8 09:06:58.975: ISAKMP:(0):Returning Actual lifetime: 28800
*Jul 8 09:06:58.975: ISAKMP:(0)::Started lifetime timer: 28800.
*Jul 8 09:06:58.975: ISAKMP:(0): processing vendor id payload
*Jul 8 09:06:58.975: ISAKMP:(0): vendor ID seems Unity/DPD but major 175 mismatch
*Jul 8 09:06:58.975: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 8 09:06:58.975: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Jul 8 09:06:58.975: ISAKMP:(0): sending packet to 192.168.100.10 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Jul 8 09:06:58.979: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jul 8 09:06:58.979: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 8 09:06:58.979: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Jul 8 09:06:59.071: ISAKMP (0:0): received packet from 192.168.100.10 dport 500 sport 500 Global (R) MM_SA_SETUP
*Jul 8 09:06:59.071: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 8 09:06:59.071: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Jul 8 09:06:59.071: ISAKMP:(0): processing KE payload. message ID = 0
*Jul 8 09:06:59.071: crypto_engine: Create DH shared secret
*Jul 8 09:06:59.103: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jul 8 09:06:59.103: ISAKMP:(0):found peer pre-shared key matching 192.168.100.10
*Jul 8 09:06:59.103: crypto_engine: Create IKE SA
*Jul 8 09:06:59.103: crypto engine: deleting DH phase 2 SW:26
*Jul 8 09:06:59.103: crypto_engine: Delete DH shared secret
*Jul 8 09:06:59.103: ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 8 09:06:59.103: ISAKMP:(1019):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Jul 8 09:06:59.103: ISAKMP:(1019): sending packet to 192.168.100.10 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jul 8 09:06:59.103: ISAKMP:(1019):Sending an IKE IPv4 Packet.
*Jul 8 09:06:59.103: ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 8 09:06:59.103: ISAKMP:(1019):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Jul 8 09:06:59.195: ISAKMP (0:1019): received packet from 192.168.100.10 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jul 8 09:06:59.195: crypto_engine: Decrypt IKE packet
*Jul 8 09:06:59.195: ISAKMP:(1019):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 8 09:06:59.195: ISAKMP:(1019):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Jul 8 09:06:59.199: ISAKMP:(1019): processing ID payload. message ID = 0
*Jul 8 09:06:59.199: ISAKMP (0:1019): ID payload
next-payload : 8
type : 1
address : 192.168.100.10
protocol : 0
port : 0
length : 12
*Jul 8 09:06:59.199: ISAKMP:(0):: peer matches *none* of the profiles
*Jul 8 09:06:59.199: ISAKMP:(1019): processing HASH payload. message ID = 0
*Jul 8 09:06:59.199: crypto_engine: Generate IKE hash
*Jul 8 09:06:59.199: ISAKMP:(1019):SA authentication status:
authenticated
*Jul 8 09:06:59.199: ISAKMP:(1019):SA has been authenticated with 192.168.100.10
*Jul 8 09:06:59.199: ISAKMP: Trying to insert a peer 192.168.200.10/192.168.100.10/500/, and inserted successfully 4612D7B8.
*Jul 8 09:06:59.199: ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 8 09:06:59.199: ISAKMP:(1019):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Jul 8 09:06:59.199: ISAKMP:(1019):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jul 8 09:06:59.199: ISAKMP (0:1019): ID payload
next-payload : 8
type : 1
address : 192.168.200.10
protocol : 17
port : 500
length : 12
*Jul 8 09:06:59.199: ISAKMP:(1019):Total payload length: 12
*Jul 8 09:06:59.199: crypto_engine: Generate IKE hash
*Jul 8 09:06:59.199: crypto_engine: Encrypt IKE packet
*Jul 8 09:06:59.199: ISAKMP:(1019): sending packet to 192.168.100.10 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jul 8 09:06:59.199: ISAKMP:(1019):Sending an IKE IPv4 Packet.
*Jul 8 09:06:59.199: ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 8 09:06:59.199: ISAKMP:(1019):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Jul 8 09:06:59.199: ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jul 8 09:06:59.199: ISAKMP:(1019):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 8 09:06:59.287: ISAKMP (0:1019): received packet from 192.168.100.10 dport 500 sport 500 Global (R) QM_IDLE
*Jul 8 09:06:59.287: ISAKMP: set new node 307071352 to QM_IDLE
*Jul 8 09:06:59.287: crypto_engine: Decrypt IKE packet
*Jul 8 09:06:59.287: crypto_engine: Generate IKE hash
*Jul 8 09:06:59.287: ISAKMP:(1019): processing HASH payload. message ID = 307071352
*Jul 8 09:06:59.287: ISAKMP:(1019): processing SA payload. message ID = 307071352
*Jul 8 09:06:59.287: ISAKMP:(1019):Checking IPSec proposal 1
*Jul 8 09:06:59.287: ISAKMP: transform 1, ESP_3DES
*Jul 8 09:06:59.287: ISAKMP: attributes in transform:
*Jul 8 09:06:59.287: ISAKMP: group is 2
*Jul 8 09:06:59.287: ISAKMP: SA life type in seconds
*Jul 8 09:06:59.287: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
*Jul 8 09:06:59.287: ISAKMP: authenticator is HMAC-MD5
*Jul 8 09:06:59.287: ISAKMP: encaps is 1 (Tunnel)
*Jul 8 09:06:59.287: ISAKMP:(1019):atts are acceptable.
*Jul 8 09:06:59.287: IPSEC(validate_proposal_request): proposal part #1
*Jul 8 09:06:59.287: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.200.10, remote= 192.168.100.10,
local_proxy= 10.240.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.252.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jul 8 09:06:59.287: Crypto mapdb : proxy_match
src addr : 10.240.1.0
dst addr : 192.168.252.0
protocol : 0
src port : 0
dst port : 0
*Jul 8 09:06:59.287: ISAKMP:(1019): processing NONCE payload. message ID = 307071352
*Jul 8 09:06:59.287: ISAKMP:(1019): processing KE payload. message ID = 307071352
*Jul 8 09:06:59.287: crypto_engine: Create DH shared secret
*Jul 8 09:06:59.319: ISAKMP:(1019): processing ID payload. message ID = 307071352
*Jul 8 09:06:59.319: ISAKMP:(1019): processing ID payload. message ID = 307071352
*Jul 8 09:06:59.319: ISAKMP:(1019):QM Responder gets spi
*Jul 8 09:06:59.319: ISAKMP:(1019):Node 307071352, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 8 09:06:59.319: ISAKMP:(1019):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Jul 8 09:06:59.319: crypto_engine: Generate IKE hash
*Jul 8 09:06:59.319: crypto_engine: Generate IKE QM keys
*Jul 8 09:06:59.319: crypto_engine: Create IPSec SA (by keys)
*Jul 8 09:06:59.319: crypto_engine: Generate IKE QM keys
*Jul 8 09:06:59.319: crypto_engine: Create IPSec SA (by keys)
*Jul 8 09:06:59.319: crypto engine: deleting DH phase 2 SW:27
*Jul 8 09:06:59.319: crypto_engine: Delete DH shared secret
*Jul 8 09:06:59.319: crypto engine: deleting DH SW:25
*Jul 8 09:06:59.319: ISAKMP:(1019): Creating IPSec SAs
*Jul 8 09:06:59.323: inbound SA from 192.168.100.10 to 192.168.200.10 (f/i) 0/ 0
(proxy 192.168.252.0 to 10.240.1.0)
*Jul 8 09:06:59.323: has spi 0xFC7E44FA and conn_id 0
*Jul 8 09:06:59.323: lifetime of 3600 seconds
*Jul 8 09:06:59.323: outbound SA from 192.168.200.10 to 192.168.100.10 (f/i) 0/0
(proxy 10.240.1.0 to 192.168.252.0)
*Jul 8 09:06:59.323: has spi 0x61C47149 and conn_id 0
*Jul 8 09:06:59.323: lifetime of 3600 seconds
*Jul 8 09:06:59.323: crypto_engine: Encrypt IKE packet
*Jul 8 09:06:59.323: ISAKMP:(1019): sending packet to 192.168.100.10 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 8 09:06:59.323: ISAKMP:(1019):Sending an IKE IPv4 Packet.
*Jul 8 09:06:59.323: ISAKMP:(1019):Node 307071352, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Jul 8 09:06:59.323: ISAKMP:(1019):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
*Jul 8 09:06:59.323: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 8 09:06:59.323: Crypto mapdb : proxy_match
src addr : 10.240.1.0
dst addr : 192.168.252.0
protocol : 0
src port : 0
dst port : 0
*Jul 8 09:06:59.323: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 192.168.100.10
*Jul 8 09:06:59.323: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.200.10, sa_proto= 50,
sa_spi= 0xFC7E44FA(4236133626),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2223
*Jul 8 09:06:59.323: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.100.10, sa_proto= 50,
sa_spi= 0x61C47149(1640264009),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2224
*Jul 8 09:06:59.323: crypto engine: updating MTU size of IPSec SA NETGX:224
*Jul 8 09:06:59.323: crypto_engine: Set IPSec MTU
*Jul 8 09:06:59.327: crypto_engine: Create DH
*Jul 8 09:06:59.351: crypto_engine: Delete DH
*Jul 8 09:06:59.419: ISAKMP (0:1019): received packet from 192.168.100.10 dport 500 sport 500 Global (R) QM_IDLE
*Jul 8 09:06:59.419: crypto_engine: Decrypt IKE packet
*Jul 8 09:06:59.419: crypto_engine: Generate IKE hash
*Jul 8 09:06:59.419: ISAKMP:(1019):deleting node 307071352 error FALSE reason "QM done (await)"
*Jul 8 09:06:59.419: ISAKMP:(1019):Node 307071352, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 8 09:06:59.419: ISAKMP:(1019):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Jul 8 09:06:59.419: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 8 09:06:59.423: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Jul 8 09:06:59.423: IPSEC(key_engine_enable_outbound): enable SA with spi 1640264009/50
*Jul 8 09:06:59.423: IPSEC(update_current_outbound_sa): updated peer 192.168.100.10 current outbound sa to SPI 61C47149
*Jul 8 09:06:59.547: ISAKMP (0:1019): received packet from 192.168.100.10 dport 500 sport 500 Global (R) QM_IDLE
*Jul 8 09:06:59.547: ISAKMP:(1019): phase 2 packet is a duplicate of a previous packet.
*Jul 8 09:06:59.547: ISAKMP:(1019): retransmitting due to retransmit phase 2
*Jul 8 09:06:59.547: ISAKMP:(1019): ignoring retransmission,because phase2 node marked dead 307071352
*Jul 8 09:06:59.631: ISAKMP (0:1019): received packet from 192.168.100.10 dport 500 sport 500 Global (R) QM_IDLE
*Jul 8 09:06:59.631: ISAKMP:(1019): phase 2 packet is a duplicate of a previous packet.
*Jul 8 09:06:59.631: ISAKMP:(1019): retransmitting due to retransmit phase 2
*Jul 8 09:06:59.631: ISAKMP:(1019): ignoring retransmission,because phase2 node marked dead 307071352
Here is the configuration:
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key KEY address 192.168.100.10
!
!
crypto ipsec transform-set DR esp-3des esp-md5-hmac
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
crypto map CISCO 101 ipsec-isakmp
set peer 192.168.100.10
set transform-set DR
set pfs group2
match address 103
access-list 103 permit ip 10.240.0.0 0.0.3.255 192.168.252.0 0.0.0.255
07-08-2010 02:56 AM
Hi,
Is the remote peer (CheckPoint) a single box or a cluster?
Have you noticed whether this issue occurs when only one WS is using the VPN tunnel?
If possible, debug with only one WS and one flow (one destination) and monitor the IPSEC SAs for it, then introduce another flow (another destination or a second WS) and see the IPSEC SAs associated with it. I've seen similar behaviour when Checkpoint behaves as if it's configured to build SAs per host, no matter what you configure on it, while by default Cisco builds per network (per entry in the access list with 'interesting' traffic). The latter can easily be verified by changing the behaviour of Cisco to per-host IPSEC SAs: set security-association level per-host in the crypto map configuration.
The other thing you can check is whether there is packet loss between the peers, causing packet retransmission, or high network latency, causing the same after the timers expire.
I would expect that the esp/udp flows are filtered to only those predefined peers, preventing other fake peers from sending bulk 'vpn' traffic.
07-08-2010 03:14 AM
hi,
The remote peer is Checkpoint ClusterXL running in unicast mode. To give more detailed information:
1) I have configured Sticky Connections and load-sharing based on IPs so all connections are persistent.
2) I have configured max subnets for range and peer so I cannot have supernetting or something similar.
3) I have disabled to send the largest possible subnet for phase 2.
4) The configuration of the community is to use per-subnet and not per-host.
So I can see that we do not have any issues from Checkpoint side. I am seeing the same errors again. I have reconfigured both ends to use per-host security association but the problem has not disappeared.
predrag
07-08-2010 03:24 AM
Hi,
I have configured only one subnet and the behaviour is set to one VPN tunnel per subnet.
Here is the debug output:
2821-route#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.200.10 192.168.100.10 QM_IDLE 1026 0 ACTIVE
IPv6 Crypto ISAKMP SA
2821-route#
*Jul 8 10:18:37.943: ISAKMP (0:0): received packet from 192.168.100.10 dport 500 sport 500 Global (N) NEW SA
*Jul 8 10:18:37.943: ISAKMP: Found a peer struct for 192.168.100.10, peer port 500
*Jul 8 10:18:37.943: ISAKMP: Locking peer struct 0x45C4038C, refcount 2 for crypto_isakmp_process_block
*Jul 8 10:18:37.943: ISAKMP: local port 500, remote port 500
*Jul 8 10:18:37.943: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 462FF6D8
*Jul 8 10:18:37.943: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 8 10:18:37.943: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Jul 8 10:18:37.943: ISAKMP:(0): processing SA payload. message ID = 0
*Jul 8 10:18:37.943: ISAKMP:(0): processing vendor id payload
*Jul 8 10:18:37.943: ISAKMP:(0): vendor ID seems Unity/DPD but major 175 mismatch
*Jul 8 10:18:37.943: ISAKMP:(0):found peer pre-shared key matching 192.168.100.10
*Jul 8 10:18:37.943: ISAKMP:(0): local preshared key found
*Jul 8 10:18:37.943: ISAKMP : Scanning profiles for xauth ...
*Jul 8 10:18:37.943: ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy
*Jul 8 10:18:37.943: ISAKMP: encryption 3DES-CBC
*Jul 8 10:18:37.943: ISAKMP: hash MD5
*Jul 8 10:18:37.943: ISAKMP: auth pre-share
*Jul 8 10:18:37.943: ISAKMP: default group 2
*Jul 8 10:18:37.943: ISAKMP: life type in seconds
*Jul 8 10:18:37.943: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Jul 8 10:18:37.943: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jul 8 10:18:37.943: ISAKMP:(0):Acceptable atts:actual life: 0
*Jul 8 10:18:37.943: ISAKMP:(0):Acceptable atts:life: 0
*Jul 8 10:18:37.943: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jul 8 10:18:37.943: ISAKMP:(0):Fill atts in sa life_in_seconds:28800
*Jul 8 10:18:37.943: ISAKMP:(0):Returning Actual lifetime: 28800
*Jul 8 10:18:37.943: ISAKMP:(0)::Started lifetime timer: 28800.
*Jul 8 10:18:37.943: ISAKMP:(0): processing vendor id payload
*Jul 8 10:18:37.943: ISAKMP:(0): vendor ID seems Unity/DPD but major 175 mismatch
*Jul 8 10:18:37.943: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 8 10:18:37.943: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Jul 8 10:18:37.947: ISAKMP:(0): sending packet to 192.168.100.10 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Jul 8 10:18:37.947: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jul 8 10:18:37.947: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 8 10:18:37.947: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Jul 8 10:18:38.043: ISAKMP (0:0): received packet from 192.168.100.10 dport 500 sport 500 Global (R) MM_SA_SETUP
*Jul 8 10:18:38.043: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 8 10:18:38.043: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Jul 8 10:18:38.043: ISAKMP:(0): processing KE payload. message ID = 0
*Jul 8 10:18:38.043: crypto_engine: Create DH shared secret
*Jul 8 10:18:38.075: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jul 8 10:18:38.075: ISAKMP:(0):found peer pre-shared key matching 192.168.100.10
*Jul 8 10:18:38.075: crypto_engine: Create IKE SA
*Jul 8 10:18:38.075: crypto engine: deleting DH phase 2 SW:35
*Jul 8 10:18:38.075: crypto_engine: Delete DH shared secret
*Jul 8 10:18:38.075: ISAKMP:(1029):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 8 10:18:38.075: ISAKMP:(1029):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Jul 8 10:18:38.075: ISAKMP:(1029): sending packet to 192.168.100.10 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jul 8 10:18:38.075: ISAKMP:(1029):Sending an IKE IPv4 Packet.
*Jul 8 10:18:38.075: ISAKMP:(1029):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 8 10:18:38.075: ISAKMP:(1029):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Jul 8 10:18:38.127: ISAKMP (0:1029): received packet from 192.168.100.10 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jul 8 10:18:38.127: crypto_engine: Decrypt IKE packet
*Jul 8 10:18:38.127: ISAKMP:(1029):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 8 10:18:38.127: ISAKMP:(1029):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Jul 8 10:18:38.127: ISAKMP:(1029): processing ID payload. message ID = 0
*Jul 8 10:18:38.127: ISAKMP (0:1029): ID payload
next-payload : 8
type : 1
address : 192.168.100.10
protocol : 0
port : 0
length : 12
*Jul 8 10:18:38.127: ISAKMP:(0):: peer matches *none* of the profiles
*Jul 8 10:18:38.127: ISAKMP:(1029): processing HASH payload. message ID = 0
*Jul 8 10:18:38.127: crypto_engine: Generate IKE hash
*Jul 8 10:18:38.127: ISAKMP:(1029):SA authentication status:
authenticated
*Jul 8 10:18:38.127: ISAKMP:(1029):SA has been authenticated with 192.168.100.10
*Jul 8 10:18:38.127: ISAKMP:(1029):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 8 10:18:38.127: ISAKMP:(1029):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Jul 8 10:18:38.127: ISAKMP:(1029):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jul 8 10:18:38.127: ISAKMP (0:1029): ID payload
next-payload : 8
type : 1
address : 192.168.200.10
protocol : 17
port : 500
length : 12
*Jul 8 10:18:38.127: ISAKMP:(1029):Total payload length: 12
*Jul 8 10:18:38.127: crypto_engine: Generate IKE hash
*Jul 8 10:18:38.127: crypto_engine: Encrypt IKE packet
*Jul 8 10:18:38.131: ISAKMP:(1029): sending packet to 192.168.100.10 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jul 8 10:18:38.131: ISAKMP:(1029):Sending an IKE IPv4 Packet.
*Jul 8 10:18:38.131: ISAKMP:(1029):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 8 10:18:38.131: ISAKMP:(1029):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Jul 8 10:18:38.131: ISAKMP:(1029):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jul 8 10:18:38.131: ISAKMP:(1029):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 8 10:18:38.227: ISAKMP (0:1029): received packet from 192.168.100.10 dport 500 sport 500 Global (R) QM_IDLE
*Jul 8 10:18:38.227: ISAKMP: set new node 74112823 to QM_IDLE
*Jul 8 10:18:38.227: crypto_engine: Decrypt IKE packet
*Jul 8 10:18:38.227: crypto_engine: Generate IKE hash
*Jul 8 10:18:38.227: ISAKMP:(1029): processing HASH payload. message ID = 74112823
*Jul 8 10:18:38.227: ISAKMP:(1029): processing SA payload. message ID = 74112823
*Jul 8 10:18:38.227: ISAKMP:(1029):Checking IPSec proposal 1
*Jul 8 10:18:38.227: ISAKMP: transform 1, ESP_3DES
*Jul 8 10:18:38.227: ISAKMP: attributes in transform:
*Jul 8 10:18:38.227: ISAKMP: group is 2
*Jul 8 10:18:38.227: ISAKMP: SA life type in seconds
*Jul 8 10:18:38.227: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
*Jul 8 10:18:38.227: ISAKMP: authenticator is HMAC-MD5
*Jul 8 10:18:38.227: ISAKMP: encaps is 1 (Tunnel)
*Jul 8 10:18:38.227: ISAKMP:(1029):atts are acceptable.
*Jul 8 10:18:38.227: IPSEC(validate_proposal_request): proposal part #1
*Jul 8 10:18:38.227: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.200.10, remote= 192.168.100.10,
local_proxy= 10.240.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.252.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jul 8 10:18:38.227: Crypto mapdb : proxy_match
src addr : 10.240.1.0
dst addr : 192.168.252.0
protocol : 0
src port : 0
dst port : 0
*Jul 8 10:18:38.227: ISAKMP:(1029): processing NONCE payload. message ID = 74112823
*Jul 8 10:18:38.227: ISAKMP:(1029): processing KE payload. message ID = 74112823
*Jul 8 10:18:38.227: crypto_engine: Create DH shared secret
*Jul 8 10:18:38.259: ISAKMP:(1029): processing ID payload. message ID = 74112823
*Jul 8 10:18:38.259: ISAKMP:(1029): processing ID payload. message ID = 74112823
*Jul 8 10:18:38.259: ISAKMP:(1029):QM Responder gets spi
*Jul 8 10:18:38.259: ISAKMP:(1029):Node 74112823, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 8 10:18:38.259: ISAKMP:(1029):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Jul 8 10:18:38.259: crypto_engine: Generate IKE hash
*Jul 8 10:18:38.259: crypto_engine: Generate IKE QM keys
*Jul 8 10:18:38.259: crypto_engine: Create IPSec SA (by keys)
*Jul 8 10:18:38.259: crypto_engine: Generate IKE QM keys
*Jul 8 10:18:38.259: crypto_engine: Create IPSec SA (by keys)
*Jul 8 10:18:38.259: crypto engine: deleting DH phase 2 SW:36
*Jul 8 10:18:38.259: crypto_engine: Delete DH shared secret
*Jul 8 10:18:38.259: crypto engine: deleting DH SW:34
*Jul 8 10:18:38.259: ISAKMP:(1029): Creating IPSec SAs
*Jul 8 10:18:38.259: inbound SA from 192.168.100.10 to 192.168.200.10 (f/i) 0/ 0
(proxy 192.168.252.0 to 10.240.1.0)
*Jul 8 10:18:38.259: has spi 0x4052249 and conn_id 0
*Jul 8 10:18:38.259: lifetime of 3600 seconds
*Jul 8 10:18:38.259: outbound SA from 192.168.200.10 to 192.168.100.10 (f/i) 0/0
(proxy 10.240.1.0 to 192.168.252.0)
*Jul 8 10:18:38.259: has spi 0x16FE7BBB and conn_id 0
*Jul 8 10:18:38.259: lifetime of 3600 seconds
*Jul 8 10:18:38.259: crypto_engine: Encrypt IKE packet
*Jul 8 10:18:38.263: ISAKMP:(1029): sending packet to 192.168.100.10 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 8 10:18:38.263: ISAKMP:(1029):Sending an IKE IPv4 Packet.
*Jul 8 10:18:38.263: ISAKMP:(1029):Node 74112823, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Jul 8 10:18:38.263: ISAKMP:(1029):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
*Jul 8 10:18:38.263: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 8 10:18:38.263: Crypto mapdb : proxy_match
src addr : 10.240.1.0
dst addr : 192.168.252.0
protocol : 0
src port : 0
dst port : 0
*Jul 8 10:18:38.263: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 192.168.100.10
*Jul 8 10:18:38.263: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.200.10, sa_proto= 50,
sa_spi= 0x4052249(67445321),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2267
*Jul 8 10:18:38.263: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.100.10, sa_proto= 50,
sa_spi= 0x16FE7BBB(385776571),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2268
*Jul 8 10:18:38.263: crypto engine: updating MTU size of IPSec SA NETGX:268
*Jul 8 10:18:38.263: crypto_engine: Set IPSec MTU
*Jul 8 10:18:38.263: IPSEC(early_age_out_sibling): sibling outbound SPI 5595E401 expiring in 30 seconds
*Jul 8 10:18:38.263: ISAKMP: set new node 2098796805 to QM_IDLE
*Jul 8 10:18:38.263: crypto_engine: Generate IKE hash
*Jul 8 10:18:38.263: crypto_engine: Encrypt IKE packet
*Jul 8 10:18:38.263: ISAKMP:(1029): sending packet to 192.168.100.10 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 8 10:18:38.263: ISAKMP:(1029):Sending an IKE IPv4 Packet.
*Jul 8 10:18:38.263: ISAKMP:(1029):purging node 2098796805
*Jul 8 10:18:38.263: ISAKMP:(1029):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
*Jul 8 10:18:38.263: ISAKMP:(1029):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 8 10:18:38.267: crypto_engine: Create DH
*Jul 8 10:18:38.291: crypto_engine: Delete DH
*Jul 8 10:18:38.331: ISAKMP (0:1029): received packet from 192.168.100.10 dport 500 sport 500 Global (R) QM_IDLE
*Jul 8 10:18:38.331: crypto_engine: Decrypt IKE packet
*Jul 8 10:18:38.331: crypto_engine: Generate IKE hash
*Jul 8 10:18:38.331: ISAKMP:(1029):deleting node 74112823 error FALSE reason "QM done (await)"
*Jul 8 10:18:38.331: ISAKMP:(1029):Node 74112823, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 8 10:18:38.331: ISAKMP:(1029):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Jul 8 10:18:38.331: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 8 10:18:38.331: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Jul 8 10:18:38.331: IPSEC(key_engine_enable_outbound): enable SA with spi 385776571/50
*Jul 8 10:18:38.331: IPSEC(update_current_outbound_sa): updated peer 192.168.100.10 current outbound sa to SPI 16FE7BBB
*Jul 8 10:18:38.443: ISAKMP (0:1029): received packet from 192.168.100.10 dport 500 sport 500 Global (R) QM_IDLE
*Jul 8 10:18:38.443: ISAKMP:(1029): phase 2 packet is a duplicate of a previous packet.
*Jul 8 10:18:38.443: ISAKMP:(1029): retransmitting due to retransmit phase 2
*Jul 8 10:18:38.443: ISAKMP:(1029): ignoring retransmission,because phase2 node marked dead 74112823
*Jul 8 10:18:38.531: ISAKMP (0:1029): received packet from 192.168.100.10 dport 500 sport 500 Global (R) QM_IDLE
*Jul 8 10:18:38.531: ISAKMP:(1029): phase 2 packet is a duplicate of a previous packet.
*Jul 8 10:18:38.531: ISAKMP:(1029): retransmitting due to retransmit phase 2
*Jul 8 10:18:38.531: ISAKMP:(1029): ignoring retransmission,because phase2 node marked dead 74112823
*Jul 8 10:19:08.263: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 192.168.200.10, sa_proto= 50,
sa_spi= 0x4917DCEE(1226300654),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2263,
(identity) local= 192.168.200.10, remote= 192.168.100.10,
local_proxy= 10.240.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.252.0/255.255.255.0/0/0 (type=4)
*Jul 8 10:19:08.263: crypto engine: deleting IPSec SA NETGX:263
*Jul 8 10:19:08.263: crypto_engine: Delete IPSec SA
*Jul 8 10:19:08.263: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 192.168.100.10, sa_proto= 50,
sa_spi= 0x5595E401(1435886593),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2264,
(identity) local= 192.168.200.10, remote= 192.168.100.10,
local_proxy= 10.240.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.252.0/255.255.255.0/0/0 (type=4)
*Jul 8 10:19:08.263: crypto engine: deleting IPSec SA NETGX:264
*Jul 8 10:19:08.263: ISAKMP: set new node 1543518040 to QM_IDLE
*Jul 8 10:19:08.263: crypto_engine: Generate IKE hash
*Jul 8 10:19:08.263: crypto_engine: Encrypt IKE packet
*Jul 8 10:19:08.263: ISAKMP:(1029): sending packet to 192.168.100.10 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 8 10:19:08.263: ISAKMP:(1029):Sending an IKE IPv4 Packet.
*Jul 8 10:19:08.263: ISAKMP:(1029):purging node 1543518040
*Jul 8 10:19:08.263: ISAKMP:(1029):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
*Jul 8 10:19:08.263: ISAKMP:(1029):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 8 10:19:08.263: crypto_engine: Delete IPSec SA
*Jul 8 10:19:28.331: ISAKMP:(1029):purging node 74112823
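The two debug captures in this thread contain the same few signals worth pulling out automatically: the Phase 1 and Phase 2 state transitions, the SPIs of the SAs that were created, the sibling SA that was aged out 30 seconds after the new one came up, and the peer's Quick Mode packets that the router ignored because it had already finished that node. The following is an added example, not code from the original post or from Cisco: a small parser for IOS `debug crypto isakmp`/`debug crypto ipsec` output that summarises those facts and turns them into triage findings. The sample input is constructed from lines of the kind shown in the debug output above; the finding names (`peer-retransmit-after-qm-done`, `sa-churn`, and so on) are this example's own labels, not IOS terminology.

```python
import re
from collections import Counter

# Constructed sample, modelled on the IOS debug lines quoted in the thread.
# It is a short excerpt, not a full capture.
SAMPLE_DEBUG = """\
*Jul 8 10:18:38.127: ISAKMP:(1029):SA has been authenticated with 192.168.100.10
*Jul 8 10:18:38.131: ISAKMP:(1029):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Jul 8 10:18:38.259: ISAKMP:(1029): Creating IPSec SAs
*Jul 8 10:18:38.259: has spi 0x4052249 and conn_id 0
*Jul 8 10:18:38.259: has spi 0x16FE7BBB and conn_id 0
*Jul 8 10:18:38.263: IPSEC(early_age_out_sibling): sibling outbound SPI 5595E401 expiring in 30 seconds
*Jul 8 10:18:38.331: ISAKMP:(1029):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Jul 8 10:18:38.443: ISAKMP:(1029): phase 2 packet is a duplicate of a previous packet.
*Jul 8 10:18:38.443: ISAKMP:(1029): ignoring retransmission,because phase2 node marked dead 74112823
*Jul 8 10:18:38.531: ISAKMP:(1029): ignoring retransmission,because phase2 node marked dead 74112823
*Jul 8 10:19:08.263: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 192.168.100.10, sa_proto= 50,
sa_spi= 0x5595E401(1435886593),
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
NEW_SPI_RE = re.compile(r"has spi 0x([0-9A-Fa-f]+)")
AGE_OUT_RE = re.compile(r"sibling outbound SPI ([0-9A-Fa-f]+) expiring in (\d+) seconds")
DEAD_NODE_RE = re.compile(r"phase2 node marked dead (\d+)")
DELETE_RE = re.compile(r"IPSEC\(delete_sa\)")
SA_SPI_RE = re.compile(r"sa_spi= 0x([0-9A-Fa-f]+)\(")


def parse_ike_debug(text):
    """Summarise one responder-side IKE/IPsec debug run into a dict of facts."""
    summary = {
        "states": [],                    # (old, new) state transitions in order
        "new_spis": [],                  # SPIs announced under 'Creating IPSec SAs'
        "aged_out": {},                  # sibling SPI -> seconds until early age-out
        "dead_node_retransmits": Counter(),  # QM node id -> ignored retransmissions
        "deleted_spis": [],              # SPIs removed by IPSEC(delete_sa)
    }
    in_delete = False
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            summary["states"].append((m.group(1), m.group(2)))
        m = NEW_SPI_RE.search(line)
        if m:
            summary["new_spis"].append(m.group(1).upper())
        m = AGE_OUT_RE.search(line)
        if m:
            summary["aged_out"][m.group(1).upper()] = int(m.group(2))
        m = DEAD_NODE_RE.search(line)
        if m:
            summary["dead_node_retransmits"][m.group(1)] += 1
        if DELETE_RE.search(line):
            in_delete = True  # the SPI follows on a continuation line
            continue
        m = SA_SPI_RE.search(line)
        if m and in_delete:
            summary["deleted_spis"].append(m.group(1).upper())
            in_delete = False
    return summary


def phase_completed(summary, state):
    """True if any transition in the run ended in the given ISAKMP state."""
    return any(new == state for _, new in summary["states"])


def triage(summary):
    """Turn the summary into the short list of things to check next."""
    findings = []
    if not phase_completed(summary, "IKE_P1_COMPLETE"):
        findings.append("phase1-incomplete")
    if not phase_completed(summary, "IKE_QM_PHASE2_COMPLETE"):
        findings.append("phase2-incomplete")
    for node, count in summary["dead_node_retransmits"].items():
        # The router finished Quick Mode for this node and then kept receiving the
        # peer's QM packet: the peer did not see, or did not accept, the reply.
        findings.append(f"peer-retransmit-after-qm-done:{node}:{count}")
    for spi in summary["aged_out"]:
        if spi in summary["deleted_spis"]:
            # A fresh SA for the same proxies replaced one that was still valid:
            # the peer renegotiated instead of using the existing tunnel.
            findings.append(f"sa-churn:{spi}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_ike_debug(SAMPLE_DEBUG)):
        print(finding)
```

Run against the second capture in this thread, the two findings that matter are the peer retransmitting node 74112823 twice after the router had completed it and the 5595E401 sibling SA being aged out and deleted 30 seconds after its replacement was created, which is the same pair of symptoms a cluster member or a lossy path between the peers would produce.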
07-08-2010 05:10 AM
Hi,
Can you make sure that the ACLs for the 'interesting' traffic for that specific tunnel match (mirrored in direction, of course)? One other thing which might shed some light on the P2 negotiation is to increase the debug verbosity to 20+.
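The check suggested above can be done mechanically. The following is an added example, not code from the thread or from Cisco: it converts the IOS wildcard-mask crypto ACL from the router configuration into networks and compares them with the proxy identities the router logged for the peer's Quick Mode proposal (`local_proxy= 10.240.1.0/255.255.255.0` and `remote_proxy= 192.168.252.0/255.255.255.0` in the debug output). The ACL line and the two proxy strings are taken from the thread; the three result labels are this example's own. The distinction it draws is that IOS, as responder, accepts a proposal narrower than its ACL entry (which is why the debug shows a /24 SA being built against a /22 entry), whereas as initiator it proposes the full ACL entry, which a peer configured with the narrower object may reject.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed input: the crypto ACL from the router configuration in the thread
# and the proxy identities the router logged for the peer's proposal.
CRYPTO_ACL = "access-list 103 permit ip 10.240.0.0 0.0.3.255 192.168.252.0 0.0.0.255"
PEER_LOCAL_PROXY = "10.240.1.0/24"       # local_proxy= in the debug output
PEER_REMOTE_PROXY = "192.168.252.0/24"   # remote_proxy= in the debug output


def wildcard_to_network(addr, wildcard):
    """IOS address/wildcard pair -> ip_network (contiguous wildcards only)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = ~wc & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    contiguous = (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF
    if mask != contiguous:
        # A discontiguous wildcard cannot be expressed as an IKE proxy ID.
        raise ValueError(f"non-contiguous wildcard {wildcard} cannot be a proxy ID")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def _take_address(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD) from the front."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(f"{tokens.pop(0)}/32")
    return wildcard_to_network(tok, tokens.pop(0))


def parse_crypto_acl(config_text):
    """Return [(src_net, dst_net)] for each 'permit ip' entry of an extended ACL."""
    pairs = []
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] != "permit":
            continue
        if tokens[3] != "ip":
            continue  # a site-to-site crypto ACL should use plain 'ip'
        rest = tokens[4:]
        src = _take_address(rest)
        dst = _take_address(rest)
        pairs.append((src, dst))
    return pairs


def classify_proxy(acl_pairs, local_proxy, remote_proxy):
    """Compare the peer's proposed proxy IDs with the router's crypto ACL.

    'exact'    : identical networks; the goal on both sides
    'narrower' : peer proposes a subset; IOS accepts it as responder, but as
                 initiator it proposes the full ACL entry, which the peer may
                 then reject
    'mismatch' : no ACL entry covers the proposal at all
    """
    local = ipaddress.ip_network(local_proxy)
    remote = ipaddress.ip_network(remote_proxy)
    for src, dst in acl_pairs:
        if src == local and dst == remote:
            return "exact"
    for src, dst in acl_pairs:
        if local.subnet_of(src) and remote.subnet_of(dst):
            return "narrower"
    return "mismatch"


if __name__ == "__main__":
    pairs = parse_crypto_acl(CRYPTO_ACL)
    for src, dst in pairs:
        print(f"ACL entry: {src} -> {dst}")
    print("peer proposal:", classify_proxy(pairs, PEER_LOCAL_PROXY, PEER_REMOTE_PROXY))
```

For the configuration in this thread the result is `narrower`: the ACL entry is 10.240.0.0/22 while the Checkpoint proposes 10.240.1.0/24, so the two sides only agree when the Checkpoint initiates. Making the Cisco ACL a /24 (or the Checkpoint object a /22) gives `exact` in both directions.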
07-08-2010 05:37 AM
Hi,
The point is that we have only one ACL in the crypto access list. I have narrowed it down to only one /24 subnet between both peers.
Predrag
07-08-2010 06:00 AM
Yes, on Cisco's side it is an access-list, and on Checkpoint this is configured as network objects, but those should match exactly (network and mask), just in mirrored directions: the source on the 1st peer is the destination on the 2nd peer and vice versa.
07-08-2010 06:01 AM
You can check this for examples: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094ac4.shtml
07-08-2010 06:06 AM
The access-lists are fine, this guide is for an older version of FW-1.
EDIT: newer profiles can be found here
http://www.vpnc.org/InteropProfiles/cisco-ios.txt
http://www.vpnc.org/InteropProfiles/checkpoint-profile.pdf
07-12-2010 09:12 AM
Do you have any other suggestions? I believe this is an IOS issue, since it works normally with previous versions...
07-12-2010 06:45 PM
Can you include the "fw ver" from the CP NGx R65 and "show ver" from the Cisco IOS? I can test and tell you if it is an IOS issue in the next 24 hours.
You can also use "vpn debug ikeon" on the Checkpoint firewall and view the $FWDIR/log/ike.elg file with IKEView.exe. It will tell you where things go wrong.
Furthermore, are you running HFA_70 on the NGx R65 firewall?
07-13-2010 12:25 AM
Hi,
2821-route#show ver
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(15)T7, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Wed 13-Aug-08 17:09 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T11, RELEASE SOFTWARE (fc1)
2821-route uptime is 29 weeks, 4 days, 20 hours, 6 minutes
System returned to ROM by reload at 11:13:16 UTC Thu Dec 17 2009
System image file is "flash:c2800nm-advsecurityk9-mz.124-15.T7.bin"
[fw-gate1]# fw ver
This is Check Point VPN-1(TM) & FireWall-1(R) NGX (R65) HFA_70, Hotfix 670 - Build 033
EDIT:
I have also contacted Checkpoint support and they said everything is normal from Checkpoint side.
07-14-2010 03:09 AM
I am sad to report that I have been able to reproduce your issue with the same IOS version you described. As soon as I downgraded to an older version, the issue goes away. It must be a bug in that IOS train.
07-14-2010 06:13 AM
Which IOS version would you recommend? On which one were you able to establish the VPN tunnel?