05-03-2012 01:57 AM
Hi, I'm trying to configure a VPN between a Check Point firewall (UTM-1, running R75.10) and a 2921 router (15.0(1r)M9).
Here's the relevant config (names and external IP addresses only modified - using 1.1.1.1 for Check Point and 2.2.2.2 for Cisco):
================================================
## vpn phase 2 access list (also used for route map)
access-list 2699 permit ip 192.168.209.16 0.0.0.15 192.168.51.128 0.0.0.127
## nat route map
route-map R1 permit 2699
match ip address 2699
## phase 1 details
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 86400
## psk
crypto isakmp key ............... address 1.1.1.1 no-xauth
## phase 2 transform set
crypto ipsec transform-set AES-256 esp-aes 256 esp-sha-hmac
## phase 2 details
crypto map VPN 2699 ipsec-isakmp
set peer 1.1.1.1
set pfs group2
set transform-set AES-256
set security-association lifetime seconds 3600
match address 2699
## nat definitions
ip nat inside source static 10.231.70.250 192.168.209.17 route-map R1 reversible
ip nat inside source static 10.231.10.1 192.168.209.18 route-map R1 reversible
ip nat inside source static 10.231.10.10 192.168.209.19 route-map R1 reversible
================================================
Phase 1 appears to complete without issue; however, at phase two it fails with "Fail to allocate ip address" (full debug attached). Everything I've read suggests that this issue relates to client-based VPN, where the Cisco router cannot assign other related attributes to the requesting client (DNS server etc.), but obviously that isn't relevant in this case. Can anyone shed any light on why the router might think it's a client connection and how to stop it?
While I'm troubleshooting this issue currently with a Check Point VPN we've noticed the issue appear on other VPNs (to Cisco 880 routers), and the problem seems to solve itself (which obviously doesn't help in finding the cause of the problem!).
05-03-2012 03:49 AM
I've done IPSec between Checkpoint and Cisco IOS many times without any issues; however, in many of my configurations, the IOS is always 12.4(24)T or lower. I've never used IOS 15.x for IPSec site-2-site vpn before so this may be either "new" or a "bug". I would suggest you try the following if it is allowed in IOS 15.x:
crypto isakmp key ............... address 1.1.1.1 no-xauth no-config-mode
05-03-2012 05:47 AM
Thanks, unfortunately the "no-config-mode" doesn't seem to have survived in the new IOS version.
As you say, this isn't something I would usually expect to have issues with. My only slight concern is that I've done something wrong with the NAT, but it seems to be OK (and "show ip nat trans" shows the correct inside local/global mappings).
EDIT: Looks like you might be on the right track with that though, I'll have to find what the equivalent is in IOS 15.
05-04-2012 03:45 AM
I've fixed some issues with the route map configuration (this is part of a larger project, all others are working), so at least I'm now comfortable with the NAT.
Would definitely appreciate it if someone could shine a light on how to replicate the functionality of no-config-mode in IOS15.
05-16-2012 03:28 AM
In case anyone is interested, I found the cause of this problem. The engineer that built the client VPN configuration for this device configured it to initiate ip client configuration as well as respond.
Removed the "crypto map mapname client configuration initiate" line from the config and it works.
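The root cause above is a crypto map that carries a static site-to-site entry while also having mode-config "initiate" enabled, so the router tries to push a client address to the static peer. The following audit script is an added example, not the poster's configuration or anything from Cisco: it scans a running-config for that combination. The sample config is constructed to mirror the thread, and it assumes the full IOS form of the command is `crypto map <name> client configuration address initiate`.

```python
import re
from collections import defaultdict

# Constructed sample running-config modelled on the thread: crypto map VPN
# has a static site-to-site entry (seq 2699) and also initiates mode-config,
# which is the line the poster removed. Map OTHER only responds, so it is fine.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto ipsec transform-set AES-256 esp-aes 256 esp-sha-hmac
crypto map VPN client configuration address respond
crypto map VPN client configuration address initiate
crypto map VPN 10 ipsec-isakmp dynamic DYNMAP
crypto map VPN 2699 ipsec-isakmp
 set peer 1.1.1.1
 set pfs group2
 set transform-set AES-256
 match address 2699
crypto map OTHER client configuration address respond
crypto map OTHER 10 ipsec-isakmp dynamic DYNMAP2
"""

# Static entries have a sequence number and no "dynamic <template>" suffix.
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
MODECFG_RE = re.compile(r"^crypto map (\S+) client configuration address (initiate|respond)$")

def audit_crypto_maps(config_text):
    """Return {map_name: reason} for crypto maps that initiate mode-config
    while also carrying at least one static (non-dynamic) ipsec-isakmp entry."""
    static_seqs = defaultdict(list)
    initiates = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        m = MAP_RE.match(line)
        if m:
            name, seq, dyn = m.groups()
            if dyn is None:
                static_seqs[name].append(int(seq))
            continue
        m = MODECFG_RE.match(line)
        if m and m.group(2) == "initiate":
            initiates.add(m.group(1))
    findings = {}
    for name in sorted(initiates):
        if static_seqs.get(name):
            findings[name] = ("client configuration address initiate is set, but static "
                              "site-to-site entries exist: seq %s" % static_seqs[name])
    return findings

if __name__ == "__main__":
    for name, reason in audit_crypto_maps(SAMPLE_CONFIG).items():
        print(f"crypto map {name}: {reason}")
```

Run it against `show running-config` output saved to a file; any map it reports is a candidate for the same "Fail to allocate ip address" phase 2 failure seen in this thread.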