VPN between ASA and Checkpoint

Colin Higgins
Level 2

I have set up a VPN tunnel using pre-shared keys between my ASA5505 and a Checkpoint firewall (another company).

I can initiate the tunnel from my side, but they cannot open it from their side. We get Phase 2 failures.

The other company is saying:

"Your ASA is expecting my CheckPoint to negotiate the phase 2 timeouts in both seconds and kilobytes. Enabling kilobyte timeouts is not something that is currently realistically feasible on my side, so I ask that you disable/turn off kilobyte timeouts on your side"

However, I do not have a kilobyte timeout specified in the security association for the tunnel, only a seconds value.

Is there a hidden default setting I have to turn off? If so, how do I do this?


david.tran
Level 4

Phase 2 failures mean several things:

Encryption domains (interesting traffic) fail to match. Checkpoint tends to supernet networks together, by design.

Phase 2 parameters such as ESP, PFS and seconds timeouts do not match.

Why don't you put in the relevant configuration on the ASA and, if possible, ask the Checkpoint firewall guy to do the following on the firewall:

- output of "uname -a" and "fw ver"

- is this Nokia, Windows or Secureplatform Checkpoint?

- run the following commands on the firewall: "debug ike off", "debug ike trunc" and send you the ike.elg file. That file can be decoded with the IKEView.exe and it will tell you exactly where things are wrong.

Disabling/turning OFF kilobyte timeouts is not the solution.

We used IKEView.exe on the Checkpoint side and discovered what the issue is.

When the Checkpoint tries to establish the tunnel, it does not supply a SA KB timeout value. The ASA 5505 running IOS 8.4 is demanding it. I tried to turn this off with the

no crypto ipsec security-association lifetime kilobytes 4608000

command, but the ASA is still sending the KB timeout (along with the seconds timeout) and demanding it from the other end. Therefore, we cannot complete Phase2.

How can I turn this off or make it optional?
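As an added example (not code from this thread, from Cisco or from Check Point), here is a small Python checker that compares the two sides' Phase 2 (Quick Mode) offers, as you would transcribe them from the ASA debug output or from the decoded ike.elg, and reports the mismatches david.tran lists above (encryption domain supernetting, ESP transform, PFS, seconds lifetime) as well as the case in this follow-up, where the kilobyte lifetime attribute is sent by one side only. The peer names, networks and lifetime values are constructed for the demonstration; the `Phase2Proposal` record and the `diagnose` function are this example's own, not anything the ASA or Checkpoint exposes.

```python
"""Compare two IKEv1 Phase 2 proposals and explain why they would not match.
Added example: all peers, networks and values below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Phase2Proposal:
    """One side's Quick Mode offer, as transcribed from a debug trace."""
    peer: str
    transform: str                  # ESP cipher/integrity, e.g. "esp-aes-256 esp-sha-hmac"
    pfs_group: Optional[int]        # DH group used for PFS, None = no PFS
    life_seconds: Optional[int]     # SA lifetime attribute in seconds
    life_kilobytes: Optional[int]   # SA lifetime attribute in kilobytes, None = not sent
    local_nets: List[str]           # proxy IDs (encryption domain) behind this peer
    remote_nets: List[str]          # proxy IDs this peer expects behind the other side


def _nets(cidrs: List[str]) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def proxy_id_findings(ours: Phase2Proposal, theirs: Phase2Proposal) -> List[Tuple[str, str]]:
    """IKEv1 proxy IDs must match exactly: our local list against the peer's
    remote list and vice versa. A peer subnet that merely contains ours
    (the Checkpoint supernetting case) is reported separately so the cause is obvious."""
    findings = []
    pairs = (("local", ours.local_nets, theirs.remote_nets),
             ("remote", ours.remote_nets, theirs.local_nets))
    for side, our_list, their_list in pairs:
        their_nets = _nets(their_list)
        for net in _nets(our_list):
            if net in their_nets:          # exact network/mask match
                continue
            covering = [t for t in their_nets if net.subnet_of(t)]
            if covering:
                findings.append(("error", f"{side} proxy ID {net} is offered by {theirs.peer} "
                                          f"as the supernet {covering[0]}; exact match required"))
            else:
                findings.append(("error", f"{side} proxy ID {net} has no counterpart on {theirs.peer}"))
    return findings


def parameter_findings(ours: Phase2Proposal, theirs: Phase2Proposal) -> List[Tuple[str, str]]:
    """Transform set and PFS must agree; lifetimes are flagged as warnings,
    including the case where only one side sends the kilobyte attribute."""
    findings = []
    if ours.transform != theirs.transform:
        findings.append(("error", f"transform set differs: {ours.transform} vs {theirs.transform}"))
    if (ours.pfs_group or 0) != (theirs.pfs_group or 0):
        findings.append(("error", f"PFS differs: group {ours.pfs_group} vs {theirs.pfs_group}"))
    if ours.life_seconds != theirs.life_seconds:
        findings.append(("warn", f"lifetime (seconds) differs: {ours.life_seconds} vs {theirs.life_seconds}"))
    ours_kb, theirs_kb = ours.life_kilobytes, theirs.life_kilobytes
    if (ours_kb is None) != (theirs_kb is None):
        sender = ours.peer if ours_kb is not None else theirs.peer
        findings.append(("warn", f"lifetime (kilobytes) attribute is sent by {sender} only"))
    elif ours_kb != theirs_kb:
        findings.append(("warn", f"lifetime (kilobytes) differs: {ours_kb} vs {theirs_kb}"))
    return findings


def diagnose(ours: Phase2Proposal, theirs: Phase2Proposal) -> List[Tuple[str, str]]:
    return proxy_id_findings(ours, theirs) + parameter_findings(ours, theirs)


# Constructed sample: the ASA lists two /24s and sends a kilobyte lifetime;
# the Checkpoint supernets them into one /22, has no PFS and sends no KB lifetime.
ASA = Phase2Proposal("ASA5505", "esp-aes-256 esp-sha-hmac", 2, 28800, 4608000,
                     ["192.0.2.0/24"], ["10.20.1.0/24", "10.20.2.0/24"])
CHECKPOINT = Phase2Proposal("Checkpoint", "esp-aes-256 esp-sha-hmac", None, 28800, None,
                            ["10.20.0.0/22"], ["192.0.2.0/24"])
# The same peer after its encryption domain, PFS and lifetime are aligned with the ASA.
CHECKPOINT_FIXED = Phase2Proposal("Checkpoint", "esp-aes-256 esp-sha-hmac", 2, 28800, 4608000,
                                  ["10.20.1.0/24", "10.20.2.0/24"], ["192.0.2.0/24"])

if __name__ == "__main__":
    for severity, message in diagnose(ASA, CHECKPOINT):
        print(f"[{severity}] {message}")
    print("after fix:", diagnose(ASA, CHECKPOINT_FIXED) or "no mismatches")
```

Run against the constructed sample it reports the two supernetted proxy IDs and the PFS difference as errors and the one-sided kilobyte attribute as a warning; against the aligned proposal it reports nothing. Note that on the ASA the kilobyte lifetime is a global default rather than an optional attribute, so the `no` form of the lifetime command only resets the value to its default and does not stop the attribute being proposed, which matches the behaviour described in this follow-up.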

I have an existing VPN tunnel between PIX 8.0.4 and Checkpoint SPLAT NGX R71.30 running without any issues. I would have tested code 8.4 for you but unfortunately, PIX does not support anything above 8.0.4.

If this is the case, then this must be a "new" feature required in 8.4. 

You have a few options here:

#1:  ask for a fix from Cisco,

#2:  downgrade the code from 8.4 to 8.0.4,

#3:  change the Checkpoint VPN configuration from "simplified mode" to "traditional mode". I've not used traditional mode in years, but it does give you the ability to set the timeout based on the number of bytes.
