07-02-2002 11:17 AM - edited 02-21-2020 11:51 AM
I need to configure a PIX to create a VPN tunnel to a Checkpoint firewall. I have configured the PIX, and when I ping from an inside host on the PIX to a host on the DMZ of the CP FW I get MM_NO_STATE when I issue the cmd sh isakmp sa. PIX appears to initiate the VPN tunnel. Any advice?
07-02-2002 11:17 AM
Need to turn on debug crypto ipsec/isakmp/engine.
Also try the PIX TSA at:
http://te.cisco.com/SRVS/CGI-BIN/WEBCGI.EXE?New,KB=PIX,dtree=stepbystep
07-03-2002 07:57 AM
I agree we need these debugs
debug crypto isakmp
debug crypto ipsec
Pay attention to lifetimes (IKE & SA)
Configure the Checkpoint to be in "Main mode" and not in "Aggressive mode"
Do not enter on the Cisco side "crypto isakmp keepalive xx"
And pay attention: the Checkpoint 'aggregates' hosts with subnets (like 255.255.255.254 to include 2 hosts)
The debug will be your best friend
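The subnet-aggregation point in the reply above, as an added example that is not part of the original posts: a Python check that compares PIX crypto ACL destinations against what the peer would propose after aggregating its hosts. It assumes the aggregation behaves like plain CIDR collapsing; the function names are hypothetical and the addresses are constructed documentation-range values.

```python
import ipaddress

def aggregate(peer_hosts):
    """Collapse adjacent hosts/subnets into the largest covering networks.
    Assumption: this models how the peer merges neighbouring hosts."""
    nets = [ipaddress.ip_network(h) for h in peer_hosts]
    return list(ipaddress.collapse_addresses(nets))

def pix_form(net):
    """Render a network as 'address netmask', the form used in PIX ACLs."""
    return f"{net.network_address} {net.netmask}"

def check_acl(acl_dests, peer_hosts):
    """Compare crypto ACL destinations with the peer's aggregated proposals.
    Returns (missing, stale):
      missing = networks the peer would propose that the ACL does not list
      stale   = ACL entries the peer would never propose as written"""
    proposed = set(aggregate(peer_hosts))
    acl = {ipaddress.ip_network(d) for d in acl_dests}
    missing = [pix_form(n) for n in sorted(proposed - acl)]
    stale = [pix_form(n) for n in sorted(acl - proposed)]
    return missing, stale

# Constructed sample: hosts behind the peer (its encryption domain).
PEER_HOSTS = ["192.0.2.10", "192.0.2.11", "192.0.2.20"]

# Constructed sample: destinations in the PIX crypto ACL, one per host.
PIX_ACL = [
    "192.0.2.10/255.255.255.255",
    "192.0.2.11/255.255.255.255",
    "192.0.2.20/255.255.255.255",
]

if __name__ == "__main__":
    missing, stale = check_acl(PIX_ACL, PEER_HOSTS)
    for m in missing:
        print("peer would propose, ACL lacks:", m)
    for s in stale:
        print("ACL entry peer would not propose:", s)
```

Two adjacent hosts collapse into one 255.255.255.254 network, so host-by-host ACL entries on the PIX no longer mirror the proxy identities the peer offers in phase 2.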