DAVID FRAGIACOMO
Beginner

VPN between PIX 515 Version 6.3(3) and CheckPoint NGX R70.10

I'm trying to set up a simple VPN between a PIX 515 running version 6.3(3) and a Checkpoint running NGX R70.10 and I'm unable to get the tunnel created fully.

What makes it puzzling is that the ACL defining the interesting traffic on the PIX side (which is always the inbound side of the traffic) is registering hits on its rule, "access-list 130 line 1 permit ip host B.B.B.B D.D.D.0 255.255.255.0 (hitcnt=54)", but the D.D.D.0 address isn't showing up in the debug output below.

Turning the PIX VPN debugging on ("debug crypto ipsec" and "debug crypto isakmp"), I'm receiving the following output, which results in an error and which also appears to have an unexpected IP network (10.27.0.0) being displayed. As displayed below, nowhere is the "D.D.D.0" address showing up.

I know this may be confusing to read, but I tried to hide the IP addresses by replacing them with letters. Any assistance is appreciated.

crypto_isakmp_process_block:src:A.A.A.A, dest:B.B.B.A spt:500 dpt:500

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 649100472

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_AES

ISAKMP:   attributes in transform:

ISAKMP:     SA life type in seconds

ISAKMP:     SA life duration (VPI) of 0x0 0x0 0xe 0x10

ISAKMP:     authenticator is HMAC-SHA

ISAKMP:     encaps is 1

ISAKMP:     key length is 256

ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= B.B.B.A, src= A.A.A.A,

   dest_proxy= B.B.B.B/255.255.255.255/0/0 (type=1),

   src_proxy= C.C.0.0/255.255.0.0/0/0 (type=4),

   protocol= ESP, transform= esp-aes-256 esp-sha-hmac ,

   lifedur= 0s and 0kb,

   spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x4

IPSEC(validate_transform_proposal): proxy identities not supported

IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= B.B.B.A, src= A.A.A.A,

   dest_proxy= C.C.0.0/255.255.0.0/0/0 (type=4),

   src_proxy= B.B.B.B/255.255.255.255/0/0 (type=1),

   protocol= ESP, transform= esp-aes-256 esp-sha-hmac ,

   lifedur= 0s and 0kb,

   spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x4

IPSEC(validate_transform_proposal): proxy identities not supported

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_AES

ISAKMP:   attributes in transform:

ISAKMP:     SA life type in seconds

ISAKMP:     SA life duration (VPI) of 0x0 0x0 0xe 0x10

ISAKMP:     authenticator is HMAC-SHA

ISAKMP:     encaps is 1

ISAKMP:     key length is 256

ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= B.B.B.A, src= A.A.A.A,

   dest_proxy= B.B.B.B/255.255.255.255/0/0 (type=1),

   src_proxy= C.C.0.0/255.255.0.0/0/0 (type=4),

   protocol= ESP, transform= esp-aes-256 esp-sha-hmac ,

   lifedur= 0s and 0kb,

   spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x4

IPSEC(validate_transform_proposal): proxy identities not supported

IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= B.B.B.A, src= A.A.A.A,

   dest_proxy= C.C.0.0/255.255.0.0/0/0 (type=4),

   src_proxy= B.B.B.B/255.255.255.255/0/0 (type=1),

   protocol= ESP, transform= esp-aes-256 esp-sha-hmac ,

   lifedur= 0s and 0kb,

   spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x4
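
On PIX, "proxy identities not supported" is logged when the proxy identities proposed by the peer do not match an entry in the local crypto ACL. The following is an added example, not part of the original post: a Python check that extracts the dest_proxy/src_proxy pairs from debug output in the format above and compares them with a crypto ACL line. All addresses are constructed stand-ins for the post's lettered placeholders, the function names are hypothetical, and the sample assumes the ACL network lies inside the network the peer proposes.

```python
import ipaddress
import re

# Constructed sample in the format of the debug output above; all addresses
# are made-up stand-ins for the post's lettered placeholders.
SAMPLE_DEBUG = """\
(key eng. msg.) dest= 203.0.113.1, src= 198.51.100.1,
   dest_proxy= 192.0.2.10/255.255.255.255/0/0 (type=1),
   src_proxy= 10.27.0.0/255.255.0.0/0/0 (type=4),
IPSEC(validate_transform_proposal): proxy identities not supported
(key eng. msg.) dest= 203.0.113.1, src= 198.51.100.1,
   dest_proxy= 10.27.0.0/255.255.0.0/0/0 (type=4),
   src_proxy= 192.0.2.10/255.255.255.255/0/0 (type=1),
"""
# Constructed ACL line; assumes the ACL network lies inside the proposed one.
SAMPLE_ACL = "access-list 130 line 1 permit ip host 192.0.2.10 10.27.5.0 255.255.255.0 (hitcnt=54)"

_NET = r"=\s*([\d.]+)/([\d.]+)/\d+/\d+"
PAIR_RE = re.compile("dest_proxy" + _NET + r".*?src_proxy" + _NET, re.S)

def parse_proposals(debug_text):
    """Return the unique (dest_proxy, src_proxy) network pairs, in log order."""
    pairs = [(ipaddress.ip_network(f"{da}/{dm}"), ipaddress.ip_network(f"{sa}/{sm}"))
             for da, dm, sa, sm in PAIR_RE.findall(debug_text)]
    return list(dict.fromkeys(pairs))

def parse_acl(line):
    """Parse 'permit ip <src> <dst>'; each side is 'host A' or 'A MASK'."""
    tokens = line.split("permit ip", 1)[1].split()
    nets = []
    while len(nets) < 2:
        mask = "255.255.255.255" if tokens[0] == "host" else tokens[1]
        addr = tokens[1] if tokens[0] == "host" else tokens[0]
        nets.append(ipaddress.ip_network(f"{addr}/{mask}"))
        tokens = tokens[2:]
    return tuple(nets)

def classify(proposal, acl):
    """Compare one proposed pair, in either orientation, with the ACL (local, remote)."""
    local, remote = acl
    for mine, theirs in (proposal, proposal[::-1]):
        if mine == local:
            if theirs == remote:
                return "match"
            return "supernet" if remote.subnet_of(theirs) else "different-network"
    return "local-mismatch"

def check(debug_text, acl_line):
    """Return one verdict per unique proposal found in the debug text."""
    acl = parse_acl(acl_line)
    return [classify(p, acl) for p in parse_proposals(debug_text)]
```

A "supernet" or "different-network" verdict means the two gateways disagree on the encryption domain, so the crypto ACL and the peer's configured network for this tunnel need to be brought into agreement.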
