08-25-2006 06:44 AM - edited 02-21-2020 02:35 PM
I did this config on Cisco; I'm trying to establish a VPN with Checkpoint.
The tunnel is OK, but I don't get the traffic returned. I see that packets arrive on my router, but apparently they are not returning to the source (198.x and 157.x).
Any ideas?
Regards,
Everton
Look at the config:
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key vpn address 198.87.xx.xx
crypto isakmp key vpn address 157.238.xx.xx
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
crypto map vpn 2 ipsec-isakmp
set peer 198.87.49.254
set peer 157.x.x.130
set transform-set veraz
match address 117
sh ip access-lists
Extended IP access list 117
permit ip host 208.48.xx.xx 198.87.xx.xx 0.0.0.31 (22 matches)
permit ip host 208.48.xx.xx 157.238.xx.xx 0.0.0.31
permit gre host 208.48.xx.xx host 198.87.xx.xx
permit gre host 208.48.xx.xx host 157.238.xx.xx
permit gre host 208.48.xx.xx host 157.238.xx.xx
permit gre host 208.48.xx.xx host 198.87.xx.xx
permit udp host 208.48.xx.xx host 198.87.xx.xx eq isakmp (13 matches)
permit udp host 208.48.xx.xx host 157.238.xx.xx eq isakmp (13 matches)
permit udp host 208.48.xx.xx host 157.238.xx.xx eq isakmp (196 matches)
permit udp host 208.48.xx.xx host 198.87.xx.xx eq isakmp (208 matches)
permit tcp host 208.48.xx.xx host 198.87.xx.xx eq 500
permit tcp host 208.48.xx.xx host 157.238.xx.xx eq 500
permit tcp host 208.48.xx.xx host 157.238.xx.xx eq 500
permit tcp host 208.48.xx.xx host 198.87.xx.xx eq 500
permit ip 10.90.0.0 0.0.0.255 host 198.87.xx.xx
permit ip 10.90.1.0 0.0.0.255 host 198.87.xx.xx
permit ip 10.90.2.0 0.0.0.31 host 198.87.xx.xx (8 matches)
permit ip 10.90.2.32 0.0.0.31 host 198.87.xx.xx
permit ip 10.90.2.64 0.0.0.31 host 198.87.xx.xx
permit ip 10.90.3.0 0.0.0.31 host 198.87.xx.xx
permit ip 10.90.3.32 0.0.0.31 host 198.87.xx.xx
permit ip 10.90.3.64 0.0.0.31 host 198.87.xx.xx
permit ip 10.90.0.0 0.0.0.255 host 157.238.xx.xx
permit ip 10.90.1.0 0.0.0.255 host 157.238.xx.xx
permit ip 10.90.2.0 0.0.0.31 host 157.238.xx.xx
permit ip 10.90.2.32 0.0.0.31 host 157.238.xx.xx
permit ip 10.90.2.64 0.0.0.31 host 157.238.xx.xx
permit ip 10.90.3.0 0.0.0.31 host 157.238.xx.xx
permit ip 10.90.3.32 0.0.0.31 host 157.238.xx.xx
permit ip 10.90.3.64 0.0.0.31 host 157.238.xx.xx
permit ip 10.90.0.0 0.0.0.255 198.87.xx.xx 0.0.0.31
permit ip 10.90.1.0 0.0.0.255 198.87.xx.xx 0.0.0.31
permit ip 10.90.2.0 0.0.0.31 198.87.xx.xx 0.0.0.31 (87 matches)
permit ip 10.90.2.32 0.0.0.31 198.87.xx.xx 0.0.0.31
permit ip 10.90.2.64 0.0.0.31 198.87.xx.xx 0.0.0.31
permit ip 10.90.3.0 0.0.0.31 198.87.4xx.xx 0.0.0.31
permit ip 10.90.3.32 0.0.0.31 198.87.xx.xx 0.0.0.31
permit ip 10.90.0.0 0.0.0.255 157.238.xx.xx 0.0.0.31
permit ip 10.90.1.0 0.0.0.255 157.238.xx.xx 0.0.0.31
permit ip 10.90.2.0 0.0.0.31 157.238.xx.xx 0.0.0.31 (27 matches)
permit ip 10.90.2.32 0.0.0.31 157.238.xx.xx 0.0.0.31
permit ip 10.90.2.64 0.0.0.31 157.238.xx.xx 0.0.0.31
permit ip 10.90.3.0 0.0.0.31 157.238.xx.xx 0.0.0.31
permit ip 10.90.3.0 0.0.0.255 157.238.xx.xx 0.0.0.31
#sh crypto isakmp sa
dst             src             state         conn-id  slot
157.238.xx.xx   208.48.xx.xx    MM_NO_STATE   36       0 (deleted)
208.48.xx.xx    157.238.xx.xx   QM_IDLE       2        0
198.87.xx.xx    208.48.xx.xx    MM_KEY_EXCH   37       0
208.48.xx.xx    198.87.xx.xx    QM_IDLE       1        0
08-25-2006 10:09 AM
Try 'show crypto ipsec sa'. That should give you the counters for packets encrypted / decrypted.
08-25-2006 11:13 AM
No, I don't see anything, only 0 pkts.
But in "sh crypto eng conn ac" I see the pkts:
ID Interface IP-Address State
2001 FastEthernet5/0 208.48.xx.xx set
Algorithm Encrypt Decrypt
HMAC_SHA+3DES_56_C 9 0
08-25-2006 03:13 PM
In "show crypto isakmp sa" a healthy state is QM_IDLE, indicating that phase1 has negotiated successfully.
For your two Check Point peers (198.87.x.254 & 157.x.185.130) you do not have this, so you have a phase1 problem.
Check that the isakmp policy and pre-shared keys match.
"debug cry isa" may help.
08-26-2006 11:49 AM
Yes Grant, I talked with the guy from CP and he told me that the tunnel is OK... but we don't see any traffic. On Cisco I see the encrypt process and the guy on CP sees it too, but I can't ping any host on the CP side and the CP side can't ping any host on my side.
I think that this is a routing problem or firewall rules. I tried putting a route to the CP side with next hop = CP IP, but nothing happens either.
I don't know what more to do.
Thanks all.
08-27-2006 06:10 PM
Hi. I am not sure if it was a typo, but your config applies transform-set 'veraz' to the crypto map; however, you are defining transform-set 'vpn' in the config.
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
crypto map vpn 2 ipsec-isakmp
set peer 198.87.49.254
set peer 157.238.185.130
set transform-set veraz
match address 117
I hope it helps. Please rate it if it does!!!
08-27-2006 07:51 PM
Thanks Fernando, but the error is not this. In my config the transform-set is the same.
Thanks again...
09-04-2006 11:04 PM
Did you try something like this?
crypto map vpn local-address "your interface"
crypto map vpn 1 ipsec-isakmp
set peer 198.87.49.254
set transform-set veraz
match address X
crypto map vpn 2 ipsec-isakmp
set peer 157.238.185.130
set transform-set veraz
match address Y
But this is the configuration for 2 tunnel connections. Do you only need 1 tunnel between 2 routers? If so, why did you set 2 peers on your Cisco (assuming that this Cisco is one of the tunnel endings..)? I am not sure I understand exactly what you want... maybe if you attach some .jpg diagram it will be clearer... :)
09-05-2006 12:50 AM
To go back to my earlier posting, if "show cry isakmp sa" does not show QM_IDLE for the CheckPoint peers, then you have a phase1 problem.
It is easier to debug on a Cisco than a CheckPoint so I would trust what you see and not what you are told.
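Two of the checks suggested in this thread (Fernando's transform-set name mismatch and Grant's "is every peer in QM_IDLE" reading of "show crypto isakmp sa") can be scripted against captured router output. The following is an added example, not from the thread; the show output and crypto config it parses are constructed samples using RFC 5737 documentation addresses, with the local endpoint assumed to be 192.0.2.1.

```python
import re

# Constructed sample of "show crypto isakmp sa" output in the layout the
# thread shows (RFC 5737 documentation addresses, not the poster's).
ISAKMP_SA = """\
dst             src             state        conn-id slot
203.0.113.2     192.0.2.1       MM_NO_STATE  36      0 (deleted)
192.0.2.1       203.0.113.2     QM_IDLE      2       0
198.51.100.254  192.0.2.1       MM_KEY_EXCH  37      0
"""

# Constructed crypto config reproducing the name mismatch raised in the
# thread: the map references 'veraz' but only 'vpn' is defined.
CRYPTO_CFG = """\
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
crypto map vpn 2 ipsec-isakmp
 set peer 198.51.100.254
 set peer 203.0.113.2
 set transform-set veraz
 match address 117
"""

SA_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)(.*)$")

def phase1_states(show_output, local_ip):
    """Map each remote peer to the states of its live (non-deleted) SAs.
    local_ip is this router's crypto endpoint; a peer that only has
    deleted SAs ends up with an empty set."""
    states = {}
    for line in show_output.splitlines()[1:]:          # skip header row
        m = SA_LINE.match(line.strip())
        if not m:
            continue
        dst, src, state, flags = m.group(1), m.group(2), m.group(3), m.group(6)
        peer = src if dst == local_ip else dst
        live = states.setdefault(peer, set())
        if "deleted" not in flags:
            live.add(state)
    return states

def phase1_problems(show_output, local_ip):
    """Peers with no QM_IDLE SA: phase 1 has not completed with them."""
    return sorted(p for p, s in phase1_states(show_output, local_ip).items()
                  if "QM_IDLE" not in s)

def unresolved_transform_sets(config):
    """Transform-set names referenced by crypto maps but never defined."""
    defined = set(re.findall(r"^crypto ipsec transform-set (\S+)", config, re.M))
    used = set(re.findall(r"^\s*set transform-set (\S+)", config, re.M))
    return sorted(used - defined)

if __name__ == "__main__":
    print("phase 1 problems:", phase1_problems(ISAKMP_SA, "192.0.2.1"))
    print("undefined transform-sets:", unresolved_transform_sets(CRYPTO_CFG))
```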