
VPN from Cisco 837 to Checkpoint NG

Eamon.Moran (Level 1)

Dear all,

I am trying to build a VPN between a Checkpoint and a Cisco 837, and while I can ping the IP address allocated to the dialer interface of the DSL router (Cisco 837), this router does not raise the VPN or start communication on the ISAKMP port. Am I missing something in the config?

Current configuration : 2982 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname hp-gw
!
enable secret xxxxx
!
username XX password 0 XXXXXXXXXXX
no aaa new-model
ip subnet-zero
ip domain name rwdi.com
ip name-server 159.x.x.6
ip name-server 159.x.x.17
!
ip inspect name lanaccess tcp
ip inspect name lanaccess udp
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
! ISAKMP (phase 1) policy and pre-shared key for the Checkpoint peer
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxx address 193.x.x.97
!
! IPsec (phase 2) proposal
crypto ipsec transform-set galileo esp-3des esp-md5-hmac
!
! Crypto map: ACL 120 selects the traffic to encrypt
crypto map nolan 11 ipsec-isakmp
 set peer 193.120.131.97
 set transform-set galileo
 set pfs group2
 match address 120
!
interface Ethernet0
 description this is the local address of the network.
 ip address 172.16.x.x.x.255.0
 ip access-group 100 in
 ip nat inside
 ip inspect lanaccess in
 no ip route-cache
 ip tcp adjust-mss 1452
 ip policy route-map vpn
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
! PPPoE dialer: NAT outside and the crypto map are applied here
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer remote-name redback
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname hpgalway1
 ppp chap password 0 galway1
 crypto map nolan
!
interface Dialer1
 no ip address
!
! NAT overload via route-map vpn; ACL 130 denies (exempts) the VPN traffic
ip nat inside source route-map vpn interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
no ip http secure-server
!
access-list 100 permit ip 172.x.x.x.0.0.255 any
access-list 100 permit ip 10.10.0.0 0.0.255.255 any
access-list 100 permit icmp any any
access-list 120 permit ip 172.16.1.0 0.0.0.255 x.x.x.0 0.0.0.255
access-list 130 deny   ip 172.16.1.0 0.0.0.255 x.x.x.0 0.0.0.255
access-list 130 permit ip 172.16.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map vpn permit 10
 match ip address 130
!
line con 0
 exec-timeout 120 0
 password XXXXXXXXXXXX
 login local
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 120 0
 password XXXXXXXXXXXX
 login
 length 0
 transport input telnet ssh
!

2 Replies

gfullage (Cisco Employee)

Can't see exactly what IOS version you're running, but try adding the crypto map onto the physical interface as well:

int atm0
 crypto map nolan

Hiya,

Ta for that, but seeing as NAT is also involved, I added the NATted external subnet to access-list 120, which allowed the traffic to be encrypted; I also had to add PFS group 2 to the transform-set. So far, looks good.

ta

mary
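The thread turns on two placement questions that are easy to get wrong on a PPPoE dialer with NAT overload: whether the crypto map is on the interface the traffic actually leaves by (the reply suggests adding it to the physical ATM interface as well as Dialer0), and whether the traffic the crypto ACL selects is kept out of NAT (ACL 130 under route-map vpn denies it, so it reaches the crypto map with its private source address). The following Python script is an added example, not code from the original thread or from Cisco: it parses a sanitised copy of the posted config and runs those two checks, once on the config as posted, once with the reply's fix applied, and once with the NAT exemption removed. The LAN 172.16.1.0/24, the remote subnet 10.20.30.0/24 and the peer 192.0.2.97 are assumed stand-ins for the redacted octets; `host` ACL entries are not handled.

```python
"""Static checks for the crypto-map plus NAT-overload pattern in the thread (added example).

Check 1: the crypto map is on the default-route interface and, for a PPPoE dialer,
also on the physical interface that feeds its dialer pool (the reply's suggestion).
Check 2: every flow the crypto ACL selects is denied, i.e. exempted, in the ACL the
NAT route-map matches, so overload NAT cannot rewrite it before encryption."""

# Constructed, sanitised copy of the posted 837 config. Assumed stand-ins for the
# redacted octets: 172.16.1.0/24 LAN, 10.20.30.0/24 remote, 192.0.2.97 peer.
SAMPLE_CONFIG = """\
crypto map nolan 11 ipsec-isakmp
 set peer 192.0.2.97
 match address 120
interface ATM0
 pvc 8/35
  pppoe-client dial-pool-number 1
interface Dialer0
 ip nat outside
 dialer pool 1
 crypto map nolan
ip nat inside source route-map vpn interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 120 permit ip 172.16.1.0 0.0.0.255 10.20.30.0 0.0.0.255
access-list 130 deny ip 172.16.1.0 0.0.0.255 10.20.30.0 0.0.0.255
access-list 130 permit ip 172.16.1.0 0.0.0.255 any
route-map vpn permit 10
 match ip address 130
"""
# The reply's fix: crypto map on the physical interface as well.
FIXED_CONFIG = SAMPLE_CONFIG.replace("interface ATM0\n", "interface ATM0\n crypto map nolan\n")
# The NAT exemption dropped, to show check 2 firing.
BROKEN_NAT_CONFIG = SAMPLE_CONFIG.replace(
    "access-list 130 deny ip 172.16.1.0 0.0.0.255 10.20.30.0 0.0.0.255\n", "")

def parse_config(text):
    """Map each top-level statement (as a word tuple) to its indented sub-commands."""
    blocks, head = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and head is not None:
            blocks[head].append(raw.split())
        else:
            head = tuple(raw.split())
            blocks[head] = []
    return blocks

def _find(blocks, *prefix):
    """First top-level statement starting with the given words, plus its sub-commands."""
    for head, subs in blocks.items():
        if head[:len(prefix)] == prefix:
            return head, subs
    return None, []

def _acl(blocks, num):
    """Extended ACL entries as (action, (src, wc), (dst, wc)); 'any' expanded, 'host' not handled."""
    out = []
    for head in blocks:
        if head[:2] == ("access-list", num):
            t = " ".join(head[4:]).replace("any", "0.0.0.0 255.255.255.255").split()
            out.append((head[2], (t[0], t[1]), (t[2], t[3])))
    return out

def check_egress_crypto_map(blocks):
    """Check 1: crypto map on the default-route interface and on what feeds its dialer pool."""
    head, _ = _find(blocks, "ip", "route", "0.0.0.0", "0.0.0.0")
    if head is None:
        return ["no default route, cannot locate the egress interface"]
    egress = head[4]
    _, subs = _find(blocks, "interface", egress)
    maps = [s[2] for s in subs if s[:2] == ["crypto", "map"]]
    if not maps:
        return [f"{egress}: no crypto map applied"]
    pools = [s[2] for s in subs if s[:2] == ["dialer", "pool"]]
    findings = []
    for ihead, isubs in blocks.items():
        feeds = ihead[0] == "interface" and any(
            s[:2] == ["pppoe-client", "dial-pool-number"] and s[2] in pools for s in isubs)
        if feeds and not any(s[:2] == ["crypto", "map"] for s in isubs):
            findings.append(f"{ihead[1]}: feeds dialer pool {pools[0]} but has no crypto map {maps[0]}")
    return findings

def check_nat_exemption(blocks):
    """Check 2: each permit in the crypto ACL has a matching deny in the NAT route-map's ACL."""
    head, _ = _find(blocks, "ip", "nat", "inside", "source", "route-map")
    if head is None:
        return []
    _, rsubs = _find(blocks, "route-map", head[5])
    nat_acl = next((s[3] for s in rsubs if s[:3] == ["match", "ip", "address"]), None)
    exempt = {(src, dst) for act, src, dst in _acl(blocks, nat_acl) if act == "deny"}
    findings = []
    for chead, csubs in blocks.items():
        if chead[:2] != ("crypto", "map"):
            continue
        for s in csubs:
            if s[:2] != ["match", "address"]:
                continue
            for act, src, dst in _acl(blocks, s[2]):
                if act == "permit" and (src, dst) not in exempt:
                    findings.append(f"crypto map {chead[2]} {chead[3]}: {src[0]} {src[1]} -> "
                                    f"{dst[0]} {dst[1]} is not exempted from NAT in ACL {nat_acl}")
    return findings

def run_checks(text):
    blocks = parse_config(text)
    return {"egress": check_egress_crypto_map(blocks), "nat": check_nat_exemption(blocks)}

if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("ATM0 fix", FIXED_CONFIG),
                       ("no NAT exemption", BROKEN_NAT_CONFIG)):
        print(label, run_checks(cfg))
```

On the posted config the egress check reports ATM0 feeding dialer pool 1 without the crypto map, and the NAT check passes because ACL 130's deny mirrors ACL 120's permit; dropping that deny is the usual reason a crypto ACL never matches behind NAT overload. The checks are static: on the router itself, `show crypto isakmp sa` and `debug crypto isakmp` show whether phase 1 is even attempted, and `show crypto ipsec sa` shows the encaps/decaps counters once the tunnel is up. One caveat the thread does not raise: 3DES, MD5 and DH group 2 were normal choices for an 837 on IOS 12.3, but a current deployment should use AES, SHA-2 and DH group 14 or higher on both the ISAKMP policy and the transform set.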
