VPN Problem between Cisco and Check Point

fjmendonca
Level 1

Guys,

I am having problems establishing a site-to-site VPN tunnel between a Cisco 3660 router and a Check Point NG AI R55 firewall.

At Site A there is an environment with one Cisco 3660 router using the following configuration:

crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
!
crypto isakmp key [removed] address 172.17.10.111
!
crypto ipsec transform-set serasa esp-des esp-md5-hmac
!
crypto map serasa 1 ipsec-isakmp
 set peer 172.17.10.111
 set transform-set serasa
 match address 101
!
interface Serial5/4
 bandwidth 64
 ip address 192.168.163.6 255.255.255.252
 no ip unreachables
 no cdp enable
 crypto map serasa
!
ip route 10.12.0.155 255.255.255.255 192.168.163.5
ip route 172.17.10.111 255.255.255.255 192.168.163.5
ip route 172.17.10.155 255.255.255.255 192.168.163.5
!
access-list 101 permit tcp host 172.248.7.200 10.12.0.0 0.0.255.255 eq 3315

At Site B we have a Nokia high-availability environment using VRRP.

The IP address configured as the cluster address on the Check Point is 172.17.10.111.

We have already verified all the phase 1 and phase 2 settings and they are OK, but the VPN does not establish.

The following messages appear on the router and the firewall:

ROUTER

Jun 15 10:39:24 Orbital: ISAKMP (0:252): Checking IPSec proposal 1
Jun 15 10:39:24 Orbital: ISAKMP: transform 1, ESP_DES
Jun 15 10:39:24 Orbital: ISAKMP: attributes in transform:
Jun 15 10:39:24 Orbital: ISAKMP: encaps is 1
Jun 15 10:39:24 Orbital: ISAKMP: SA life type in seconds
Jun 15 10:39:24 Orbital: ISAKMP: SA life duration (basic) of 3600
Jun 15 10:39:24 Orbital: ISAKMP: SA life type in kilobytes
Jun 15 10:39:24 Orbital: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Jun 15 10:39:24 Orbital: ISAKMP: authenticator is HMAC-MD5
Jun 15 10:39:24 Orbital: ISAKMP (0:252): atts are acceptable.
Jun 15 10:39:24 Orbital: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.163.6, remote= 172.17.10.111,
    local_proxy= 172.248.7.200/255.255.255.255/0/0 (type=1),
    remote_proxy= 10.12.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Jun 15 10:39:24 Orbital: IPSEC(kei_proxy): head = serasa, map->ivrf = , kei->ivrf =
Jun 15 10:39:24 Orbital: IPSEC(validate_transform_proposal): proxy identities not supported
Jun 15 10:39:24 Orbital: ISAKMP (0:252): IPSec policy invalidated proposal
Jun 15 10:39:24 Orbital: ISAKMP (0:252): phase 2 SA policy not acceptable! (local 192.168.163.6 remote 172.17.10.111)
Jun 15 10:39:24 Orbital: ISAKMP: set new node 2114856837 to QM_IDLE
Jun 15 10:39:24 Orbital: ISAKMP (0:252): sending packet to 200.245.207.111 my_port 500 peer_port 500 (I) QM_IDLE
Jun 15 10:39:24 Orbital: ISAKMP (0:252): purging node 2114856837
Jun 15 10:39:24 Orbital: ISAKMP (0:252): Unknown Input for node -528822595: state = IKE_QM_I_QM1, major = 0x00000001, minor = 0x0000000C
Jun 15 10:39:24 Orbital: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 172.17.10.111

FIREWALL

IKE: Main Mode Received Notification from Peer: Initial Contact
IKE: Main Mode completion.
IKE: Quick Mode Received Notification from Peer: no proposal chosen
IKE: Quick Mode Received Notification from Peer: no proposal chosen
IKE: Informational Exchange Received Delete IKE-SA from Peer:

Does anybody have an idea what the problem could be?

Thank you for your help.

Fabiano Mendonca


sachinraja
Level 9

Hello Fabiano,

I can see the error "proxy identities not supported" on your router. This basically happens because of a mismatch in the interesting-traffic parameters on the two ends. Your router has the crypto ACL

access-list 101 permit tcp host 172.248.7.200 10.12.0.0 0.0.255.255 eq 3315

Make sure the other end has exactly the reversed ACL for crypto; otherwise make the necessary changes. Why can't you try with "permit ip host 172.248.7.200 10.12.0.0 0.0.255.255" on your crypto ACL?

Do let us know if it works out.

Raj
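The mismatch Raj describes can be checked mechanically. The router's debug output in the original post shows the peer's proposed proxy identities (traffic selectors) in IOS "address/mask/protocol/port" form, with protocol and port both 0 (any), while a crypto ACE with "tcp ... eq 3315" yields proxy identities with protocol 6 and port 3315. The script below, an added example that is not part of this thread, parses a crypto ACE and an IOS "IPSEC(validate_proposal_request)" snippet (constructed here from the lines quoted above) and reports whether each proposed selector falls within what the ACE allows. It models the check as "the peer's identity must be covered by the ACE on address, protocol and port"; the safe configuration remains exact mirror-image selectors on both sides. Only "host", "any", network/wildcard addresses and "eq" port qualifiers are handled, and all function names are this example's own.

```python
"""
Compare IKEv1 Quick Mode proxy identities proposed by a peer (as printed by
IOS 'debug crypto ipsec') against the proxy identities a Cisco crypto ACL
entry produces. Added example; not code from the thread or from Cisco.
"""
import ipaddress
import re
from dataclasses import dataclass

# IOS ACL protocol keyword -> IP protocol number used in the proxy identity.
# 0 means "any", which is what a 'permit ip' entry produces.
PROTO_NUMBERS = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}


@dataclass(frozen=True)
class ProxyId:
    network: ipaddress.IPv4Network
    protocol: int  # 0 = any
    port: int      # 0 = any

    def __str__(self):
        # Same layout IOS prints: addr/mask/protocol/port
        return f"{self.network.network_address}/{self.network.netmask}/{self.protocol}/{self.port}"


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'net wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    # An IOS wildcard mask is the bitwise inverse of a netmask.
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{tok}/{netmask}", strict=False)


def _parse_port(tokens):
    """Consume an optional 'eq N' qualifier; other operators are not modelled."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return 0


def acl_to_proxy_ids(ace):
    """Turn one 'access-list N permit ...' entry into (local, remote) proxy IDs."""
    tokens = ace.split()
    if tokens[0] != "access-list" or tokens[2] != "permit":
        raise ValueError("only 'access-list N permit ...' entries define interesting traffic")
    proto = PROTO_NUMBERS[tokens[3]]
    rest = tokens[4:]
    src, sport = _parse_addr(rest), _parse_port(rest)
    dst, dport = _parse_addr(rest), _parse_port(rest)
    return ProxyId(src, proto, sport), ProxyId(dst, proto, dport)


# Matches 'local_proxy= A/M/P/Q' and 'remote_proxy= A/M/P/Q' in IOS debug output.
DEBUG_RE = re.compile(
    r"(?P<role>local|remote)_proxy= (?P<addr>[\d.]+)/(?P<mask>[\d.]+)/(?P<proto>\d+)/(?P<port>\d+)"
)


def debug_to_proxy_ids(debug_text):
    """Extract the peer-proposed (local, remote) proxy IDs from a debug snippet."""
    found = {}
    for m in DEBUG_RE.finditer(debug_text):
        net = ipaddress.IPv4Network(f"{m['addr']}/{m['mask']}", strict=False)
        found[m["role"]] = ProxyId(net, int(m["proto"]), int(m["port"]))
    return found["local"], found["remote"]


def covers(acl_side, peer_side):
    """True if the peer's selector falls within what the ACE allows on that side."""
    if not peer_side.network.subnet_of(acl_side.network):
        return False
    if acl_side.protocol != 0 and acl_side.protocol != peer_side.protocol:
        return False  # ACE narrows the protocol; peer offered 'any' or another one
    if acl_side.port != 0 and acl_side.port != peer_side.port:
        return False  # ACE narrows the port; peer offered 'any' or another one
    return True


def proposal_acceptable(ace, debug_text):
    """Return (ok, problems): ok is False if any side's proxy identity mismatches."""
    acl_local, acl_remote = acl_to_proxy_ids(ace)
    peer_local, peer_remote = debug_to_proxy_ids(debug_text)
    problems = [
        f"{side} proxy mismatch: ACL {mine} vs peer {theirs}"
        for side, mine, theirs in (("local", acl_local, peer_local),
                                   ("remote", acl_remote, peer_remote))
        if not covers(mine, theirs)
    ]
    return not problems, problems


# Constructed from the router debug quoted in the original post.
DEBUG_SNIPPET = """\
(key eng. msg.) INBOUND local= 192.168.163.6, remote= 172.17.10.111,
    local_proxy= 172.248.7.200/255.255.255.255/0/0 (type=1),
    remote_proxy= 10.12.0.0/255.255.0.0/0/0 (type=4),
"""
ORIGINAL_ACE = "access-list 101 permit tcp host 172.248.7.200 10.12.0.0 0.0.255.255 eq 3315"
FIXED_ACE = "access-list 101 permit ip host 172.248.7.200 10.12.0.0 0.0.255.255"

if __name__ == "__main__":
    for ace in (ORIGINAL_ACE, FIXED_ACE):
        ok, problems = proposal_acceptable(ace, DEBUG_SNIPPET)
        print(f"{ace}\n  -> {'accept' if ok else 'reject'} {problems}")
```

Run against the thread's own data, the original ACE is rejected on both sides (protocol 6 versus the peer's 0), and the "permit ip" form is accepted, which is the same outcome the router reported once the ACL was changed. If a port restriction is really needed on the Check Point side, it has to be expressed identically in both peers' selectors or enforced in a separate firewall rule rather than in the crypto ACL.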

Hello Raj,

I removed "eq 3315" and changed the access-list to:

access-list 101 permit ip host 172.248.7.200 10.12.0.0 0.0.255.255

Then the VPN worked.

Thank you very much.

Fabiano

cool. pls mark the case as solved which might help for others.. rate replies if found useful..

Raj