Checkpoint R56 <> PIX VPN

Status
Not open for further replies.

rickrude11

IS-IT--Management
Jul 15, 2007
71
NZ
Hi guys,
I have set up a number of VPNs, to various companies, including some to other PIX devices, but this one has me stumped.

The other end can establish a tunnel by pinging me or whatever, but I can't establish the tunnel at all. There is an error in my log that says "Packet is dropped because there is no valid SA". Once he pings me and the tunnel is established, communication is all go in both directions.

Any 2 cents appreciated.

 
It means that the access-lists for interesting traffic don't match on each end.
 
Thanks for the quick response. I will investigate how to specify interesting traffic on the Checkpoint box. As far as I was aware, any traffic destined to the other end is considered interesting.

 
Yes that would be true, and both sides of the tunnel have to have mirrored configuration.
 
Mirrored configuration such as encryption types etc., yes, but are you saying that interesting traffic access-lists have to match?
 
Yes they do, or you will get errors such as unknown security association as you have seen.
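
The mirrored "interesting traffic" requirement discussed in this thread, as an added example that is not part of the original posts: a small checker that parses PIX `access-list ... permit ip` lines and compares them with the network pairs defined on the peer. The addresses, the ACL name `VPN`, and the function names are constructed for illustration, and the peer's networks are assumed to have been transcribed by hand as (local, remote) CIDR pairs.

```python
import ipaddress

def parse_pix_acl(lines):
    """Return {(source, destination)} from PIX lines of the form
    'access-list NAME permit ip SRC MASK DST MASK'."""
    pairs = set()
    for line in lines:
        tok = line.split()
        if len(tok) != 8 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
            continue  # this sketch handles only the network/mask form
        src = ipaddress.ip_network(f"{tok[4]}/{tok[5]}")
        dst = ipaddress.ip_network(f"{tok[6]}/{tok[7]}")
        pairs.add((src, dst))
    return pairs

def to_pairs(cidr_pairs):
    """Convert [('local/len', 'remote/len'), ...] into network objects."""
    return {(ipaddress.ip_network(a), ipaddress.ip_network(b)) for a, b in cidr_pairs}

def mirror_mismatches(pix_pairs, peer_pairs):
    """peer_pairs are (local, remote) as seen from the peer, so a correct
    mirror of a PIX entry (src, dst) is (dst, src) on the peer."""
    expected_on_peer = {(dst, src) for src, dst in pix_pairs}
    return {
        "peer_only": sorted(peer_pairs - expected_on_peer, key=str),
        "pix_only": sorted(expected_on_peer - peer_pairs, key=str),
    }

# Constructed sample: the PIX protects a /16 at the far end,
# while the peer defines only a /24 out of that range.
PIX_ACL = [
    "access-list VPN permit ip 192.168.5.0 255.255.255.0 10.1.0.0 255.255.0.0",
]
PEER_SELECTORS = to_pairs([("10.1.2.0/24", "192.168.5.0/24")])

def check_sample():
    return mirror_mismatches(parse_pix_acl(PIX_ACL), PEER_SELECTORS)

if __name__ == "__main__":
    for side, pairs in check_sample().items():
        for local, remote in pairs:
            print(f"{side}: {local} -> {remote}")
```

Any entry reported under `peer_only` or `pix_only` is a pair that exists on one end without an exact mirror on the other.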
 