
VPN between Cisco PIX and Checkpoint 4.1


lengoo (IS-IT--Management), Jan 15, 2002
Hey All,
I am having problems setting up a VPN between our Checkpoint 4.1 firewall and another company's Cisco PIX. I have actually done this before, but this time round we're not so lucky: it's not working!
I am actually getting Phase 2, which means the tunnel is up and running. However, when the remote end tries to get into our network, they get an error message...

“encryption failure: error occurred scheme: IKE”

and the packet is dropped.

It's almost like even though the tunnel is up, the packets aren't being encrypted.

I have 2 rules which should do this though:

Source     Destination  Service  Action
internal   external     any      encrypt
external   internal     any      encrypt

I have configured this to work with IKE running DES as the algorithm, MD5 as the integrity check, ESP as the transform, and a pre-shared secret key.

Does anyone have any ideas as to what could be wrong here???

Many thanks
 
Hi!!

If you are getting a phase-2 error on the PIX then you need to check the following:

1. The transform sets
2. The access-list

Make sure the transform set is the same on both the ends.
If you are getting the error:
encryption failure: error occurred scheme: IKE.

Make sure that you have the command isakmp enable outside.

Also you can check this link for more details:


To verify whether the tunnel is established fine, give these commands on the PIX:

To verify phase-1:
sh crypto isakmp sa

Under state it should show QM_IDLE

To verify phase-2
sh crypto ipsec sa

You should be able to see encrypts and decrypts.

Let me know how it goes and mail me if you have any queries.
 
Heya,
Thanks for the reply.. I found out that the remote end got our IP range wrong.. we're on a class B network, they put our details in as a class A.

Thanks for responding.. take care
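The two checks the reply above recommends (matching transform sets, matching access-lists) and the root cause found in the end (the peer typed a class B range as a class A) can be caught before the tunnel is brought up by comparing both sides' definitions. The following is an added example, not code from the thread or from Checkpoint or Cisco; the addresses and the proposal attribute names are constructed for illustration.

```python
"""Added example: compare the two halves of an IKE/IPsec tunnel definition."""
import ipaddress
from typing import Dict, List, Tuple

Pair = Tuple[str, str]  # (local network, remote network) as CIDR strings


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(cidr, strict=False)


def selector_mismatches(ours: List[Pair], peer: List[Pair]) -> List[str]:
    """Every (local, remote) pair we encrypt must appear on the peer as the exact
    mirror (remote, local). Overlap is not enough: an encryption domain entered on
    the peer as a wider or narrower range (a /16 typed as a /8) leaves phase 2 up
    but the peer's selectors unmatched, so traffic is dropped instead of encrypted."""
    mirrored = {(_net(r), _net(l)) for l, r in peer}
    findings = []
    for l, r in ours:
        want = (_net(l), _net(r))
        if want in mirrored:
            continue
        # Report overlapping-but-unequal peer entries: that is the typo to look for.
        near = [f"{ml} <-> {mr}" for ml, mr in mirrored
                if ml.overlaps(want[0]) and mr.overlaps(want[1])]
        hint = f"; peer instead has {', '.join(near)}" if near else ""
        findings.append(f"{l} <-> {r} not mirrored on peer{hint}")
    return findings


def proposal_mismatches(ours: Dict[str, str], peer: Dict[str, str]) -> List[str]:
    """Compare the phase-2 proposal (transform set) attribute by attribute."""
    return [f"{k}: ours={ours.get(k)} peer={peer.get(k)}"
            for k in sorted(set(ours) | set(peer)) if ours.get(k) != peer.get(k)]


# Constructed sample (not the thread's real addresses): the Checkpoint side protects
# a class B (/16) network, and the PIX administrator entered it as a class A (/8).
CHECKPOINT_SELECTORS = [("172.16.0.0/16", "10.20.0.0/16")]
PIX_SELECTORS = [("10.20.0.0/16", "172.0.0.0/8")]
PROPOSAL = {"encryption": "des", "integrity": "md5", "transform": "esp", "auth": "pre-shared"}

if __name__ == "__main__":
    for line in selector_mismatches(CHECKPOINT_SELECTORS, PIX_SELECTORS):
        print("selector:", line)
    for line in proposal_mismatches(PROPOSAL, dict(PROPOSAL)):
        print("proposal:", line)
```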
 