
VPN: Checkpoint and Cisco PIX

Status
Not open for further replies.

lengoo

IS-IT--Management
Jan 15, 2002
381
GH
Dear All,
I am having problems setting up a VPN between our Checkpoint 4.1 firewall and another device, a Cisco PIX 515e running 6.2(2) software. I have actually done this before, but this time round we're not so lucky; it's not working!
I am actually getting Phase 2, which means the tunnel is up and running.. however, when the remote end tries to get into our network, they get an error message...

“encryption failure: error occurred scheme: IKE”

and the packet is dropped.

It's almost like even though the tunnel is up, the packets aren't being encrypted.

I have 2 rulesets which should do this though,

Source     Destination   Service   Action
internal   external      any       encrypt
external   internal      any       encrypt

I have configured this to work with IKE running DES as the algorithm, MD5 as the integrity check and ESP as the transform, pre-shared secret key

Does anyone have any ideas as to what could be wrong here???

Many thanks
 
I think there is a Checkpoint bug on this issue. If I remember correctly, the Checkpoint side is not able to initiate the tunnel, but if the tunnel is initiated from the PIX's side everything works great. If that is your case, I think Checkpoint now has a fix available for this bug. Hope this helps!
 
Hi TheMut

I did notice some weird things happening on the firewall, at one point we had 5 VPN tunnels between the sites..

The weird thing is, we have a site in Pakistan and they are using the Cisco PIX and that works ok..
 
Make sure all parameters have the same values on both ends. Clear all the SAs and reinitiate the tunnel from the PIX side. Does the tunnel work fine if it is initiated from the PIX side?
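The advice above is to check that every parameter matches on both ends. A Phase 2 SA completing only shows that the two peers agreed on one proposal; traffic can still be dropped when the encryption domains (the network objects on the Checkpoint side, the crypto ACL on the PIX side) or secondary settings differ. The following is an added example, not code from the original thread or from either vendor: a small Python checker that takes the settings each peer was configured with and lists every difference. All names and values in it are constructed for illustration; the parameter sets mirror what the original poster listed (DES, MD5, ESP, pre-shared secret) and the rest is assumed.

```python
"""Compare the IKE / IPsec settings two VPN peers were configured with.

Added example (not from the thread): lists every Phase 1 / Phase 2 parameter
and every encryption-domain network that is not identical on both ends.
"""
import ipaddress

# Constructed sample data; the values are illustrative, not from any real device.
CHECKPOINT = {
    "phase1": {"encryption": "des", "hash": "md5", "auth": "pre-shared",
               "dh_group": 1, "lifetime_s": 86400},
    "phase2": {"transform": "esp", "encryption": "des", "hash": "md5",
               "pfs": False, "lifetime_s": 3600},
    "local_domain": ["10.1.0.0/16"],        # this peer's protected networks
    "remote_domain": ["192.168.50.0/24"],   # the other peer's protected networks
}

# The PIX side, deliberately mismatched: a different Phase 2 lifetime (often
# tolerated, so Phase 2 still completes) and a narrower remote domain, which
# leaves most of the Checkpoint side's traffic without a matching SA.
PIX = {
    "phase1": {"encryption": "DES", "hash": "MD5", "auth": "pre-shared",
               "dh_group": 1, "lifetime_s": 86400},
    "phase2": {"transform": "esp", "encryption": "des", "hash": "md5",
               "pfs": False, "lifetime_s": 28800},
    "local_domain": ["192.168.50.0/24"],
    "remote_domain": ["10.1.1.0/24"],
}

# The same PIX configuration after both differences are corrected.
PIX_FIXED = {
    "phase1": dict(PIX["phase1"]),
    "phase2": dict(PIX["phase2"], lifetime_s=3600),
    "local_domain": ["192.168.50.0/24"],
    "remote_domain": ["10.1.0.0/16"],
}


def _norm(value):
    """Case-insensitive comparison for algorithm names; other values unchanged."""
    return value.lower() if isinstance(value, str) else value


def _nets(cidrs):
    """Normalise a list of CIDR strings into a set of network objects."""
    return {ipaddress.ip_network(c, strict=False) for c in cidrs}


def compare_peers(side_a, side_b, name_a="checkpoint", name_b="pix"):
    """Return a list of human-readable mismatches.

    An empty list means the two configurations are consistent.
    """
    issues = []
    # Phase 1 and Phase 2 proposals must agree parameter by parameter.
    for phase in ("phase1", "phase2"):
        pa, pb = side_a[phase], side_b[phase]
        for key in sorted(set(pa) | set(pb)):
            va, vb = pa.get(key), pb.get(key)
            if _norm(va) != _norm(vb):
                issues.append(f"{phase}.{key}: {name_a}={va} {name_b}={vb}")
    # Encryption domains are mirrored: A's local networks are B's remote ones.
    pairs = (("local_domain", "remote_domain"), ("remote_domain", "local_domain"))
    for a_key, b_key in pairs:
        na, nb = _nets(side_a[a_key]), _nets(side_b[b_key])
        if na != nb:
            only_a = sorted(str(n) for n in na - nb)
            only_b = sorted(str(n) for n in nb - na)
            issues.append(
                f"{a_key} on {name_a} != {b_key} on {name_b}: "
                f"only on {name_a}={only_a} only on {name_b}={only_b}"
            )
    return issues


if __name__ == "__main__":
    for label, peer in (("mismatched PIX", PIX), ("fixed PIX", PIX_FIXED)):
        found = compare_peers(CHECKPOINT, peer)
        print(f"{label}: {len(found)} issue(s)")
        for line in found:
            print("  " + line)
```

Running it reports the lifetime difference and the domain mismatch for the first pair and nothing for the corrected one. Exact-match comparison of the domains is deliberate: a proxy ID that is a subset of the other side's network may negotiate an SA that covers only part of the traffic, which shows up as encryption failures on packets outside it.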
 
themut,

No, it still doesn't work.. though we can get Phase 2 which indicates the VPN is up. At one point we were getting invalid cookies messages in the CP log and it says on the Checkpoint website to check the network objects which I have done but that's all it says.. not very helpful at all huh?
Do you think the configuration is ok since Phase 2 does complete?

Regards
 
Can you post the show outputs below from the PIX?

show crypto isakmp sa
show crypto ipsec sa

Do you have any debugs from the PIX (ie: ipsec and isakmp)?
 
themut,
Thanks, I'll try and get the outputs from the PIX tomorrow as I've to get it posted from Aberdeen!! Thanks :)
 