
VPN Cisco PIX and Checkpoint NG AI R55


freeelectron60

Technical User
Dec 23, 2003
Dear All,

I have a problem setting up a VPN between a Checkpoint NG AI R55 and another device, a Cisco PIX 515e running 6.2(2).
I want to create a bidirectional VPN, and it's not working!


When the remote end tries to get into our network, they get an error message...

“encryption failure: error occurred scheme: IKE” and the packet is dropped.


IPSEC packets come in, but are dropped, reason: "No valid SA". And for each packet being dropped, a
packet "Delete IPSEC SA" is sent from the Checkpoint.


There are some issues regarding PIX<->FW-1 VPNs that are solved in FP3
HF2. This is described in sk18456 ("What to do when a VPN tunnel between
PIX and Check Point GateWay sporadically fails").



But in my version I don't find a solution; do you know of an issue for this configuration?

Thank you


 
Hi,

What object are you using for the Cisco PIX on NG AI? I am trying to create this too but don't know what object to use. The only ones which allow an external gateway are the Checkpoint objects. There is no VPN in New Node>Gateway.

Appreciate any help

Thanks
 
Hi,

The object you need for the Cisco PIX is an Interoperable Device, which may not be shown on the Network Objects list initially... just right click and select New>Interoperable Device.

Anyway, after that I had failures with the PIX to NG AI VPN (SA failures) but got it going eventually.

You need to ensure that exactly the same parameters that are configured on the PIX are set on the Interoperable Device (Cisco PIX) that you create within your NG policy, i.e. only 3DES, SHA1, DH group etc. is selected.

Cheers
 
You need to create your policy in traditional mode, as the Cisco is an Interoperable Device as previously stated, and don't forget to add a no-NAT rule for the subnets in your translation policy, as the error "No valid SA" can be because the traffic being presented is from the gateway's external IP and not the LAN IP behind it.

hope this helps.
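For reference, here is what the PIX side of such a setup looks like when it follows the two pieces of advice above (IKE/IPsec parameters pinned to a single proposal that the Check Point Interoperable Device object must mirror, plus a nat 0 rule so the LAN subnets are presented unchanged). This is an added example written for this thread, not a configuration posted by any of the participants; the addresses, object names and pre-shared key are placeholders and must be replaced with your own. The Check Point side has no CLI equivalent here: in SmartDashboard the Interoperable Device's IKE properties (3DES, SHA1, DH group 2, pre-shared secret) and its VPN domain (the remote LAN) have to match what is written below. Lines starting with `!` are annotation for the reader and are not PIX commands.

```cisco
! Assumed topology (example values, not from the original thread):
!   PIX outside 198.51.100.1, LAN behind PIX 10.1.0.0/24
!   Check Point outside 203.0.113.10, LAN behind it 10.2.0.0/24

! --- Phase 1 (IKE): one policy only, so there is nothing to mismatch ---
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Pre-shared secret for the Check Point peer; must equal the secret set
! on the Interoperable Device object (placeholder value here).
isakmp key ReplaceWithSharedSecret address 203.0.113.10 netmask 255.255.255.255

! --- Phase 2 (IPsec): a single transform set, 3DES + SHA1 ---
crypto ipsec transform-set CP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600

! Interesting traffic: LAN to LAN, private addresses on both sides.
access-list VPN-TRAFFIC permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0

! The no-NAT rule from the post above: the same LAN pair is exempted
! from translation, otherwise packets leave sourced from the PIX
! outside address and the Check Point has no SA for that selector.
access-list NONAT permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Crypto map binding peer, selector and transform set to the outside interface.
crypto map CP-MAP 10 ipsec-isakmp
crypto map CP-MAP 10 match address VPN-TRAFFIC
crypto map CP-MAP 10 set peer 203.0.113.10
crypto map CP-MAP 10 set transform-set CP-3DES-SHA
! Only add PFS if it is also enabled on the Check Point side; a PFS
! mismatch is one more way to end up with "No valid SA".
! crypto map CP-MAP 10 set pfs group2
crypto map CP-MAP interface outside

! Let decrypted traffic bypass the outside access-list checks.
sysopt connection permit-ipsec
```

After applying this, `show isakmp sa` should show a QM_IDLE entry for 203.0.113.10 and `show crypto ipsec sa` should show packet counters rising for the 10.1.0.0/24 <-> 10.2.0.0/24 pair; if Phase 1 completes but Phase 2 fails, compare the proxy identities (the two subnets) and the transform set against the VPN domain and IPsec properties of the Interoperable Device object first.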
 
Awesome tip! I just needed this today. Will test tomorrow & see what happens.
 
I have had almost the same error with 2 Nokia IP120 and Checkpoint NG AI. And the problem was that the management server that I'm trying to ping on the other side was statically NATed and wasn't a part of the VPN domain. So the encryption failed!

You can try pinging from another workstation or server in the VPN domain, or adding the static address of the management server.

Hope it can help you


LaNceLoT
 