On Fri, Sep 28, 2001 at 10:12:06AM +0300, METE EMINAGAOGLU (IT) wrote:
> Hi to all.
>
> We've been struggling with a terrific problem for some time.
>
> PROBLEM:
>
> We want to establish a VPN tunnel between a network behind a CISCO3640 IOS
> version 12.09 and a network behind CP FW 4.1 SP3 (management), IP650 IPSO
> SP3.3.8 (module).
Compare with Cisco's idea how to do the same thing...
http://www.cisco.com/warp/public/707/cp-r.shtml
There are also good debug tips. Be sure to post the solution
when you sort it out.
alan
[..]
>
> At first sight, it seems trivial and easy. Alas!
>
> Even though all the conf.s, IPs, etc. seem to be set correctly (both for
> the router and the FW), VPN tunnelling can't be established! The key
> installations between FW and the router seem O.K. in the logs, but when we
> try communicating from either of the network sides to the other, no VPN,
> no encryption, and in the FW logs, packets accepted (no drop!!!), BUT in the
> info,
>
> encryption failure: gateway connected to both endpoint scheme: IKE
>
> What's more strange, even though there's no other alternative accept rule in the
> FW, communication can be established somehow between these two networks, but
> without encryption...
>
> All the conf. in the FW is established just as defined in CP's manual - AKA
> http://support.checkpoint.com/kb/docs/public/firewall1/4_1/pdf/cisco_ios_vpn.pdf
>
> Are we missing something in the Router's conf. or what???
>
>
> The Router's conf. is denoted below (IPs, crypto map names, etc. are
> abbreviated...)
>
> Current configuration : 1797 bytes
> !
> version 12.1
> service timestamps debug uptime
> service timestamps log uptime
> service password-encryption
> !
> hostname HOSTX
> !
> enable password 7 ..................
> !
> !
> !
> !
> !
> ip subnet-zero
> !
> ip audit notify log
> ip audit po max-events 100
> !
> !
> crypto isakmp policy 1
> authentication pre-share
> group 2
> lifetime 3600
> crypto isakmp key secretxxx address aa.bb.cc.dd
> !
> !
> crypto ipsec transform-set SET1 esp-des esp-sha-hmac
> !
> crypto map MAP1 1 ipsec-isakmp
> set peer aa.bb.cc.dd
> set transform-set SET1
> match address 115
> !
> !
> !
> !
> !
> !
> interface FastEthernet0/0
> ip address ff.ee.tt.hh 255.255.255.0
> no ip route-cache
> no ip mroute-cache
> speed auto
> half-duplex
> no cdp enable
> !
> interface Serial1/0
> no ip address
> shutdown
> fair-queue
> serial restart-delay 0
> no cdp enable
> !
> interface Serial1/1
> ip address ss.ee.rr.ii 255.255.255.0
> no ip route-cache
> no ip mroute-cache
> serial restart-delay 0
> no cdp enable
> crypto map MAP1
> !
> interface Serial1/2
> no ip address
> shutdown
> serial restart-delay 0
> no cdp enable
> !
> interface Serial1/3
> no ip address
> shutdown
> serial restart-delay 0
> no cdp enable
> !
> interface Serial2/0
> no ip address
> shutdown
> serial restart-delay 0
> no cdp enable
> !
> interface Serial2/1
> no ip address
> shutdown
> serial restart-delay 0
> no cdp enable
> !
> interface Serial2/2
> no ip address
> shutdown
> serial restart-delay 0
> no cdp enable
> !
> interface Serial2/3
> no ip address
> shutdown
> serial restart-delay 0
> no cdp enable
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 serial1/1
> ip route vv.pp.nn.xx 255.255.255.0 ss.ee.rr.1
> ip route aa.bb.cc.0 255.255.255.0 ss.ee.rr.1
> no ip http server
> !
> access-list 115 permit ip ss.ee.rr.0 0.0.0.255 vv.pp.nn.xx 0.0.0.255
> access-list 115 permit ip vv.pp.nn.xx 0.0.0.255 ss.ee.rr.0 0.0.0.255
> no cdp run
> !
> !
> !
> line con 0
> line aux 0
> line vty 0 4
> exec-timeout 0 0
> password 7 ..........?
> login
> !
> end
>
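One check worth running on a config shaped like the one quoted, where the crypto ACL 115 names ss.ee.rr.0/24 (the subnet of Serial1/1, the interface that carries the crypto map) rather than the FastEthernet0/0 LAN, is to verify that the crypto ACL actually covers the networks behind the router: packets that never match the crypto ACL are simply routed in the clear, which is consistent with "accepted but not encrypted" in the firewall log. This is an added example, not code from the thread; the IOS fragment and all addresses in it are constructed placeholders.

```python
import ipaddress

# Constructed IOS fragment shaped like the posted config; addresses are placeholders.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
interface Serial1/1
 ip address 198.51.100.2 255.255.255.0
 crypto map MAP1
crypto map MAP1 1 ipsec-isakmp
 match address 115
access-list 115 permit ip 198.51.100.0 0.0.0.255 10.20.30.0 0.0.0.255
access-list 115 permit ip 10.20.30.0 0.0.0.255 198.51.100.0 0.0.0.255
"""

def parse_config(text):
    """Interface subnets, interface per crypto map, ACL per map, ACL source networks."""
    ifaces, map_iface, map_acl, acls, ctx = {}, {}, {}, {}, None
    for p in (line.split() for line in text.splitlines() if line.strip()):
        if p[0] == "interface":
            ctx = p[1]
        elif p[:2] == ["crypto", "map"] and "ipsec-isakmp" in p:
            ctx = "map:" + p[2]                     # entering a crypto map block
        elif p[:2] == ["crypto", "map"]:
            map_iface[p[2]] = ctx                   # map applied under interface ctx
        elif p[:2] == ["ip", "address"]:
            ifaces[ctx] = ipaddress.ip_interface(f"{p[2]}/{p[3]}").network
        elif p[:2] == ["match", "address"]:
            map_acl[ctx[4:]] = p[2]                 # ctx is "map:NAME" here
        elif p[0] == "access-list" and p[2:4] == ["permit", "ip"] and len(p) >= 6:
            src = ipaddress.ip_network(f"{p[4]}/{p[5]}", strict=False)  # IOS wildcard ok
            acls.setdefault(p[1], []).append(src)
    return ifaces, map_iface, map_acl, acls

def check_crypto_acl(text):
    """Flag crypto-ACL sources that are not a LAN behind the router, and LANs no entry covers."""
    ifaces, map_iface, map_acl, acls = parse_config(text)
    findings = []
    for name, acl_id in map_acl.items():
        lans = {i: n for i, n in ifaces.items() if i != map_iface.get(name)}
        covered = set()
        for src in acls.get(acl_id, []):
            hits = [i for i, n in lans.items() if src.overlaps(n)]
            if not hits:
                findings.append(f"acl {acl_id}: source {src} is not a LAN behind the router")
            covered.update(hits)
        for i, n in lans.items():
            if i not in covered:    # packets from this LAN never match, so they leave in clear
                findings.append(f"acl {acl_id}: LAN {n} on {i} never matches")
    return findings
```

Run it against the real config with the abbreviated addresses filled back in; an empty result means every LAN behind the router has a crypto ACL entry that will trigger IPsec.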
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================