
Subject: [FW-1] R55 & Cisco 3005 VPN Concentrator: Tunnel establishes one-way only.
From: Geoff Brisbine <geoffbrisbine AT MI-ASSISTANT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Mon, 20 Sep 2004 15:48:46 -0500
Greetings, all.

I am having a problem with the VPN between our R55 HFA07 SPLAT box and a
Cisco 3005 VPN Concentrator.

I am not able to establish the tunnel nor ping the remote server.  The other
end can establish the tunnel and ping our servers just fine.

If I attempt to establish the tunnel I get an "IKE: Main mode completion"
(from us to them) and then I get an "IKE: Informational Exchange Received
Delete IKE-SA from Peer: xxxxxxxx" (from them to us).

The one thing that caught me a little off-guard with this setup is their VPN
Concentrator and the server we're trying to hit have the same first 3 octets
in their IP address.  I created a host (within a group) and added just the
server to the VPN Domain, which didn't work.  I created a Class C network
and used that as the VPN Domain, which didn't work either.

The gentleman that I spoke with (at the far side) said that in his notes he
sees that there was another VPN that was CP <--> CP that had this problem,
which was solved by making a change on the CP box.  He did not know what
change the other admin had made on the CP box to make it work.

Here's the rundown on our config...
 | Interoperable device object
 | ===========================
 |  Name = Vendor_X_Device
 |  IP Address = 111.222.333.4
 |  VPN Domain = Vendor_X_Network
 |
 | Network object
 | ==============
 |  Network = Vendor_X_Network - 111.222.333.0/24
 |
 | Node object
 | ===========
 |  Node = Vendor_X_Server - 111.222.333.105
 |
 | VPN object
 | ===========
 |  Participating Gateways = Our firewall and Vendor_X_Device
 |  VPN Properties: 3DES/MD5, 3DES/MD5
 |  IKE: DH Group 2, 144 minutes
 |  Using a shared secret

Any ideas?

Geoff Brisbine | Network Administrator
Direct: 715.287.3225 x190

MI-Assistant - A Division of Fiserv FSC, Inc.
26550 West Mondovi Street | Eleva, WI  54738
Phone: 715.287.4262 | Fax: 715.287.4576
http://www.mi-assistant.com/
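The post lists a gateway object, a /24 network object and a single host, and tries each of the last two as the VPN domain. Before comparing notes with the far side it helps to write down, for both peers, exactly which addresses each side believes are "behind" the other gateway, since the Phase 2 (quick mode) selectors derived from those domains must be acceptable to both ends. The following is an added example, not code from Geoff's post or from Check Point or Cisco; it assumes a simple two-peer definition and uses constructed RFC 5737 documentation addresses in place of the post's 111.222.333.x placeholders, which are not valid IPv4 octets.

```python
"""Consistency checks for a two-peer site-to-site VPN definition.

Added example (not from the original post). The addresses below are
constructed placeholders from the RFC 5737 documentation ranges.
"""
from ipaddress import ip_address, ip_network


def check_vpn_domains(local_gw, local_domain, remote_gw, remote_domain, target):
    """Return a list of findings (strings) for the given VPN definition.

    local_gw / remote_gw : public addresses of the two IKE peers
    local_domain / remote_domain : the VPN (encryption) domain each side
        declares for itself; the peer must accept the matching selectors
    target : the host we actually want to reach through the tunnel

    An empty list means none of the checks fired.
    """
    local_gw, remote_gw, target = (ip_address(a) for a in (local_gw, remote_gw, target))
    # strict=False accepts host-style notation such as 203.0.113.105/24
    local_domain, remote_domain = (ip_network(n, strict=False)
                                   for n in (local_domain, remote_domain))
    findings = []

    # The host we want to reach must fall inside the remote domain, or no
    # tunnel rule will ever match traffic to it.
    if target not in remote_domain:
        findings.append(f"target {target} is outside the remote VPN domain {remote_domain}")

    # A gateway address inside its own declared domain is not necessarily
    # wrong, but it is exactly the case the post describes (same first three
    # octets), so it is worth confirming the peer's selectors agree on it.
    if remote_gw in remote_domain:
        findings.append(f"remote gateway {remote_gw} lies inside its own VPN domain "
                        f"{remote_domain}; confirm the peer's crypto ACL / proxy ID agrees")
    if local_gw in local_domain:
        findings.append(f"local gateway {local_gw} lies inside its own VPN domain "
                        f"{local_domain}; confirm the peer's crypto ACL / proxy ID agrees")

    # Overlapping domains make routing and selector matching ambiguous.
    if local_domain.overlaps(remote_domain):
        findings.append(f"local domain {local_domain} overlaps remote domain {remote_domain}")

    return findings


def phase2_selectors(local_domain, remote_domain):
    """Selector (proxy ID) pair a subnet-based Phase 2 proposal carries.

    Both peers must accept this pair; a /24 on one side and a single /32
    host on the other are different selectors, which is why switching the
    VPN domain between a network object and a host object changes what is
    negotiated.
    """
    return (str(ip_network(local_domain, strict=False)),
            str(ip_network(remote_domain, strict=False)))


if __name__ == "__main__":
    # Constructed values standing in for the post's configuration.
    for remote_domain in ("203.0.113.0/24", "203.0.113.105/32"):
        print(remote_domain, "->", phase2_selectors("10.10.0.0/24", remote_domain))
        for f in check_vpn_domains("198.51.100.1", "10.10.0.0/24",
                                   "203.0.113.4", remote_domain, "203.0.113.105"):
            print("  finding:", f)
```

Run it once with the /24 network as the remote domain and once with the single host; the printed selector pair is what to compare, line by line, with the crypto ACL or network list configured on the concentrator side.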

