Site to Site VPN between Checkpoint NGX and Cisco VPN Concentrator

[srikkantan]

I have a problem in a site to site VPN connectivity between Checkpoint NGX and Cisco VPN Concentrator. Tunnel can be established from Cisco side and they are able to reach my network. But we are unable to establish the tunnel from our side (Checkpoint). In the log i could see all these errors

IKE: Quik Mode sent Notification Invalid ID information.

Error: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information".

Cisco sending "Delete SA" message to Check Point peer

Can anyone help me to resolve this issue..

[Sergej]

Did you use cisco article as a reference?
http://www.cisco.com/en/US/products/...80150fee.shtml

[srikkantan]

Yes I have this document, but still the problem is there.

[Lackie]

If you have access to the Check Point KB, take a look at sk26336.

[srikkantan]

Yes I have seen that, I would like to know if i do those changes. It will affect the existing VPN tunnels?

[Lackie]

It should not affect your current VPN's. You are just defining what you are using for the encryption domain.

[sarvesh]

Many a times Pix & checkpoint behaves in different ways when understanding / interpreting the encryption domains (ip subnet-source & destination).
To MATCH them, pls ensure as per the example given below:

Host based:
===========
Both parties define the vpn domain as 172.25.8.2

Host defined as network objects
===========================
Both parties define the vpn domain as 172.25.8.2/255.255.255.255

Network based:
==============
Both parties define the vpn domain as 172.25.8.0/255.255.248.0

[networkranger]

have you seen this

Quote:

Originally Posted by alienbaby

The problem was because the PIX ACL and the CheckPoint Encryption Domain did not match.

CheckPoint is far more forgiving than the PIX is.

Consider the following example.

Site 1 is a large network and the Administrator has placed network object of 10.0.0.0/255.0.0.0 as the Encyption Domain. Site 1 is the CheckPoint firewall.
Site 2 is a small company (a vendor, credit card processor or something) and uses a PIX or Cisco Router with IPSec VPN feature set. Site 2's VPN device has only been told about a small portion of Site 1's network; ie 10.100.1.0/255.255.255.0.

When Site 2 attempts to initate a VPN, it negociates for 10.100.1.0/255.255.255.0 subnet. Since the checkpoint firewall finds that 10.100.1.0/255.255.255.0 is within 10.0.0.0/255.0.0.0, it allows the erronious subnet negociated VPN. The VPN is setup successfully.
When Site 1 attempts to initiate a VPN to Site 2, the CheckPoint includes it's 10.0.0.0/255.0.0.0 subnet in the subnet negociation. The PIX/Cisco VPN device strictly checks the 10.0.0.0/255.0.0.0 subnet against it's VPN ACL. When it does not match, the PIX/Cisco VPN device disallows the VPN.

The two solutions are to Uncheck the Subnet negociation checkbox on the Interoperable device for the PIX/CIsco; or correct the Encyption Domain on the CheckPoint side. In addition to the 10.0.0.0/255.0.0.0 network object, you can include a network object for 10.100.1.0/255.255.255.0. Even though one is technically inside the other, it will work. You could even change the Cisco's ACL to include the 10.0.0.0/255.0.0.0 instead of 10.100.1.0/255.255.255.0 and use the firewall policy to allow the very few hosts accross the VPN.

Matching the Encyption Domains is the correct solution.

Unchecking the Subnet Negociation checkbox increases the overhead on both Firewalls. Two SAs will be needed for every IP Address pair instead on two SAs for the subnet to subnet VPN.

More than just the Phase 1 and Phase 2 properties have to be corrent for a successful IKE negociation to take place. The Encryption Domain/VPN ACLs have to match as well.

[gladiatorkev]

HI ,

What logs do u get in the PIX side when u intiate the Tunnel..?!

Have u tried makin the LinkSelection--> manual-->ExternalIP from Topology for ur GATEWAY..!?

Try doin that for ur vpn ..!

Mostly should work..!

If not have u tried defining the VPN in Traditional Mode instead of Simple Mode and defining the settings exactly as that of PIX side.?

Regards,
Kev