Site-to-Site VPN with Cisco PIX



tekkitan
2006-03-24, 11:04
We have a customer with an Edge box in Europe that is doing a Site-to-Site VPN to a Cisco PIX here in the States. All of our settings are identical, except for the VPN domains. They are doing per-host VPN, and we are stuck with network. Since the Edge only has the capability (to our knowledge) to do up to three hosts/networks, this is causing problems, we think.

We are seeing the following errors:


00029 24Mar2006 15:36:49 Failed to establish VPN Tunnel with ***.***.***.***: no response from peer.
00028 24Mar2006 15:36:13 Failed to establish VPN Tunnel with ***.***.***.***: no proposal chosen
00027 24Mar2006 15:36:13 IKE Phase1: Completed successfully with VPN peer ***.***.***.*** [Security: 3DES/MD5 Expire Time: 23 hour(s), 59 minute(s), 59 second(s) NAT-T: turned off]
00024 24Mar2006 15:34:12 Closed VPN Tunnel with ***.***.***.***
00023 24Mar2006 15:34:12 Failed to establish VPN Tunnel with ***.***.***.***: no proposal chosen
00022 24Mar2006 15:32:50 Failed to establish VPN Tunnel with ***.***.***.***: no response from peer.
00021 24Mar2006 15:32:15 IKE Phase2: Completed successfully with VPN peer ***.***.***.*** [My Ranges: 192.168.10.0-192.168.10.255 Peer Ranges: 172.16.3.97-172.16.3.97 Security: 3DES/SHA1 Expire time: 1 hour(s), 0 second(s) NAT-T: turned off]
00020 24Mar2006 15:32:15 Failed to establish VPN Tunnel with ***.***.***.***: no proposal chosen
00019 24Mar2006 15:32:14 IKE Phase1: Completed successfully with VPN peer ***.***.***.*** [Security: 3DES/MD5 Expire Time: 23 hour(s), 59 minute(s), 59 second(s) NAT-T: turned off]
00018 24Mar2006 15:32:14 ESP ***.***.***.*** [Decryption error] ***.***.***.*** (Safe@Office)
00017 24Mar2006 15:32:14 TCP 192.168.10.254 (DOM-SITE) [TCP out of state] 2046 172.16.3.97 1352 (Lotus Notes)
00016 24Mar2006 15:32:12 Closed VPN Tunnel with ***.***.***.***
00015 24Mar2006 15:32:12 Failed to establish VPN Tunnel with ***.***.***.***: no proposal chosen
00014 24Mar2006 15:30:52 IKE Phase2: Completed successfully with VPN peer ***.***.***.*** [My Ranges: 192.168.10.0-192.168.10.255 Peer Ranges: 172.16.3.97-172.16.3.97 Security: 3DES/SHA1 Expire time: 1 hour(s), 0 second(s) NAT-T: turned off]
00013 24Mar2006 15:30:49 Failed to establish VPN Tunnel with ***.***.***.***: no response from peer.
00012 24Mar2006 15:30:14 Failed to establish VPN Tunnel with ***.***.***.***: no proposal chosen
00011 24Mar2006 15:30:13 IKE Phase1: Completed successfully with VPN peer ***.***.***.*** [Security: 3DES/MD5 Expire Time: 23 hour(s), 59 minute(s), 59 second(s) NAT-T: turned off]

Anyone have any ideas for us? Do you think it's the host based VPN that the Cisco PIX is doing?

Sergej
2006-03-25, 07:02
I advise you to use Network-to-Network VPN (e.g. mask /24) and then restrict communication to some /32 hosts. PIX 7.x supports assigning filtering access-lists to separate VPN tunnels. Not sure about Safe@.
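As an added example (not code from this thread, from Check Point or from Cisco), the script below does two things a practitioner would want when reading the log in the first post and Sergej's suggestion: it triages Safe@Office-style log lines to tell a Phase 1 failure from a Phase 2 failure, extracting the negotiated ranges, and it checks whether two peers' encryption-domain pairs mirror each other, which is what a network-to-network setup with /24 on both sides gives you. The sample log lines are constructed from the format shown in the post, with the RFC 5737 address 203.0.113.5 standing in for the masked peer; the function names, verdict strings and the "PIX per-host" / "Edge network" domain lists are my assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the Safe@Office log format from the post.
# 203.0.113.5 is a documentation address standing in for the masked peer.
SAMPLE_LOG = """\
00011 24Mar2006 15:30:13 IKE Phase1: Completed successfully with VPN peer 203.0.113.5 [Security: 3DES/MD5 Expire Time: 23 hour(s), 59 minute(s), 59 second(s) NAT-T: turned off]
00012 24Mar2006 15:30:14 Failed to establish VPN Tunnel with 203.0.113.5: no proposal chosen
00013 24Mar2006 15:30:49 Failed to establish VPN Tunnel with 203.0.113.5: no response from peer.
00014 24Mar2006 15:30:52 IKE Phase2: Completed successfully with VPN peer 203.0.113.5 [My Ranges: 192.168.10.0-192.168.10.255 Peer Ranges: 172.16.3.97-172.16.3.97 Security: 3DES/SHA1 Expire time: 1 hour(s), 0 second(s) NAT-T: turned off]
00015 24Mar2006 15:32:12 Failed to establish VPN Tunnel with 203.0.113.5: no proposal chosen
"""

LINE_RE = re.compile(r"^(?P<seq>\d{5}) (?P<date>\S+) (?P<time>\S+) (?P<msg>.*)$")
PHASE2_RE = re.compile(
    r"IKE Phase2: Completed successfully with VPN peer (?P<peer>\S+) "
    r"\[My Ranges: (?P<my_lo>[\d.]+)-(?P<my_hi>[\d.]+) "
    r"Peer Ranges: (?P<peer_lo>[\d.]+)-(?P<peer_hi>[\d.]+)")


def parse_log(text):
    """Return (sequence number, message) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m["seq"]), m["msg"]))
    return sorted(events)


def classify(msg):
    """Map one log message to the IKE stage it reports on."""
    if msg.startswith("IKE Phase1: Completed"):
        return "phase1_ok"
    if msg.startswith("IKE Phase2: Completed"):
        return "phase2_ok"
    if msg.endswith("no proposal chosen"):
        return "no_proposal"
    if "no response from peer" in msg:
        return "no_response"
    return "other"


def range_to_network(lo, hi):
    """Collapse an inclusive address range into its covering prefix."""
    nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    if len(nets) != 1:
        raise ValueError(f"{lo}-{hi} is not a single prefix")
    return nets[0]


def triage(text):
    """Count events per stage, collect negotiated (my, peer) domains and
    give a verdict: a successful Phase 1 followed by 'no proposal chosen'
    points at the IPsec proposal or the encryption domains, not at IKE."""
    events = parse_log(text)
    counts = Counter(classify(msg) for _, msg in events)
    domains = set()
    for _, msg in events:
        m = PHASE2_RE.search(msg)
        if m:
            domains.add((range_to_network(m["my_lo"], m["my_hi"]),
                         range_to_network(m["peer_lo"], m["peer_hi"])))
    if counts["phase1_ok"] == 0:
        verdict = "phase1-mismatch"
    elif counts["no_proposal"] > 0:
        verdict = "phase2-mismatch"
    else:
        verdict = "ok"
    return {"counts": dict(counts), "domains": domains, "verdict": verdict}


def mirror_gaps(side_a, side_b):
    """Each side lists (local_net, remote_net) encryption-domain pairs.
    Return the pairs on side_a that side_b does not mirror as
    (remote_net, local_net); a peer that does not accept the proposed
    proxy IDs will not complete quick mode."""
    def norm(pairs):
        return {(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in pairs}
    a, b = norm(side_a), norm(side_b)
    return sorted(f"{l} <-> {r}" for l, r in a if (r, l) not in b)


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    # Assumed domains: the Edge proposes /24 <-> /24, the PIX per host.
    edge = [("192.168.10.0/24", "172.16.3.0/24")]
    pix_per_host = [("172.16.3.97/32", "192.168.10.0/24")]
    pix_network = [("172.16.3.0/24", "192.168.10.0/24")]
    print("gaps with per-host PIX:", mirror_gaps(edge, pix_per_host))
    print("gaps with /24 PIX:     ", mirror_gaps(edge, pix_network))
```

With the /24 on both sides the mirror check comes back empty, and the per-host restriction Sergej mentions then lives in a filter access-list on the tunnel rather than in the proxy IDs, so the domains stay small and symmetric.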

jimytri
2006-04-10, 08:07
Change the IPsec proposal, like the encryption method...

DES, MD5...

Some of the PIX, because of a licensing problem, cannot support AES and 3DES...

phatgreenbuds
2006-06-11, 17:32
This is Checkpoint you are dealing with...remember they followed a standard, unlike Cisco. Cisco thinks they own the world of networking and they are quite wrong. That being said...since you're trying a site-to-site tunnel and I see no mention of a manager here, you might take a look at the timeout setting for the VPN. Cisco set their default differently than the rest of the industry and CP has always had trouble with VPNs to Cisco unless these are matched up. This would be much easier BTW if you were using the SmartCenter to manage the Edge box. That would eliminate the issue of the encryption domain you mentioned and allow you to define as much as you like behind the Edge.

serlud
2010-03-31, 16:11
This is Checkpoint you are dealing with...remember they followed a standard, unlike Cisco.

One of the super standards is supernetting > everyone has compatibility issues due to this CP standard. Of course you can disable this CP standard, but sometimes it does not work > search CP SK for this issue.