CPUG: The Check Point User Group


Thread: Issue with site to site vpn to cisco ASA - HELP

  1. #1
    Issue with site to site vpn to cisco ASA - HELP

    Hi All
    I have just installed a Checkpoint 3200 NGTP appliance at a site in Russia with a VPN back to the UK.
    We have lots of VPNs from various Checkpoints to our ASA and they work fine.
    However, not this one!
    For some reason all I get back from the Checkpoint in Russia is a "No proposal found" in the initial IKE exchange. I can see 11 proposals from the ASA using IKEview but none seem to work.
    I have tried all different settings on the Checkpoint and nothing works.

    The box is running R77.30 build 0.22

    Any ideas, guys?

  2. #2
    Re: Issue with site to site vpn to cisco ASA - HELP

    Quote: Originally posted by carl_t
    Hi All
    I have just installed a Checkpoint 3200 NGTP appliance at a site in Russia with a VPN back to the UK.
    We have lots of VPNs from various Checkpoints to our ASA and they work fine.
    However, not this one!
    For some reason all I get back from the Checkpoint in Russia is a "No proposal found" in the initial IKE exchange. I can see 11 proposals from the ASA using IKEview but none seem to work.
    I have tried all different settings on the Checkpoint and nothing works.

    The box is running R77.30 build 0.22

    Any ideas, guys?

    Are you seeing a "Main/Aggressive Mode complete" log (key icon) message followed immediately by "No proposal chosen", or are you only seeing "No proposal chosen" over and over again? If the former, you are failing in IKE Phase 2; if the latter, you are failing in Phase 1. Need to know which phase you are failing in to troubleshoot further.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  3. #3
    Re: Issue with site to site vpn to cisco ASA - HELP

    Quote: Originally posted by ShadowPeak.com
    Are you seeing a "Main/Aggressive Mode complete" log (key icon) message followed immediately by "No proposal chosen", or are you only seeing "No proposal chosen" over and over again? If the former, you are failing in IKE Phase 2; if the latter, you are failing in Phase 1. Need to know which phase you are failing in to troubleshoot further.

    Hi, we are failing in IKE phase 1 over and over again.

  4. #4
    Re: Issue with site to site vpn to cisco ASA - HELP

    Quote: Originally posted by carl_t
    Hi, we are failing in IKE phase 1 over and over again.

    Settings mismatch in IKE Phase 1. Check Encryption Algorithm, Hashing Algorithm, Diffie-Hellman group; could be a shared secret typo.
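
The Phase 1 comparison suggested in post #4, as an added example that is not part of the thread and is not Check Point or Cisco code: it takes the transforms one peer offers (as read from a tool such as IKEview) and the other peer's configured policy, and reports which attributes block each offer. `Transform`, `diff`, `diagnose` and the sample values are assumptions made for illustration; lifetimes and the shared secret are not compared.

```python
from dataclasses import dataclass, fields

@dataclass(frozen=True)
class Transform:
    """One IKEv1 Phase 1 transform: the attributes both peers must agree on."""
    enc: str        # encryption algorithm, e.g. "AES-256"
    hash_alg: str   # hashing algorithm, e.g. "SHA1"
    dh_group: int   # Diffie-Hellman group number
    auth: str       # authentication method, e.g. "PSK"

def diff(offered, local):
    """Map each differing attribute to (offered value, local value)."""
    return {f.name: (getattr(offered, f.name), getattr(local, f.name))
            for f in fields(Transform)
            if getattr(offered, f.name) != getattr(local, f.name)}

def diagnose(offers, policy):
    """Return (index of first acceptable offer or None, near misses).

    Near misses are (offer index, diff against the closest local transform),
    sorted so the offers that are fewest changes away come first.
    """
    if not policy:
        raise ValueError("local policy has no transforms")
    near = []
    for i, offered in enumerate(offers):
        closest = min((diff(offered, local) for local in policy), key=len)
        if not closest:
            return i, []          # exact match: the responder can choose this offer
        near.append((i, closest))
    return None, sorted(near, key=lambda item: len(item[1]))

# Constructed sample data, not taken from the thread.
OFFERS = [
    Transform("AES-256", "SHA1", 5, "PSK"),
    Transform("AES-256", "SHA1", 2, "PSK"),
    Transform("3DES", "SHA1", 2, "PSK"),
    Transform("AES-128", "MD5", 2, "PSK"),
]
LOCAL_POLICY = [Transform("AES-256", "SHA256", 14, "PSK")]

if __name__ == "__main__":
    accepted, near = diagnose(OFFERS, LOCAL_POLICY)
    print("accepted offer:", accepted)
    for index, delta in near:
        print(f"offer {index}: change {delta}")
```

With the sample data no offer is acceptable, and the first near miss shows that offer 0 would match once the hash and Diffie-Hellman group agree.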

  5. #5
    Re: Issue with site to site vpn to cisco ASA - HELP

    Quote: Originally posted by ShadowPeak.com
    Settings mismatch in IKE Phase 1. Check Encryption Algorithm, Hashing Algorithm, Diffie-Hellman group; could be a shared secret typo.

    I have tried every variation of setting there is.

    Any other ideas?

  6. #6
    Re: Issue with site to site vpn to cisco ASA - HELP

    Quote: Originally posted by ShadowPeak.com
    Settings mismatch in IKE Phase 1. Check Encryption Algorithm, Hashing Algorithm, Diffie-Hellman group; could be a shared secret typo.

    Can you share your ASA VPN configuration?
