[c-nsp] Cisco to Checkpoint VPN

Ted Mittelstaedt tedm at toybox.placo.com
Sat Feb 17 10:29:53 EST 2007


A Cisco what?  IOS-based router?  PIX?  VPN concentrator?

Please post the config from the Cisco side along with version numbers.

Ted

----- Original Message ----- 
From: "Jee Kay" <jeekay at gmail.com>
To: "c-nsp" <cisco-nsp at puck.nether.net>
Sent: Friday, February 16, 2007 6:16 AM
Subject: [c-nsp] Cisco to Checkpoint VPN


> I'm trying to set up a Cisco to Checkpoint VPN. As far as I can tell
> everything is set up right (access-lists/IKE IDs match both sides,
> PSKs have been reverified a hundred times, etc), but during the
> negotiation we run into this:
> 
> Feb 16 14:13:29.400 GMT: ISAKMP:(0:77:HW:2): sending packet to x.y.z.t
> my_port 500 peer_port 500 (I) MM_KEY_EXCH
> Feb 16 14:13:29.404 GMT: ISAKMP:(0:77:HW:2):Input = IKE_MESG_INTERNAL,
> IKE_PROCESS_COMPLETE
> Feb 16 14:13:29.404 GMT: ISAKMP:(0:77:HW:2):Old State = IKE_I_MM4  New
> State = IKE_I_MM5
> Feb 16 14:13:29.488 GMT: ISAKMP (0:268435533): received packet from
> x.y.z.t dport 500 sport 500 Global (I) MM_KEY_EXCH
> Feb 16 14:13:39.404 GMT: ISAKMP:(0:77:HW:2): retransmitting phase 1
> MM_KEY_EXCH...
> Feb 16 14:13:39.404 GMT: ISAKMP (0:268435533): incrementing error
> counter on sa, attempt 1 of 5: retransmit phase 1
> 
> To me it seems like we send the key exchange packet, the remote end
> (x.y.z.t) replies correctly but we completely ignore it. 10 seconds
> later we then retransmit the initial packet which then continues until
> the session times out and is removed.
> 
> Does anyone know why the Cisco appears to be ignoring the MM_KEY_EXCH
> packet reply from the remote end?
> 
> Thanks,
> Ras
> 
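
Added example, not part of either message: a Python script that rebuilds the timeline described in the quoted post from its debug lines and flags a retransmit that follows a received packet with no state change in between. The function names, the year 2007 (taken from the mail header) and the masking of 268435533 to its low 28 bits (which equal 77) to correlate the two identifier forms are assumptions of this example.

```python
import re
from datetime import datetime

# Debug output exactly as quoted in the post ("> " markers and mail wrapping kept).
QUOTED = """\
> Feb 16 14:13:29.400 GMT: ISAKMP:(0:77:HW:2): sending packet to x.y.z.t
> my_port 500 peer_port 500 (I) MM_KEY_EXCH
> Feb 16 14:13:29.404 GMT: ISAKMP:(0:77:HW:2):Input = IKE_MESG_INTERNAL,
> IKE_PROCESS_COMPLETE
> Feb 16 14:13:29.404 GMT: ISAKMP:(0:77:HW:2):Old State = IKE_I_MM4  New
> State = IKE_I_MM5
> Feb 16 14:13:29.488 GMT: ISAKMP (0:268435533): received packet from
> x.y.z.t dport 500 sport 500 Global (I) MM_KEY_EXCH
> Feb 16 14:13:39.404 GMT: ISAKMP:(0:77:HW:2): retransmitting phase 1
> MM_KEY_EXCH...
> Feb 16 14:13:39.404 GMT: ISAKMP (0:268435533): incrementing error
> counter on sa, attempt 1 of 5: retransmit phase 1
"""
LINE = re.compile(r"^(\w{3} +\d+ [\d:.]+) \w+: ISAKMP ?:?\(\d+:(\d+)[^)]*\): ?(.*)$")

def parse(text, year=2007):  # year comes from the mail header; the log has none
    """Strip quote markers, rejoin wrapped lines, return (time, sa, message)."""
    joined = []
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).strip()
        if LINE.match(line):
            joined.append(line)
        elif line and joined:
            joined[-1] += " " + line
    # Assumption: 268435533 = 0x10000000 + 77, so the low 28 bits map both id forms to one SA.
    return [(datetime.strptime(f"{year} {t}", "%Y %b %d %H:%M:%S.%f"), int(sa) & 0x0FFFFFFF, msg)
            for t, sa, msg in (LINE.match(l).groups() for l in joined)]

def ignored_replies(events):
    """Return (sa, state, reply_delay_s, retransmit_delay_s) for each stalled exchange."""
    found, state, sent, got = [], {}, {}, {}
    for when, sa, msg in events:
        new = re.search(r"New State = (\S+)", msg)
        if new:
            state[sa] = new.group(1)
            got.pop(sa, None)  # a state change means the earlier reply was consumed
        elif msg.startswith("sending packet"):
            sent[sa] = when
        elif msg.startswith("received packet"):
            got[sa] = when
        elif msg.startswith("retransmitting") and sa in got and sa in sent:
            found.append((sa, state.get(sa), (got[sa] - sent[sa]).total_seconds(),
                          (when - sent[sa]).total_seconds()))
    return found
```

Calling `ignored_replies(parse(QUOTED))` reports one stalled exchange for SA 77, still in IKE_I_MM5 at the retransmit.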

