VPN - Cisco PIX to Checkpoint FW-1 troubleshooting

From: Yizhar Hurwitz (deletethis.yizhar@mail.com)
Date: 02/24/02

    From: "Yizhar Hurwitz" <deletethis.yizhar@mail.com>
    Date: Sun, 24 Feb 2002 22:47:14 +0200

    (XPost in several NG)

    I would like some assistance with troubleshooting IPSec IKE VPN between pix
    6.1(1) and CheckPoint 4.1 sp3.

    I will try to be descriptive as needed, please ask me if I miss important


    I was trying to establish VPN between a pix and a checkpoint.
    The users behind the pix need access to a FTP server behind the FW-1.
    I have full access to the pix box, but I have no direct access to the
    checkpoint -
    I only talk by phone to the remote FW1 administrator.
    The Checkpoint FW1 is accepting VPN (IKE) connections from several other
    "partner" FW-1 machines and SecuRemote clients, but ours was the first CISCO
    side to try to connect to it.
    Since it didn't work yet, I have configured a few clients (on the pix side)
    with SecuRemote to establish client to FW-1 VPN, but I would still like to
    learn and troubleshoot the gateway to gateway solution so it can be used
    Currently, there is no problem to connect to FTP server using SecuRemote
    client from workstation,
    but trying to connect using the pix configuration detailed here gives
    connection timeout at the ftp client,
    and the debug output shown at the bottom of this message.

    Network info:

    Behind the pix there are 3 internal subnets: 192.168.1.X 192.168.2.X
    192.168.3.X (all class C).
    The pix internal interface is
    The internal router to other subnets is
    The pix external interface will be referenced as PIXOUTSIDE and is connected
    to an external router and to ISP.
    The pix vpn clients (not related to the checkpoint) get ip addresses of

    The FW-1 external interface will be referenced as CHECKPOINT
    The ftp server behind the FW-1 will be referenced as FTPSERVER

    IPSec info:

    Both checkpoint and pix configured with DES & MD5 for IKE phase 1, and also
    for IPSec (phase 2).
    Using shared-secret authentication.
    The timeout values were agreed:
    The CheckPoint ISAKMP timeout was configured to 1440 min (86400 sec) to
    agree with the pix maximum value.
    The pix IPSec timeout was configured to 3600 sec to agree with the
    I did the pix side configuration, and the FW-1 administrator did the FW-1
    We both used the following article:

    PIX partial config:

    NOTE1 - The pix also supports incoming VPN client connections with xauth as
    shown in the partial config.
    NOTE2 - I've used the network in access-list instead of
    specifying each class C separately.
    NOTE3 - There is also an access-list on the outside interface which is not
    shown here.

    access-list nonatinside permit ip
    access-list nonatinside permit ip host FTPSERVER
    access-list tonamal permit ip host FTPSERVER
    ip local pool vpnclientpool
    nat (inside) 0 access-list nonatinside
    nat (inside) 1 0 0

    sysopt connection permit-ipsec
    crypto ipsec transform-set mytransform esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto dynamic-map mydynmap 10 set transform-set mytransform
    crypto dynamic-map mydynmap 10 set security-association lifetime seconds 28800 kilobytes 4608000
    crypto map mymap 20 ipsec-isakmp
    crypto map mymap 20 match address tonamal
    crypto map mymap 20 set peer CHECKPOINT
    crypto map mymap 20 set transform-set mytransform
    crypto map mymap 100 ipsec-isakmp dynamic mydynmap
    crypto map mymap interface outside
    isakmp enable outside
    isakmp key ******** address CHECKPOINT netmask
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup XXXXXXX address-pool vpnclientpool
    vpngroup XXXXXXX split-tunnel localtovpnclient
    vpngroup XXXXXXX idle-time 1800
    vpngroup XXXXXXX password ********

    FW-1 Log:
    The log shows something like this (I'm not sure about the exact details):
    "IKE Log: Sent Notification : No proposal Chosen <phase1 Stage2> Negotiation

    PIX Debug output:


    VPN Peer: ISAKMP: Added new peer: ip:CHECKPOINT Total VPN Peers:3
    VPN Peer: ISAKMP: Peer ip:CHECKPOINT Ref cnt incremented to:1 Total VPN
    ISAKMP (0): beginning Main Mode exchange
    crypto_isakmp_process_block: src CHECKPOINT, dest PIXOUTSIDE
    return status is IKMP_NO_ERR_NO_TRANS
    ISAKMP (0): retransmitting phase 1...
    ISADB: reaper checking SA 0x80d37cc8, conn_id = 0
    ISADB: reaper checking SA 0x80d3aee0, conn_id = 0
    ISADB: reaper checking SA 0x80d39ad8, conn_id = 0
    ISAKMP (0): retransmitting phase 1...
    ISAKMP (0): deleting SA: src PIXOUTSIDE, dst CHECKPOINT
    ISADB: reaper checking SA 0x80d37cc8, conn_id = 0
    ISADB: reaper checking SA 0x80d3aee0, conn_id = 0
    ISADB: reaper checking SA 0x80d39ad8, conn_id = 0 DELETE IT!

    VPN Peer: ISAKMP: Peer ip:CHECKPOINT Ref cnt decremented to:0 Total VPN
    VPN Peer: ISAKMP: Deleted peer: ip:CHECKPOINT Total VPN peers:2
    ISADB: reaper checking SA 0x80d37cc8, conn_id = 0
    ISADB: reaper checking SA 0x80d3aee0, conn_id = 0

    IPSEC(key_engine): request timer fired: count = 1,
      (identity) local= PIXOUTSIDE, remote= CHECKPOINT,
        local_proxy= (type=4),
        remote_proxy= FTPSERVER/ (type=1)
    IPSEC(key_engine): request timer fired: count = 2,
      (identity) local= PIXOUTSIDE, remote= CHECKPOINT,
        local_proxy= (type=4),
        remote_proxy= FTPSERVER/ (type=1)

    I would be thankful for any info about this, and if you can further help me
    understand the debug output
    and the practical meaning of the FW-1 error "No proposal Chosen".



    Yizhar Hurwitz Kibbutz Gaaton, Israel http://come.to/yizhar http://teachers.sivan.co.il/yizhar
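
Added example (not part of the original post and not the poster's code): in IKE phase 1 a responder answers NO-PROPOSAL-CHOSEN when none of the initiator's offered policies matches its own on every negotiated attribute. The sketch below parses the `isakmp policy` lines quoted in the post and diffs each one against a responder policy; `PEER_ACCEPTS` is a constructed placeholder, not the real FW-1 settings, and lifetime is left out of the comparison as an assumption of this example.

```python
import re

# Phase 1 policy lines copied from the PIX config quoted in the post.
PIX_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""
# Constructed responder policy (assumption, NOT the real FW-1 settings).
PEER_ACCEPTS = {"authentication": "pre-share", "encryption": "3des",
                "hash": "md5", "group": "2"}
POLICY_RE = re.compile(r"^\s*isakmp policy (\d+) (\S+) (\S+)\s*$")
NEGOTIATED = ("authentication", "encryption", "hash", "group")

def parse_policies(config):
    """Return {priority: {attribute: value}} from 'isakmp policy' lines."""
    policies = {}
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            prio, attr, value = m.groups()
            policies.setdefault(int(prio), {})[attr] = value
    return policies

def mismatches(offer, accepts):
    """Map attribute -> (offered, expected) where one proposal differs."""
    return {a: (offer.get(a), accepts[a]) for a in NEGOTIATED
            if offer.get(a) != accepts[a]}

def negotiate(policies, accepts):
    """Return (chosen_priority, report); chosen is None when every proposal
    differs somewhere, i.e. the NO-PROPOSAL-CHOSEN condition."""
    report = {p: mismatches(o, accepts) for p, o in sorted(policies.items())}
    chosen = next((p for p, diff in report.items() if not diff), None)
    return chosen, report

if __name__ == "__main__":
    chosen, report = negotiate(parse_policies(PIX_CONFIG), PEER_ACCEPTS)
    print("chosen policy:", chosen)
    for prio, diff in report.items():
        print(f"policy {prio}:", diff or "match")
```

Replacing `PEER_ACCEPTS` with the values the remote administrator reads out over the phone shows which attribute, if any, blocks each offered policy.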
