Tuesday, March 30, 2010

How to configure an IPsec tunnel between a Cisco router and a Checkpoint Firewall

Resolution

Complete these steps to set up the IPsec VPN tunnel:

1. Configure the Internet Key Exchange (IKE) proposal on both devices.

2. Configure the IPsec parameters on both devices.

3. Specify the network ranges on both devices whose traffic is to cross the tunnel (the crypto ACL on the Cisco side, the encryption domain on the Checkpoint side). The two definitions must be exact mirrors of each other, or phase 2 will not negotiate.
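The three steps above fail most often because one parameter differs between the two ends, or because the crypto ACL and the encryption domain are not mirror images. The following Python script is an added example (not from the original page or from Cisco's documentation) that checks both conditions before the tunnel is brought up. The two dictionaries are constructed, normalised summaries of what an operator would configure on the router (crypto isakmp policy, transform set, crypto ACL) and on the Checkpoint gateway (IKE/IPsec properties, encryption domain); the field names and values are this script's own assumptions, not Cisco or Checkpoint syntax.

```python
"""Pre-flight consistency check for the three tunnel configuration steps.

Added example, not from the original page. The CISCO and CHECKPOINT
dictionaries are constructed summaries (assumed values); the key names
are this script's own normalisation, not vendor syntax.
"""
import copy
import ipaddress

CISCO = {
    "ike":   {"encryption": "aes-256", "hash": "sha1", "dh_group": 2,
              "auth": "pre-share", "lifetime": 86400},
    "ipsec": {"encryption": "esp-aes-256", "integrity": "esp-sha-hmac",
              "pfs_group": 2, "lifetime": 3600},
    # crypto ACL entries: (source, destination) as seen from the router
    "proxy_ids": [("192.168.1.0/24", "192.168.2.0/24")],
}
CHECKPOINT = {
    "ike":   {"encryption": "aes-256", "hash": "sha1", "dh_group": 2,
              "auth": "pre-share", "lifetime": 86400},
    "ipsec": {"encryption": "esp-aes-256", "integrity": "esp-sha-hmac",
              "pfs_group": 2, "lifetime": 3600},
    # encryption domain pairs: (local, remote) as seen from the gateway
    "proxy_ids": [("192.168.2.0/24", "192.168.1.0/24")],
}


def proposal_mismatches(phase, ours, theirs):
    """List every phase parameter that differs between the two ends."""
    keys = set(ours) | set(theirs)
    return [f"{phase}.{k}: cisco={ours.get(k)} checkpoint={theirs.get(k)}"
            for k in sorted(keys) if ours.get(k) != theirs.get(k)]


def unmirrored_proxy_ids(ours, theirs):
    """Return router ACL entries that have no exact (dst, src) mirror on the peer.

    Networks are compared as parsed prefixes, so 192.168.2.0/24 on one side
    and a supernet such as 192.168.0.0/16 on the other is reported as a mismatch.
    """
    def net(s):
        return ipaddress.ip_network(s, strict=True)
    theirs_flipped = {(net(d), net(s)) for s, d in theirs}
    return [f"{s} -> {d}" for s, d in ours
            if (net(s), net(d)) not in theirs_flipped]


def preflight(cisco, checkpoint):
    """Run all three checks; an empty list means both ends agree."""
    problems = proposal_mismatches("ike", cisco["ike"], checkpoint["ike"])
    problems += proposal_mismatches("ipsec", cisco["ipsec"], checkpoint["ipsec"])
    problems += [f"proxy id not mirrored on peer: {p}"
                 for p in unmirrored_proxy_ids(cisco["proxy_ids"],
                                               checkpoint["proxy_ids"])]
    return problems


def with_change(cfg, section, key, value):
    """Deep copy of cfg with one parameter altered (to demonstrate a mismatch)."""
    cfg = copy.deepcopy(cfg)
    cfg[section][key] = value
    return cfg


if __name__ == "__main__":
    print("matching config:", preflight(CISCO, CHECKPOINT) or "OK")
    print("DH group 5 on Checkpoint:",
          preflight(CISCO, with_change(CHECKPOINT, "ike", "dh_group", 5)))
    wider = copy.deepcopy(CHECKPOINT)
    wider["proxy_ids"] = [("192.168.2.0/24", "192.168.0.0/16")]
    print("supernetted encryption domain:", preflight(CISCO, wider))
```

The proxy ID check is deliberately strict: Checkpoint gateways can be configured to negotiate the largest possible subnet rather than the exact network pair, and a Cisco crypto ACL written for /24 networks will not accept a /16 proposal in phase 2.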

For the configuration commands on each device, the steps for troubleshooting a tunnel between a Cisco router and a Checkpoint firewall, and the specific debug settings, refer to Configuring an IPSec Tunnel Between a Cisco Router and a Checkpoint NG.

Once the tunnel is configured, attempt to pass traffic from a workstation on one side of the connection to a workstation on the other side. If you are able to ping, the tunnel is functioning properly. If you are not able to ping, determine the state of the connection by issuing the show crypto isakmp sa and show crypto ipsec sa commands on the Cisco endpoint (the commands are the same on an IOS router and a PIX Firewall).

If the show crypto isakmp sa command output shows any state other than QM_IDLE (for example MM_NO_STATE or MM_KEY_EXCH), or shows no entry for the peer at all, then phase 1 (Internet Security Association and Key Management Protocol [ISAKMP]) has not been negotiated. Check that the peer addresses, pre-shared key and IKE policy (encryption, hash, Diffie-Hellman group, lifetime) match on both sides, and that UDP port 500 is reachable between the two endpoints.

With phase 1 established, the output should resemble this example:

cisco_endpoint#show crypto isakmp sa
    dst             src             state      pending  created
    172.18.124.157  172.18.124.35   QM_IDLE    0        2

The show crypto ipsec sa command shows phase 2 of the connection (the IPsec security associations).

The output should identify the correct peer (current_peer) and the correct local and remote networks (local ident and remote ident). If traffic has been passed across the tunnel, the counters for both pkts encaps and pkts decaps should be incrementing. If only one of them increments, the direction tells you which side to look at: encaps increasing with decaps at zero means this endpoint is encrypting and sending, but nothing is coming back, so the remote side is not encrypting its return traffic (check its encryption domain and routing) or something between the endpoints is dropping ESP; decaps increasing with encaps at zero means the remote side is sending but this endpoint's crypto ACL or routing does not match the return traffic. If neither counter moves, no traffic is matching the crypto ACL at all.

Given below is a portion of the command output:

cisco_endpoint#show crypto ipsec sa
interface: outside
    Crypto map tag: rtpmap, local addr. 172.18.124.158

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 172.18.124.157
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 20, #pkts encrypt: 20, #pkts digest 20
    #pkts decaps: 20, #pkts decrypt: 20, #pkts verify 20
    #pkts compressed: 20, #pkts decompressed: 20
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
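The decision procedure described above (phase 1 state first, then peer and proxy IDs, then the encaps/decaps counters) is mechanical enough to script. The following Python is an added example, not from the original page: it parses output in the format shown above and returns a one-line verdict. The sample outputs are constructed to match the page's format; the healthy case mirrors the page's numbers, while the one-way and stuck cases use invented counters and the IOS phase 1 state MM_NO_STATE to exercise the failure paths. The peer address passed to diagnose() is an assumption taken from the page's example.

```python
"""Triage an IKEv1/IPsec tunnel from 'show crypto isakmp sa' and
'show crypto ipsec sa' output, following the checks in the text above.

Added example, not from the original page. All sample outputs below are
constructed; only the healthy case reproduces the page's own numbers.
"""
import re

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample: phase 1 established (same values as the page's example).
ISAKMP_OK = """\
dst             src             state          pending  created
172.18.124.157  172.18.124.35   QM_IDLE        0        2
"""
# Constructed sample: phase 1 never got past the first main-mode exchange.
ISAKMP_STUCK = """\
dst             src             state          pending  created
172.18.124.157  172.18.124.35   MM_NO_STATE    0        0
"""


def phase2(encaps, decaps):
    """Constructed 'show crypto ipsec sa' extract with the given counters."""
    return f"""\
interface: outside
    Crypto map tag: rtpmap, local addr. 172.18.124.158
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 172.18.124.157
     PERMIT, flags={{origin_is_acl,}}
    #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest {encaps}
    #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify {decaps}
    #send errors 0, #recv errors 0
"""


def isakmp_state(output, peer):
    """Phase 1 state of the SA involving `peer`, or None if there is none.
    The peer shows up as dst when we initiated and as src when it did."""
    for line in output.splitlines():
        m = re.match(r"\s*" + IP + r"\s+" + IP + r"\s+(\S+)", line)
        if m and peer in (m.group(1), m.group(2)):
            return m.group(3)
    return None


def ipsec_counters(output):
    """Pull peer, proxy IDs and packet/error counters out of phase 2 output."""
    def num(label):
        m = re.search(label + r"\s*(\d+)", output)
        return int(m.group(1)) if m else None

    def ident(which):
        m = re.search(which + r"\s+ident[^:]*:\s*\(" + IP + "/" + IP + "/", output)
        return f"{m.group(1)}/{m.group(2)}" if m else None

    peer = re.search(r"current_peer:\s*" + IP, output)
    return {
        "peer": peer.group(1) if peer else None,
        "local": ident("local"), "remote": ident("remote"),
        "encaps": num(r"#pkts encaps:"), "decaps": num(r"#pkts decaps:"),
        "send_errors": num(r"#send errors"), "recv_errors": num(r"#recv errors"),
    }


def diagnose(isakmp_out, ipsec_out, peer):
    """Apply the page's decision procedure and return a short verdict string."""
    state = isakmp_state(isakmp_out, peer)
    if state is None:
        return "phase1: no ISAKMP SA with peer (check peer address, UDP/500 reachability, IKE policy)"
    if state != "QM_IDLE":
        return f"phase1: stuck in {state} (IKE proposal or pre-shared key mismatch)"
    c = ipsec_counters(ipsec_out)
    if c["peer"] != peer:
        return f"phase2: SA is with {c['peer']}, not {peer} (crypto map peer mismatch)"
    if not c["encaps"] and not c["decaps"]:
        return "phase2: no packets matched (check crypto ACL / interesting traffic and routing)"
    if c["encaps"] and not c["decaps"]:
        return "phase2: encapsulating but never decapsulating (remote side not returning ESP; check its encryption domain or a filter dropping ESP)"
    if c["decaps"] and not c["encaps"]:
        return "phase2: decapsulating but never encapsulating (local crypto ACL or route does not match return traffic)"
    return f"ok: phase1 QM_IDLE, {c['local']} <-> {c['remote']} passing traffic both ways"


if __name__ == "__main__":
    for name, ike, ipsec in [("healthy", ISAKMP_OK, phase2(20, 20)),
                             ("one-way", ISAKMP_OK, phase2(20, 0)),
                             ("stuck", ISAKMP_STUCK, phase2(0, 0))]:
        print(f"{name}: {diagnose(ike, ipsec, '172.18.124.157')}")
```

In practice the two outputs would be captured from the Cisco endpoint and fed to diagnose() together with the configured peer address; the parser only relies on the column layout and field labels visible in the page's examples.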
