This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ASL 3.2.16 to Checkpoint problem

Running ASL 3.216, I'm trying to VPN through a checkpoint box.
I'm using an IPSec policy with PFS and compression off. I've made sure the remote checkpoint box has an SA time of less than 480 minutes.
My connection rule:
Type: standard
Local endpoint: External IP (210.55.x.x)
Remote endpoint: remote fw IP (203.97.x.x)
local subnet: 10.1.1.61/32
Remote subnet: 203.97.z.z/32
key: PSK

The VPN route shows a connection:
0 10.1.1.0/24 -> 203.97.x.x/27 => tun0x1002@203.97.x.x

Currently, for testing, the rule sets allow any communication between the firewalls. And any communications between the subnet.

VPN logs:

Feb 20 09:24:59 (none) ipsec__plutorun: 104 "name_1" #1: STATE_MAIN_I1: initiate
Feb 20 09:24:59 (none) ipsec__plutorun: ...could not start conn "name_1"
Feb 20 09:24:59 (none) Pluto[2330]: packet from 203.97.x.x:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Feb 20 09:24:59 (none) Pluto[2330]: "name_1" #1: initiating Main Mode
Feb 20 09:24:59 (none) Pluto[2330]: "name_1" #1: Peer ID is ID_IPV4_ADDR: '203.97.x.x'
Feb 20 09:24:59 (none) Pluto[2330]: "name_1" #1: ISAKMP SA established
Feb 20 09:24:59 (none) Pluto[2330]: "name_1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK
Feb 20 09:24:59 (none) Pluto[2330]: "name_1" #2: sent QI2, IPsec SA established
Feb 20 09:25:03 (none) Pluto[2330]: packet from 203.97.x.x:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Feb 20 09:25:07 (none) Pluto[2330]: packet from 203.97.x.x:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA

when a connection attempt is made:

Feb 20 09:25:11 (none) Pluto[2330]: "name_1" #3: cannot respond to IPsec SA request because no connection is known for 10.1.1.61/32===210.55.x.x...203.97.x.x===203.97.z.z/32
Feb 20 09:25:13 (none) Pluto[2330]: "ericsson_1" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x79e63a48 (perhaps this is a duplicated packet)
Feb 20 09:26:22 (none) Pluto[2330]: "ericsson_1" #4: cannot respond to IPsec SA request because no connection is known for 10.1.1.61/32===210.55.x.x...203.97.x.x===203.97.z.z/32
Feb 20 09:26:24 (none) Pluto[2330]: "name_1" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x00eebf01 (perhaps this is a duplicated packet)

And, obviously, nothing gets through. Any ideas?

Thanks, everyone, for taking the time to read this.
~micah

This thread was automatically locked due to age.

0 Andy_01 over 22 years ago

Micah, can you send this to support-us@astaro.com

Thanks.
Cancel
Vote Up 0 Vote Down

Cancel
0 Gert Hansen over 22 years ago in reply to Andy_01

HI there,

there are know interoperability problems with checkpoint if you use PFS.

PLease disable PFS and try again.

thanks and kind regards
Gert
Cancel
Vote Up 0 Vote Down

Cancel
0 Micah Lloyd over 22 years ago in reply to Gert Hansen

Thanks for the pointers.

For anyone finding this thread through the Search function, I cannont stress enough the importance of making sure your subnets match on both sides! That was the problem.

Cheers,
~micah
Cancel
Vote Up 0 Vote Down

Cancel