# (cisco-check point site-to-site vpn problems)



## lilhlfpint (Dec 11, 2001)

(i am running check point 4.1 firewall-1 and i am trying to establish a site-to-site vpn with a cisco 3000 vpn concentrator. we have verified over and over that all our settings are configured correctly but we still cannot connect.

in my logs, i see the phase 1 but we never get to phase 2 completion. the error message on my end is 'invalid cookie'. on the cisco send the error message is 'QM FSM error'. both of us tried to contact support people for our products but we keep getting the same response, make sure your timeout settings are the same.

has anyone encountered a similar problem?

i am really hoping to resolve this issue because i'd prefer a site-to-site vpn solution over installing cisco vpn client software on each machine.

thank you very much in advance.)


----------



## Rockn (Jul 29, 2001)

Seems like the handshake portion goes OK, but the second phase is failing because of a LAN to LAN mismatch in one or both concentrator configs. Both the local and remote LAN's need to be defined correctly on both ends of the tunnel.


----------



## lilhlfpint (Dec 11, 2001)

(hmmm...lan to lan mismatch. so you mean the subnets might be configured improperly? or it is a nat issue? thanks for replying, i really appreciate it.)


----------



## Rockn (Jul 29, 2001)

The routing setup in your concentrator config...there should be a source and destination configured on each one. Have a printout of your log file to show us the error or does it just time out without generating an error?


----------



## lilhlfpint (Dec 11, 2001)

(here's the error log from the cisco side:

{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\froman\fcharset0 Times New Roman;}{\f1\fswiss\fcharset0 Arial;}}
\viewkind4\uc1\pard\sb100\sa100\b\f0\fs24 6 12/23/2002 16:34:38.570 SEV=3 IKE/134 RPT=32 64.x.x.x \b0 Group [64.x.x.x] Mismatch: Configured LAN-to-LAN proposal differs from negotiated proposal. Verify local and remote LAN-to-LAN connection lists.\par
\b 9 12/23/2002 16:34:38.570 SEV=4 IKE/119 RPT=616 64.x.x.x \b0 Group [64.x.x.x] PHASE 1 COMPLETED \par
\b 10 12/23/2002 16:34:38.570 SEV=4 AUTH/22 RPT=788 \b0 User 64.x.x.x connected \par
\b 11 12/23/2002 16:34:38.600 SEV=5 IKE/25 RPT=1180 64.x.x.x \b0 Group [64.x.x.x] Received remote Proxy Host data in ID Payload: Address 64.60.203.19, Protocol 0, Port 0 \par
\b 14 12/23/2002 16:34:38.610 SEV=5 IKE/34 RPT=634 64.x.x.x \b0 Group [64.x.x.x] Received local IP Proxy Subnet data in ID Payload: Address 10.51.0.0, Mask 255.255.0.0, Protocol 0, Port 0\par
\b 17 12/23/2002 16:34:38.610 SEV=4 IKE/61 RPT=32 64.x.x.x \b0 Group [64.x.x.x] Tunnel rejected: Policy not found for Src:64.60.203.19, Dst: 10.51.0.0! \par
\b 19 12/23/2002 16:34:38.610 SEV=4 IKEDBG/0 RPT=73 \b0 QM FSM error (P2 struct &0x3ec0c5c, mess id 0x354990ed)! \par
\b 20 12/23/2002 16:34:38.610 SEV=4 IKEDBG/0 RPT=74 \b0 QM FSM history (P2 struct &0x3ec0c5c): [13, 52], [3, 32], [3, 44], [3, 31] \par
\b 21 12/23/2002 16:34:38.610 SEV=4 AUTH/23 RPT=36 64.x.x.x \b0 User 64.x.x.x disconnected: duration: 0:00\par
\pard\f1\fs20\par
} 
on my side it basically says 'invalid cookie'.

thanks again for your help.)


----------



## Rockn (Jul 29, 2001)

The error is right there in green and white and tells you exactly what is wrong in the first line of the log...



> *Mismatch: Configured LAN-to-LAN proposal differs from negotiated proposal. Verify local and remote LAN-to-LAN connection lists*


and on line 17 it shows this:


> Tunnel rejected: Policy not found for *Src:64.60.203.19*, Dst: 10.51.0.0! \par


----------



## lilhlfpint (Dec 11, 2001)

(hey thanks again for responding so quickly. = ]

i will call the client and have him double check the settings on his end. i thought he had already added our nat'd ip but i must have been wrong.

if i get this up and running today management will be so happy. = D)


----------

