Thanks Daniel, it's not inconsistent, it's been down for a week without
recovery.
A cpstop/cpstart knocked it out, and it didn't recover..... Thinking about
it, I don't believe a stop/start of the FW-1 engine has occurred previously
since the VPN negotiated (by chance).
I do agree though, definitely a timing issue somewhere.
Watch this space.
Gary
Daniel Samaan <dsamaan AT FORSYTHE DOT COM>
Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AT AMADEUS.US DOT CHECKPOINT.COM>
Sent at: 31/07/2003 15:13
Please respond to Mailing list for discussion of Firewall-1
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] NG to Cisco router VPN setup.
If it's inconsistent then check your SA lifetime on both devices. If they
are not the same then the renegotiation of keys will not happen correctly.
Daniel Samaan
Technical Security Consultant
CCSP, CCSE, CCNA, CCA, MCSE+I
Cell: (847) 274-2034
dsamaan AT forsythe DOT com
---------------------------------------------------------------------
Forsythe Solutions
5440 W. Fargo Avenue
Skokie, IL 60077
www.forsythesolutions.com
Building cost-effective IT infrastructure that organizations trust.
@
Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AT AMADEUS.US DOT CHECKPOINT.COM>
07/31/2003 08:35 AM
Please respond to Mailing list for discussion of Firewall-1
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] NG to Cisco router VPN setup.
Thanks for the rapid reply Jean-Francois.
Absolutely agree with you that a mismatch exists. The issue is where?
I have Checkpoint, Nokia, and Cisco looking at this currently, but it's
dragging on a bit.
The strange thing is that I had this problem when we first set up the VPN
some 3-4 months ago, and then the problem just went away......!!? (Link
established OK and was OK ever since.) Anyway, I had reason to stop/start
the box last week, and the problem came back.
It's a weird one, I can't wait to crack it and document it because I see quite
a few others have seen the same problem.
Gary
Jean-Francois Gobin <gobin AT GOBINJF DOT BE>
Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AT AMADEUS.US DOT CHECKPOINT.COM>
Sent at: 31/07/2003 13:27
Please respond to Mailing list for discussion of Firewall-1
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] NG to Cisco router VPN setup.
It means that the Phase 2 encryption method differs between Cisco and
Checkpoint. Perhaps you should have a look into the Cisco and "debug
isakmp" on it?
JF
On Thu, 31 Jul 2003, <Gary Hodson> wrote:
> Can anyone help please.
>
> I'm trying to set up a VPN between my NG (FP3 HF2) firewall and a Cisco
> router. I'm using traditional mode on my end, and am fairly confident (95%)
> that my config is correct. I have a number of other Checkpoint to
> Checkpoint VPNs running from the same box and they work fine.
>
> Anyway, I get the following key exchange messages in my log:
> IKE: Main Mode completion.
> Which is immediately followed by:
> IKE: Quick Mode Received Notification from Peer: no proposal chosen
>
> I think that it's to do with the "ENCRYPT" action properties on my end,
> i.e. you don't appear to be able to select ESP, etc. under NG whereas you
> could under 4.1.
>
> I managed to find a few other posted messages where people have had the
> same problem, but what I can't find is if anyone has the solution.
>
> All help is greatly appreciated.
> (I'm officially now pulling my hair out with this one.)
>
> Gary
>
==========================================================================
>
> Visit our website at http://www.gartmore.com
>
> Gartmore Investment Management plc is an appointed representative of
Gartmore Investment Ltd (GIL) which is authorised and regulated by the
Financial Services Authority. GIL represents only the NatWest and Gartmore
Marketing Group for life assurance, Pensions, unit trusts, other regulated
collective investment schemes and investment services.
>
> This message is sent in confidence for the addressee only. The contents
are not to be disclosed to anyone other than the addressee. Unauthorised
recipients must preserve this confidentiality and should please advise the
sender of any error in transmission.
>
> No person should rely on the contents of this e-mail without written
confirmation of its contents. This e-mail and the information it contains
are sent in good faith but Gartmore Investment Management plc and its
holding companies and subsidiaries shall not be under any liability in
damages or otherwise for any reliance the recipient may place upon them.
>
>
===========================================================================
>
> To improve email delivery times, and reduce attachment storage
requirements, Gartmore now ZIP most attachments. If you have received a
zipped attachment and do not have an unzip program, you may download a free
unzipper at
>
> http://www.mk-net-work.com/us/uz/unzip.htm
>
>
===========================================================================
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>
--
Jean-Francois Gobin - Administrateur gobinjf.be
http://www.gobinjf.be mailto:gobin AT gobinjf DOT be
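The two diagnoses offered in the thread (JF's Phase 2 proposal mismatch and Daniel's SA lifetime mismatch) written out as a small checker. This is an added example, not code from the thread or from either vendor. The log parser keys on the two Check Point IKE messages Gary quoted; the `Phase2Proposal` field names, the Check Point offer and the Cisco transform-set values are constructed for illustration and are not taken from any real configuration.

```python
"""Phase 2 (Quick Mode) mismatch diagnosis for an IKEv1 site-to-site tunnel.

Added example, not from the mailing-list thread. The two log lines are the
messages quoted in the thread; proposal tables are constructed samples.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log stream: the two IKE messages Gary reported.
SAMPLE_LOG = [
    "IKE: Main Mode completion.",
    "IKE: Quick Mode Received Notification from Peer: no proposal chosen",
]


def diagnose_log(lines):
    """Return which IKE phase completed and, for Phase 2, the peer's notify reason."""
    result = {"phase1": "unknown", "phase2": "unknown", "reason": None}
    for line in lines:
        if "Main Mode completion" in line:
            result["phase1"] = "ok"           # Phase 1 SA is up; the problem is later
        m = re.search(r"Quick Mode Received Notification from Peer:\s*(.+)$", line)
        if m:
            result["phase2"] = "failed"
            result["reason"] = m.group(1).strip()   # e.g. "no proposal chosen"
    return result


@dataclass(frozen=True)
class Phase2Proposal:
    """One IPsec proposal / transform set (hypothetical field names)."""
    protocol: str              # "ESP" or "AH"
    encryption: str            # e.g. "3DES", "AES-128"
    integrity: str             # e.g. "SHA1", "MD5"
    pfs_group: Optional[int]   # DH group when PFS is on, otherwise None
    lifetime_sec: int

    def negotiable_with(self, other):
        """Hard attributes: if any differs, the responder rejects the proposal."""
        return (self.protocol == other.protocol
                and self.encryption == other.encryption
                and self.integrity == other.integrity
                and self.pfs_group == other.pfs_group)


def compare_phase2(initiator, responder):
    """Match the initiator's proposals against the responder's transform sets.

    Returns the first negotiable pair (indices) plus findings. A pair that
    agrees on the hard attributes but not on lifetime is still reported as
    matched, with a warning: that is the rekey case Daniel points at, not
    the initial 'no proposal chosen' failure.
    """
    findings = []
    for i, p in enumerate(initiator):
        for j, r in enumerate(responder):
            if p.negotiable_with(r):
                if p.lifetime_sec != r.lifetime_sec:
                    findings.append(
                        f"lifetime differs ({p.lifetime_sec}s vs {r.lifetime_sec}s): "
                        "check rekey behaviour on both devices")
                return {"matched": (i, j), "findings": findings}
    # Nothing matched: name the attribute(s) that differ for every pair.
    hard = ("protocol", "encryption", "integrity", "pfs_group")
    for p in initiator:
        for r in responder:
            diffs = [name for name in hard if getattr(p, name) != getattr(r, name)]
            findings.append(f"initiator {p.encryption}/{p.integrity} vs responder "
                            f"{r.encryption}/{r.integrity}: differs in {', '.join(diffs)}")
    findings.append("expect 'no proposal chosen' from the responder in Quick Mode")
    return {"matched": None, "findings": findings}


# Constructed proposals: what the Check Point side offers versus what the
# Cisco router's transform set accepts. The integrity algorithm differs.
CHECKPOINT_OFFER = [Phase2Proposal("ESP", "3DES", "SHA1", None, 3600)]
CISCO_TRANSFORM_SETS = [Phase2Proposal("ESP", "3DES", "MD5", None, 3600)]

if __name__ == "__main__":
    print(diagnose_log(SAMPLE_LOG))
    print(compare_phase2(CHECKPOINT_OFFER, CISCO_TRANSFORM_SETS))
```

On the constructed sample the log parser reports Phase 1 up and Phase 2 failed with reason "no proposal chosen", and the comparison names integrity as the differing attribute, which is what to line up on both devices (and what `debug isakmp` on the router shows from the Cisco side). Once the hard attributes agree, a remaining lifetime difference is reported on its own, since that is the value to look at when a tunnel comes up but later drops at rekey.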
--------------------------------------------------------------------------------------------------------------------
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom
they are addressed.
If you have received this email in error please notify the
originator of the message. This footer also confirms that this
email message has been scanned for the presence of computer viruses.