Firewall-1

Re: [FW-1] R55 & Cisco 3005 VPN Concentrator: Tunnel establishes one-way

Subject: Re: [FW-1] R55 & Cisco 3005 VPN Concentrator: Tunnel establishes one-way only.
From: Geoff Brisbine <geoffbrisbine AT MI-ASSISTANT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Sat, 25 Sep 2004 08:53:16 -0500
Neither of the suggestions worked for me.

I put ike_use_largest_possible_subnets = false in guidbedit and I put an
entry in user.def.

Since we'll only be hitting one server I changed the VPN Domain to a group
that I created with the single node in it (subnet 255.255.255.255).  So in
user.def I put in...

max_subnet_for_range = { <111.222.333.105, 111.222.333.105; 255.255.255.255>
};

After messing around a little bit (before doing the
ike_use_largest_possible_subnets I was getting an "invalid id information"
message), but now I'm just getting the constantly repeating "Main Mode
Complete" and then an IKE-SA delete from the far end.

Any other ideas?

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Will 
Zegeer
Sent: Tuesday, September 21, 2004 9:55 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] R55 & Cisco 3005 VPN Concentrator: Tunnel establishes
one-way only.


Do a guidbedit or dbedit and change the setting
"ike_use_largest_possible_subnets" to "false".

If that doesn't work:

Configure the "max_subnet_for_range" table in $FWDIR/lib/user.def on the
management (SmartCenter) - always backup files before editing.

Table name and format:

max_subnet_for_range = {
<first_IP_in_range, last_IP_in_the_range; subnet_mask>, <first_IP_in_range,
last_IP_in_the_range; subnet_mask>, ... <first_IP_in_range,
last_IP_in_the_range; subnet_mask> };

The network and subnet for IKE negotiation will be determined according to
the table above. The host's IP will be matched against the relevant entry in
this table, and that entry's subnet will be used for negotiation. For ranges
not specified in the table, the subnet mask will be determined as if
ike_use_largest_possible_subnets were set to "true", wherever relevant.

The "ike_use_largest_possible_subnets true" setting is there to cut down on
the number of phase 2 key exchanges but it can cause problems.

-Will

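A small Python model of the lookup Will describes above, added here as an illustration and not code from any message in this thread or from Check Point. It assumes that the fallback for unlisted ranges picks the widest VPN Domain network containing the host, that the peer expects a host (/32) phase 2 ID for a single server, and it uses documentation addresses in place of the sanitized 111.222.333.x ones.

```python
import ipaddress

# Constructed stand-ins for the thread's sanitized 111.222.333.x addresses:
# the peer's server and the Class C network the VPN Domain was first built from.
SERVER = "192.0.2.105"
VPN_DOMAIN = [ipaddress.ip_network("192.0.2.0/24")]

# max_subnet_for_range entries as (first_IP, last_IP, subnet_mask),
# mirroring the user.def syntax <first, last; mask> quoted in the thread.
TABLE_EMPTY = []
TABLE_HOST = [("192.0.2.105", "192.0.2.105", "255.255.255.255")]


def phase2_subnet(host, table, vpn_domain, largest_possible=True):
    """Model of how the gateway picks the network it proposes as the
    phase 2 (quick mode) ID for `host`: a matching table entry wins;
    otherwise (assumption) the widest VPN Domain network enclosing the host."""
    h = ipaddress.ip_address(host)
    for first, last, mask in table:
        if ipaddress.ip_address(first) <= h <= ipaddress.ip_address(last):
            # Entry's mask applied to the host gives the negotiated subnet.
            return ipaddress.ip_network(f"{h}/{mask}", strict=False)
    if largest_possible:
        # Fallback from the thread: behave as if the setting were "true".
        # Assumed meaning: the largest domain network that contains the host.
        candidates = [n for n in vpn_domain if h in n]
        if candidates:
            return min(candidates, key=lambda n: n.prefixlen)
    return ipaddress.ip_network(f"{h}/32")


def ids_match(our_proposal, peer_expectation):
    """A phase 2 ID mismatch is what surfaces as 'invalid id information'."""
    return our_proposal == peer_expectation


if __name__ == "__main__":
    peer = ipaddress.ip_network("192.0.2.105/32")  # assumed peer host proxy-ID
    for name, table in (("empty table", TABLE_EMPTY), ("host entry", TABLE_HOST)):
        ours = phase2_subnet(SERVER, table, VPN_DOMAIN)
        print(f"{name:12} propose {ours}  match={ids_match(ours, peer)}")
```

With an empty table the model proposes the whole /24 and the IDs disagree; with the host entry it proposes the /32 and they agree, which is the behaviour the table edit is meant to produce.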

> -----Original Message-----
> From: Geoff Brisbine [mailto:geoffbrisbine AT MI-ASSISTANT DOT COM]
> Sent: Monday, September 20, 2004 4:49 PM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: [FW-1] R55 & Cisco 3005 VPN Concentrator: Tunnel establishes
> one-way only.
>
> Greetings, all.
>
> I am having a problem with the VPN between our R55 HFA07 SPLAT box and
> a Cisco 3005 VPN Concentrator.
>
> I am not able to establish the tunnel nor ping the remote server.  The
> other end can establish the tunnel and ping our servers just fine.
>
> If I attempt to establish the tunnel I get an "IKE: Main mode
> completion" (from us to them) and then I get a "IKE: Informational
> Exchange Received Delete IKE-SA from Peer: xxxxxxxx" (from
> them to us).
>
> The one thing that caught me a little off-guard with this setup is
> their VPN Concentrator and the server we're trying to hit have the
> same first 3 octets in their IP address.  I created a host (within a
> group) and added just the server to the VPN Domain, which didn't work.
> I created a Class C network and used that as the VPN Domain, which
> didn't work either.
>
> The gentleman that I spoke with (at the far side) said that in his
> notes he sees that there was another VPN that was CP <--> CP that had
> this problem, which was solved by making a change on the CP box.  He
> did not know what change the other admin had made on the CP box to
> make it work.
>
> Here's the rundown on our config...
>  | Interoperable device object
>  | ===========================
>  |  Name = Vendor_X_Device
>  |  IP Address = 111.222.333.4
>  |  VPN Domain = Vendor_X_Network
>  |
>  | Network object
>  | ==============
>  |  Network = Vendor_X_Network - 111.222.333.0/24
>  |
>  | Node object
>  | ===========
>  |  Node = Vendor_X_Server - 111.222.333.105
>  |
>  | VPN object
>  | ===========
>  | Participating Gateways = Our firewall and Vendor_X_Device
>  | VPN Properties: 3DES/MD5, 3DES/MD5
>  |  IKE: DH Group 2, 144 minutes
>  |  Using a shared secret
>
> Any ideas?
>
> Geoff Brisbine | Network Administrator
> Direct: 715.287.3225 x190
>
> MI-Assistant - A Division of Fiserv FSC, Inc.
> 26550 West Mondovi Street | Eleva, WI  54738
> Phone: 715.287.4262 | Fax: 715.287.4576 http://www.mi-assistant.com/
