Thanks. Compared all the properties of PIX and R55. The "Support key Exchange
for Subnets" is already checked. Still no luck. Same message...RK
>>> oliver_dog2201 AT YAHOO DOT COM 12/14/05 5:37 PM >>>
In SmartDashboard, go to the interoperable device
object Properties (representing PIX), look for VPN -
VPN Advanced and uncheck the box: "Support key
Exchange for Subnets"
I hope that helps.
Regards,
Oliver.
--- Ramakrishnan Pillai
<rpillai AT CHARLESTONCOUNTY DOT ORG> wrote:
> Thanks for the detailed reply. Let me cross check
> everything...RK
>
> >>> thorsten.behrens AT INTEGRALIS DOT COM 12/14/2005
> 10:45:06 AM >>>
> Parameters are not identical. I've run into this
> many times. For example, if policy on PIX ends up
> offering you DES/3DES/MD5/SHA1 (Phase-1), but the
> Interoperable Device representing the PIX has been
> set up for 3DES/SHA1, it will fail. You got to match
> exactly, not just have a match. Painful, but there
> you have it. Also check DH-groups, timeouts,
> PFS-or-not for Phase-2, and ideally don't choose
> Aggressive.
> No proposal chosen is likely Phase-1 settings. If it
> was encrypt domain, you'd see "no valid SA". Could
> also be encrypt settings Phase-2, but that's less
> common - transform sets are specific to a tunnel, so
> control is better. Policies are not, and that leads
> to a "VPNs are like a box of chocolates" situation.
>
> If you are being supported by a CSP, run vpn debug
> trunc, get the handy ike.elg, and have them run it
> through IkeView. That will show you exactly what's
> going on and make short work of this issue. Could
> also use tcpdump and ethereal for phase-1 issues,
> but that'll only get you halfway through the exchange
> - once encryption starts, you're blind. Ethereal
> won't help with Phase-2; IkeView will.
>
> Good news is: This will come up once parameters
> match 100% on both sides.
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of
> Ramakrishnan Pillai
> Sent: Wednesday, December 14, 2005 10:15 AM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: [FW-1] VPN between R55 and PIX
>
>
> While doing a site-to-site between R55 and PIX we
> are getting "Message from peer: No proposal chosen"
> at checkpoint end. Using preshared secret and all
> parameters are identical. Any idea where to check
> for.
>
> Thanks in advance.
> RK
>
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>
>
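The check described in the quoted reply from thorsten.behrens (both sides must carry exactly the same Phase-1 parameter sets, not merely share one proposal), as an added example that is not part of the original thread. The PIX `isakmp policy` lines and the Check Point settings below are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: PIX-style Phase-1 policy lines (not taken from the thread).
PIX_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

# Constructed sample: values entered on the interoperable device object.
CHECKPOINT_P1 = {"authentication": {"pre-share"}, "encryption": {"3des"},
                 "hash": {"sha"}, "group": {"2"}, "lifetime": {"86400"}}

LINE = re.compile(r"^isakmp policy (\d+) (\w+) (\S+)$")

def pix_policies(config):
    """Return {priority: {attribute: value}} for every isakmp policy line."""
    policies = defaultdict(dict)
    for line in config.splitlines():
        m = LINE.match(line.strip())
        if m:
            prio, attr, value = m.groups()
            policies[int(prio)][attr] = value
    return dict(policies)

def offered(policies):
    """Union of values per attribute: everything the PIX ends up offering."""
    out = defaultdict(set)
    for attrs in policies.values():
        for attr, value in attrs.items():
            out[attr].add(value)
    return dict(out)

def mismatches(pix_offer, checkpoint):
    """Attributes whose value sets differ; assumes the exact-match rule from the reply."""
    diffs = {}
    for attr in sorted(set(pix_offer) | set(checkpoint)):
        a, b = pix_offer.get(attr, set()), checkpoint.get(attr, set())
        if a != b:
            diffs[attr] = {"pix_only": sorted(a - b), "checkpoint_only": sorted(b - a)}
    return diffs

if __name__ == "__main__":
    for attr, d in mismatches(offered(pix_policies(PIX_CONFIG)), CHECKPOINT_P1).items():
        print(f"{attr}: PIX only {d['pix_only']}, Check Point only {d['checkpoint_only']}")
```

With the sample data, the second PIX policy adds DES and MD5 to the offer, which is the DES/3DES/MD5/SHA1 versus 3DES/SHA1 case from the reply.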