Hi,
typically the "No proposal chosen" message indicates incompatibilities
between the encryption domain definitions, e.g. 10.20.0.0/16 and
10.21.0.0/16 will be summarized by the Check Point to 10.20.0.0/15, and the
remote gateways (Ciscos in particular) often handle networks in a
different way.
So review your network definitions in detail and/or use IkeView: the
"quick mode" section that is followed by the info line displaying the "No
proposal chosen" message shows you the network mask used for the handshake
by your Check Point. Compare this mask with the one used by the PIX; it has
to match.
Hope that helps, regards
René
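A way to reproduce the mask comparison René describes before opening IkeView, as an added example that is not code from any poster, from Check Point or from Cisco: it collapses the Check Point encryption domain into supernets the way the post says the gateway does (Python's ipaddress.collapse_addresses performs the same arithmetic) and reports every proposed selector that the PIX crypto ACL does not list with the identical mask. The network lists are constructed for illustration; whether your gateway really announces the supernet depends on version and on the "Support key exchange for subnets" setting discussed further down the thread, so treat the output as the thing to confirm against the Quick Mode payload in ike.elg, not as proof.

```python
"""Model of the encryption-domain summarization described in the post.

Added example, not code from the mailing list, Check Point or Cisco.
Assumption: the Check Point side proposes the *collapsed* supernets of its
encryption domain in Quick Mode, while the PIX accepts only the exact
networks listed in its crypto ACL. Both lists below are constructed.
"""
import ipaddress


def summarize_domain(networks):
    """Collapse adjacent or overlapping networks into the smallest set of
    supernets (10.20.0.0/16 + 10.21.0.0/16 -> 10.20.0.0/15).
    Non-adjacent networks (10.20.0.0/16 + 10.22.0.0/16) are left alone.
    Returns CIDR strings, sorted by network address."""
    nets = [ipaddress.ip_network(n, strict=True) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def compare_selectors(checkpoint_domain, pix_networks):
    """Return one (selector, verdict) tuple per network the Check Point side
    would propose.  'exact' means the PIX crypto ACL carries the identical
    prefix; any 'mismatch' is the mask difference to look for in IkeView."""
    proposed = [ipaddress.ip_network(n) for n in summarize_domain(checkpoint_domain)]
    pix = {ipaddress.ip_network(n) for n in pix_networks}
    report = []
    for sel in proposed:
        if sel in pix:
            report.append((str(sel), "exact"))
            continue
        # Networks the PIX does list, but only as pieces of this supernet.
        covered = sorted(p for p in pix if p.subnet_of(sel))
        if covered:
            listed = ", ".join(str(p) for p in covered)
            report.append((str(sel), "mismatch: PIX lists " + listed + " separately"))
        else:
            report.append((str(sel), "mismatch: not in PIX crypto ACL at all"))
    return report


if __name__ == "__main__":
    # Constructed sample: both sides agree on the networks, but the
    # Check Point side would announce 10.20.0.0/15 for the first two.
    cp_domain = ["10.20.0.0/16", "10.21.0.0/16", "192.168.5.0/24"]
    pix_acl = ["10.20.0.0/16", "10.21.0.0/16", "192.168.5.0/24"]
    for selector, verdict in compare_selectors(cp_domain, pix_acl):
        print(f"{selector:<18} {verdict}")
```

Run it with your own two lists; every line marked "mismatch" is a selector to check against the mask shown in the IkeView Quick Mode section before changing anything on either gateway.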
Ramakrishnan Pillai <rpillai AT CHARLESTONCOUNTY DOT ORG>
Sent by: Mailing list for discussion of Firewall-1
<FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
15.12.2005 03:29
Please reply to:
Mailing list for discussion of Firewall-1
<FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Cc:
Subject: Re: [FW-1] VPN between R55 and PIX
Thanks. Compared all the properties of PIX and R55. The "Support key
Exchange for Subnets" is already checked. Still no luck. Same
message... RK
>>> oliver_dog2201 AT YAHOO DOT COM 12/14/05 5:37 PM >>>
In SmartDashboard, go to the interoperable device
object Properties (representing PIX), look for VPN -
VPN Advanced and uncheck the box: "Support key
Exchange for Subnets"
I hope that helps.
Regards,
Oliver.
--- Ramakrishnan Pillai
<rpillai AT CHARLESTONCOUNTY DOT ORG> wrote:
> Thanks for the detailed reply. Let me cross-check
> everything... RK
>
> >>> thorsten.behrens AT INTEGRALIS DOT COM 12/14/2005
> 10:45:06 AM >>>
> Parameters are not identical. I've run into this
> many times. For example, if policy on PIX ends up
> offering you DES/3DES/MD5/SHA1 (Phase-1), but the
> Interoperable Device representing the PIX has been
> set up for 3DES/SHA1, it will fail. You've got to match
> exactly, not just have a match. Painful, but there
> you have it. Also check DH-groups, timeouts,
> PFS-or-not for Phase-2, and ideally don't choose
> Aggressive.
> No proposal chosen is likely Phase-1 settings. If it
> was encrypt domain, you'd see "no valid SA". Could
> also be encrypt settings Phase-2, but that's less
> common - transform sets are specific to a tunnel, so
> control is better. Policies are not, and that leads
> to a "VPNs are like a box of chocolates" situation.
>
> If you are being supported by a CSP, run vpn debug
> trunc, get the handy ike.elg, and have them run it
> through IkeView. That will show you exactly what's
> going on and make short work of this issue. Could
> also use tcpdump and ethereal for phase-1 issues,
> but that'll only get you halfway through the exchange
> - once encryption starts, you're blind. Ethereal
> won't help with Phase-2; IkeView will.
>
> Good news is: This will come up once parameters
> match 100% on both sides.
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of
> Ramakrishnan Pillai
> Sent: Wednesday, December 14, 2005 10:15 AM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: [FW-1] VPN between R55 and PIX
>
>
> While doing a site-to-site between R55 and PIX we
> are getting "Message from peer: No proposal chosen"
> at the Check Point end. Using a preshared secret, and all
> parameters are identical. Any idea where to check?
>
> Thanks in advance.
> RK
>
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
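The Phase-1 comparison Thorsten describes, as an added example that is not code from any of the posters, from Cisco or from Check Point. It parses constructed PIX "isakmp policy" lines into complete transforms (attributes a policy does not set are filled with the PIX/IOS defaults, an assumption), then asks whether a responder would pick one of them against the settings on the Interoperable Device object. The default mode is the ordinary IKEv1 responder rule (one acceptable transform is enough); strict=True models the behaviour Thorsten reports, where every policy the PIX offers has to be acceptable. One caveat when reading the Check Point log: "Message from peer: No proposal chosen" means the notification came from the PIX, i.e. the PIX rejected what the Check Point proposed, so the roles may be the reverse of this example; the attribute comparison is the same in both directions.

```python
"""Phase-1 (ISAKMP) proposal comparison for the PIX <-> Check Point case.

Added example; not code from the list posters, from Cisco or from Check
Point.  The PIX configuration is constructed for illustration.  The
'strict' mode models the behaviour reported in the thread (every offered
policy must be acceptable); the default mode is the usual IKEv1 rule.
"""
import re
from typing import Dict, Optional

# Values a PIX applies to an isakmp policy that does not set the attribute
# (assumption: PIX 6.x / IOS defaults).
_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
             "group": "1", "lifetime": "86400"}

_POLICY_RE = re.compile(
    r"^\s*isakmp policy (\d+) (encryption|hash|authentication|group|lifetime) (\S+)\s*$")

# Constructed sample config, not taken from any real device.
PIX_CONFIG = """\
! constructed sample
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""

# Constructed Interoperable Device settings: 3DES/SHA1, pre-shared, DH group 2.
CHECKPOINT_R55 = {"encryption": "3des", "hash": "sha",
                  "authentication": "pre-share", "group": "2"}


def parse_isakmp_policies(config_text: str) -> Dict[int, Dict[str, str]]:
    """Turn 'isakmp policy N attr value' lines into {priority: {attr: value}},
    filling attributes the config leaves unset with the device defaults.
    Unrelated lines (comments, 'isakmp enable ...') are ignored."""
    policies: Dict[int, Dict[str, str]] = {}
    for line in config_text.splitlines():
        m = _POLICY_RE.match(line)
        if not m:
            continue
        prio, attr, value = int(m.group(1)), m.group(2), m.group(3)
        policies.setdefault(prio, dict(_DEFAULTS))[attr] = value
    return policies


def acceptable(policy: Dict[str, str], accepted: Dict[str, str]) -> bool:
    """The four attributes that must agree for a Phase-1 transform to match.
    Lifetime is deliberately not compared: IKEv1 responders usually accept a
    shorter lifetime rather than reject, so it is checked separately by hand."""
    return all(policy[k] == accepted[k]
               for k in ("encryption", "hash", "authentication", "group"))


def select_phase1(offered: Dict[int, Dict[str, str]], accepted: Dict[str, str],
                  strict: bool = False) -> Optional[int]:
    """Priority of the offered policy a responder would choose, or None for
    'No proposal chosen'.  The PIX offers policies in ascending priority.
    strict=True: every offered policy must be acceptable, not just one."""
    ordered = sorted(offered)
    if strict and not all(acceptable(offered[p], accepted) for p in ordered):
        return None
    for p in ordered:
        if acceptable(offered[p], accepted):
            return p
    return None


if __name__ == "__main__":
    pix = parse_isakmp_policies(PIX_CONFIG)
    for prio, pol in sorted(pix.items()):
        print(f"policy {prio}: {pol}")
    print("standard IKEv1 selection:", select_phase1(pix, CHECKPOINT_R55))
    print("strict (all must match): ", select_phase1(pix, CHECKPOINT_R55, strict=True))
```

With the sample config, standard selection picks policy 10 while strict mode returns None because policy 20 (DES/MD5) has no counterpart on the Check Point side; that is the situation Thorsten describes, and the fix on either side is to remove the surplus policy or add its counterpart, then recheck lifetime and PFS for Phase-2 separately.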