Firewall-1

Re: [FW-1] VPN between R55 and PIX

Subject: Re: [FW-1] VPN between R55 and PIX
From: Oliver <oliver_dog2201 AT YAHOO DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 16 Dec 2005 09:46:51 -0600
Hi Ramakrishnan,
My suggestion was to "uncheck" the box for "Support key
Exchange for Subnets", NOT to "check" it (only in the
interoperable device).
Next, install the policy.
Did you try that?

Regards,
Oliver.


 --- Ramakrishnan Pillai
<rpillai AT CHARLESTONCOUNTY DOT ORG> wrote:

> Thanks.  Will check the supernetting option.  As per
> another suggestion, I tried matching the encryption
> domains on both ends.  The PIX end is simple, with two
> networks.  But the Checkpoint end's encryption domain is
> common to all site-to-site and remote access
> clients and is a huge list of all IPs/networks
> inside the network which need to be accessed over
> VPN from outside.  Hence it is difficult to match
> the encryption domain on both sides of the VPN
> tunnel.  Any ideas on this?
> 
> Thanks,
> Ramakrishnan
> 
> >>> ogos69 AT YAHOO DOT COM 12/15/05 9:23 PM >>>
> Disable SUPERNETTING on the Checkpoint side. Check the
> Knowledge Base for "how to" instructions.
> It may solve your problem.
> Regards
>   
> Ramakrishnan Pillai <rpillai AT CHARLESTONCOUNTY DOT ORG>
> wrote:
> Thanks. Compared all the properties of PIX and
> R55. The "Support key Exchange for Subnets" is
> already checked. Still no luck. Same message...RK
> 
> >>> oliver_dog2201 AT YAHOO DOT COM 12/14/05 5:37 PM >>>
> In SmartDashboard, go to the interoperable device
> object Properties (representing PIX), look for VPN -
> VPN Advanced and uncheck the box: "Support key
> Exchange for Subnets"
> I hope that helps.
> 
> Regards,
> 
> Oliver.
> 
> 
> --- Ramakrishnan Pillai
> wrote:
> 
> > Thanks for the detailed reply. Let me cross check
> > everything...RK
> > 
> > >>> thorsten.behrens AT INTEGRALIS DOT COM 12/14/2005
> > 10:45:06 AM >>>
> > Parameters are not identical. I've run into this
> > many times. For example, if the policy on the PIX ends up
> > offering you DES/3DES/MD5/SHA1 (Phase-1), but the
> > Interoperable Device representing the PIX has been
> > set up for 3DES/SHA1, it will fail. You've got to match
> > exactly, not just have a match. Painful, but there
> > you have it. Also check DH groups, timeouts,
> > PFS-or-not for Phase-2, and ideally don't choose
> > Aggressive.
> > "No proposal chosen" is likely Phase-1 settings. If it
> > was the encryption domain, you'd see "no valid SA". Could
> > also be the encryption settings for Phase-2, but that's less
> > common - transform sets are specific to a tunnel, so
> > control is better. Policies are not, and that leads
> > to a "VPNs are like a box of chocolates" situation.
> > 
> > If you are being supported by a CSP, run vpn debug
> > trunc, get the handy ike.elg, and have them run it
> > through IkeView. That will show you exactly what's
> > going on and make short work of this issue. You could
> > also use tcpdump and ethereal for Phase-1 issues,
> > but that'll only get you halfway through the exchange
> > - once encryption starts, you're blind. Ethereal
> > won't help with Phase-2; IkeView will.
> > 
> > The good news is: this will come up once parameters
> > match 100% on both sides.
> > 
> > 
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1
> > [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On
> > Behalf Of Ramakrishnan Pillai
> > Sent: Wednesday, December 14, 2005 10:15 AM
> > To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> > Subject: [FW-1] VPN between R55 and PIX
> > 
> > 
> > While doing a site-to-site between R55 and PIX we
> > are getting "Message from peer: No proposal
> > choosen" at the Checkpoint end. Using a preshared secret,
> > and all parameters are identical. Any idea where to check?
> > 
> > Thanks in advance.
> > RK
> > 
> > 
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to
> > LISTSERV AT amadeus.us.checkpoint DOT com
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > fw-1-owner AT ts.checkpoint DOT com
> > =================================================
> > 
> > 
> 
> 
> 
=== message truncated ===


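The Phase-1 matching rule Thorsten describes in the thread, as an added illustration (not code from the thread, from Check Point or from Cisco): a small Python model of IKEv1 ISAKMP proposal selection, plus a diagnostic that names the attribute on which each offered transform fails, which is what you want to read off an ike.elg when every offer is refused. All transform values and the DH-group mismatch are constructed for the example, not findings about the poster's gateways.

```python
"""IKEv1 Phase-1 proposal selection: an offered transform is accepted only
when every attribute equals one locally configured transform; otherwise the
responder answers NO-PROPOSAL-CHOSEN. Sample values below are constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Attributes an ISAKMP (Phase-1) transform carries and that must all agree.
ATTRS = ("enc", "hash_alg", "dh_group", "auth", "lifetime_s")

@dataclass(frozen=True)
class Transform:
    enc: str          # encryption algorithm, e.g. "3DES"
    hash_alg: str     # integrity hash, e.g. "SHA1"
    dh_group: int     # Diffie-Hellman group number
    auth: str         # authentication method, e.g. "psk"
    lifetime_s: int   # SA lifetime in seconds

def negotiate_phase1(offered: List[Transform], configured: List[Transform]) -> Optional[Transform]:
    """Responder's choice: the first offered transform (initiator's preference
    order) that exactly equals one of the responder's configured transforms."""
    accepted = set(configured)
    for t in offered:
        if t in accepted:
            return t
    return None  # nothing matched: peer reports "No proposal chosen"

def explain_mismatch(offered: List[Transform], configured: List[Transform]) -> List[str]:
    """For each offer, name the attributes that differ from the closest
    configured transform: the diagnosis wanted when every offer is rejected."""
    report = []
    for t in offered:
        best = min(configured,
                   key=lambda c: sum(getattr(c, a) != getattr(t, a) for a in ATTRS))
        diff = [a for a in ATTRS if getattr(best, a) != getattr(t, a)]
        label = f"{t.enc}/{t.hash_alg}/group{t.dh_group}"
        report.append(f"{label}: differs in {', '.join(diff)}" if diff else f"{label}: exact match")
    return report

# Constructed sample: the PIX side offers three isakmp policies; the Check Point
# interoperable-device object is set to 3DES/SHA1 with DH group 2. The algorithms
# of the second offer match but its DH group does not, so all three are refused.
PIX_OFFER = [
    Transform("DES", "MD5", 1, "psk", 86400),
    Transform("3DES", "SHA1", 1, "psk", 86400),
    Transform("3DES", "MD5", 2, "psk", 86400),
]
CHECKPOINT_CFG = [Transform("3DES", "SHA1", 2, "psk", 86400)]
```

Adding a fourth offer of 3DES/SHA1/group 2 with the same auth and lifetime makes negotiate_phase1 return it, which is the "match 100%" outcome the thread ends on.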
