Tom,
Symptoms: Error in log viewer: "Encryption failure: packet is dropped as
there is no valid SA"
Cause of this problem:
In VPN-1/FireWall-1 NG, by default, the option:
"ike_use_largest_possible_subnets" is set to true, which will cause the
VPN-1 gateway to summarize subnet information sent in phase 2 of IKE key
exchange. This occurs when two subnets exist in the VPN domain configured on the
firewall module; a calculated summary, a "supernet" mask, will be sent
instead of the individual subnets.
Dbedit Method
Procedure:
1) Close all SmartDashboard sessions
2) Run command: "dbedit" on Management Server
3) Issue following commands:
modify properties firewall_properties ike_use_largest_possible_subnets false
update properties firewall_properties
quit
4) Install policy
Also make sure you have unchecked the Supernetting option under
VPN ---> Advanced on the Peer Address (Interoperable Device). This will fix
your problem... Also, refer to sk19423; you may have to manually enter the
Starting IP & Ending IP address in the User.def file on the Management
Server and then push the policy. Also, ensure that you have no Dashboard or
Tracker open while making these changes. I hope this will fix your
problem...
Also, speak to the other vendor and let them identify what Host/Network
addresses they are seeing while the phase 2 negotiation takes place; maybe
you can change your config accordingly in the encryption
domain... Checkpoint Support is very bad... They take a long time to get back to
us..
Good Luck !
Regards,
vasu
On 3/27/06, Tom Brown <tom.brown AT goodtechnology DOT com> wrote:
>
> Hi
>
> I'm trying to get this VPN going - I can get a key install to happen and
> I see this
>
> Encryption Methods: 3DES + MD5, Pre shared secrets
> Information: IKE: Main Mode completion.
>
> but after it never completes with this
>
> IKE: Quick Mode Received Notification from Peer: no proposal chosen
>
> any ideas where the issue may be?
>
> thanks
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>
--
Regards,
Vasu
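The following is an added illustration, not code from the thread or from Check Point, of why the summarisation Vasu describes can end in Tom's "no proposal chosen". It assumes (the gateway's real algorithm is not given in the thread) that ike_use_largest_possible_subnets replaces the VPN domain's subnets with the smallest single prefix covering all of them, and that the peer accepts a Quick Mode proxy-ID only if it exactly matches one of its configured remote networks. The addresses are constructed sample data.

```python
import ipaddress
from typing import Iterable, List

Net = ipaddress.IPv4Network


def supernet_summary(subnets: Iterable[str]) -> Net:
    """Smallest single prefix that covers every subnet in the VPN domain.

    Models the 'largest possible subnet' summarisation described in the
    thread; the gateway's real algorithm is not given there (assumption).
    """
    nets = [ipaddress.ip_network(s) for s in subnets]
    summary = nets[0]
    # Widen the prefix one bit at a time until all member subnets fit inside.
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def phase2_local_ids(subnets: Iterable[str],
                     use_largest_possible_subnets: bool) -> List[Net]:
    """Local proxy-IDs the gateway would offer in Quick Mode.

    With the option on, one summarised supernet is sent; with it off, each
    subnet of the VPN domain is offered individually.
    """
    if use_largest_possible_subnets:
        return [supernet_summary(subnets)]
    return sorted(ipaddress.ip_network(s) for s in subnets)


def unmatched_proposals(local_ids: Iterable[Net],
                        peer_expected: Iterable[str]) -> List[Net]:
    """Offered identities the peer has no matching entry for.

    A peer that only accepts an exact match of its configured remote networks
    answers such a proposal with 'no proposal chosen' (assumed peer behaviour).
    """
    expected = {ipaddress.ip_network(s) for s in peer_expected}
    return [n for n in local_ids if n not in expected]


# Constructed sample data: two /24s in our VPN domain, and a peer configured
# with exactly those two networks as the remote side of its tunnel.
VPN_DOMAIN = ["10.1.1.0/24", "10.1.2.0/24"]
PEER_REMOTE_NETS = ["10.1.1.0/24", "10.1.2.0/24"]


def compare_settings():
    """Map each value of the option to the proxy-IDs the peer would reject."""
    result = {}
    for flag in (True, False):
        offered = phase2_local_ids(VPN_DOMAIN, flag)
        result[flag] = [str(n) for n in unmatched_proposals(offered, PEER_REMOTE_NETS)]
    return result


if __name__ == "__main__":
    for flag, rejected in compare_settings().items():
        offered = [str(n) for n in phase2_local_ids(VPN_DOMAIN, flag)]
        print(f"ike_use_largest_possible_subnets={str(flag).lower()}: "
              f"offered {offered}, rejected by peer {rejected}")
```

With the option true the gateway offers 10.1.0.0/22, which the peer has never heard of, so Quick Mode fails even though Main Mode completed; with it false the two /24s are offered and match. This is also why the thread's advice to ask the other vendor what Host/Network addresses they see in phase 2 is the quickest way to confirm the diagnosis.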