On 7/17/06, cisco4ng <cisco4ng AT yahoo DOT com> wrote:
What you're saying is NOT true. What happens if the Cisco devices decide to send type 1 instead of type 4 during the phase I exchange? The best option if this happens is to modify IKE_largest_possible_subnet from true to "false", and you will also have to modify $FWDIR/lib/base.def for this to happen.

Last but not least, what you said on item #2 is correct if you do not have to NAT inside the VPN tunnel. If you have to NAT inside the VPN tunnel, you need to have this option turned "OFF" or you will have a big problem on your hands.

my 2c
Sathya Prakash <sathyaprakash AT HTCINDIA DOT COM> wrote:
Hi Yang,

Check if the following settings are enabled in your Checkpoint.

1. Select Interoperable Device --> Properties --> VPN Advanced --> Make sure the "support key exchange for subnets" option is enabled.
2. Select VPN Community in your VPN tab --> Edit --> Advanced Properties --> NAT --> Make sure the "Disable NAT inside the VPN community" option is enabled.

This should solve your problem.

Regards,
Sathya
----- Original Message -----
From: "Yang Xiao"
To:
Sent: Saturday, July 15, 2006 3:39 AM
Subject: [FW-1] Site-to-Site VPN with Cisco PIX and NGAI R55
> Hi all,
>
> For some reason, we just can't get past phase 1 main mode completion, and it keeps complaining about "no proposal chosen" by the Cisco PIX peer. I have double checked all these:
>
> 1) Make sure UDP 500 is open to peers on both ends.
> 2) Pre-shared key is defined correctly on both peers.
> 3) Phase-1 proposals match on both ends including the lifetimes.
> 4) Phase-2 proposals match on both sides including the lifetimes.
> 5) IPSEC ACL should match the policies on Checkpoint.
> 6) Make sure Perfect Forward Secrecy is set to match on both ends. By default it is disabled on the PIX. If Checkpoint is defined for DH Group1 or Group2,
>
> Is there anything else I should look into?
>
> Many thanks,
>
> - Yang
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>
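To make the phase-1 checklist in Yang's message concrete, here is a small model of IKEv1 main-mode proposal selection, added as an illustration and not code from any message in this thread or from Check Point or Cisco. It assumes a simplified transform with five attributes (encryption, hash, DH group, authentication method, lifetime); the sample Check Point offer and the two PIX policy sets are constructed, and `id_type_accepted` is a hypothetical stand-in for the "support key exchange for subnets" toggle, using the ID type numbers 1 and 4 that the thread mentions.

```python
"""Model of IKEv1 main-mode proposal selection, used to show why a responder
answers "no proposal chosen" and which attribute of the offer is to blame.

Added example, not code from the thread or from Check Point / Cisco. The
attribute names, the sample offer and the sample peer policies are constructed
for illustration; real devices carry these values as ISAKMP transform
attributes (RFC 2409) and the ID type numbers are from RFC 2407.
"""
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple

# ISAKMP identification types mentioned in the thread (RFC 2407, 4.6.2.1).
ID_IPV4_ADDR = 1         # a single host address
ID_IPV4_ADDR_SUBNET = 4  # an address plus netmask, i.e. a subnet identity


@dataclass(frozen=True)
class Phase1Transform:
    """One phase-1 (ISAKMP SA) transform as both peers have to agree on it."""
    encryption: str   # e.g. "3DES", "AES-128"
    hash_alg: str     # e.g. "MD5", "SHA1"
    dh_group: int     # Diffie-Hellman group: 1, 2, 5, ...
    auth: str         # "psk" or "rsa-sig"
    lifetime_s: int   # SA lifetime in seconds


def mismatches(offered: Phase1Transform, policy: Phase1Transform) -> List[str]:
    """List every attribute in which the offered transform differs from one
    responder policy. An empty list means an exact match. The thread's checklist
    treats lifetime as a must-match item, so it is compared like the rest."""
    diffs = []
    for name, want in asdict(policy).items():
        got = getattr(offered, name)
        if got != want:
            diffs.append(f"{name}: offered {got!r}, policy wants {want!r}")
    return diffs


def choose_proposal(offered: List[Phase1Transform],
                    policies: List[Phase1Transform]
                    ) -> Tuple[Optional[Phase1Transform], List[str]]:
    """Responder side: compare each offered transform against the responder's
    policies in priority order and return the first exact match. When nothing
    matches, return None plus a per-pair reason list; that None is the
    situation in which the peer sends NO_PROPOSAL_CHOSEN."""
    reasons = []
    for i, transform in enumerate(offered):
        for j, policy in enumerate(policies):
            diffs = mismatches(transform, policy)
            if not diffs:
                return transform, reasons
            reasons.append(f"offer {i} vs policy {j}: " + "; ".join(diffs))
    return None, reasons


def id_type_accepted(peer_id_type: int, support_subnet_ids: bool) -> bool:
    """Hypothetical, simplified model of the 'support key exchange for subnets'
    toggle from the thread: a host identity (type 1) is always usable, a subnet
    identity (type 4) only when the option is on. Any other type is rejected."""
    if peer_id_type == ID_IPV4_ADDR:
        return True
    if peer_id_type == ID_IPV4_ADDR_SUBNET:
        return support_subnet_ids
    return False


# Constructed sample data (hypothetical, not taken from the thread).
CHECKPOINT_OFFER = [Phase1Transform("3DES", "SHA1", 2, "psk", 86400)]
# PIX policy as first configured: same cipher and group, but MD5 hashing.
PIX_POLICIES_BEFORE = [Phase1Transform("3DES", "MD5", 2, "psk", 86400)]
# PIX policy after the peer corrected the hash to match.
PIX_POLICIES_AFTER = [Phase1Transform("3DES", "SHA1", 2, "psk", 86400)]


if __name__ == "__main__":
    for label, policies in (("before", PIX_POLICIES_BEFORE),
                            ("after", PIX_POLICIES_AFTER)):
        chosen, reasons = choose_proposal(CHECKPOINT_OFFER, policies)
        if chosen is None:
            print(f"{label}: NO_PROPOSAL_CHOSEN")
            for r in reasons:
                print("  " + r)
        else:
            print(f"{label}: agreed on {chosen}")
```

Running it shows the "before" case ending in NO_PROPOSAL_CHOSEN with the hash attribute named as the only difference, and the "after" case agreeing on the offered transform, which is the kind of attribute-by-attribute comparison the checklist asks you to do by hand on both devices.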
Thanks a bunch guys, it's working now. Our counter-party on the PIX end finally figured it out; it's their problem, the settings I have on the NG R55 are fine.

- Yang