Hello gurus of the list,

I've been trying for the past 4 hours to set up a VPN between a SecureComputing Sidewinder (SCSD) and a CP FW-1 CP2000 v4.1 SP3 (FW) without luck. This is supposed to be a VPN between 2 networks (how obvious). I've set up a Network Object for their end, say NET-A (10.0.0.0/16), and a Network Object for my end, say NET-B (172.24.0.0/24). I've set up 2 rules allowing the IPSEC group of services (AH, ESP, IKE, ISAKMP, SKIP), one to allow traffic to my FW from their SCSD and one to allow traffic from my FW to their SCSD:

FW -> SCSD -> IPSEC -> Allow
SCSD -> FW -> IPSEC -> Allow

I have also set up the encryption domains on the Network Objects as follows:

FW -> Other: NET-B
SCSD -> Other: NET-A

My FW is defined as a Workstation (Type: Gateway), (VPN-1 & Firewall-1), (Version 4.1), (Management Station). The SCSD is defined as a Workstation (Type: Gateway). I have also set up the VPN properties of the FW as (IKE, DES, MD5, Pre-Shared Secret, Support keys exchange for Subnets) and the VPN properties of the SCSD as (IKE, DES, MD5, Pre-Shared Secret, Support keys exchange for Subnets). Finally, I've set up ONE rule as:

NET-A -> NET-B -> ICMP -> Encrypt
NET-B -> NET-A -> ICMP -> Encrypt

with the encryption properties IKE, Encryption + Data Integrity (ESP), DES, MD5, Allowed Peer Gateway (SCSD).

The guy from the SCSD side has set up the following:

General Tab
  Encapsulation: Tunnel
  Burb: Internal
  Mode: Fixed IP
  Remote IP: my REAL FW Internet IP
  Client Address Pool: Disabled
  Local Network IP: 10.0.0.0/16
  Remote Network IP: 172.24.0.0/24
Authentication Tab
  Authentication Method: Password
Crypto Tab
  IPSEC Crypto Algorithms: Accept DES
  IPSEC Hashing Algorithms: HMAC-MD5-96
Advanced Tab
  Phase 1 (ISAKMP)
    Rekey Hard Limits: 86400 sec (the same in minutes as my FW), 0 kb
    P1 Crypto: DES
    P1 Hash: MD5
    P1 Oakley: Group 2
    Soft Percentage: 85
  Phase 2 (IPSEC)
    Rekey Hard Lifetimes: 3600 sec (same as mine), 0 KB
    Soft Percentage: 85

I can see in my logs that Phase-1 completes OK (IKE Log: Phase 1 completion. DES/MD5/Pre shared secrets Negotiation Id: and various letters-numbers). But after 2-3 seconds I see the exact same entry but with a different Negotiation Id, and when I try to ping the remote host to get the VPN up and running I get an icmp-type 8 icmp-code 0 encryption failure: no response from peer scheme: IKE. I am a bit puzzled over here. Does anyone have an idea of what might be wrong? Have any of you guys and gals out there had any luck so far with a VPN between a Sidewinder and a FW-1? If so, could you pretty please tell me what to do.
Thank you all and sorry for my lengthy e-mail. Cheers, Dimitris
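The post lists both gateways' IKE/IPsec parameters and describes a log pattern (Phase 1 completing repeatedly with fresh Negotiation Ids, then "no response from peer" on the first ping). The script below is an added example, not part of the original message or of either vendor's tooling: it lines up the two sides' parameters as the post reports them, flags anything that differs or that one side did not state (the post does not give the FW-1 Diffie-Hellman group, so that entry comes out "unspecified"), and classifies a few constructed log lines that mirror the post's wording. The field names, the alias table and the "Phase 2 completion" string are my own assumptions, not product log formats.

```python
"""Added example: compare the IKE/IPsec parameters each side reported and
classify FW-1-style IKE log lines for the 'Phase 1 repeats, no Phase 2'
pattern. Parameter names, the alias table and the sample log lines are
constructed for this example and are not from the original post."""
import re

# Parameters as described in the post. None = the post does not state it.
FW1_SIDE = {
    "p1_crypto": "DES", "p1_hash": "MD5", "p1_auth": "pre-shared",
    "p1_dh_group": None,            # FW-1 Oakley group is not given in the post
    "p1_lifetime_sec": 86400,
    "p2_encap": "ESP", "p2_crypto": "DES", "p2_hash": "MD5",
    "p2_lifetime_sec": 3600,
    "local_net": "172.24.0.0/24", "remote_net": "10.0.0.0/16",
}
SIDEWINDER_SIDE = {
    "p1_crypto": "DES", "p1_hash": "MD5", "p1_auth": "pre-shared",
    "p1_dh_group": "Group 2",
    "p1_lifetime_sec": 86400,
    "p2_encap": "ESP", "p2_crypto": "DES", "p2_hash": "HMAC-MD5-96",
    "p2_lifetime_sec": 3600,
    "local_net": "10.0.0.0/16", "remote_net": "172.24.0.0/24",
}

# Vendor spellings that denote the same algorithm (assumed mapping).
ALIASES = {"HMAC-MD5-96": "MD5"}


def normalize(value):
    return ALIASES.get(value, value) if isinstance(value, str) else value


def compare_proposals(local, remote):
    """Return {parameter: 'ok' | 'mismatch' | 'unspecified'}.
    The peer's local/remote networks are swapped before comparison, since
    my local network must be their remote network and vice versa."""
    peer = dict(remote)
    peer["local_net"], peer["remote_net"] = remote["remote_net"], remote["local_net"]
    report = {}
    for key in local:
        mine, theirs = normalize(local[key]), normalize(peer.get(key))
        if mine is None or theirs is None:
            report[key] = "unspecified"      # cannot judge; ask the other side
        elif mine == theirs:
            report[key] = "ok"
        else:
            report[key] = "mismatch"
    return report


# Log patterns. The Phase 1 and failure strings follow the post's wording;
# the Phase 2 string is an assumption and should be adapted to real logs.
PHASE1_RE = re.compile(r"Phase 1 completion\..*?Negotiation Id: (\S+)")
PHASE2_RE = re.compile(r"Phase 2 completion")
FAIL_RE = re.compile(r"encryption failure: no response from peer")


def classify_ike_log(lines):
    """Count Phase 1 / Phase 2 completions and peer failures, and flag the
    pattern from the post: several Phase 1 completions with distinct
    Negotiation Ids, no Phase 2 at all, and a 'no response from peer'."""
    p1_ids, p2, fails = [], 0, 0
    for line in lines:
        m = PHASE1_RE.search(line)
        if m:
            p1_ids.append(m.group(1))
        elif PHASE2_RE.search(line):
            p2 += 1
        elif FAIL_RE.search(line):
            fails += 1
    distinct = len(set(p1_ids))
    return {
        "phase1": len(p1_ids),
        "distinct_ids": distinct,
        "phase2": p2,
        "failures": fails,
        "phase2_never_established": distinct >= 2 and p2 == 0 and fails > 0,
    }


# Constructed sample, mirroring the sequence the post describes.
SAMPLE_LOG = [
    "IKE Log: Phase 1 completion. DES/MD5/Pre shared secrets Negotiation Id: a1b2c3",
    "IKE Log: Phase 1 completion. DES/MD5/Pre shared secrets Negotiation Id: d4e5f6",
    "icmp-type 8 icmp-code 0 encryption failure: no response from peer scheme: IKE",
]

if __name__ == "__main__":
    for key, status in compare_proposals(FW1_SIDE, SIDEWINDER_SIDE).items():
        print(f"{key:16} {status}")
    print(classify_ike_log(SAMPLE_LOG))
```

Run as-is, every parameter the post gives on both sides comes out "ok" and only `p1_dh_group` is "unspecified", which is exactly the kind of entry worth confirming with the peer before digging further; the log classifier returns `phase2_never_established: True` for the constructed lines, i.e. the IKE SA is being built but no IPsec SA ever follows.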
