3des/sha1 is what I use. Make sure that the object and encryption rules show the same. If you still have issues, let me know and we can take it offline and work it out.
Matt

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Harald Astrand
Sent: Wednesday, May 05, 2004 3:01 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] VPN-1 Edge to NG AI using traditional mode VPN

Hi Matt,

Thanks for your suggestions!

When I configure a site-to-site VPN on the VPN-1 Edge and try to connect I can see the IKE packet being accepted by the R55 cluster. However I get the following error messages in the log file:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Number: 32848
Date: 5May2004
Time: 10:41:56
Product: VPN-1 & FireWall-1
Interface: daemon
Origin: Central-vpn (x.x.x.x)
Type: Log
Action: Key Install
Source: Central-vpn (x.x.x.x)
Destination: x.x.x.x
Encryption Scheme: IKE
VPN Peer Gateway: x.x.x.x
IKE Initiator Cookie: f34b85b9acd544322
Information: IKE: Main Mode Sent Notification to Peer: no proposal chosen

Number: 32913
Date: 5May2004
Time: 10:42:01
Product: VPN-1 & FireWall-1
Interface: daemon
Origin: Central-VPN (x.x.x.x)
Type: Log
Action: Reject
Reject Reason: IKE failure
Source: Remote-vpn (x.x.x.x)
Destination: Central-vpn (x.x.x.x)
Encryption Scheme: IKE
VPN Peer Gateway: Remote-VPN (x.x.x.x)
Information: IKE: Main Mode Missing IKE configuration for peer (authentication or encryption or hash)

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

It seems like it cannot get the encryption, hash or other parameters that are negotiated during main mode IKE. On the IP40, are you able to specify all the IKE parameters (3DES, SHA, etc)? Does anyone know what parameters the VPN-1 Edge would use?

Thanks again for your help!
Regards,
Harald

Matt Arntsen <[EMAIL PROTECTED]>
Sent by: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]>
04/30/2004 11:15 AM CST
Please respond to Mailing list for discussion of Firewall-1

To: [EMAIL PROTECTED]
cc:
bcc: Harald Astrand/ICC
Subject: Re: [FW-1] VPN-1 Edge to NG AI using traditional mode VPN

It is possible, I have done it with many IP40s to an IP380 running R55 (non-clustered). I use an SR user to download the topology info and established a static vpn with keep-alives. I have a split tunnel so only corporate traffic is encrypted. I can help you if you need.

matt

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Harald Astrand
Sent: Friday, April 30, 2004 2:45 AM
To: [EMAIL PROTECTED]
Subject: [FW-1] VPN-1 Edge to NG AI using traditional mode VPN

Hi,

Is it possible to connect a VPN-1 Edge device to a NG AI R55 VPN cluster using traditional mode VPN? Or do we have to use simplified VPN?

Regards,
Harald

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
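
Added example (not part of the original thread and not Check Point code): a small Python model of how an IKE Main Mode responder matches the initiator's phase 1 proposals against its own policy, which is why differing encryption or hash settings on the two gateways end in "no proposal chosen". The Transform fields, function names and sample policies are assumptions constructed for illustration; they are not the real defaults of any device.

```python
from typing import NamedTuple, Optional, Sequence

class Transform(NamedTuple):
    """One IKE phase 1 transform; field names are this example's own."""
    encryption: str
    hash: str
    auth: str
    dh_group: int

def select_proposal(offered: Sequence[Transform],
                    accepted: Sequence[Transform]) -> Optional[Transform]:
    """Responder logic: pick the first offered transform that exactly matches
    local policy. None corresponds to sending 'no proposal chosen'."""
    policy = set(accepted)
    for transform in offered:
        if transform in policy:
            return transform
    return None

def explain_mismatch(offered, accepted):
    """For each offered transform, show which attributes differ from the
    closest accepted transform, as {field: (offered, accepted)}."""
    report = []
    for o in offered:
        if not accepted:              # peer has no IKE configuration at all
            report.append((o, {f: (getattr(o, f), None) for f in o._fields}))
            continue
        closest = min(accepted, key=lambda a: sum(x != y for x, y in zip(o, a)))
        diffs = {f: (getattr(o, f), getattr(closest, f))
                 for f in o._fields if getattr(o, f) != getattr(closest, f)}
        report.append((o, diffs))
    return report

# Constructed sample policies (not the real defaults of any gateway).
CENTRAL_POLICY = [Transform("3DES", "SHA1", "PSK", 2)]
REMOTE_OFFER = [Transform("DES", "MD5", "PSK", 2),
                Transform("3DES", "MD5", "PSK", 2)]

if __name__ == "__main__":
    chosen = select_proposal(REMOTE_OFFER, CENTRAL_POLICY)
    print("chosen:", chosen or "NO-PROPOSAL-CHOSEN")
    for offer, diffs in explain_mismatch(REMOTE_OFFER, CENTRAL_POLICY):
        print(offer, "->", diffs or "match")
```

An empty diff for any offered transform means that transform would be accepted; a non-empty one names the setting to align on the two gateway objects.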
