Have you tried turning off "Support Key Exchange for Subnets" in the
firewall object properties under VPN --> Advanced page?




On Thu, 14 Oct 2004 08:27:01 -0500, Previtera, Sal
<[EMAIL PROTECTED]> wrote:
> Here are the errors on the Checkpoint log... on IKE Phase 2 coming from
> remote PIX 506 configured with DES-MD5:
> ---------------------------------------------------------------------------
> Number:                                 438038
> Date:                                   13Oct2004
> Time:                                   15:02:50
> Product:                                VPN-1 & FireWall-1
> Interface:                              daemon
> Origin:                                 My checkpoint Gateway
> Type:                                   Log
> Action:                                 Key Install
> Source:                                 Remote PIX 506
> Destination:                            My Checkpoint Gateway
> Encryption Scheme:              IKE
> VPN Peer Gateway:               Remote PIX 506
> IKE Phase2 Message ID:  819efb4a
> Community:                      WTH-EXTRA-DESonly
> Information:                            IKE: Quick Mode Received Notification from Peer: invalid spi
> ----------------------------------------------------------------------------
>
> Number:                                 474424
> Date:                                   13Oct2004
> Time:                                   15:48:38
> Product:                                VPN-1 & FireWall-1
> Interface:                              daemon
> Origin:                                 My Checkpoint Gateway
> Type:                                   Log
> Action:                                 Key Install
> Source:                                 Remote PIX 506
> Destination:                            My Checkpoint gateway
> Encryption Scheme:              IKE
> VPN Peer Gateway:               Remote Pix 506
> IKE Phase2 Message ID:  456e4e3f
> Community:                      WTH-EXTRA-DESonly
> Information:                            IKE: Quick Mode Received Notification from Peer: no proposal chosen
> ----------------------------------------------------------------------------
>
> This is the PIX506 config pertinent to the site to site VPN
>
> -----------------------------------------------------------------------
> PIX Version 6.3(1)
> access-list 120 permit ip host (myfirewall) host (internal host behind PIX506)
> access-group 120 in interface outside
> crypto ipsec transform-set rtptac esp-des esp-md5-hmac
> crypto map rtprules 20 ipsec-isakmp
> crypto map rtprules 20 match address 120
> crypto map rtprules 20 set peer (myfirewall)
> crypto map rtprules 20 set transform-set rtptac
> crypto map rtprules interface outside
> isakmp enable outside
> isakmp key (sharedkey) address (myfirewall) netmask 255.255.255.255
> isakmp nat-traversal 20
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption des
> isakmp policy 20 hash md5
> isakmp policy 20 group 2
> isakmp policy 20 lifetime 86400
> -------------------------------------------------------------------------
>
>
>
>
> -----Original Message-----
> From: Previtera, Sal
> Sent: Wednesday, October 13, 2004 2:32 PM
> To: Mailing list for discussion of Firewall-1
> Subject: Checkpoint NG R55 and PIX 506 des only.....
>
> Hello,
> Has anyone been able to set up a VPN site to site with a Cisco PIX 506 with
> DES-MD5 only, with shared key?
>
> I have other PIX 501s already set up with 3DES-MD5, Pre-share and they are
> working fine.
> But I seem to be unable to get this one running.
> Any suggestion?
> Regards,
> Sal.
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
>
