I have now solved my VPN creation problem. When configuring an Edge X as an Interoperable Device, you define the IP, IKE encryption (AES/3DES/DES, MD5/SHA1, DH Group 2) and the local network.
The VPN encryption rule encryption settings are AES/SHA1/DH Group 2, no PFS.
When attempting to establish a VPN connection from the Edge: Site to Site, VPN site (no restriction), define internal network, shared secret, attempt connection.
When trying Edge X firmware 4.5.44x the connection fails with a <phase1 stage5> error; downgrading the firmware to v4.5.37 gave the same problem; after downgrading to v4.0.97 the connection establishes immediately. Note: the configuration was not lost in the downgrade (great news for remote access).
During this time the NGAI firewall received no policy change; the changes took place only on the Edge unit.
Once the VPNs are established on the Edge X units, the firmware can be upgraded and the VPNs will continue to work unless they are deleted from the NGAI and then recreated.
The NG-AI logs indicate client negotiation. The Edge reports client negotiation <phase1 stage5>.
I upgraded to HFA-09 but the problem persists.
lancr wrote:
Russell, you do not need a newer firmware. Do you have any further log info from the negotiation cycle?
You will want to validate the settings on the remote gateway (edge device) to see if NAT is in use, and if so, verify that you are expecting to establish SA with the external ip of the edge. I've not seen many problems with this config.
Cryptotech
----- Original Message -----
From: "Russell Aspinwall" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 28, 2004 6:01 AM
Subject: [FW-1] Site to Site VPN
I am trying to establish a VPN between an Edge unit running firmware v.4.5.44x and ng-ai R55 hfa-07.
The edge is configured as Interoperable Device, using the same instructions I used before but I cannot establish a VPN. I get as far as a Key Exchange.
Do I need to run a later HFA to fix this?
--
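The Phase 1 failure discussed in this thread comes down to whether the two gateways can agree on one IKE transform, and Phase 2 on the PFS setting. The following is an added example (not code from the thread, Check Point or SofaWare) that models IKEv1 responder selection with the settings named above: the Edge offers AES/SHA1/DH Group 2, and the NG AI Interoperable Device object accepts AES/3DES/DES with MD5/SHA1 and DH Group 2. The mismatching peer that only accepts DH group 5 is a constructed case for illustration and does not appear in the thread.

```python
# Added example: minimal model of IKEv1 Phase 1 proposal selection and the
# Phase 2 PFS agreement check. Transform values are those named in the thread;
# the mismatch cases at the bottom are constructed.
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Transform:
    enc: str    # "AES", "3DES" or "DES"
    hash: str   # "SHA1" or "MD5"
    dh: int     # Diffie-Hellman group number

def expand(encs, hashes, groups):
    """Every Phase 1 transform a gateway will accept (responder side)."""
    return {Transform(e, h, g) for e, h, g in product(encs, hashes, groups)}

def negotiate_phase1(offered, accepted):
    """Responder picks the first offered transform it accepts (IKEv1 rule).
    Returns (transform, None) on success, or (None, reason) on failure, where
    reason names each attribute on which the two sides never overlap."""
    for t in offered:
        if t in accepted:
            return t, None
    bad = []
    for attr in ("enc", "hash", "dh"):
        offered_vals = {getattr(t, attr) for t in offered}
        accepted_vals = {getattr(t, attr) for t in accepted}
        if not offered_vals & accepted_vals:
            bad.append(f"{attr}: offered {sorted(offered_vals)}, "
                       f"peer accepts {sorted(accepted_vals)}")
    return None, "; ".join(bad) or "no single transform matched on all attributes"

def check_phase2_pfs(initiator_pfs_group, responder_pfs_group):
    """Phase 2: both sides must agree on 'no PFS' (None) or the same PFS group."""
    return initiator_pfs_group == responder_pfs_group

# Settings from the thread.
EDGE_OFFER = [Transform("AES", "SHA1", 2)]
NGAI_ACCEPTS = expand(("AES", "3DES", "DES"), ("MD5", "SHA1"), (2,))

if __name__ == "__main__":
    print(negotiate_phase1(EDGE_OFFER, NGAI_ACCEPTS))
    # Constructed mismatch: a peer that only accepts DH group 5.
    print(negotiate_phase1(EDGE_OFFER, expand(("AES",), ("SHA1",), (5,))))
    # Thread's rule is "no PFS" on both sides; one side requiring PFS breaks Phase 2.
    print(check_phase2_pfs(None, None), check_phase2_pfs(None, 2))
```

When a transform matches here but the gateway still reports a Phase 1 failure, the remaining suspects are the ones lancr names: the peer IP the SA is expected from (NAT in front of the Edge) and the firmware behaviour itself.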
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED]
in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
