Well, I fixed the issue but I'm not quite sure how. I noticed in my debug logs that when it wasn't working (with 'Support...subnets' off) it was sending just the IP of the machine I was working on. I had the other end change their config to just accept my machine (instead of the subnet) and it started working. I understand that with 'Support...subnets' off it tries to make a connection for each machine, not each subnet, but why wasn't it working when the other end was configured for the subnet and I had 'Support...subnets' turned on?
Scott Algatt wrote:
Yes, having the same schemes could cause problems. 'No response from peer' is a vanilla error message. You could also try making sure that 'Supports Aggressive mode' is also not checked on the Concentrator's object, and make sure that your renegotiation times are the same.
Scott M. Algatt Enterprise Security Office American Education Services E-mail: [EMAIL PROTECTED] Phone: 717-720-1712 Cell: 717-648-2418
Matt Grommes <[EMAIL PROTECTED]> 12/09/04 03:36 PM
To Scott Algatt <[EMAIL PROTECTED]> cc
Subject Re: [FW-1] R55 to VPN Concentrator problem
Yeah, when I have 'Support...subnets' unchecked is when I get the 'Invalid id information'. When it's checked I get 'encryption failure: no response from peer' messages.
The vendor has a bunch of different tunnels set up on the Concentrator, would having the same IP scheme as another user cause a problem?
Scott Algatt wrote:
Two things.
In the PIX object in your rulebase, make sure under VPN->Advanced that 'Supports key exchange for subnets' is unchecked.
The other is to make sure that you are not using the same internal networks on both ends. That might cause a problem.
Matt Grommes <[EMAIL PROTECTED]>
Sent by: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]>
12/09/04 12:34 PM
Please respond to Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]>
To [EMAIL PROTECTED] cc
Subject [FW-1] R55 to VPN Concentrator problem
I've got a weird VPN problem I'm hoping somebody can shed some light on. My end is a Checkpoint NG R55 (which I'm just now getting up to speed on, so I'm a newbie at configuring it) and I'm trying to set up a VPN to a vendor who's using a Cisco VPN Concentrator 3005. I've also got a preexisting VPN for developers to log in from home which works fine. The issue is that I only want the vendor to connect to one of my internal networks and the remote people to connect to two internal networks. When I have the VPN Domain of my Checkpoint set up with a group (VPN_NETWORKS) which includes both networks, the VPN to the vendor gives me an error 'IKE: Quick Mode Sent Notification: invalid id information'. When I change the VPN Domain to only the one internal network instead of the VPN_NETWORKS group, both VPNs work fine, but the developers can only see the one network.
My Checkpoint support folks seem to think that the way I have it set up should work fine, but obviously it's not. I've tried looking through the VPN debug logs, but the only thing that makes any sense to me is a line that says 'Subnet mismatch', and it doesn't say which subnet or where it's seeing the mismatch. The vendor has another customer using an R55 box and it's working fine. He's got his config set up to use the one internal network like he should.
I'm under the gun on this so any help would be very greatly appreciated. Thanks.
--
Matt Grommes
QA Engineer, SAMBA Holdings, Inc.
1730 Montaño NW, Ste. F, Albuquerque, NM 87107
505.797.2622 x114 (voice)
505.341.4796 (fax)
http://www.samba.biz
================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
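The following is an added illustration, not part of the thread: a simplified model of IKE Phase 2 (Quick Mode) identity matching that reproduces the host-versus-subnet behaviour Matt describes in his last message. The addresses are constructed, and the matching rules (Check Point offering either the containing VPN-domain network or a /32, the concentrator requiring an exact match) are assumptions for the model, not vendor code.

```python
"""Model of why a peer answers 'invalid id information' when the two ends
describe the protected network differently. Assumptions, not vendor code."""
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed lab values (not from the thread).
HOST = "10.10.1.25"                             # machine the test traffic comes from
VPN_DOMAIN = [ip_network("10.10.1.0/24")]       # Check Point VPN Domain
VENDOR_SUBNET = ip_network("10.10.1.0/24")      # vendor's original remote-network entry
VENDOR_HOST_ONLY = ip_network("10.10.1.25/32")  # vendor's entry after the change


def checkpoint_local_id(host: str, vpn_domain: list, subnets_enabled: bool) -> IPv4Network:
    """Assumed model of 'Support key exchange for subnets': when on, offer the
    VPN-domain network containing the source host; when off, offer the host
    itself as a /32 (the single IP seen in the debug log)."""
    h = ip_address(host)
    if not subnets_enabled:
        return ip_network(f"{h}/32")
    for net in vpn_domain:
        if h in net:
            return net
    raise ValueError(f"{host} is not inside the VPN domain")


def peer_accepts(offered_id: IPv4Network, peer_remote_network: IPv4Network) -> bool:
    """Strict matching, as the concentrator behaved: the offered ID must equal
    the remote network configured on the peer; merely being inside it fails."""
    return offered_id == peer_remote_network


def negotiate(host: str, vpn_domain: list, subnets_enabled: bool,
              peer_remote_network: IPv4Network) -> str:
    """Return a log-style outcome for one configuration."""
    offered = checkpoint_local_id(host, vpn_domain, subnets_enabled)
    if peer_accepts(offered, peer_remote_network):
        return "Quick Mode complete"
    return f"invalid id information: offered {offered}, peer expects {peer_remote_network}"


def run_scenarios() -> dict:
    """The three states the thread walks through, keyed by configuration."""
    return {
        "subnets on, peer expects subnet": negotiate(HOST, VPN_DOMAIN, True, VENDOR_SUBNET),
        "subnets off, peer expects subnet": negotiate(HOST, VPN_DOMAIN, False, VENDOR_SUBNET),
        "subnets off, peer expects host": negotiate(HOST, VPN_DOMAIN, False, VENDOR_HOST_ONLY),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:34} -> {outcome}")
```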
