Yes - initially - thereafter I modified the user.def file and, with additional tweaking, the tunnel was established bi-directionally.
Beverly A. Picard
Network Communications Analyst
Outsourcing Group McKESSON
Landmark Medical Center
Woonsocket, RI 02895
401-769-4100 x2338
Fax 401-767-1619

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of LAN Guy
Sent: Tuesday, March 15, 2005 3:37 PM
To: [email protected]
Subject: [FW-1] FW: Re: [FW-1] NG to Cisco 3000 VPN Problem

Thanks for the advice. Weird part is (as I just discovered), the partner site on the Cisco 3000 side has no problem tunneling through to my network but I can't get to his. Same issue?

Frank

>From: cisco4ng <[EMAIL PROTECTED]>
>Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
>To: [email protected]
>Subject: Re: [FW-1] NG to Cisco 3000 VPN Problem
>Date: Tue, 15 Mar 2005 11:16:08 -0800
>
>I've seen this error many times. What you need to do is make sure that the Checkpoint does NOT supernet the encryption domain on the Checkpoint side. If that happens, you will ALWAYS get a Quick Mode error, or in Cisco word, "proxy id" error.
>
>Do the following on the Checkpoint side:
>
>1) Close the SmartDashboard,
>2) use Gui dbedit to edit this parameter: "ike_use_largest_possible_subnet". The default is "true". Change it to "false".
>3) Save it before exiting Gui dbedit.
>4) Push the policy.
>5) Run "vpn tu" and clear out the tunnel.
>6) Initiate the traffic again. You should be good to go.
>
>It used to be that in NG Feature Pack 3, you have to modify the user.def file to put in individual networks behind the Checkpoint that participate in the VPN process. However, it is NOT needed in NG-AI (I tested it NG with AI R55W with hfa-02).
>
>What happened here is that Checkpoint is supernetting its encryption domain. Other VPN devices such as Cisco IOS, PIX, and VPN Concentrator don't like it.
>
>If you're not familiar with Gui dbedit, then change the encryption domain on the VPN concentrator to accept a larger CIDR block to match what it is receiving from Checkpoint and it will work too. My personal preference is to modify the "ike_use_largest_possible_subnet" parameter from "true" to "false".
>
>Let me know if it is working for you.
>
>cisco4ng
>CCNP, CCSE-NG, CCSE-Plus
>4 times FAILED CCIE security lab and still trying
>
>
>
>LAN Guy <[EMAIL PROTECTED]> wrote:
>I'm setting up an IPSEC VPN between my NG-AI R54 gateway and a partner's Cisco VPN 3000 Concentrator. Everything looks like it's set up properly (same IKE parameters, shared secret, etc), but every time I try to ping from my net to the partner net over the tunnel it fails with the same 3 log entries:
>
>-------------
>#1
>
>Action: Key Install
>Source: [my gateway]
>Destination: [partner gateway]
>Encryption Scheme: IKE
>VPN Peer Gateway: [partner gateway]
>IKE Initiator Cookie: 54b2334ee5635973
>IKE Responder Cookie: baa23cf0ae5b945d
>Encryption Methods: 3DES + MD5, Pre shared secrets
>Community: [vpn community for this partner]
>Information: IKE: Main Mode completion.
>
>------------
>#2
>
>Action: Key Install
>Source: [my gateway]
>Destination: [partner gateway]
>Encryption Scheme: IKE
>VPN Peer Gateway: [partner gateway]
>IKE Phase2 Message ID: 06094fba
>Community: [vpn community for this partner]
>Information: IKE: Quick Mode Sent Notification: invalid id information
>
>------------
>#3
>
>Action: Key Install
>Source: [partner gateway]
>Destination: [my gateway]
>Encryption Scheme: IKE
>VPN Peer Gateway: [partner gateway]
>IKE Phase2 Message ID: 31604fab
>Community: [vpn community for this partner]
>Exchange Received Delete IPSEC-SA from Peer: 0c69e9ed
>SPIs: 61e6bdf7
>
>Then the traffic fails because there is no valid SA.
>
>Has anyone had some similar experience with this type of setup and knows the particulars??
>All help appreciated.
>
>Frank P.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
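The proxy-ID mismatch cisco4ng describes, modelled as an added example (constructed here, not code from any poster or from Check Point/Cisco): the subnets are assumed, `largest_possible_subnet` is a simplified model of what `ike_use_largest_possible_subnet=true` proposes, and the strict peer accepts only an exact match, which is what surfaces in the log as "invalid id information".

```python
import ipaddress

# Constructed example (not from the thread): the Check Point encryption domain
# is three adjacent /24s, and the Cisco side is configured with exactly those /24s.
LOCAL_DOMAIN = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24"]
PEER_CONFIGURED = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24"]


def largest_possible_subnet(nets):
    """Simplified model of ike_use_largest_possible_subnet=true: the gateway
    proposes one supernet covering every network in the encryption domain."""
    nets = [ipaddress.ip_network(n) for n in nets]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()  # widen by one prefix bit until all fit
    return [candidate]


def per_network_selectors(nets):
    """ike_use_largest_possible_subnet=false: one Phase 2 proxy-ID per network."""
    return [ipaddress.ip_network(n) for n in nets]


def quick_mode_result(proposed, peer_configured):
    """A strict peer (Cisco IOS / PIX / VPN Concentrator in the thread) accepts a
    Phase 2 proxy-ID only when it exactly matches one of its configured networks;
    any other selector fails Quick Mode with "invalid id information".
    Returns {proxy_id: "accepted" | "invalid id information"}."""
    configured = {ipaddress.ip_network(n) for n in peer_configured}
    return {str(p): ("accepted" if p in configured else "invalid id information")
            for p in proposed}


if __name__ == "__main__":
    # Default (true): a single 10.1.0.0/22 is proposed and rejected by the peer.
    print(quick_mode_result(largest_possible_subnet(LOCAL_DOMAIN), PEER_CONFIGURED))
    # After the dbedit change (false): each /24 matches and is accepted.
    print(quick_mode_result(per_network_selectors(LOCAL_DOMAIN), PEER_CONFIGURED))
    # cisco4ng's alternative: widen the Cisco side to the same larger CIDR block.
    print(quick_mode_result(largest_possible_subnet(LOCAL_DOMAIN), ["10.1.0.0/22"]))
```

The model ignores the remote side of the selector pair and protocol/port fields; it only shows why the supernet and the per-network selectors match differently.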
