No, you will not see the SmartDashboard rules on the Edge. Make sure you have Perfect Forward Secrecy and site-to-site compression disabled. PFS can be enabled on the Edge only via CLI and compression can never be used.
Ray
From: "Brisbine, Geoff" <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
To: [email protected]
Subject: [FW-1] NG AI vs. VPN-1 Edge X-16...
Date: Tue, 22 Mar 2005 07:32:59 -0600
Greetings, all.
We are experiencing a problem with a VPN between our NG AI box running SPLAT and our VPN-1 Edge X-16 box running 5.0.57x.
To set up the Edge box I did the normal three steps of creating a VPN-1 Edge/Embedded Profile, creating a VPN-1 Edge/Embedded Gateway, then creating a Site To Site community. Everything seems to go just fine. I am able to connect the Edge box to the Service Center (Software Updates, Remote Management, Dynamic VPN, Logging & Reporting) but when I attempt to ping from behind the Edge to behind the NG AI I am getting errors.
On the Edge device I get...
"Failed to establish VPN Tunnel with xxx.xxx.xxx.xxx: no proposal chosen"
"Failed to establish VPN Tunnel with yyy.yyy.yyy.yyy: no response from peer" - ~35 seconds after the first message.
(Where xxx.xxx.xxx.xxx = external IP of NG and yyy.yyy.yyy.yyy = internal IP of host I am attempting to ping)
On our NG AI device I get "IKE: Main Mode Failed to match proposal: AES-256, SHA1, RSA Signature, Group 2 (1024 bit)"
I have attempted to set the VPN community to AES-256/SHA1 with no luck.
The VPN community is set like this: 3DES/MD5, AES-128/MD5, Group 2.
I've got two sets of rules allowing traffic...
Source               Destination          VPN   Service   Install on
EDGE RULES
============
Local Internal Net   Remote Internal Net  Any   Any       Edge Profile
Remote Internal Net  Local Internal Net   Any   Any       Edge Profile

NG AI RULES
============
Local Internal Net   Remote Internal Net  Any   Any       NG Gateway
Remote Internal Net  Local Internal Net   Any   Any       NG Gateway
I have attempted to downgrade to the 4.5.64 on the Edge device but that didn't help. I am running HFA-13 on the SPLAT box.
On the Edge box I don't see any Rules in Security -> Rules. Should the rules I placed in SmartDashboard, to be installed on the Edge profile, show up here? Under VPN -> VPN Sites I see a site name of "Enterprise" but I can't check the properties of it or anything.
I am more than happy to post any logs if anyone wishes to see them.
Any ideas would be greatly appreciated.
Geoff Brisbine | Network Administrator
Direct: 715.287.3225 x190
MI-Assistant - A Division of Fiserv FSC, Inc.
26550 West Mondovi Street | Eleva, WI 54738
Phone: 715.287.4262 | Fax: 715.287.4576
http://www.mi-assistant.com/
================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
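The "no proposal chosen" error on the Edge and the "Failed to match proposal" line on the NG AI are two views of the same IKE Phase 1 event: the responder walks the initiator's offered transforms and accepts the first one that exactly matches its own configured set, and rejects the exchange when none does. The following is an added example (not Check Point code and not from anyone in this thread) that models that selection and parses the NG AI log line quoted in the post, so the mismatched attributes can be read off directly. It assumes the community's authentication method is RSA Signature (certificates), which the post does not state, and it is a simplified model of Phase 1 attribute matching only; the post notes that changing the community to AES-256/SHA1 did not resolve the problem, so the model illustrates the negotiation logic rather than diagnosing this particular case. The Phase 2 helper reflects the reply's point that PFS and compression settings must agree on both sides; its sample values are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of an IKEv1 Main Mode transform (added example, not
# Check Point code): encryption, integrity (hash), authentication method and
# Diffie-Hellman group, the four attributes the NG AI log line lists.
@dataclass(frozen=True)
class Transform:
    encryption: str
    integrity: str
    auth: str
    dh_group: int

# Responder-side selection: accept the first offered transform that exactly
# matches one the responder is configured with. No match means the responder
# answers NO_PROPOSAL_CHOSEN, which the Edge reports as "no proposal chosen"
# and the NG AI as "Failed to match proposal".
def select_transform(offered: List[Transform], accepted: List[Transform]) -> Optional[Transform]:
    for t in offered:
        if t in accepted:
            return t
    return None

# Attributes of an offered transform that appear in none of the accepted
# transforms, in attribute order.
def mismatched_attributes(offered: Transform, accepted: List[Transform]) -> List[str]:
    bad = []
    for attr in ("encryption", "integrity", "auth", "dh_group"):
        if getattr(offered, attr) not in {getattr(a, attr) for a in accepted}:
            bad.append(attr)
    return bad

# Parser for the NG AI log line quoted in the post, e.g.
# "IKE: Main Mode Failed to match proposal: AES-256, SHA1, RSA Signature, Group 2 (1024 bit)"
LOG_RE = re.compile(
    r"Failed to match proposal: (?P<enc>[^,]+), (?P<hash>[^,]+), (?P<auth>[^,]+), Group (?P<grp>\d+)"
)

def parse_failed_proposal(line: str) -> Optional[Transform]:
    m = LOG_RE.search(line)
    if not m:
        return None
    return Transform(m["enc"].strip(), m["hash"].strip(), m["auth"].strip(), int(m["grp"]))

# The community from the post: 3DES/MD5 and AES-128/MD5 with Group 2.
# Authentication method is assumed to be RSA Signature; the post does not say.
COMMUNITY_PHASE1 = [
    Transform("3DES", "MD5", "RSA Signature", 2),
    Transform("AES-128", "MD5", "RSA Signature", 2),
]

# Quick Mode (Phase 2) settings that must agree on both peers; mirrors the
# reply's advice that PFS and compression be disabled. Inputs are plain dicts
# with constructed values.
def phase2_mismatches(edge: dict, community: dict) -> List[str]:
    return sorted(k for k in ("pfs", "compression") if edge.get(k) != community.get(k))

# Tie it together: parse the log line, run the selection and list the gaps.
def diagnose(log_line: str, accepted: List[Transform]) -> dict:
    offered = parse_failed_proposal(log_line)
    if offered is None:
        return {"parsed": False}
    return {
        "parsed": True,
        "offered": offered,
        "selected": select_transform([offered], accepted),
        "mismatched": mismatched_attributes(offered, accepted),
    }

if __name__ == "__main__":
    sample = "IKE: Main Mode Failed to match proposal: AES-256, SHA1, RSA Signature, Group 2 (1024 bit)"
    print(diagnose(sample, COMMUNITY_PHASE1))
    # With an AES-256/SHA1 transform present on the responder, the same offer matches.
    widened = COMMUNITY_PHASE1 + [Transform("AES-256", "SHA1", "RSA Signature", 2)]
    print(diagnose(sample, widened)["selected"])
    print(phase2_mismatches({"pfs": True, "compression": False},
                            {"pfs": False, "compression": False}))
```

Run against the quoted log line, the diagnosis reports encryption and integrity as the attributes absent from the community, while the authentication method and DH group already agree; the Phase 2 helper flags only the PFS setting when the Edge has it on and the community does not.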
