I tried 3DES/SHA1 with no luck.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of ?????? ?????? ???????????
Sent: Wednesday, March 23, 2005 9:03 AM
To: [email protected]
Subject: Re: [FW-1] NG AI vs. VPN-1 Edge X-16...

Hi,

I had similar problems with a Nokia IP40. I found out that the 3DES/MD5 combination is not supported by phase 1 IKE. Try 3DES/SHA1.

Michail

-----Original Message-----
From: Brisbine, Geoff [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 23, 2005 5:21 PM
To: [email protected]
Subject: Re: [FW-1] NG AI vs. VPN-1 Edge X-16...

Thanks for the reply, Ray. Both Perfect Forward Secrecy and Site to Site IP Compression are disabled. Any other ideas?

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Ray
Sent: Tuesday, March 22, 2005 9:44 PM
To: [email protected]
Subject: Re: [FW-1] NG AI vs. VPN-1 Edge X-16...

No, you will not see the SmartDashboard rules on the Edge. Make sure you have Perfect Forward Secrecy and site-to-site compression disabled. PFS can be enabled on the Edge only via CLI, and compression can never be used.

Ray

>From: "Brisbine, Geoff" <[EMAIL PROTECTED]>
>Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
>To: [email protected]
>Subject: [FW-1] NG AI vs. VPN-1 Edge X-16...
>Date: Tue, 22 Mar 2005 07:32:59 -0600
>
>Greetings, all.
>
>We are experiencing a problem with a VPN between our NG AI box running SPLAT and our VPN-1 Edge X-16 box running 5.0.57x.
>
>To set up the Edge box I did the normal three steps of creating a VPN-1 Edge/Embedded Profile, creating a VPN-1 Edge/Embedded Gateway, then creating a Site To Site community. Everything seems to go just fine. I am able to connect the Edge box to the Service Center (Software Updates, Remote Management, Dynamic VPN, Logging & Reporting), but when I attempt to ping from behind the Edge to behind the NG AI I am getting errors.
>
>On the Edge device I get...
> "Failed to establish VPN Tunnel with xxx.xxx.xxx.xxx: no proposal chosen"
> "Failed to establish VPN Tunnel with yyy.yyy.yyy.yyy: no response from peer" - ~35 seconds after the first message.
> (Where xxx.xxx.xxx.xxx = external IP of NG and yyy.yyy.yyy.yyy = internal IP of host I am attempting to ping)
>
>On our NG AI device I get
> "IKE: Main Mode Failed to match proposal: AES-256, SHA1, RSA Signature, Group 2 (1024 bit)"
>
>I have attempted to set the VPN community to AES-256/SHA1 with no luck.
>
>The VPN community is set like this: 3DES/MD5, AES-128/MD5, Group 2.
>
>I've got two sets of rules allowing traffic...
>
>Source               Destination          VPN   Service   Install on
>
>EDGE RULES
>============
>Local Internal Net   Remote Internal Net  Any   Any       Edge Profile
>Remote Internal Net  Local Internal Net   Any   Any       Edge Profile
>
>NG AI RULES
>============
>Local Internal Net   Remote Internal Net  Any   Any       NG Gateway
>Remote Internal Net  Local Internal Net   Any   Any       NG Gateway
>
>I have attempted to downgrade to 4.5.64 on the Edge device, but that didn't help. I am running HFA-13 on the SPLAT box.
>
>On the Edge box I don't see any Rules in Security -> Rules. Should the rules I placed in SmartDashboard to be installed on the Edge profile show up here? Under VPN -> VPN Sites I see a site name of "Enterprise", but I can't check the properties of it or anything.
>
>I am more than happy to post any logs if anyone wishes to see them.
>
>Any ideas would be greatly appreciated.
>
>Geoff Brisbine | Network Administrator
>Direct: 715.287.3225 x190
>
>MI-Assistant - A Division of Fiserv FSC, Inc.
>26550 West Mondovi Street | Eleva, WI 54738
>Phone: 715.287.4262 | Fax: 715.287.4576
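The NG AI message "Failed to match proposal: AES-256, SHA1, RSA Signature, Group 2" names the transform the gateway could not match. As an added example (not from this list, from Check Point, or from any of the posters), the Python below parses such a line and compares it attribute by attribute with the phase 1 transforms the community is configured to accept, so the mismatching attribute is visible at once instead of being guessed at. The log line format, the dictionary representation of a transform, and the sample values are assumptions modelled on the thread.

```python
import re

# Constructed sample: the NG AI log line quoted in the thread (exact format assumed).
NG_LOG_LINE = ("IKE: Main Mode Failed to match proposal: AES-256, SHA1, "
               "RSA Signature, Group 2 (1024 bit)")

# Phase 1 transforms the community is said to offer in the thread
# (this dictionary representation is an assumption, not a Check Point format).
COMMUNITY_P1 = [
    {"enc": "3DES", "hash": "MD5", "auth": "RSA Signature", "dh": "Group 2"},
    {"enc": "AES-128", "hash": "MD5", "auth": "RSA Signature", "dh": "Group 2"},
]

# Regex modelled on the quoted message: cipher, hash, authentication method, DH group.
PROPOSAL_RE = re.compile(
    r"Failed to match proposal:\s*(?P<enc>[^,]+),\s*(?P<hash>[^,]+),"
    r"\s*(?P<auth>[^,]+),\s*(?P<dh>Group\s+\d+)"
)

ATTRS = ("enc", "hash", "auth", "dh")


def parse_failed_proposal(line):
    """Extract the rejected proposal from a 'Failed to match proposal' line, or None."""
    m = PROPOSAL_RE.search(line)
    return {k: v.strip() for k, v in m.groupdict().items()} if m else None


def diagnose(line, local_transforms):
    """Compare the rejected proposal with the locally configured phase 1 transforms.

    Returns {'proposal', 'match' (transform or None), 'mismatches' {attr: (offered, accepted)}}.
    A full match means the failure is not explained by the transform sets alone.
    """
    proposal = parse_failed_proposal(line)
    if proposal is None:
        return None
    for t in local_transforms:
        if all(t[a] == proposal[a] for a in ATTRS):
            return {"proposal": proposal, "match": t, "mismatches": {}}
    mismatches = {}
    for a in ATTRS:
        accepted = sorted({t[a] for t in local_transforms})
        if proposal[a] not in accepted:
            mismatches[a] = (proposal[a], accepted)
    return {"proposal": proposal, "match": None, "mismatches": mismatches}


if __name__ == "__main__":
    result = diagnose(NG_LOG_LINE, COMMUNITY_P1)
    for attr, (offered, accepted) in result["mismatches"].items():
        print(f"{attr}: peer proposed {offered}, local side accepts {accepted}")
```

Run against the thread's values it reports that both the cipher (AES-256 versus 3DES/AES-128) and the hash (SHA1 versus MD5) have no common value, which is what "no proposal chosen" on the Edge side corresponds to.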
