Seems the Edge is managed by your SmartCenter R55. Remember:

1. Service Center is supposed to be your SmartCenter server (you need to do a Static NAT for your SC if it is located in your internal network).
2. Update your Edge Appliance every time you have installed your policy in SC.
3. Make sure the VPN Tunnel is formed under "Reports" -> "VPN tunnel" of your Edge Appliance.
4. Disable NAT for the Edge_Enc_domain & Internal_Enc_domain (either enable "Disable NAT" in the VPN community or manually define rules under "Address Translation").
5. Take a look at the Sofaware Support:
   http://server.iad.liveperson.net/hc/s-9995810/cmd/kbresource/kb-7492204658881736006/front_page!PAGETYPE
6. Take a look at the Forum: http://sofaware.infopop.cc/eve/ubb.x

A VPN connection between Check Point VPN-1 and an Edge device may fail with the error message 'No proposal chosen'. This can happen for the following reasons:

- The VPN-1 Edge gateway object is used in a traditional mode rulebase for the VPN (Encrypt) rule. In order to work around this, you can use the standard Check Point externally managed gateway object instead of the VPN-1 Edge object.
- IP Compression is enabled for the VPN tunnel on SmartDashboard. The VPN-1 Edge gateway does not support IP compression.

Hope this helps,
Nick

>From: "Brisbine, Geoff" <GeoffBrisbine AT MI-ASSISTANT DOT COM>
>Reply-To: Mailing list for discussion of Firewall-1
><FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Subject: [FW-1] NG AI vs. VPN-1 Edge X-16...
>Date: Tue, 22 Mar 2005 07:32:59 -0600
>
>Greetings, all.
>
>We are experiencing a problem with a VPN between our NG AI box running
>SPLAT and our VPN-1 Edge X-16 box running 5.0.57x.
>
>To set up the Edge box I did the normal three steps of creating a VPN-1
>Edge/Embedded Profile, creating a VPN-1 Edge/Embedded Gateway, then
>creating a Site To Site community. Everything seems to go just fine.
>I am able to connect the Edge box to the Service Center (Software
>Updates, Remote Management, Dynamic VPN, Logging & Reporting) but when
>I attempt to ping from behind the Edge to behind the NG AI I am getting errors.
>
>On the Edge device I get...
> "Failed to establish VPN Tunnel with xxx.xxx.xxx.xxx: no proposal chosen"
> "Failed to establish VPN Tunnel with yyy.yyy.yyy.yyy: no response from peer"
>   - ~35 seconds after the first message.
> (Where xxx.xxx.xxx.xxx = external IP of NG and yyy.yyy.yyy.yyy =
>internal IP of host I am attempting to ping)
>
>On our NG AI device I get
> "IKE: Main Mode Failed to match proposal: AES-256, SHA1, RSA Signature, Group 2 (1024 bit)"
>
>I have attempted to set the VPN community to AES-256/SHA1 with no luck.
>
>The VPN community is set like this: 3DES/MD5, AES-128/MD5, Group 2.
>
>I've got two sets of rules allowing traffic...
>
>Source               Destination          VPN   Service   Install on
>
>EDGE RULES
>============
>Local Internal Net   Remote Internal Net  Any   Any       Edge Profile
>Remote Internal Net  Local Internal Net   Any   Any       Edge Profile
>
>NG AI RULES
>============
>Local Internal Net   Remote Internal Net  Any   Any       NG Gateway
>Remote Internal Net  Local Internal Net   Any   Any       NG Gateway
>
>I have attempted to downgrade to the 4.5.64 on the Edge device but that
>didn't help. I am running HFA-13 on the SPLAT box.
>
>On the Edge box I don't see any Rules in Security -> Rules. Should the
>rules I placed in SmartDashboard to be installed on the Edge profile
>show up here? Under VPN -> VPN Sites I see a site name of "Enterprise"
>but I can't check the properties of it or anything.
>
>I am more than happy to post any logs if anyone wishes to see them.
>
>Any ideas would be greatly appreciated.
>
>Geoff Brisbine | Network Administrator
>Direct: 715.287.3225 x190
>
>MI-Assistant - A Division of Fiserv FSC, Inc.
>26550 West Mondovi Street | Eleva, WI 54738
>Phone: 715.287.4262 | Fax: 715.287.4576
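A small diagnostic for the "no proposal chosen" symptom discussed in this thread, added here as an example; it is not code from either poster or from Check Point. It parses the two kinds of log line quoted above (the NG AI "Failed to match proposal" message and the Edge "Failed to establish VPN Tunnel" message) and compares the rejected IKE proposal against the cipher suites the VPN community is configured with (3DES/MD5, AES-128/MD5, Group 2 in Geoff's post). The log line layout with a timestamp and hostname prefix, the sample IP addresses, and the way the community is represented are assumptions for illustration.

```python
"""Diagnose an IKE Phase 1 proposal mismatch from Check Point / Edge log text.

Added example for the mailing-list thread, not vendor code. The log format
(syslog-style prefix in front of the quoted messages), the peer addresses and
the community representation below are constructed assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log lines, modelled on the messages quoted in the thread.
SAMPLE_LOG = """\
Mar 22 07:31:02 ngai-gw IKE: Main Mode Failed to match proposal: AES-256, SHA1, RSA Signature, Group 2 (1024 bit)
Mar 22 07:31:37 edge-x16 Failed to establish VPN Tunnel with 203.0.113.10: no proposal chosen
Mar 22 07:32:12 edge-x16 Failed to establish VPN Tunnel with 10.0.5.20: no response from peer
"""

# Gateway-side message: which transform the peer offered and was rejected.
GATEWAY_RE = re.compile(
    r"Failed to match proposal: (?P<enc>[\w-]+), (?P<hash>\w+), "
    r"(?P<auth>[\w ]+?), Group (?P<group>\d+)"
)
# Edge-side message: which peer the tunnel attempt failed against, and why.
EDGE_RE = re.compile(r"Failed to establish VPN Tunnel with (?P<peer>\S+): (?P<reason>.+)$")


@dataclass(frozen=True)
class Proposal:
    """One IKE Phase 1 cipher suite: encryption, integrity hash, DH group."""
    encryption: str
    hash: str
    dh_group: int


# The community as described in the post: 3DES/MD5 and AES-128/MD5, DH Group 2.
COMMUNITY = frozenset({Proposal("3DES", "MD5", 2), Proposal("AES-128", "MD5", 2)})


def parse_rejected_proposals(log_text: str) -> list[Proposal]:
    """Extract every proposal the gateway logged as failing to match."""
    found = []
    for line in log_text.splitlines():
        m = GATEWAY_RE.search(line)
        if m:
            found.append(Proposal(m["enc"], m["hash"], int(m["group"])))
    return found


def parse_edge_failures(log_text: str) -> list[tuple[str, str]]:
    """Return (peer, reason) pairs from the Edge appliance's tunnel failures."""
    return [
        (m["peer"], m["reason"])
        for line in log_text.splitlines()
        if (m := EDGE_RE.search(line))
    ]


def diagnose(offered: Proposal, accepted: frozenset[Proposal]) -> list[str]:
    """Name the attributes of `offered` that no accepted proposal shares.

    An empty list means the cipher suite itself is acceptable, so the cause
    lies elsewhere (the thread names a traditional-mode rulebase and IP
    compression). "combination" means each attribute appears in some accepted
    proposal but never together in one suite.
    """
    if offered in accepted:
        return []
    mismatched = []
    if not any(p.encryption == offered.encryption for p in accepted):
        mismatched.append("encryption")
    if not any(p.hash == offered.hash for p in accepted):
        mismatched.append("hash")
    if not any(p.dh_group == offered.dh_group for p in accepted):
        mismatched.append("dh_group")
    return mismatched or ["combination"]


def report(log_text: str, accepted: frozenset[Proposal] = COMMUNITY) -> list[str]:
    """Human-readable findings for every rejected proposal and Edge failure."""
    lines = []
    for prop in parse_rejected_proposals(log_text):
        bad = diagnose(prop, accepted)
        what = ", ".join(bad) if bad else "none (check rulebase mode / IP compression)"
        lines.append(f"peer offered {prop.encryption}/{prop.hash}/Group {prop.dh_group}; mismatch: {what}")
    for peer, reason in parse_edge_failures(log_text):
        lines.append(f"edge -> {peer}: {reason}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against the real `fw.log`/`vpnd` output by feeding the text to `report()`. When the mismatch list is empty, the Phase 1 suites already agree and the 'No proposal chosen' message is pointing at one of the other causes Nick lists rather than at the encryption settings.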
