Thanks for letting everyone know what happened. I'm sure it will help someone
else in the future.

Ray

From: "Brisbine, Geoff" <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: Re: [FW-1] NG AI vs. VPN-1 Edge X-16...
Date: Sat, 26 Mar 2005 12:15:15 -0600

Our tech support person and I figured out what the problem was.  After
figuring it out it makes a lot of sense, but it was a little
deceiving...

Within the Meshed Community, even though you use a shared secret for
some of the setup, you cannot have the "Use only Shared Secret for all
external members" checked.  Regardless of what the VPN config is for the
Service Center, the Edge device will only use a certificate for the main
VPN "Enterprise" tunnel.

When I setup the community I figured, "Yeah, I had to type in the shared
secret in SmartDashboard and in the Edge box so I guess I should check
/Use only Shared Secret for all external members/ within the community."

This was apparent in our FW-1-side log with the error message "IKE: Main
Mode Failed to match proposal: AES-256, SHA1, RSA Signature, Group 2
(1024 bit)" but I didn't know what the "RSA Sig" part was at the time.
Once I removed the checkmark and pushed the policy it worked like a
charm.

Thanks for everybody's ideas with this problem!

Geoff.

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Nick
Brandson
Sent: Thursday, March 24, 2005 1:35 AM
To: [email protected]
Subject: Re: [FW-1] NG AI vs. VPN-1 Edge X-16...

Seems the Edge is managed by your SmartCenter R55.

Remember,
1. Service Center is supposed to be your SmartCenter server (you need to
do a Static NAT for your SC if it is located in your internal network)
2. Update your Edge Appliance every time you have installed your policy
in SC.
3. Make sure the VPN Tunnel is formed under "Reports"
-> "VPN tunnel" of your Edge Appliance.
4. Disable NAT for the Edge_Enc_domain & Internal_Enc_domain (either
enable "Disable NAT" in the VPN community or manually define rules under
"Address Translation").
5. Take a look at the Sofaware - Support.

http://server.iad.liveperson.net/hc/s-9995810/cmd/kbresource/kb-7492204658881736006/front_page!PAGETYPE

6. Take a look at the Forum
http://sofaware.infopop.cc/eve/ubb.x


A VPN connection between Check Point VPN-1 and an Edge device may fail with error message 'No proposal chosen'. This can happen for the following reasons:

The VPN-1 Edge gateway object is used in a traditional mode rulebase for
the VPN (Encrypt) rule. In order to workaround this, you can use the
standard Check Point externally managed gateway object instead of the
VPN-1 Edge object.
IP Compression is enabled for the VPN tunnel on SmartDashboard. The
VPN-1 Edge gateway does not support IP compression.

Hope this helps,

Nick


>From: "Brisbine, Geoff" <GeoffBrisbine AT MI-ASSISTANT DOT COM>
>Reply-To: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Subject: [FW-1] NG AI vs. VPN-1 Edge X-16...
>Date: Tue, 22 Mar 2005 07:32:59 -0600
>
>Greetings, all.
>
>We are experiencing a problem with a VPN between our NG AI box running
>SPLAT and our VPN-1 Edge X-16 box running 5.0.57x.
>
>To set up the Edge box I did the normal three steps of creating a VPN-1
>Edge/Embedded Profile, creating a VPN-1 Edge/Embedded Gateway, then
>creating a Site To Site community. Everything seems to go just fine.
>I am able to connect the Edge box to the Service Center (Software
>Updates, Remote Management, Dynamic VPN, Logging & Reporting) but when
>I attempt to ping from behind the Edge to behind the NG AI I am getting
>errors.
>
>On the Edge device I get...
> "Failed to establish VPN Tunnel with xxx.xxx.xxx.xxx: no proposal
>chosen"
> "Failed to establish VPN Tunnel with yyy.yyy.yyy.yyy: no response
>from peer" - ~35 seconds after the first message.
> (Where xxx.xxx.xxx.xxx = external IP of NG and yyy.yyy.yyy.yyy =
>internal IP of host I am attempting to ping)
>
>On our NG AI device I get
> "IKE: Main Mode Failed to match proposal: AES-256, SHA1, RSA
>Signature, Group 2 (1024 bit)"
>
>I have attempted to set the VPN community to AES-256/SHA1 with no luck.
>
>The VPN community is set like this: 3DES/MD5, AES-128/MD5, Group 2.
>
>I've got two sets of rules allowing traffic...
>
>Source               Destination          VPN   Service   Install on
>
>EDGE RULES
>============
>Local Internal Net   Remote Internal Net  Any   Any       Edge Profile
>Remote Internal Net  Local Internal Net   Any   Any       Edge Profile
>
>NG AI RULES
>============
>Local Internal Net   Remote Internal Net  Any   Any       NG Gateway
>Remote Internal Net  Local Internal Net   Any   Any       NG Gateway
>
>I have attempted to downgrade to the 4.5.64 on the Edge device but that
>didn't help.  I am running HFA-13 on the SPLAT box.
>
>On the Edge box I don't see any Rules in Security -> Rules.  Should the
>rules I placed in SmartDashboard to be installed on the Edge profile
>show up here?  Under VPN -> VPN Sites I see a site name of "Enterprise"
>but I can't check the properties of it or anything.
>
>I am more than happy to post any logs if anyone wishes to see them.
>
>Any ideas would be greatly appreciated.
>
>Geoff Brisbine | Network Administrator
>Direct: 715.287.3225 x190
>
>MI-Assistant - A Division of Fiserv FSC, Inc.
>26550 West Mondovi Street | Eleva, WI  54738
>Phone: 715.287.4262 | Fax: 715.287.4576
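The thread's root cause was an IKE Main Mode proposal mismatch: the SmartDashboard community was restricted to pre-shared secret while the Edge device only offers RSA Signature (certificate) authentication for its Enterprise tunnel. The following is an added example, not code from the list or from Check Point, that parses FW-1 style "Failed to match proposal" log lines and reports which attribute of the peer's proposal the configured community cannot accept; the sample log lines and the COMMUNITY dictionary are constructed from the values quoted in the thread, and the Pre-Shared Secret wording in the second sample line is an assumption.

```python
import re

# Constructed log lines in the shape of the NG AI message quoted in the thread.
SAMPLE_LOG = """\
IKE: Main Mode Failed to match proposal: AES-256, SHA1, RSA Signature, Group 2 (1024 bit)
IKE: Main Mode Failed to match proposal: AES-256, SHA1, Pre-Shared Secret, Group 2 (1024 bit)
"""

# Community as configured in the thread: 3DES/MD5, AES-128/MD5, Group 2,
# with "Use only Shared Secret for all external members" checked (PSK only).
COMMUNITY = {
    "ciphers": {"3DES", "AES-128"},
    "hashes": {"MD5"},
    "auth": {"Pre-Shared Secret"},
    "groups": {"Group 2"},
}

# Proposal components are comma separated: cipher, hash, auth method, DH group.
PROPOSAL_RE = re.compile(
    r"IKE: Main Mode Failed to match proposal: "
    r"(?P<cipher>[^,]+), (?P<hash>[^,]+), (?P<auth>[^,]+), (?P<group>Group \d+)"
)


def parse_proposal(line):
    """Return the peer's proposal as a dict, or None if the line is not a proposal failure."""
    m = PROPOSAL_RE.search(line)
    if not m:
        return None
    return {k: v.strip() for k, v in m.groupdict().items()}


def mismatches(proposal, community):
    """List the proposal attributes that fall outside what the community permits."""
    checks = (("cipher", "ciphers"), ("hash", "hashes"), ("auth", "auth"), ("group", "groups"))
    return [attr for attr, key in checks if proposal[attr] not in community[key]]


def diagnose(log_text, community=COMMUNITY):
    """Walk the log and attach a hint when the peer insists on certificate auth."""
    results = []
    for line in log_text.splitlines():
        proposal = parse_proposal(line)
        if proposal is None:
            continue
        bad = mismatches(proposal, community)
        hint = None
        if "auth" in bad and proposal["auth"] == "RSA Signature":
            hint = 'peer requires certificates: clear "Use only Shared Secret for all external members"'
        results.append({"proposal": proposal, "mismatch": bad, "hint": hint})
    return results
```

Cipher and hash mismatches are reported too, so the output distinguishes the certificate-versus-PSK problem from a plain algorithm mismatch.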





=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
[EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options,
email [EMAIL PROTECTED]
=================================================

