Hi Oliver,
 
Yes.  I did uncheck it and try.  It didn't help...Ramakrishnan

>>> [EMAIL PROTECTED] 12/16/2005 10:46:51 AM >>>

Hi Ramakrishnan,
My suggestion was "uncheck" the box for "Support key
Exchange for Subnets", NOT "check". (only in the
interoperable device)
Next, install the policy.
Did you try that?

Regards,
Oliver.


--- Ramakrishnan Pillai
<[EMAIL PROTECTED]> wrote:

> Thanks.  Will check supernetting option.  As per
> another suggestion, I tried matching the encryption
> domains on both ends.  The PIX end is simple with two
> networks.  But Checkpoint end encryption domain is
> common for all site-to-site and remote access
> clients and is a huge list of all IPs/networks
> inside the network which need to be accessed over
> VPN from outside.  Hence it is difficult to match
> the encryption domain on both sides of the vpn
> tunnel.  Any ideas on this?
> 
> Thanks,
> Ramakrishnan
> 
> >>> [EMAIL PROTECTED] 12/15/05 9:23 PM >>>
> Disable SUPERNETTING on the Checkpoint side....Check
> Knowledge base for 
>   "how to" instructions.
>   It may solve your problem.
> Regards
>   
> Ramakrishnan Pillai <[EMAIL PROTECTED]>
> wrote:
>   Thanks. Compared all the properties of PIX and
> R55. The "Support key Exchange for Subnets" is
> already checked. Still no luck. Same message...RK
> 
> >>> [EMAIL PROTECTED] 12/14/05 5:37 PM >>>
> In SmartDashboard, go to the interoperable device
> object Properties (representing PIX), look for VPN -
> VPN Advanced and uncheck the box: "Support key
> Exchange for Subnets"
> I hope that helps.
> 
> Regards,
> 
> Oliver.
> 
> 
> --- Ramakrishnan Pillai
> wrote:
> 
> > Thanks for the detailed reply. Let me cross check
> > everything...RK
> > 
> > >>> [EMAIL PROTECTED] 12/14/2005 10:45:06 AM >>>
> > Parameters are not identical. I've run into this
> > many times. For example, if policy on PIX ends up
> > offering you DES/3DES/MD5/SHA1 (Phase-1), but the
> > Interoperable Device representing the PIX has been
> > set up for 3DES/SHA1, it will fail. You got to match
> > exactly, not just have a match. Painful, but there
> > you have it. Also check DH-groups, timeouts,
> > PFS-or-not for Phase-2, and ideally don't choose
> > Aggressive.
> > No proposal chosen is likely Phase-1 settings. If it
> > was encrypt domain, you'd see "no valid SA". Could
> > also be encrypt settings Phase-2, but that's less
> > common - transform sets are specific to a tunnel, so
> > control is better. Policies are not, and that leads
> > to a "VPNs are like a box of chocolates" situation.
> > 
> > If you are being supported by a CSP, run vpn debug
> > trunc, get the handy ike.elg, and have them run it
> > through IkeView. That will show you exactly what's
> > going on and make short work of this issue. Could
> > also use tcpdump and ethereal for phase-1 issues,
> > but that'll only get you halfway through the exchange
> > - once encryption starts, you're blind. Ethereal
> > won't help with Phase-2; IkeView will.
> > 
> > Good news is: This will come up once parameters
> > match 100% on both sides.
> > 
> > 
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1
> > [mailto:[EMAIL PROTECTED]
> > Behalf Of Ramakrishnan Pillai
> > Sent: Wednesday, December 14, 2005 10:15 AM
> > To: [email protected]
> > Subject: [FW-1] VPN between R55 and PIX
> > 
> > 
> > While doing a site-to-site between R55 and PIX we
> > are getting "Message from peer: No proposal choosen"
> > at checkpoint end. Using preshared secret and all
> > parameters are identical. Any idea where to check
> > for.
> > 
> > Thanks in advance.
> > RK
> > 
> > 
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to [EMAIL PROTECTED]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [EMAIL PROTECTED]
> > =================================================
> > 
> > 
=== message truncated ===
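
Added example (not part of the thread and not code from either vendor): a Python sketch of how an IKEv1 responder ends up answering "no proposal chosen", using the Phase-1 checklist from the quoted reply above (encryption, hash, DH group, lifetime). The attribute names and sample policies are constructed for illustration; the comparison is modelled as all-attributes-must-match.

```python
# Added illustration: IKEv1 Phase-1 proposal selection modelled as a strict
# per-attribute comparison. All names and sample values are constructed.
ATTRS = ("encryption", "hash", "dh_group", "auth", "lifetime_s")


def policy(encryption, hash_alg, dh_group, auth="pre-share", lifetime_s=86400):
    """Build one Phase-1 policy (one transform) as a dict."""
    return dict(zip(ATTRS, (encryption, hash_alg, dh_group, auth, lifetime_s)))


def select_proposal(offered, local):
    """Return (chosen, None) on a match, else (None, nearest_miss).

    nearest_miss maps attribute -> (offered_value, local_value) for the
    offered/local pair that differs in the fewest attributes.
    """
    nearest = None
    for o in offered:
        for l in local:
            diff = {a: (o[a], l[a]) for a in ATTRS if o[a] != l[a]}
            if not diff:
                return o, None
            if nearest is None or len(diff) < len(nearest):
                nearest = diff
    return None, nearest


def explain(offered, local):
    """One-line verdict an operator could compare against the gateway log."""
    chosen, miss = select_proposal(offered, local)
    if chosen:
        return "accepted: " + "/".join(str(chosen[a]) for a in ATTRS)
    detail = ", ".join(f"{a}: peer={p} local={l}" for a, (p, l) in miss.items())
    return "NO-PROPOSAL-CHOSEN (closest miss: " + detail + ")"


# Constructed sample: the peer offers two policies, neither of which uses
# the DH group the local gateway is configured for.
PEER_OFFER = [policy("des", "md5", 1), policy("3des", "sha1", 1)]
LOCAL_POLICY = [policy("3des", "sha1", 2)]

if __name__ == "__main__":
    print(explain(PEER_OFFER, LOCAL_POLICY))
    # After the peer adds a policy that matches on every attribute:
    print(explain(PEER_OFFER + [policy("3des", "sha1", 2)], LOCAL_POLICY))
```
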

