Try this: disable "Use Perfect Forward Secrecy" in the IKE Phase 2 properties of the Encrypt rule. To do this, in SmartDashboard:

1. Right-click Encrypt under the ACTION column of the encrypt rule and select Edit Properties.
2. In the Encryption Properties dialog box, click Edit in the "Encryption schemes defined" section of the General tab.
3. In the IKE Phase 2 Properties dialog box, uncheck the "Use Perfect Forward Secrecy" check box.
4. Click OK in the IKE Phase 2 Properties dialog box.
5. Click OK in the Encryption Properties dialog box.
6. Repeat steps 1 through 5 for the encrypt rule going in the opposite direction (if the encrypt rules are separated by direction).
7. Reinstall the security policy.

Vasudevan Chetty Padmanabhan <[EMAIL PROTECTED]> wrote:

Hi Ramakrishnan,

Were you able to get the site-to-site tunnel working? I am also in the same boat. I did the following:

1. Verified the encryption domain and the settings at both ends (Cisco PIX 515E & CP R55).
2. Unchecked "Support key exchange for subnets".
3. Ran dbedit (this should be done on the Management Server):

   # dbedit
   Enter Server name (Enter for Local Host)
   User Name / Password
   dbedit> modify properties firewall_properties ike_use_largest_possible_subnets false
   dbedit> update properties firewall_properties
   firewall_properties updated successfully.
   dbedit> quit

4. Installed the policy.

Still no progress. Please let me know if something helped you.

Regards,
Vasu

On 12/16/05, Ramakrishnan Pillai wrote:
>
> Hi Oliver,
>
> Yes. I did uncheck it and try. It didn't help... Ramakrishnan
>
> >>> [EMAIL PROTECTED] 12/16/2005 10:46:51 AM >>>
> Hi Ramakrishnan,
> My suggestion was to "uncheck" the box for "Support key Exchange for Subnets", NOT "check" (only in the interoperable device).
> Next, install the policy.
> Did you try that?
>
> Regards,
> Oliver.
>
> --- Ramakrishnan Pillai wrote:
>
> > Thanks. Will check the supernetting option. As per another suggestion, I tried matching the encryption domains on both ends. The PIX end is simple with two networks. But the Checkpoint end encryption domain is common for all site-to-site and remote access clients and is a huge list of all IPs/networks inside the network which need to be accessed over VPN from outside. Hence it is difficult to match the encryption domain on both sides of the VPN tunnel. Any ideas on this?
> >
> > Thanks,
> > Ramakrishnan
> >
> > >>> [EMAIL PROTECTED] 12/15/05 9:23 PM >>>
> > Disable SUPERNETTING on the Checkpoint side. Check the Knowledge Base for "how to" instructions.
> > It may solve your problem.
> > Regards
> >
> > Ramakrishnan Pillai wrote:
> > Thanks. Compared all the properties of PIX and R55. The "Support key Exchange for Subnets" is already checked. Still no luck. Same message... RK
> >
> > >>> [EMAIL PROTECTED] 12/14/05 5:37 PM >>>
> > In SmartDashboard, go to the interoperable device object Properties (representing the PIX), look for VPN - VPN Advanced and uncheck the box "Support key Exchange for Subnets".
> > I hope that helps.
> >
> > Regards,
> >
> > Oliver.
> >
> > --- Ramakrishnan Pillai wrote:
> >
> > > Thanks for the detailed reply. Let me cross-check everything... RK
> > >
> > > >>> [EMAIL PROTECTED] 12/14/2005 10:45:06 AM >>>
> > > Parameters are not identical. I've run into this many times. For example, if the policy on the PIX ends up offering you DES/3DES/MD5/SHA1 (Phase 1), but the Interoperable Device representing the PIX has been set up for 3DES/SHA1, it will fail. You have to match exactly, not just have a match. Painful, but there you have it. Also check DH groups, timeouts, PFS-or-not for Phase 2, and ideally don't choose Aggressive.
> > > "No proposal chosen" is likely Phase 1 settings. If it was the encryption domain, you'd see "no valid SA". Could also be encryption settings in Phase 2, but that's less common - transform sets are specific to a tunnel, so control is better. Policies are not, and that leads to a "VPNs are like a box of chocolates" situation.
> > >
> > > If you are being supported by a CSP, run vpn debug trunc, get the handy ike.elg, and have them run it through IkeView. That will show you exactly what's going on and make short work of this issue. Could also use tcpdump and Ethereal for Phase 1 issues, but that will only get you halfway through the exchange - once encryption starts, you're blind. Ethereal won't help with Phase 2; IkeView will.
> > >
> > > Good news is: this will come up once parameters match 100% on both sides.
> > >
> > > -----Original Message-----
> > > From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Ramakrishnan Pillai
> > > Sent: Wednesday, December 14, 2005 10:15 AM
> > > To: [email protected]
> > > Subject: [FW-1] VPN between R55 and PIX
> > >
> > > While doing a site-to-site between R55 and PIX we are getting "Message from peer: No proposal chosen" at the Checkpoint end. Using preshared secret and all parameters are identical. Any idea where to check?
> > >
> > > Thanks in advance.
> > > RK
> > >
> > > =================================================
> > > To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED]
> > > in the BODY of the email add:
> > > set fw-1-mailinglist nomail
> > > =================================================
> > > To unsubscribe from this mailing list, please see the instructions at
> > > http://www.checkpoint.com/services/mailing.html
> > > =================================================
> > > If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
> > > =================================================
> > >
> > > http://www.integralis.com

=== message truncated ===
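Two causes of "No proposal chosen" come up in the thread: Phase 1 attributes (encryption, hash, DH group, authentication, lifetime) that do not line up between the PIX policy and the Check Point interoperable object, and a Phase 2 mismatch on PFS, which the first reply fixes by unchecking "Use Perfect Forward Secrecy" on the encrypt rule. The following added example, which is not code from the thread or from Check Point or Cisco, models the responder's proposal selection and, more usefully, reports which attribute broke the match. The attribute names and the two sample configurations are constructed for illustration; a real gateway compares the values carried in the ISAKMP SA payload (RFC 2408/2409 for Phase 1, RFC 2407 for Phase 2).

```python
"""Model of IKE proposal selection, to show why a peer answers
'No proposal chosen' and which attribute is responsible.

Added example, not code from the mailing-list thread or from Check Point /
Cisco. Attribute names and sample proposals are constructed; a real
responder compares the attribute values carried in the ISAKMP SA payload.
"""
from typing import Optional

# One proposal is a flat mapping of attribute name -> value,
# e.g. {"enc": "3des", "hash": "sha1", "dh_group": 2, ...}
Proposal = dict


def select_proposal(offered: list[Proposal], accepted: list[Proposal]) -> Optional[Proposal]:
    """Responder logic: walk the initiator's proposals in order and return the
    first one that matches a locally configured proposal on every attribute.
    None stands for the NO-PROPOSAL-CHOSEN notification.

    Modelling choice (assumption): every attribute, lifetime included, must
    match exactly. Implementations differ on lifetime handling, so treat a
    lifetime-only verdict as a hint rather than a certainty."""
    for prop in offered:
        for local in accepted:
            if prop == local:
                return prop
    return None


def explain_mismatch(offered: list[Proposal], accepted: list[Proposal]) -> list[str]:
    """For each offered proposal, find the closest local proposal and name the
    attributes that differ. This is the question you actually need answered
    when the log only says 'no proposal chosen'."""
    report = []
    for i, prop in enumerate(offered, 1):
        best_diffs, best_local = None, None
        for local in accepted:
            keys = set(prop) | set(local)
            diffs = sorted(k for k in keys if prop.get(k) != local.get(k))
            if best_diffs is None or len(diffs) < len(best_diffs):
                best_diffs, best_local = diffs, local
        if best_diffs is None:
            report.append(f"offer {i}: rejected (no local proposals configured)")
        elif not best_diffs:
            report.append(f"offer {i}: accepted")
        else:
            detail = ", ".join(
                f"{k}: offered {prop.get(k)!r}, local {best_local.get(k)!r}" for k in best_diffs
            )
            report.append(f"offer {i}: rejected ({detail})")
    return report


# Constructed Phase 1 scenario: the PIX offers 3DES/SHA1 with DH group 1 plus a
# DES/MD5 fallback; the Check Point interoperable object is set to 3DES/SHA1
# with DH group 2. Everything else lines up, so only the group is at fault.
PIX_PHASE1 = [
    {"enc": "3des", "hash": "sha1", "dh_group": 1, "auth": "psk", "lifetime_s": 86400},
    {"enc": "des", "hash": "md5", "dh_group": 1, "auth": "psk", "lifetime_s": 86400},
]
CP_PHASE1 = [
    {"enc": "3des", "hash": "sha1", "dh_group": 2, "auth": "psk", "lifetime_s": 86400},
]

# Constructed Phase 2 scenario matching the thread's first suggestion: the PIX
# runs Quick Mode without PFS, while the Check Point encrypt rule has
# "Use Perfect Forward Secrecy" enabled (PFS group 2).
PIX_PHASE2 = [{"esp_enc": "3des", "esp_auth": "hmac-sha1", "pfs_group": None, "lifetime_s": 3600}]
CP_PHASE2 = [{"esp_enc": "3des", "esp_auth": "hmac-sha1", "pfs_group": 2, "lifetime_s": 3600}]


def phase1_result():
    return select_proposal(PIX_PHASE1, CP_PHASE1), explain_mismatch(PIX_PHASE1, CP_PHASE1)


def phase2_result(pfs_enabled_on_checkpoint: bool):
    # Toggle the encrypt rule's PFS setting and see whether Quick Mode agrees.
    local = [dict(CP_PHASE2[0], pfs_group=2 if pfs_enabled_on_checkpoint else None)]
    return select_proposal(PIX_PHASE2, local), explain_mismatch(PIX_PHASE2, local)


if __name__ == "__main__":
    chosen, why = phase1_result()
    print("Phase 1:", "NO_PROPOSAL_CHOSEN" if chosen is None else chosen)
    for line in why:
        print("   ", line)
    for pfs in (True, False):
        chosen, why = phase2_result(pfs)
        print(f"Phase 2 (PFS on Check Point = {pfs}):", "NO_PROPOSAL_CHOSEN" if chosen is None else chosen)
        for line in why:
            print("   ", line)
```

Feed it the two sides' real policies (transcribed from `show isakmp policy` / `show crypto ipsec transform-set` on the PIX and from the interoperable object and encrypt rule in SmartDashboard) and the report names the attribute to change; this complements, rather than replaces, running `vpn debug trunc` and reading ike.elg in IkeView, which shows the actual payloads on the wire.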
