Matthew,

I am using private ranges 10.98.1.0/24, 10.70.0.0/24, 192.168.115.0/24.
The far end IP address is 192.168.11.26. When I initiate the traffic, I found
the vendor is seeing the traffic as 10.0.0.0/8. Also, when the traffic is
initiated by Cisco, it works fantastically, but when Checkpoint initiates, it
fails. When the tunnel is up (traffic initiated by Cisco), I am not able to
access anything on their end. Now today everything broke. Only Phase 1 is
successful and Phase 2 is failing.

Also, I did modify the user.def by adding the first range and the last
range with the subnet details. This didn't help; when pushing the policy it
fails. Did you come across this kind of problem? If I do NAT, will this
solve the problem? Thanks for your response.

Regards,
Vasu


On 2/14/06, Matthew Austin <[EMAIL PROTECTED]> wrote:
>
> Are you using a private range of addresses behind the CP firewall, such as
> 10.0.0.0/8? Are you seeing any errors for Phase 1 or 2 either?
>
> *Vasudevan Chetty Padmanabhan <[EMAIL PROTECTED]>* wrote:
>
> Hi Ramakrishnan,
>
> Were you able to get the site-to-site tunnel working? I am also in the same
> boat. I did the following:
> 1. Verified the encryption domain and the settings at both ends (Cisco PIX
> 515E & CP R55).
> 2. Unchecked "Support key Exchange for Subnets".
> 3. # dbedit (This should be done on the Mgmt Server)
> Enter Server name (Enter for Local Host)
> User Name / Password
> dbedit> modify properties firewall_properties
> ike_use_largest_possible_subnets false
>
> dbedit> update properties firewall_properties
> firewall_properties updated successfully.
>
> dbedit> quit
> 4. Install the policy.
>
> Still no progress. Please let me know if something helped you.
>
> Regards,
> Vasu
>
>
>
> On 12/16/05, Ramakrishnan Pillai wrote:
> >
> > Hi Oliver,
> >
> > Yes. I did uncheck it and try. It didn't help...Ramakrishnan
> >
> > >>> [EMAIL PROTECTED] 12/16/2005 10:46:51 AM >>>
> >
> > Hi Ramakrishnan,
> > My suggestion was to "uncheck" the box for "Support key
> > Exchange for Subnets", NOT "check" (only in the
> > interoperable device).
> > Next, install the policy.
> > Did you try that?
> >
> > Regards,
> > Oliver.
> >
> >
> > --- Ramakrishnan Pillai
> > wrote:
> >
> > > Thanks. Will check the supernetting option. As per
> > > another suggestion, I tried matching the encryption
> > > domains on both ends. The PIX end is simple with two
> > > networks. But the Checkpoint end encryption domain is
> > > common for all site-to-site and remote access
> > > clients and is a huge list of all IPs/networks
> > > inside the network which need to be accessed over
> > > VPN from outside. Hence it is difficult to match
> > > the encryption domain on both sides of the VPN
> > > tunnel. Any ideas on this?
> > >
> > > Thanks,
> > > Ramakrishnan
> > >
> > > >>> [EMAIL PROTECTED] 12/15/05 9:23 PM >>>
> > > Disable SUPERNETTING on the Checkpoint side. Check the
> > > Knowledge Base for
> > > "how to" instructions.
> > > It may solve your problem.
> > > Regards
> > >
> > > Ramakrishnan Pillai
> > > wrote:
> > > Thanks. Compared all the properties of PIX and
> > > R55. The "Support key Exchange for Subnets" is
> > > already checked. Still no luck. Same message...RK
> > >
> > > >>> [EMAIL PROTECTED] 12/14/05 5:37 PM >>>
> > > In SmartDashboard, go to the interoperable device
> > > object Properties (representing PIX), look for VPN -
> > > VPN Advanced and uncheck the box: "Support key
> > > Exchange for Subnets"
> > > I hope that helps.
> > >
> > > Regards,
> > >
> > > Oliver.
> > >
> > >
> > > --- Ramakrishnan Pillai
> > > wrote:
> > >
> > > > Thanks for the detailed reply. Let me cross check
> > > > everything...RK
> > > >
> > > > >>> [EMAIL PROTECTED] 12/14/2005 10:45:06 AM >>>
> > > > Parameters are not identical. I've run into this many times. For
> > > > example, if the policy on the PIX ends up offering you
> > > > DES/3DES/MD5/SHA1 (Phase-1), but the Interoperable Device representing
> > > > the PIX has been set up for 3DES/SHA1, it will fail. You've got to
> > > > match exactly, not just have a match. Painful, but there you have it.
> > > > Also check DH groups, timeouts, PFS-or-not for Phase-2, and ideally
> > > > don't choose Aggressive.
> > > > "No proposal chosen" is likely Phase-1 settings. If it was the
> > > > encryption domain, you'd see "no valid SA". Could also be encryption
> > > > settings for Phase-2, but that's less common - transform sets are
> > > > specific to a tunnel, so control is better. Policies are not, and that
> > > > leads to a "VPNs are like a box of chocolates" situation.
> > > >
> > > > If you are being supported by a CSP, run vpn debug trunc, get the handy
> > > > ike.elg, and have them run it through IkeView. That will show you
> > > > exactly what's going on and make short work of this issue. Could also
> > > > use tcpdump and Ethereal for Phase-1 issues, but that only gets you
> > > > halfway through the exchange - once encryption starts, you're blind.
> > > > Ethereal won't help with Phase-2; IkeView will.
> > > >
> > > > Good news is: this will come up once parameters match 100% on both
> > > > sides.
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Mailing list for discussion of Firewall-1
> > > > [mailto:[EMAIL PROTECTED]] On Behalf Of Ramakrishnan Pillai
> > > > Sent: Wednesday, December 14, 2005 10:15 AM
> > > > To: [email protected]
> > > > Subject: [FW-1] VPN between R55 and PIX
> > > >
> > > >
> > > > While doing a site-to-site between R55 and PIX we
> > > > are getting "Message from peer: No proposal chosen"
> > > > at the Checkpoint end. Using a preshared secret and all
> > > > parameters are identical. Any idea where to check
> > > > for this?
> > > >
> > > > Thanks in advance.
> > > > RK
> > > >
> > > >
> > > > =================================================
> > > > To set vacation, Out-Of-Office, or away messages,
> > > > send an email to [EMAIL PROTECTED]
> > > > in the BODY of the email add:
> > > > set fw-1-mailinglist nomail
> > > > =================================================
> > > > To unsubscribe from this mailing list,
> > > > please see the instructions at
> > > > http://www.checkpoint.com/services/mailing.html
> > > > =================================================
> > > > If you have any questions on how to change your
> > > > subscription options, email
> > > > [EMAIL PROTECTED]
> > > > =================================================
> > === message truncated ===
>

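Added example, not from the thread or from any of its participants: a small Python checker that models the two mismatch classes the replies describe, the field-for-field match rule for Phase-1 proposals, and the Phase-2 proxy-ID (encryption domain) mirroring that a supernetted 10.0.0.0/8 breaks against a PIX that only lists the /24s. The proposal values, the far-end network 192.168.11.0/24 and the PIX access-list pairs are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Phase1Proposal:
    """One IKE Phase-1 proposal as a side presents or has configured it."""
    encryption: str   # e.g. "3DES"
    hash_alg: str     # e.g. "SHA1"
    dh_group: int     # e.g. 2
    auth: str         # e.g. "preshared"
    lifetime: int     # seconds


def phase1_exact_matches(offered, configured):
    """Apply the thread's rule: an offered proposal counts only when every
    field equals one the other side has configured, not when parts overlap."""
    return [p for p in offered if p in set(configured)]


def phase2_unmatched(initiator_ids, responder_ids):
    """Proxy IDs are (local, remote) network pairs. Quick Mode succeeds only
    when the responder holds the mirrored pair; return the initiator pairs
    that have no mirror, i.e. the ones that would fail with 'no valid SA'."""
    mirrored = {(ip_network(r), ip_network(l)) for l, r in responder_ids}
    return [(l, r) for l, r in initiator_ids
            if (ip_network(l), ip_network(r)) not in mirrored]


# Constructed sample (not the thread's real configs): the PIX offers two
# Phase-1 proposals, the Check Point Interoperable Device has exactly one.
PIX_OFFERS = [Phase1Proposal("DES", "MD5", 2, "preshared", 86400),
              Phase1Proposal("3DES", "SHA1", 2, "preshared", 86400)]
CP_CONFIG = [Phase1Proposal("3DES", "SHA1", 2, "preshared", 86400)]

# Phase-2 proxy IDs as (local, remote). 192.168.11.0/24 is an assumed far-end
# network; the PIX crypto ACL names each Check Point /24 separately.
PIX_IDS = [("192.168.11.0/24", "10.98.1.0/24"),
           ("192.168.11.0/24", "10.70.0.0/24")]
CP_SUPERNET_IDS = [("10.0.0.0/8", "192.168.11.0/24")]  # largest-subnet on
CP_EXACT_IDS = [("10.98.1.0/24", "192.168.11.0/24"),   # largest-subnet off
                ("10.70.0.0/24", "192.168.11.0/24")]


def demo():
    """Return (phase-1 matches, phase-2 failures with supernetting,
    phase-2 failures without supernetting)."""
    return (phase1_exact_matches(PIX_OFFERS, CP_CONFIG),
            phase2_unmatched(CP_SUPERNET_IDS, PIX_IDS),
            phase2_unmatched(CP_EXACT_IDS, PIX_IDS))


if __name__ == "__main__":
    print(demo())
```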