Hi Dude,
This did not help me. I still notice that Phase 2 is not coming up. Any other
options that you might want to share?
Thanks,
Vasu
On 2/14/06, cisco4ng <[EMAIL PROTECTED]> wrote:
>
> Hi there,
>
> Changing the IKE_largest_possible_subnet from true to "false" is only the
> first step.
>
> What you need to do is to basically include all the IP networks of the
> Checkpoint encryption domain in the $FWDIR/lib/user.def file. For example,
> I have 3 networks, so the user.def file will look something like this:
>
> // User defined INSPECT code
> //
> max_subnet_for_range = {
> <192.168.10.0, 192.168.10.255; 255.255.255.0>,
> <192.168.11.0, 192.168.11.255; 255.255.255.0>,
> <192.168.13.0, 192.168.13.255; 255.255.255.0>
> };
> #endif /* __user_def__ */
>
> Install the policy and it will work. It has nothing to do with phase II
> PFS. In R55 and higher, you can have PFS on the PIX side and no PFS on the
> Checkpoint side and it still works. I deal with these every day. NG Feature
> Pack 3 is another matter.
>
> Good luck! If you still have problems, please repost.
>
> cisco4ng
>
> *Vasudevan Chetty Padmanabhan <[EMAIL PROTECTED]>* wrote:
>
> Hi,
>
> I am using Checkpoint NG with AI - R55. Thanks for the Cisco config. I
> have the latest hotfixes for CheckPoint installed. Any other thoughts,
> please...
>
> thanks..
>
>
> On 2/14/06, no-need to-list wrote:
> >
> > Here is a PIX configuration that you may use as a base. I have more than
> > 100 Cisco PIX working with Checkpoint FW.
> >
> > I hope this helps all the people having problems with Checkpoint and
> > Cisco PIX VPN.
> >
> > PS: Checkpoint side latest HFA applied, PIX latest code used...
> >
> >
> >
> > BASIC PIX Configuration
> >
> > ------------------------------------
> > assign names to networks and hosts
> > ------------------------------------
> > name 192.168.0.0 your-192-168-x-x
> > name 111.111.111.111 yourFWCLUSTER
> > name 10.0.0.0 your-10-x-x-x
> >
> > ----------------------------------------------------
> > define the VPN networks reachable behind the Checkpoint FW
> > by creating a group
> > -----------------------------------------------------
> > object-group network your-vpn-dom
> > description your-vpn-domain
> > network-object your-10-x-x-x 255.0.0.0
> > network-object your-192-168-x-x 255.255.0.0
> > --------------------------------------------------
> > access list to disable SPLIT-Tunneling
> > --------------------------------------------------
> > access-list 101 permit ip host yourFWCLUSTER any
> > access-list 101 permit ip (yourpixinternalnet) 255.255.255.0 any
> > access-list 101 permit ip host pixexternal object-group your-vpn-dom
> > access-list nonat permit ip host yourFWCLUSTER any
> > access-list nonat permit ip (yourpixinternalnet) 255.255.255.0 any
> > access-list nonat permit ip host (yourpixexternaladdress) object-group your-vpn-dom
> >
> > ---------------------------------------
> > global nat command
> > ---------------------------------------
> > global (outside) 1 interface
> > nat (inside) 0 access-list nonat
> > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> >
> > ---------------------------------------------
> > define the crypto map, transform-sets and assign the access list
> > ----------------------------------------------
> >
> > sysopt connection permit-ipsec
> > crypto ipsec transform-set rtptac esp-3des esp-md5-hmac
> > crypto map rtprules 10 ipsec-isakmp
> > crypto map rtprules 10 match address 101
> > crypto map rtprules 10 set peer yourFWCLUSTER
> > crypto map rtprules 10 set transform-set rtptac
> > crypto map rtprules interface outside
> > -------------------------------------------------------
> > define the ISAKMP parameters to match the Checkpoint FW
> > ---------------------------------------------------------
> >
> > isakmp enable outside
> > isakmp key (your-shared-key-here) address yourFWCLUSTER netmask 255.255.255.255
> > isakmp policy 1 authentication pre-share
> > isakmp policy 1 encryption 3des
> > isakmp policy 1 hash md5
> > isakmp policy 1 group 2
> > isakmp policy 1 lifetime 86400
> >
> >
> >
> > Vasudevan Chetty Padmanabhan <[EMAIL PROTECTED]> wrote:
> > Hi Ramakrishnan,
> >
> > Were you able to get the site-to-site tunnel working? I am also in the
> > same boat. I did the following:
> > 1. Verified the encryption domain and the settings at both ends (Cisco
> > PIX 515E & CP R55).
> > 2. Unchecked the "Support key Exchange for Subnets"
> > 3. # dbedit (This should be done on the Mgmt Server)
> > Enter Server name (Enter for Local Host)
> > User Name / Password
> > dbedit> modify properties firewall_properties
> > ike_use_largest_possible_subnets false
> >
> > dbedit> update properties firewall_properties
> > firewall_properties updated successfully.
> >
> > dbedit> quit
> > 4. Install the Policy
> >
> > Still no progress. Please let me know if something helped you.
> >
> > Regards,
> > Vasu
> >
> >
> >
> > On 12/16/05, Ramakrishnan Pillai wrote:
> > >
> > > Hi Oliver,
> > >
> > > Yes. I did uncheck it and try. It didn't help... Ramakrishnan
> > >
> > > >>> [EMAIL PROTECTED] 12/16/2005 10:46:51 AM >>>
> > >
> > > Hi Ramakrishnan,
> > > My suggestion was "uncheck" the box for "Support key
> > > Exchange for Subnets", NOT "check". (only in the
> > > interoperable device)
> > > Next, install the policy.
> > > Did you try that?
> > >
> > > Regards,
> > > Oliver.
> > >
> > >
> > > --- Ramakrishnan Pillai wrote:
> > >
> > > > Thanks. Will check supernetting option. As per
> > > > another suggestion, I tried matching the encryption
> > > > domains on both end. The PIX end is simple with two
> > > > networks. But Checkpoint end encryption domain is
> > > > common for all site-to-site and remote access
> > > > clients and is a huge list of all IPs/networks
> > > > inside the network which need to be accessed over
> > > > VPN from outside. Hence it is difficult to match
> > > > the encryption domain on both sides of the vpn
> > > > tunnel. Any ideas on this?
> > > >
> > > > Thanks,
> > > > Ramakrishnan
> > > >
> > > > >>> [EMAIL PROTECTED] 12/15/05 9:23 PM >>>
> > > > Disable SUPERNETTING on the Checkpoint side. Check the
> > > > Knowledge Base for "how to" instructions.
> > > > It may solve your problem.
> > > > Regards
> > > >
> > > > Ramakrishnan Pillai wrote:
> > > > Thanks. Compared all the properties of PIX and
> > > > R55. The "Support key Exchange for Subnets" is
> > > > already checked. Still no luck. Same message...RK
> > > >
> > > > >>> [EMAIL PROTECTED] 12/14/05 5:37 PM >>>
> > > > In SmartDashboard, go to the interoperable device
> > > > object Properties (representing PIX), look for VPN -
> > > > VPN Advanced and uncheck the box: "Support key
> > > > Exchange for Subnets"
> > > > I hope that helps.
> > > >
> > > > Regards,
> > > >
> > > > Oliver.
> > > >
> > > >
> > > > --- Ramakrishnan Pillai wrote:
> > > >
> > > > > Thanks for the detailed reply. Let me cross check
> > > > > everything...RK
> > > > >
> > > > > >>> [EMAIL PROTECTED] 12/14/2005 10:45:06 AM >>>
> > > > > Parameters are not identical. I've run into this
> > > > > many times. For example, if policy on PIX ends up
> > > > > offering you DES/3DES/MD5/SHA1 (Phase-1), but the
> > > > > Interoperable Device representing the PIX has been
> > > > > set up for 3DES/SHA1, it will fail. You've got to match
> > > > > exactly, not just have a match. Painful, but there
> > > > > you have it. Also check DH-groups, timeouts,
> > > > > PFS-or-not for Phase-2, and ideally don't choose
> > > > > Aggressive.
> > > > > No proposal chosen is likely Phase-1 settings. If it
> > > > > was encrypt domain, you'd see "no valid SA". Could
> > > > > also be encrypt settings Phase-2, but that's less
> > > > > common - transform sets are specific to a tunnel, so
> > > > > control is better. Policies are not, and that leads
> > > > > to a "VPNs are like a box of chocolates" situation.
> > > > >
> > > > > If you are being supported by a CSP, run vpn debug
> > > > > trunc, get the handy ike.elg, and have them run it
> > > > > through IkeView. That will show you exactly what's
> > > > > going on and make short work of this issue. Could
> > > > > also use tcpdump and ethereal for phase-1 issues,
> > > > > but that only gets you halfway through the exchange
> > > > > - once encryption starts, you're blind. Ethereal
> > > > > won't help with Phase-2; IkeView will.
> > > > >
> > > > > Good news is: This will come up once parameters
> > > > > match 100% on both sides.
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: Mailing list for discussion of Firewall-1
> > > > > [mailto:[EMAIL PROTECTED]] On Behalf Of Ramakrishnan Pillai
> > > > > Sent: Wednesday, December 14, 2005 10:15 AM
> > > > > To: [email protected]
> > > > > Subject: [FW-1] VPN between R55 and PIX
> > > > >
> > > > >
> > > > > While doing a site-to-site between R55 and PIX we
> > > > > are getting "Message from peer: No proposal chosen"
> > > > > at the Checkpoint end. Using preshared secret and all
> > > > > parameters are identical. Any idea where to check?
> > > > >
> > > > > Thanks in advance.
> > > > > RK
> > > > >
> > > > >
> > > > > =================================================
> > > > > To set vacation, Out-Of-Office, or away messages,
> > > > > send an email to
> > > > [EMAIL PROTECTED]
> > > > > in the BODY of the email add:
> > > > > set fw-1-mailinglist nomail
> > > > > =================================================
> > > > > To unsubscribe from this mailing list,
> > > > > please see the instructions at
> > > > > http://www.checkpoint.com/services/mailing.html
> > > > > =================================================
> > > > > If you have any questions on how to change your
> > > > > subscription options, email
> > > > > [EMAIL PROTECTED]
> > > > > =================================================
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > > === message truncated ===
> > >
> > >
> > >
> >
> >
>
>
>
>
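An added example, not from this thread or any of its posters: a small Python checker that applies the matching rules discussed above (Phase 1 must match attribute for attribute, and the Phase 2 proxy IDs must agree once supernetting is off) to PIX lines in the shape of the sample config. The Check Point-side dictionary, the domain list and the supernetting model are simplified assumptions for illustration.

```python
import ipaddress

# Constructed PIX lines in the shape of the thread's sample configuration.
PIX_CONFIG = """
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
crypto ipsec transform-set rtptac esp-3des esp-md5-hmac
"""

def parse_pix(text):
    """Return ({policy number: {attribute: value}}, {set name: transforms})."""
    policies, transforms = {}, {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:2] == ["isakmp", "policy"]:
            policies.setdefault(tok[2], {})[tok[3]] = tok[4]
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            transforms[tok[3]] = tuple(tok[4:])
    return policies, transforms

def phase1_verdict(pix_policies, cp_phase1):
    """Rule from the thread: one PIX policy must equal the Check Point Phase 1
    settings in every attribute; a partial overlap is still "No proposal chosen"."""
    for num, pol in sorted(pix_policies.items(), key=lambda kv: int(kv[0])):
        if all(pol.get(k) == v for k, v in cp_phase1.items()):
            return "phase1 ok (policy %s)" % num
    return "No proposal chosen"

def phase2_proxy_ids(pix_nets, cp_domain, supernetting):
    """Phase 2 proxy IDs. The PIX side is fixed by its crypto ACL; the Check
    Point side is modelled (simplified assumption) as its exact domain networks,
    or with supernetting on as the single smallest prefix covering the domain."""
    pix = {ipaddress.ip_network(n) for n in pix_nets}
    cp = [ipaddress.ip_network(n) for n in cp_domain]
    if supernetting:
        net = cp[0]
        while not all(n.subnet_of(net) for n in cp):
            net = net.supernet()  # widen until every domain network fits
        cp = [net]
    return set(cp) == pix, sorted(str(n) for n in cp)

if __name__ == "__main__":
    pol, _ = parse_pix(PIX_CONFIG)
    # Interoperable device set to SHA1 while the PIX offers MD5: the thread's case.
    cp1 = {"authentication": "pre-share", "encryption": "3des",
           "hash": "sha1", "group": "2", "lifetime": "86400"}
    print(phase1_verdict(pol, cp1))  # No proposal chosen
    nets = ["192.168.10.0/24", "192.168.11.0/24", "192.168.13.0/24"]
    print(phase2_proxy_ids(nets, nets, True))  # (False, ['192.168.8.0/21'])
```

With supernetting off the same three networks yield an exact match, which is the effect the user.def entries in the thread are meant to produce.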