czar <[EMAIL PROTECTED]> wrote:
>
> I already have a working VPN between R55 and FreeS/WAN on Debian
> (sarge). But with PIX, no success - "No valid SA" issue.
It's important to realize that the "No valid SA" messages that fill up your logs are red herrings. They do NOT tell you about the nature of the problem. They are only a side effect of the tunnel negotiation failing to occur.

Checkpoint (at least from R55 onward) actually has quite good messages about the nature of the negotiation failures, but you must find them by searching for traffic occurring between the pair of gateways, not between the target VPN networks. If the IKE negotiation traffic is not showing up in the logs, you need to enable logging of implicit rules.

The number one log message I find is "No proposal chosen", which means that the IPSEC parameters do not agree with each other. Parameters are things like encryption type (3DES/MD5 on one side vs. AES/SHA1 on the other) if the negotiation fails at phase 1, or subnet differences if the negotiation fails at phase 2. The number two most popular failure is a mismatch in shared secrets. Beyond that it may take some digging.

cisco4ng <[EMAIL PROTECTED]> wrote:
>
> On the CP side, run "vpn debug iketrunc" and initiate traffic from
> either side. You can also do "debug crypto isakmp 7" and "debug
> crypto ipsec 7" and see what's wrong on the Cisco PIX side.

My experience is that Checkpoint's "vpn debug" output, as well as Cisco's debug output, is extremely voluminous, and it is hard to find the nature of the problem. The messages that appear in the log viewer are generally short and direct.

-- 
David DeSimone == Network Admin == [EMAIL PROTECTED]
"It took me fifteen years to discover that I had no talent for writing, but I couldn't give it up because by that time I was too famous."
-- Robert Benchley
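The triage David describes (ignore the "No valid SA" noise, look only at traffic between the two gateway addresses, then read "No proposal chosen" as a phase-1 parameter mismatch or a phase-2 subnet mismatch, and treat a shared-secret error as the other common cause) can be scripted against an exported log. The block below is an added example, not code from the thread or from Checkpoint; the key=value log format, the message wording and the gateway addresses 203.0.113.10 / 198.51.100.20 are all constructed for illustration and will not match a real log viewer export without adjusting the parser and the match strings.

```python
"""Triage Checkpoint-style VPN log lines for an IKE negotiation failure.

Added example; not from the original post or from Checkpoint.  The
key=value record format, the message strings and the addresses below
are CONSTRUCTED to mirror the advice in the thread.
"""
import re

# Constructed sample.  "No valid SA" lines are between the protected
# networks (10.1.1.0/24 <-> 10.2.2.0/24); the useful IKE messages are
# between the two gateway addresses (assumed 203.0.113.10 and
# 198.51.100.20).  An 'ike_phase' field is an assumption of this example.
SAMPLE_LOG = """\
time=10:01:02 src=10.1.1.5 dst=10.2.2.9 action=drop info="No valid SA"
time=10:01:02 src=10.1.1.6 dst=10.2.2.9 action=drop info="No valid SA"
time=10:01:03 src=203.0.113.10 dst=198.51.100.20 ike_phase=1 info="IKE: No proposal chosen"
time=10:01:04 src=10.1.1.5 dst=10.2.2.9 action=drop info="No valid SA"
time=10:01:07 src=198.51.100.20 dst=203.0.113.10 ike_phase=2 info="IKE: No proposal chosen"
time=10:01:09 src=203.0.113.10 dst=198.51.100.20 ike_phase=1 info="IKE: wrong shared secret"
time=10:01:10 src=203.0.113.10 dst=198.51.100.20 action=accept info="IKE: negotiation started"
"""

# key=value pairs; values may be double-quoted and contain spaces.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_log(text):
    """Turn the constructed key=value lines into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = {}
        for m in FIELD_RE.finditer(line):
            # group(3) is the unquoted inner text when the value was quoted
            rec[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
        records.append(rec)
    return records


def classify(rec):
    """Map one record to the failure class the thread describes."""
    info = rec.get("info", "")
    if "No valid SA" in info:
        return "side-effect"  # symptom of a missing tunnel, says nothing about the cause
    if "No proposal chosen" in info:
        if rec.get("ike_phase") == "1":
            return "phase1-parameter-mismatch"  # encryption / hash / DH group disagree
        if rec.get("ike_phase") == "2":
            return "phase2-subnet-mismatch"  # encryption domains / proxy IDs disagree
        return "proposal-mismatch-unknown-phase"
    if "shared secret" in info.lower():
        return "shared-secret-mismatch"
    return "other"


def gateway_records(records, gw_a, gw_b):
    """Keep only traffic between the two gateways, in either direction."""
    pair = {gw_a, gw_b}
    return [r for r in records if {r.get("src"), r.get("dst")} == pair]


def triage(text, gw_a, gw_b):
    """Count the noise, then list the real findings in log order."""
    records = parse_log(text)
    noise = sum(1 for r in records if classify(r) == "side-effect")
    findings = [
        (r["time"], classify(r), r["info"])
        for r in gateway_records(records, gw_a, gw_b)
        if classify(r) != "other"
    ]
    return {
        "noise_dropped": noise,
        "findings": findings,
        # the earliest gateway-to-gateway failure is the one to fix first
        "first_cause": findings[0][1] if findings else None,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, "203.0.113.10", "198.51.100.20")
    print(f"ignored {result['noise_dropped']} 'No valid SA' lines")
    for time, cause, info in result["findings"]:
        print(f"{time}  {cause:32s}  {info}")
    print("start with:", result["first_cause"])
```

On the constructed sample the three "No valid SA" lines are set aside and the first gateway-to-gateway finding is the phase-1 proposal mismatch, which is where the comparison of encryption, hash and DH settings on the two boxes should begin; a phase-2 mismatch only becomes relevant once phase 1 completes.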
