On the VPN community you have created, change Tunnel management to "VPN tunnel for host pair" instead of subnet pair... but that is for version R65.
I think in earlier versions you need to change "ike_use_largest_possible_subnets false", as Hugo implied. Do a search on the Checkpoint knowledge base for the correct SK and syntax. I do that for any VPN communities that do not talk to any other CHECKPOINT devices.

Regards

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Hugo van der Kooij
Sent: Friday, June 13, 2008 3:18 AM
To: [email protected]
Subject: Re: [FW-1] Checkpoint R62 vs CiscoASA 5505

Fred Damstra wrote:
| On Thu, Jun 12, 2008 at 4:51 AM, pkc_mls <[EMAIL PROTECTED]> wrote:
|> but I suspect lifetime mismatch for phase 2.
|
| Isn't SA lifetime negotiated? I thought that SA lifetime would
| negotiate down to the lowest of the configurations on the link? Is
| that not the case with Checkpoint?

That is how it is supposed to work.

A common issue with Cisco is that Check Point may supernet entries which will result in a mismatch. Then there is the tunnel per gateway vs a tunnel per subnet that may throw you off-balance.

You can start vpn debugging and then read the vpnd.elg file to see what happens. Doing a tcpdump might be a way to learn things too about the actual negotiation.

Hugo.

-- 
[EMAIL PROTECTED] http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

Scanned by Check Point Total Security Gateway.
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
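
The supernetting mismatch described in the thread, as an added example that is not part of the original messages: a simplified Python model (not Check Point's actual algorithm) in which merging adjacent encryption-domain subnets produces a phase 2 selector that the peer has no exact entry for. The networks, the function names and the exact-match rule on the peer side are assumptions for illustration, and only one side of the selector pair is modelled.

```python
import ipaddress

# Constructed sample data: the local encryption domain and the remote
# networks listed one by one in the peer's crypto ACL (assumed values).
LOCAL_DOMAIN = ["192.168.0.0/24", "192.168.1.0/24", "10.20.30.0/24"]
PEER_ACL = ["192.168.0.0/24", "192.168.1.0/24", "10.20.30.0/24"]


def merged_proposal(domain):
    """Model 'largest possible subnets': merge adjacent networks."""
    nets = [ipaddress.ip_network(n) for n in domain]
    return list(ipaddress.collapse_addresses(nets))


def per_subnet_proposal(domain):
    """Model the setting switched off: propose each subnet as configured."""
    return sorted(ipaddress.ip_network(n) for n in domain)


def check_against_peer(proposals, peer_acl):
    """Split proposals into exact matches and mismatches.

    Assumption: the peer accepts a selector only when it equals one of
    its ACL entries. For each mismatch, list the peer entries it
    swallows, which is the hint that supernetting is the cause.
    """
    expected = {ipaddress.ip_network(n) for n in peer_acl}
    match, mismatch = [], {}
    for p in proposals:
        if p in expected:
            match.append(str(p))
        else:
            mismatch[str(p)] = sorted(
                str(e) for e in expected if e.subnet_of(p)
            )
    return match, mismatch


def report():
    """Compare both proposal styles against the peer's ACL."""
    out = {}
    for label, build in (("merged", merged_proposal),
                         ("per_subnet", per_subnet_proposal)):
        match, mismatch = check_against_peer(build(LOCAL_DOMAIN), PEER_ACL)
        out[label] = {"match": match, "mismatch": mismatch}
    return out


if __name__ == "__main__":
    for label, result in report().items():
        print(label, result)
```
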
