Thank you for all your help, 

The problem is solved. It was due to differences in configuration on the new 
R62 against the old R60, because we are now using simplified mode and not 
traditional mode as we used to, with some NAT problems in the mix.
With more logs from the Cisco, we could find the reason for the SA being deleted.
Thank you

Best Regards,
Miguel Cardoso Ferreira   
-----Original Message-----
From: Mailing list for discussion of Firewall-1 
[mailto:[email protected]] On Behalf Of Ray
Sent: Saturday, 31 January 2009 13:45
To: [email protected]
Subject: Re: [FW-1] IPSec/LAN-to-LAN -> R62 -cisco VPN Concentrator 3000

What version of FW-1 are you using on your side and what HFA?

You ought to consider changing MD5 to SHA-1 given all of the bad publicity 
about MD5 recently.

Are you sure PFS is disabled on both sides?

Ray

> Date: Fri, 30 Jan 2009 18:57:56 +0000
> From: [email protected]
> Subject: [FW-1] IPSec/LAN-to-LAN  -> R62 -cisco VPN Concentrator 3000
> To: [email protected]
> 
> Hello, 
> 
> I am configuring an IPSec/LAN-to-LAN VPN between my FW-1 and a Cisco VPN 
> Concentrator 3000 after replacing an R60 FW-1 on which the tunnel was working.
> 
> I've created the vpn community with the following specs:
> 
> Phase 1 SA Attribute Decode for Transform # 1:
>   Encryption Alg: Triple-DES (5)
>   Hash Alg: MD5 (1)
>   Auth Method: Preshared Key (1)
>   DH Group: Oakley Group 2 (2)
>   Life Time: 86400 seconds
> 
> Phase 2:
>   Encryption Alg: Triple-DES (3)
>   DH Group: Oakley Group 2 (2)
>   Life Time: 28800 seconds
>   HMAC Algorithm: MD5 (1)
>   Encapsulation: Tunnel (1)
> 
> And even after changing the largest IPsec subnets, with exactly the same 
> VPN domain as was working on the other FW-1 R60, and changing the 
> configuration to pairs of subnets and pairs of hosts, we keep getting these 
> errors:
> 
> 1
> 
> Number:                             617913
> Date:                                    29Jan2009
> Time:                                    8:38:46
> Product:                              VPN-1 Power/UTM
> VPN Feature:                    IKE
> Interface:                           daemon
> Origin:                                  firewall
> Type:                                    Log
> Action:                                 Key Install
> Source:                                firewall 
> Destination:                      cisco
> Encryption Scheme:       IKE
> VPN Peer Gateway:      cisco
> IKE Initiator Cookie:      bf9b17fdf99df6f6
> IKE Responder Cookie: eb795f46dfdff6cf
> Encryption Methods:                    3DES + MD5, Pre shared secrets
> Community:                      VPN_community
> Subproduct:                      VPN
> Information:                     IKE: Main Mode completion [UDP].
> 
> 
> 2
> 
> Number:                             617914
> Date:                                    29Jan2009
> Time:                                    8:38:46
> Product:                              VPN-1 Power/UTM
> VPN Feature:                                   IKE
> Interface:                          daemon
> Origin:                                  firewall
> Type:                                    Log
> Action:                                 Key Install
> Source:                                cisco
> Destination:                     firewall
> Encryption Scheme:                      IKE
> VPN Peer Gateway:                      cisco
> IKE Phase2 Message ID:               4b54s3dff4b
> Subproduct:                     VPN
> Information:                                     IKE: Informational Exchange 
> Received Delete IKE-SA from Peer: cisco
>                                                Cookies: 
> fd179bbffdfsd6d699f9-465f79ebsdfcfsf68d22
>  
> 
> On the Cisco side we got some logs that said phase 1 was complete, 
> it accepted the IPsec proposal of the second phase, and then deleted the SA.
> 
> Any ideas that could help?
> 
> Thank you
> 
> Best Regards,
> Miguel Ferreira   
> 
> 
> 


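One way to pick the "Main Mode completes, then the peer deletes the IKE SA" symptom out of the gateway logs mechanically, and to flag the MD5 hash Ray points at. This is an added example, not code from the thread or from Check Point; the records are constructed, modelled on the ones quoted above, with made-up values.

```python
"""Correlate Check Point IKE log records and flag SA teardowns and weak hashes."""
import re

# Constructed sample, modelled on the records quoted in the thread (values made up).
SAMPLE_LOG = """\
Number: 617913
Time: 8:38:46
Action: Key Install
Source: firewall
Destination: cisco
VPN Peer Gateway: cisco
Encryption Methods: 3DES + MD5, Pre shared secrets
Information: IKE: Main Mode completion [UDP].

Number: 617914
Time: 8:38:46
Action: Key Install
Source: cisco
Destination: firewall
VPN Peer Gateway: cisco
Information: IKE: Informational Exchange Received Delete IKE-SA from Peer: cisco
"""

WEAK_HASHES = ("MD5",)  # hashes worth replacing in the IKE/IPsec proposal


def parse_records(text):
    """Split blank-line separated 'Key: value' records into dicts."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")  # values may themselves contain ':'
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def find_sa_teardowns(records):
    """Return (peer, main_mode_number, delete_number) where a peer deleted the
    IKE SA after Main Mode had completed with it and no other SA event intervened."""
    last_main_mode, findings = {}, []
    for rec in records:
        peer, info = rec.get("VPN Peer Gateway"), rec.get("Information", "")
        if "Main Mode completion" in info:
            last_main_mode[peer] = rec["Number"]
        elif "Delete IKE-SA" in info and peer in last_main_mode:
            findings.append((peer, last_main_mode.pop(peer), rec["Number"]))
    return findings


def weak_hash_peers(records):
    """Peers whose negotiated methods mention a hash from WEAK_HASHES."""
    return sorted({r["VPN Peer Gateway"] for r in records
                   if any(h in r.get("Encryption Methods", "") for h in WEAK_HASHES)})
```

A teardown finding on a peer whose proposal was otherwise accepted points at a phase 2 selector or mode mismatch, which is where the thread's answer turned out to be.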