Kowalczyk, Thorsten wrote:
Hi Guys,

I have a bit of trouble with an NGX R62 cluster (Crossbeam) / PIX VPN
combination.
I am trying to set up a VPN to a customer with a Cisco PIX. Phase 1
completes. In Phase 2 I get INVALID ID INFORMATION (see below). In
my VPN domain I have 3 different networks (e.g. 10.0.0.0/24,
172.16.0.0/24, 192.168.0.0/24); on the Interoperable Device I have a
different network (192.168.5.0/24) as domain.

IKE View shows me the following entries.
QM packet 1 (13:02:07) - Mon Mar 2 2009

ID:
(0.0.0.0 0.0.0.0) - (0.0.0.0 0.0.0.0)

This sounds like you configured the VPN community to use only one tunnel per gateway pair.
Can you please try to configure one tunnel per subnet pair?
(Tunnel management in the community.)

What does the log on the PIX say?
Transport: UDP
PeerIP: c22c22 (Just an example)
PeerPort: 500
Peer Name: ANY-Gateway

==> Sent to peer 12.34.12.34 (Just an example)

INFO Paket

Notify Payload

Next Payload: NONE
Reserved: 0
Length: 00 a4 (164)
DOI: 00 00 00 01 (1)
ProtID: 1
SPI Size: 16
Notify Type: 18 (INVALID-ID-INFORMATION)
SPI: (JUST EXAMPLE)
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00
Notify Data: (JUST EXAMPLE)

We are using the simplified mode in the VPN community, not traditional.

I have already modified $FWDIR/con/user.def.NGX_R60 several times.
Content I tried first:

max_subnet_for_range = {
<10.0.0.0, 10.0.0.255; 255.255.255.0>, # EXAMPLE IPs
<172.16.0.0, 172.16.0.255; 255.255.255.0>,
<10.9.0.0, 10.9.0.255; 255.255.255.0>
}

and I also tried a second possibility (also just example IPs):

subnet_for_range_and_peer = {
<1.2.3.4, 10.0.0.0, 10.0.0.255; 255.255.255.0>,
<1.2.3.4, 10.1.0.255; 255.255.255.0>,
<1.2.3.4, 10.9.0.255; 255.255.255.0>
};
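
A format check for the two user.def tables quoted in this thread, added here as an example and not part of the original mail or of Check Point's tooling. It assumes the entry layout `<first, last; mask>` and `<peer, first, last; mask>` seen in the post, and treats a VPN-domain network as covered when it lies inside an entry's first..last range; the function names are hypothetical.

```python
import ipaddress
import re

# Tables as posted in the thread (the poster's example IPs), copied for the check.
MAX_SUBNET_FOR_RANGE = """
<10.0.0.0, 10.0.0.255; 255.255.255.0>, # EXAMPLE IPs
<172.16.0.0, 172.16.0.255; 255.255.255.0>,
<10.9.0.0, 10.9.0.255; 255.255.255.0>
"""
SUBNET_FOR_RANGE_AND_PEER = """
<1.2.3.4, 10.0.0.0, 10.0.0.255; 255.255.255.0>,
<1.2.3.4, 10.1.0.255; 255.255.255.0>,
<1.2.3.4, 10.9.0.255; 255.255.255.0>
"""

def parse_table(text, with_peer):
    """Return (entries, errors); an entry is (peer_or_None, first, last, mask)."""
    want = 3 if with_peer else 2   # assumed layout: [peer,] first, last; mask
    entries, errors = [], []
    for raw in re.findall(r"<([^<>]*)>", text):
        addrs, _, mask = (part.strip() for part in raw.partition(";"))
        fields = [f.strip() for f in addrs.split(",")]
        try:
            if len(fields) != want or not mask:
                raise ValueError(f"expected {want} addresses and a mask")
            ips = [ipaddress.IPv4Address(f) for f in fields]
            ipaddress.IPv4Network("0.0.0.0/" + mask)  # rejects non-contiguous masks
            if ips[-2] > ips[-1]:
                raise ValueError("range start is above range end")
        except ValueError as exc:
            errors.append((raw.strip(), str(exc)))
            continue
        entries.append((ips[0] if with_peer else None, ips[-2], ips[-1], mask))
    return entries, errors

def uncovered(networks, entries):
    """Networks not inside any entry's first..last range (assumed meaning of 'covered')."""
    missing = []
    for cidr in networks:
        net = ipaddress.IPv4Network(cidr)
        if not any(first <= net.network_address and net.broadcast_address <= last
                   for _, first, last, _ in entries):
            missing.append(cidr)
    return missing

if __name__ == "__main__":
    domain = ["10.0.0.0/24", "172.16.0.0/24", "192.168.0.0/24"]  # VPN domain from the post
    for name, text, peer in (("max_subnet_for_range", MAX_SUBNET_FOR_RANGE, False),
                             ("subnet_for_range_and_peer", SUBNET_FOR_RANGE_AND_PEER, True)):
        entries, errors = parse_table(text, peer)
        print(name, "malformed:", errors, "uncovered:", uncovered(domain, entries))
```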


