[FW1] VPN Between VPN-1 and Cisco VPN 5000 Concentrator - No Proposal Chosen
Hello all, and thank you in advance for any help you may be able to provide, and I apologize for the length of this message.

I am trying to connect a customer's VPN-1/SP2 Firewall running on a Nokia IP330 to their partner's Cisco VPN 5000 concentrator (Cisco VPN 5001 Concentrator v6.0.16.0001 (dalecki) US). I have followed the document at http://www.cisco.com/warp/customer/471/cp-5000.html. The Cisco engineer at my customer's partner company is very confident that his 5000 is configured properly because it is currently working with my customer's existing VPN device (which we are trying to replace with Check Point), and also his other partners' VPN devices.

----------------------------------------------------------
Here's the Info:

We are using DES/ESP/SHA1, a preshared secret, and are supporting subnets. We have also tried DES/ESP/MD5 with no luck. I do not have "Supports Aggressive Mode" checked.

In Policy Properties, Encryption Tab, I have modified the "Renegotiate IKE SA's every" entry to 1440 minutes. I also modified the "Renegotiate IPSEC SA's every" entry to 28800 seconds.

We are NATing on both ends. I have added a line in the NAT table basically saying "Don't NAT traffic between our VPN domains."

----------------------------------------------------------
When we try to telnet from a client behind the CP firewall to a server behind the Cisco VPN 5000, using illegal addresses, we get the following entries in our Check Point log. I've been told that the "no proposal chosen" error has to do with our two VPN devices not having the same settings, but we checked, double-checked, and triple-checked our settings.

---------------
1st log entry:
---------------
Action: key install
Source: VPN-1 External IP Address
Dest: Cisco 5000 External IP Address
Info: IKE Log: Sent Notification: no proposal chosen <phase1 stage2> Negotiation Id: 90e35f....
---------------
2nd log entry:
---------------
Action: key install
Source: VPN-1 External IP Address
Dest: Cisco 5000 External IP Address
Info: IKE Log: Received Notification from Peer: N/A

----------------------------------------------------------
Please forward any questions or ideas you may have. Thank you again.

Robert C. Schaefer
CCSE, MCSE, CCEA
Compudata, Inc.
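
An added illustration, not part of the original message or of either vendor's software: the sketch below decodes one IKEv1 phase 1 transform as it appears on the wire (RFC 2408 section 3.6, RFC 2409 Appendix A) and lists the attributes that differ from a local policy, which is the comparison that ends in "no proposal chosen" when no offered transform matches. The sample payload, the local policy and the Diffie-Hellman group values are constructed assumptions; the message does not state either side's group.

```python
import struct

# IKEv1 phase 1 attribute classes and values (RFC 2409 Appendix A)
NAMES = {1: "encryption", 2: "hash", 3: "auth", 4: "dh_group",
         11: "life_type", 12: "life_duration"}
VALUES = {"encryption": {1: "DES-CBC", 5: "3DES-CBC"},
          "hash": {1: "MD5", 2: "SHA"},
          "auth": {1: "pre-shared key", 3: "RSA signatures"},
          "dh_group": {1: "MODP-768", 2: "MODP-1024"},
          "life_type": {1: "seconds", 2: "kilobytes"}}

def parse_transform(payload: bytes) -> dict:
    """Decode one ISAKMP Transform payload into named attributes."""
    _next, _rsv, length, _num, transform_id, _rsv2 = struct.unpack(
        "!BBHBBH", payload[:8])
    if transform_id != 1 or length != len(payload):    # 1 = KEY_IKE
        raise ValueError("not a well-formed KEY_IKE transform")
    attrs, pos = {}, 8
    while pos < length:
        head, second = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        if head & 0x8000:             # AF bit set: fixed 2-byte value (TV)
            value = second
        else:                         # AF bit clear: length, then value (TLV)
            value = int.from_bytes(payload[pos:pos + second], "big")
            pos += second
        name = NAMES.get(head & 0x7FFF, f"attr_{head & 0x7FFF}")
        attrs[name] = VALUES.get(name, {}).get(value, value)
    return attrs

def mismatches(offered: dict, local: dict) -> dict:
    """Return {attribute: (offered, local)} for each attribute that differs."""
    keys = ("encryption", "hash", "auth", "dh_group")
    return {k: (offered.get(k), local[k]) for k in keys
            if offered.get(k) != local[k]}

# Constructed offer: DES-CBC, SHA, pre-shared key, group 1, 86400 s (1440 min)
SAMPLE = bytes.fromhex("00000024" "01010000" "80010001" "80020002"
                       "80030001" "80040001" "800b0001" "000c0004" "00015180")
# Constructed local policy that differs from the offer in the DH group only
LOCAL = {"encryption": "DES-CBC", "hash": "SHA",
         "auth": "pre-shared key", "dh_group": "MODP-1024"}

if __name__ == "__main__":
    offer = parse_transform(SAMPLE)
    print(offer)
    print(mismatches(offer, LOCAL))
```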