Anyway, I tried this but sadly I didn't get it to work yet.
Patrick
>>> <[email protected]> 28/06/01 17:25 >>>
Hi Patrick,
On FW1 site you should have defined a workstation object called e.g. Netscreen.
If so then select the "FW-1/VPN-1" button and version "4.1" - this "should" work as it sets FW1 in "mood" to support subnets over vpn.
Hope it helps...
Marco
"Patrick Coomans" <[email protected]> on 28.06.2001 09:29:15
To: [email protected]
Cc:
(Bcc: Marco Rossi/asap)
Subject: [FW1] Again, VPN w/ Netscreen & IKE gives me a headache
Hi,
I tried to establish a VPN tunnel between a FW1 4.1 sp3 and a netscreen version 2.5.
So first I read the document of Netscreen "Checkpoint Interoperability" & checked out phoneboy.
I use IKE with DES/MD5 and pre-shared secrets,
configured a rule to allow IKE flow between the FW1 and the NSCRN,
configured Encrypt rules for all traffic between the sites,
configured the VPN tab in both the FW1 and the NSCRN objects for encryption in the Encryption Domain,
we support subnets,
made sure the time I saw in the log viewer of the FW1 is exactly the same time I entered in the console of the netscreen,
and I also changed the IKE key lifetime to 28800 seconds on both the netscreen and the fw1.
The logging gives me:
green Accept IKE
blue IKE Phase1 Completion DES/MD5 pre-shared secrets
blue IKE Log: sent notification : no proposal chosen <phase2 stage1>
and the VPN fails.
I tried switching the different proposals in the netscreen and selecting different ones, I also tried to use pfm or nopfm, to no avail.
Changing from aggressive mode to normal mode did not change a thing.
I did find multiple archived messages of people asking the same question, but never found a response that works for me.
So please, if anyone has a clue, please drop me a line!
Thanks,
Patrick Coomans