Patrick,

I have done extensive work using SonicWall and netscreen devices. I too have seen these errors, but they have ALWAYS been due to minor mis-configurations on either side. Make sure that the encryption rule is set up right, make sure you're not trying to use PFS, etc. Overall I recommend double-checking your IKE settings... I hope this helps.

Chad
Chad T. Mansfield
Security Engineer
The Hull Group, A Goldman Sachs Company
311 S. Wacker Dr., Suite 1400
Chicago, IL 60606
-----Original Message-----
From: Patrick Coomans [mailto:[email protected]]
Sent: Thursday, June 28, 2001 3:48 PM
To: [email protected]
Subject: Re: [FW1] Again, VPN w/ Netscreen & IKE gives me a headache
So, is this a fw1 bug?

Anyway, I tried this but sadly I didn't get it to work yet.

Thx anyway,
Patrick
>>> <[email protected]> 28/06/01 17:25 >>>
Hi Patrick,
on the FW1 side you should have defined a workstation object called e.g. Netscreen. If so then select the "FW-1/VPN-1" button and version "4.1" - this "should" work as it sets FW1 in "mood" to support subnets over vpn.
Hope it helps...
Marco
"Patrick Coomans" <[email protected]> on 28.06.2001 09:29:15
To: [email protected]
Cc: (Bcc: Marco Rossi/asap)
Subject: [FW1] Again, VPN w/ Netscreen & IKE gives me a headache
Hi,

I tried to establish a VPN tunnel between a FW1 4.1 sp3 and a netscreen version 2.5.

So first I read the document of Netscreen "Checkpoint Interoperability" & checked out phoneboy.

I use IKE with DES/MD5 and pre-shared secrets,
configured a rule to allow IKE flow between the FW1 and the NSCRN,
configured Encrypt rules for all traffic between the sites,
configured the VPN tab in both the FW1 and the NSCRN objects for encryption in the Encryption Domain,
we support subnets,
made sure the time I saw in the log viewer of the FW1 is exactly the same time I entered in the console of the netscreen,
and I also changed the IKE key lifetime to 28800 seconds on both the netscreen and the fw1.

The logging gives me:

green Accept IKE
blue IKE Phase1 Completion DES/MD5 pre-shared secrets
blue IKE Log: sent notification : no proposal chosen <phase2 stage1>

and the VPN fails.

I tried switching the different proposals in the netscreen and selecting different ones, I also tried to use pfm or nopfm, to no avail. Changing from aggressive mode to normal mode did not change a thing.

I did find multiple archived messages of people asking the same question, but never found a response that works for me.

So please, if anyone has a clue, please drop me a line!

Thanks,
Patrick Coomans
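The log Patrick quotes shows Phase 1 completing and the peer rejecting Phase 2 with "no proposal chosen", which is the IKE notification sent when none of the initiator's IPsec (Quick Mode) proposals matches anything the responder is configured for; Chad's reply lists the usual culprits (encrypt rule, PFS, IKE settings). The script below is an added example written for this page, not code from the thread or from Check Point or NetScreen: it classifies FW-1 log lines like the ones above and compares two peers' Phase 2 proposals attribute by attribute to name the mismatch. The `Phase2Proposal` structure, its field names and both sample configurations are constructed for illustration and are not the products' configuration syntax.

```python
# Added example (not from the thread): interpret a FireWall-1 IKE log and
# compare the two peers' IKE Phase 2 (Quick Mode) proposals to explain a
# "no proposal chosen" notification. Phase2Proposal, its field names and the
# sample configurations are constructed, not FW-1 or NetScreen syntax.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Phase2Proposal:
    """One IPsec proposal as configured on a peer (hypothetical structure)."""
    encryption: str           # e.g. "des", "3des"
    integrity: str            # e.g. "md5", "sha1"
    pfs_group: Optional[int]  # None = PFS off, otherwise the Diffie-Hellman group
    lifetime_seconds: int
    encapsulation: str = "tunnel"


def describe(p: Phase2Proposal) -> str:
    pfs = "no-pfs" if p.pfs_group is None else f"pfs-group{p.pfs_group}"
    return f"{p.encryption}/{p.integrity}/{pfs}/{p.encapsulation}/{p.lifetime_seconds}s"


def proposal_differences(a: Phase2Proposal, b: Phase2Proposal) -> List[str]:
    """Attributes on which a responder would reject proposal a against b.
    Lifetime is deliberately excluded: IKEv1 responders generally accept a
    different offered lifetime rather than rejecting the whole proposal."""
    diffs = []
    if a.encryption.lower() != b.encryption.lower():
        diffs.append(f"encryption {a.encryption} != {b.encryption}")
    if a.integrity.lower() != b.integrity.lower():
        diffs.append(f"integrity {a.integrity} != {b.integrity}")
    if a.pfs_group != b.pfs_group:
        diffs.append(f"PFS {a.pfs_group} != {b.pfs_group}")
    if a.encapsulation.lower() != b.encapsulation.lower():
        diffs.append(f"encapsulation {a.encapsulation} != {b.encapsulation}")
    return diffs


def find_phase2_mismatches(local: List[Phase2Proposal],
                           remote: List[Phase2Proposal]) -> List[str]:
    """Empty list when at least one local proposal matches one remote proposal
    (the responder would choose it); otherwise one reason per rejected pair."""
    reasons = []
    for lp in local:
        for rp in remote:
            diffs = proposal_differences(lp, rp)
            if not diffs:
                return []
            reasons.append(f"{describe(lp)} vs {describe(rp)}: " + "; ".join(diffs))
    return reasons


# Patterns modelled on the log lines quoted in the thread; the log viewer's
# colour prefix ("green", "blue") is simply not part of the match.
PHASE1_DONE = re.compile(r"IKE Phase1 Completion\s+(\w+)/(\w+)\s+(.+)$", re.I)
NO_PROPOSAL = re.compile(r"no proposal chosen\s*<\s*(phase[12])\s*stage(\d)\s*>", re.I)


def diagnose_fw1_log(lines: List[str]) -> Dict[str, object]:
    """Classify which IKE phase failed and what Phase 1 negotiated."""
    result: Dict[str, object] = {"phase1_completed": False, "phase1_params": None,
                                 "failed_phase": None, "notification": None}
    for line in lines:
        m = PHASE1_DONE.search(line)
        if m:
            result["phase1_completed"] = True
            result["phase1_params"] = (m.group(1).lower(), m.group(2).lower(), m.group(3).strip())
        m = NO_PROPOSAL.search(line)
        if m:
            # NO-PROPOSAL-CHOSEN (ISAKMP notify type 14) in Phase 2 means none
            # of the initiator's IPsec proposals matched the responder's.
            result["failed_phase"] = m.group(1).lower()
            result["notification"] = "NO_PROPOSAL_CHOSEN"
    return result


def explain(log: List[str], local: List[Phase2Proposal],
            remote: List[Phase2Proposal]) -> List[str]:
    """Combine the log classification with the proposal comparison."""
    d = diagnose_fw1_log(log)
    if d["phase1_completed"] and d["failed_phase"] == "phase2":
        return find_phase2_mismatches(local, remote) or [
            "proposals match; check the encrypt rule and encryption domains"]
    return []


# Constructed sample: the three log lines from the thread, and two peer
# configurations that differ only in PFS (one of the checks Chad suggests).
SAMPLE_LOG = [
    "green Accept IKE",
    "blue IKE Phase1 Completion DES/MD5 pre-shared secrets",
    "blue IKE Log: sent notification : no proposal chosen <phase2 stage1>",
]
FW1_PROPOSALS = [Phase2Proposal("DES", "MD5", None, 28800)]
NETSCREEN_PROPOSALS = [Phase2Proposal("des", "md5", 2, 28800)]

if __name__ == "__main__":
    for reason in explain(SAMPLE_LOG, FW1_PROPOSALS, NETSCREEN_PROPOSALS):
        print(reason)
```

Run as-is, the sample reports `PFS None != 2`, i.e. one side offers PFS and the other does not, which is exactly the case where Phase 1 succeeds and Phase 2 is refused. Lifetime is compared nowhere on purpose, since a lifetime difference alone normally does not produce this notification; when every attribute matches, the remaining suspects are the encrypt rule and the encryption domains (subnet versus host objects), as the replies above suggest.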