[FW-1] Error by opening ipsec-tunnel between Checkpoint VPN-1 and PIX
Hello group,

I have a problem with opening an ipsec-tunnel between a Check Point VPN-1 firewall (our FW) and a PIX (other FW). When installing the tunnel I used the Check Point white paper "Check Point VPN-1 and Cisco Pix Gateway to Gateway IKE VPN using Pre-Shared Secrets" written by David Dietrich. But the tunnel only works in one direction (from PIX to VPN-1); in the other direction the following error message appears:

"IKE Log: Sent Notification: authentication failed <phase1 stage2> Negotiation ID: c489b749c20f14c3-bae774"

VPN-1 settings:

Object FW-VPN1
  - Domain: other: Encrypt-Domain
  - Encryption schemes defined: IKE
  - Turn on Traffic Control Logging
  IKE Properties
  - Support key exchange encryption with: DES
  - Support data integrity with: SHA1
  - Support authentication methods: Pre-Shared Secret (vpn = abc)
  - Supports Aggressive Mode
  - Support keys exchange for Subnets

Object FW-PIX
  - Domain: other: Encrypt-Domain
  - Encryption schemes defined: IKE
  - Turn on Traffic Control Logging
  IKE Properties
  - Support key exchange encryption with: DES
  - Support data integrity with: SHA1
  - Support authentication methods: Pre-Shared Secret (vpn = abc)
  - Supports Aggressive Mode
  - Support keys exchange for Subnets

general settings Policy/Properties/Encryption:
  - Enable Exportable Skip
  - Change SKIP Session Key every 120 seconds or every 10485760 Bytes
  - Manual IPSEC: SPI allocation range from h100 to hffff
  - IKE: Renegotiate IKE Security Associations every 1440 minutes
  - IKE: Renegotiate IPSEC Security Associations every 1800 seconds

encryption settings
  - IKE
  - Transform: Encryption + Data Integrity (ESP)
  - Encryption Algorithm: DES
  - Data Integrity Algorithm: SHA1
  - Allowed Peer Gateway: Any

PIX settings:

  crypto ipsec transform-set earne esp-des esp-sha-hmac
  crypto map cmap 10 ipsec-isakmp
  crypto map cmap 10 match address uta-billbyclick
  crypto map cmap 10 set peer 145.20.254.210
  crypto map cmap 10 set transform-set earne
  crypto map cmap interface outside
  isakmp enable outside
  isakmp key *** address 145.20.254.210 netmask 255.255.255.255
  isakmp identity address
  isakmp policy 10 authentication pre-share
  isakmp policy 10 encryption des
  isakmp policy 10 hash sha
  isakmp policy 10 group 2
  isakmp policy 10 lifetime 86400

Thank you for your contribution.

Martin