
[FW-1] Error opening ipsec-tunnel between Checkpoint VPN-1 and PIX



Hello group,

I have a problem opening an IPsec tunnel between a Check Point VPN-1
firewall (our FW) and a PIX (other FW).
To set up the tunnel I used the Check Point white paper "Check Point
VPN-1 and Cisco Pix Gateway to Gateway IKE VPN using Pre-Shared Secrets"
written by David Dietrich.
But the tunnel only works in one direction (from PIX to VPN-1); in the other
direction I get the following error message:
"IKE Log: Sent Notification: authentication failed <phase1 stage2>
Negotiation ID: c489b749c20f14c3-bae774"

VPN-1 settings:
        Object FW-VPN1
        - Domain: other: Encrypt-Domain
        - Encryption schemes defined: IKE
        - Turn on Traffic Control Logging
                IKE Properties
                - Support key exchange encryption with: DES
                - Support data integrity with: SHA1
                - Support authentication methods: Pre-Shared Secret (vpn = abc)
                - Supports Aggressive Mode
                Support keys exchange for Subnets

        Object FW-PIX
        - Domain: other: Encrypt-Domain
        - Encryption schemes defined: IKE
        - Turn on Traffic Control Logging
                IKE Properties
                - Support key exchange encryption with: DES
                - Support data integrity with: SHA1
                - Support authentication methods: Pre-Shared Secret (vpn = abc)
                - Supports Aggressive Mode
                Support keys exchange for Subnets

        general settings
        Policy/Properties/Encryption:
        - Enable Exportable Skip
        - Change SKIP Session Key every 120 seconds or every 10485760 Bytes
        - Manual IPSEC: SPI allocation range from h100 to hffff
        - IKE: Renegotiate IKE Security Associations every 1440 minutes
        - IKE: Renegotiate IPSEC Security Associations every 1800 seconds

        encryption settings
        - IKE
                - Transform: Encryption + Data Integrity (ESP)
                - Encryption Algorithm: DES
                - Data Integrity Algorithm: SHA1
                - Allowed Peer Gateway: Any

PIX settings:
        crypto ipsec transform-set earne esp-des esp-sha-hmac
        crypto map cmap 10 ipsec-isakmp
        crypto map cmap 10 match address uta-billbyclick
        crypto map cmap 10 set peer 145.20.254.210
        crypto map cmap 10 set transform-set earne
        crypto map cmap interface outside
        isakmp enable outside
        isakmp key *** address 145.20.254.210 netmask 255.255.255.255
        isakmp identity address
        isakmp policy 10 authentication pre-share
        isakmp policy 10 encryption des
        isakmp policy 10 hash sha
        isakmp policy 10 group 2
        isakmp policy 10 lifetime 86400

Thank you for your contribution.

Martin
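
A check one could run over the two listings above, as an added example that is not part of the original post: it parses the PIX `isakmp policy` lines and compares them field by field with the VPN-1 phase 1 values. The `VPN1_PHASE1` dictionary is a hand transcription of the post's GUI listing with names normalized to the PIX keywords (an assumption), and a field the post does not state for one side is reported as unknown rather than guessed.

```python
import re

# PIX phase 1 lines copied from the post.
PIX_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""

# VPN-1 phase 1 values transcribed by hand from the post's listing and
# normalized to PIX keywords (assumption). The post states no
# Diffie-Hellman group for this side, so it is None.
VPN1_PHASE1 = {
    "authentication": "pre-share",   # "Pre-Shared Secret"
    "encryption": "des",             # "DES"
    "hash": "sha",                   # "SHA1"
    "group": None,                   # not stated in the post
    "lifetime": 1440 * 60,           # "every 1440 minutes", in seconds
}

def parse_pix_isakmp(config):
    """Return {priority: {field: value}} from PIX 'isakmp policy' lines."""
    policies = {}
    for line in config.splitlines():
        m = re.match(r"\s*isakmp policy (\d+) (\S+) (\S+)\s*$", line)
        if not m:
            continue  # ignore everything that is not a policy line
        prio, field, value = int(m.group(1)), m.group(2), m.group(3)
        if field in ("group", "lifetime"):
            value = int(value)
        policies.setdefault(prio, {})[field] = value
    return policies

def compare_phase1(pix_policy, peer):
    """Classify each phase 1 field as 'match', 'mismatch' or 'unknown'."""
    report = {}
    for field in sorted(set(pix_policy) | set(peer)):
        a, b = pix_policy.get(field), peer.get(field)
        if a is None or b is None:
            report[field] = ("unknown", a, b)
        else:
            report[field] = ("match" if a == b else "mismatch", a, b)
    return report

if __name__ == "__main__":
    pix = parse_pix_isakmp(PIX_CONFIG)[10]
    for field, (status, a, b) in compare_phase1(pix, VPN1_PHASE1).items():
        print(f"{field:15} {status:9} PIX={a!r} VPN-1={b!r}")
```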




