Re: [FW-1] Error by opening ipsec-tunnel between Checkpoint VPN-1 and PIX
What version of PIX software are you using? If it's anything below 6.0.x it won't support D/H group 2.

Jeffrey Shuron
Security Specialist - CCSA, GSEC, CCNA
MPR
[email protected]
www.mprtech.com

From: Juan Concepcion <[email protected]>
Sent by: Mailing list for discussion of Firewall-1 <[email protected]>
Date: 12/10/2001 09:55 PM
Please respond to: Mailing list for discussion of Firewall-1
To: [email protected]
cc:
Subject: Re: [FW-1] Error by opening ipsec-tunnel between Checkpoint VPN-1 and PIX

Disable the aggressive mode; I don't believe that the PIX supports this mode, if I remember correctly. Also, the error message indicates that the shared secret between the PIX and the firewall is not the same.

On Mon, 10 Dec 2001 14:45:47 +0100, Novak Martin <[email protected]> wrote:

>Hello group,
>
>I have a problem opening an ipsec-tunnel between a Check Point VPN-1
>firewall (our FW) and a PIX (other FW).
>When installing the tunnel I used the Check Point white paper "Check Point
>VPN-1 and Cisco Pix Gateway to Gateway IKE VPN using Pre-Shared Secrets"
>written by David Dietrich.
>But the tunnel only works in one direction (from PIX to VPN-1); in the other
>direction the following error message appears:
>"IKE Log: Sent Notification: authentication failed <phase1 stage2>
>Negotiation ID: c489b749c20f14c3-bae774"
>
>VPN-1 settings:
>  Object FW-VPN1
>   - Domain: other: Encrypt-Domain
>   - Encryption schemes defined: IKE
>   - Turn on Traffic Control Logging
>   IKE Properties
>   - Support key exchange encryption with: DES
>   - Support data integrity with: SHA1
>   - Support authentication methods: Pre-Shared Secret (vpn = abc)
>   - Supports Aggressive Mode
>     Support key exchange for Subnets
>
>  Object FW-PIX
>   - Domain: other: Encrypt-Domain
>   - Encryption schemes defined: IKE
>   - Turn on Traffic Control Logging
>   IKE Properties
>   - Support key exchange encryption with: DES
>   - Support data integrity with: SHA1
>   - Support authentication methods: Pre-Shared Secret (vpn = abc)
>   - Supports Aggressive Mode
>     Support key exchange for Subnets
>
>  General settings
>   Policy/Properties/Encryption:
>   - Enable Exportable SKIP
>   - Change SKIP Session Key every 120 seconds or every 10485760 Bytes
>   - Manual IPSEC: SPI allocation range from h100 to hffff
>   - IKE: Renegotiate IKE Security Associations every 1440 minutes
>   - IKE: Renegotiate IPSEC Security Associations every 1800 seconds
>
>  Encryption settings
>   - IKE
>   - Transform: Encryption + Data Integrity (ESP)
>   - Encryption Algorithm: DES
>   - Data Integrity Algorithm: SHA1
>   - Allowed Peer Gateway: Any
>
>PIX settings:
>  crypto ipsec transform-set earne esp-des esp-sha-hmac
>  crypto map cmap 10 ipsec-isakmp
>  crypto map cmap 10 match address uta-billbyclick
>  crypto map cmap 10 set peer 145.20.254.210
>  crypto map cmap 10 set transform-set earne
>  crypto map cmap interface outside
>  isakmp enable outside
>  isakmp key *** address 145.20.254.210 netmask 255.255.255.255
>  isakmp identity address
>  isakmp policy 10 authentication pre-share
>  isakmp policy 10 encryption des
>  isakmp policy 10 hash sha
>  isakmp policy 10 group 2
>  isakmp policy 10 lifetime 86400
>
>Thank you for your contribution.
>
>Martin
>
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>To set vacation, Out Of Office, or away messages,
>send an email to [email protected]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>If you have any questions on how to change your
>subscription options, email Ron Alcatraz at:
>[email protected]
>=================================================
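An added example, not code from the thread, Check Point or Cisco: a small pre-flight check that parses the PIX "isakmp policy" lines posted above, expresses the VPN-1 object's IKE Properties in the same keyword vocabulary, and reports every phase-1 attribute that differs, together with the two points raised in the replies (PIX version versus D/H group 2, and the VPN-1 "Supports Aggressive Mode" setting against a PIX peer that only does main mode). The VPN-1 side's D/H group is not shown in the post, so it is passed in explicitly; whether the PIX accepts aggressive mode is likewise a parameter, defaulting to "no" as the reply suggests. The sample config string is constructed from the posted lines, and all function names are mine.

```python
import re

# Phase-1 (ISAKMP SA) attributes both peers must agree on before the
# pre-shared key is ever checked.  Values use the PIX keyword vocabulary;
# the Check Point GUI labels are mapped onto it below.
PHASE1_ATTRS = ("encryption", "hash", "authentication", "group")

# Check Point GUI labels (as seen in the post) -> PIX isakmp keywords.
_VPN1_TO_PIX = {
    "DES": "des", "3DES": "3des",
    "SHA1": "sha", "MD5": "md5",
    "Pre-Shared Secret": "pre-share",
}

# Constructed sample: the isakmp lines from the post (the key is masked there too).
PIX_CONFIG = """\
isakmp enable outside
isakmp key *** address 145.20.254.210 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""


def parse_pix_isakmp(config):
    """Collect `isakmp policy <n> <attr> <value>` lines into {n: {attr: value}}."""
    policies = {}
    pat = re.compile(r"^\s*isakmp policy (\d+) (\S+) (\S+)\s*$")
    for line in config.splitlines():
        m = pat.match(line)
        if m:
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return policies


def vpn1_proposal(encryption, integrity, auth_method, dh_group, aggressive):
    """Express a VPN-1 object's IKE Properties in PIX vocabulary.
    dh_group is an explicit argument because the post does not show it (assumption)."""
    return {
        "encryption": _VPN1_TO_PIX[encryption],
        "hash": _VPN1_TO_PIX[integrity],
        "authentication": _VPN1_TO_PIX[auth_method],
        "group": str(dh_group),
        "aggressive": aggressive,
    }


def phase1_mismatches(pix_policy, vpn1):
    """Return {attr: (pix_value, vpn1_value)} for each phase-1 attribute that differs."""
    return {a: (pix_policy.get(a), vpn1[a]) for a in PHASE1_ATTRS
            if pix_policy.get(a) != vpn1[a]}


def pix_version(s):
    """'6.0(1)' -> (6, 0); the interim release in parentheses is ignored."""
    m = re.match(r"(\d+)\.(\d+)", s)
    if not m:
        raise ValueError("unrecognised PIX version: %r" % s)
    return int(m.group(1)), int(m.group(2))


def pix_supports_dh_group2(version):
    """Rule exactly as stated in the reply above: D/H group 2 needs PIX 6.0.x or later."""
    return pix_version(version) >= (6, 0)


def diagnose(pix_config, version, vpn1, pix_aggressive=False):
    """List the phase-1 problems that can sit behind an 'authentication failed'
    notification.  pix_aggressive=False follows the reply's belief that the PIX
    does not do aggressive mode for this peer (assumption, not verified here)."""
    findings = []
    policies = parse_pix_isakmp(pix_config)
    if not policies:
        return ["no isakmp policy found in PIX config"]
    for num, pol in sorted(policies.items()):
        if pol.get("group") == "2" and not pix_supports_dh_group2(version):
            findings.append("policy %d uses DH group 2 but PIX %s predates 6.0"
                            % (num, version))
        for attr, (p, v) in phase1_mismatches(pol, vpn1).items():
            findings.append("policy %d %s: PIX=%s VPN-1=%s" % (num, attr, p, v))
    if vpn1["aggressive"] and not pix_aggressive:
        findings.append("VPN-1 object has 'Supports Aggressive Mode' set; "
                        "PIX peer is main-mode only")
    return findings


if __name__ == "__main__":
    # The VPN-1 FW-PIX object from the post, with D/H group 2 assumed.
    peer = vpn1_proposal("DES", "SHA1", "Pre-Shared Secret", 2, aggressive=True)
    for finding in diagnose(PIX_CONFIG, "5.3(1)", peer):
        print(finding)
```

What this check cannot do is confirm the pre-shared secret itself matches on both ends: that is only visible as the failure being discussed, so once the proposal attributes, D/H group and exchange mode line up, re-enter the key on both gateways.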