
[FW-1] Vpn-1 vs IOSsec



Hi,
I'm trying an IPsec connection between VPN-1 and Cisco IOS.
I've noticed why it hadn't worked before. Case:
I thought the configuration was OK (double-checked); I used the
Checkpoint documentation for IOS <-> VPN-1. However, I've noticed
this in the IOS debug:

xx: validate proposal request 0
xx: IPSEC(validate_transform_proposal): proxy identities not supported
xx: ISAKMP (0:1): IPSec policy invalidated proposal
xx: ISAKMP (0:1): phase 2 SA not acceptable!
xx: CryptoEngine0: generate hmac context for conn id 1
xx: ISAKMP (0:1): sending packet to yy (R) QM_IDLE
xx: ISAKMP (0:1): purging node xxx
xx: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with pee
xx: ISAKMP (0:1): deleting node xxxxxx error FALSE reason "IKMP_NO_ERR"

Plus the VPN-1 side log:
"IKE error: no proposal chosen, negotation ID xxxxxx"
"encryption error: error occurred scheme"

The IPsec properties are the same (DES, MD5, etc.). So
I've checked the access list on the IOS; the only
difference with VPN-1 is that the access lists are based
on hosts, not networks. (I only want access
between the hosts, not the networks.) And the Checkpoint
rule is: hostsX <-> hostsY - encrypt.
The question is: what is the effect of an IOS ACL based on
hostsX <-> hostsY on IPsec, even if the IPsec policy is
identical on both sides? Is there a relationship with
"Support key exchanges for subnets"?


=====
Sick Boy, Oi
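
An added triage example, not part of the original post: it rejoins the mail-wrapped IOS debug lines quoted above and reports which IKE phase failed and the reason IOS logged. The function names and the "check" hint are assumptions of this example; the hint rests on the reading that "proxy identities" are the host/subnet pairs proposed in quick mode.

```python
import re

# Excerpt of the IOS debug quoted in the post, mail line-wrapping left as it arrived.
DEBUG = """\
xx: validate proposal request 0
xx: IPSEC(validate_transform_proposal): proxy
identities not supported
xx: ISAKMP (0:1): IPSec policy invalidated proposal
xx: ISAKMP (0:1): phase 2 SA not acceptable!
xx: ISAKMP (0:1): sending packet to yy (R) QM_IDLE
xx: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick
mode failed with pee
"""

REASON = re.compile(r"IPSEC\(validate_transform_proposal\):\s*(.+)")

def unwrap(text, prefix="xx:"):
    """Rejoin wrapped records: a line without the timestamp prefix
    (redacted as 'xx:' in the post) continues the previous record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(prefix) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def triage(text):
    """Summarise where the negotiation failed (hypothetical helper)."""
    result = {"phase1_established": False, "phase2_rejected": False,
              "reason": None, "check": None}
    for rec in unwrap(text):
        m = REASON.search(rec)
        if m:
            result["reason"] = m.group(1).strip()
        if "QM_IDLE" in rec:  # ISAKMP SA is up and idle, so phase 1 completed
            result["phase1_established"] = True
        if "phase 2 SA not acceptable" in rec or "IKMP_MODE_FAILURE" in rec:
            result["phase2_rejected"] = True
    if result["reason"] and "proxy identit" in result["reason"]:
        # Assumption: compare the crypto ACL entries with what the peer proposes
        result["check"] = "traffic selectors: crypto ACL vs. peer's proposed hosts/subnets"
    return result

if __name__ == "__main__":
    for key, value in triage(DEBUG).items():
        print(f"{key}: {value}")
```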




 
   All contents © 2004 Network Presence, LLC. All rights reserved.