Re: [FW-1] ike vpn question

[Christopher Ferraro <cferraro@FW1-NOSPAMHUBBARDONE.COM>]

Title: Message

yes.  I verified license versions last night, prior to my email. 

 

this config was working previously.  the firewall was rebuilt and since then the problem has existed.

 

 

-----Original Message-----
From: Patrick Coomans [mailto:Patrick.Coomans@4ALL.BE]
Sent: Tuesday, March 19, 2002 2:40 PM
To: FW-1-MAILINGLIST@beethoven.us.checkpoint.com
Subject: Re: [FW-1] ike vpn question

Just a hunch, but are you sure both your CP licenses support the encryption proposal chosen?

e.g. you choose to use 3DES but you only have a license for FWZ.

>>> cferraro@HUBBARDONE.COM 19/03/02 21:22 >>>

Obviously, the most likely scenario is a difference in encryption settings between the endpoints of the VPN.

 

Could be an indication of the VPN module itself not processing the encryption request of the opposite end properly ?  in other words <gasp> could this be a failure of the software on one end ?

 

CF

-----Original Message-----
From: Russell Washington [mailto:russ.washington@VAULTSENTRY.COM]
Sent: Tuesday, March 19, 2002 1:04 PM
To: FW-1-MAILINGLIST@beethoven.us.checkpoint.com
Subject: Re: [FW-1] ike vpn question

Ok, dug this up in RFC2408:

 

   Proposal: A proposal is a list, in decreasing order of preference, of
   the protection suites that a system considers acceptable to protect
   traffic under a given situation.

This translates to me as "encryption settings" on an IPSec-compliant platform.  Shouldn't involve the source/target if "no proposal chosen" is the specific error being reported.

-----Original Message-----
From: Russell Washington [mailto:russ.washington@VAULTSENTRY.COM]
Sent: Tuesday, March 19, 2002 10:23 AM
To: FW-1-MAILINGLIST@beethoven.us.checkpoint.com
Subject: Re: [FW-1] ike vpn question

Could well be, but my recollection is that target/destination stuff in Phase 2 negotiation is a source proxy ID/dest proxy ID issue, not a proposal issue.  On the devices where I've seen 'no proposal chosen' and subnet issues, they've turned up with different errors for each condition (or in the case of a Checkpoint to PIX with a subnet issue, the PIX just didn't answer at all).

 

Doesn't mean he shouldn't check the encryption domains tho.  Really curious over here to hear what he finds.

-----Original Message-----
From: Shah, Nishith [mailto:nshah@CAPITALTHINKING.COM]
Sent: Tuesday, March 19, 2002 9:09 AM
To: FW-1-MAILINGLIST@beethoven.us.checkpoint.com
Subject: Re: [FW-1] ike vpn question

Most likely your encryption domains (subnets defined on firewall) are not identical on both sides.

 

It has to exactly match on both sides.

-----Original Message-----
From: Russell Washington [mailto:russ.washington@VAULTSENTRY.COM]
Sent: Tuesday, March 19, 2002 11:23 AM
To: FW-1-MAILINGLIST@beethoven.us.checkpoint.com
Subject: Re: [FW-1] ike vpn question

"No proposal chosen" means that the encryption settings on each end are not in sync.  Yes, I know you said they're identical, but that's what the error means and I believe it's defined in an RFC somewhere.  As cryptic as it sounds, it's being as precise as it will get without saying something verbose like "it says use DES on this side and 3DES on the other side and so we don't agree."

 

Here's the rundown of settings (cross-platform) that I know will tangle this up:

 

- preshared key vs RSA key vs certificates

- DES vs 3DES vs (who knows what else)

- ESP vs AH vs ESP+AH at the same time

- Perfect forward secrecy (PFS) on vs off

- Diffie-Hellman group for PFS (Group 1?  Group 2?  Group 3?)

 

What I've most often seen overlooked is the PFS/DH stuff.  One side has it on, the other has it off, or the two sides are using different DH groups.

 

Good luck.  I haven't seen one of these yet that didn't boil down to a mismatched setting between the two sides, and that includes the Checkpoint, NetScreen, and Cisco platforms.

-----Original Message-----
From: Christopher Ferraro [mailto:cferraro@HUBBARDONE.COM]
Sent: Tuesday, March 19, 2002 6:51 AM
To: FW-1-MAILINGLIST@beethoven.us.checkpoint.com
Subject: [FW-1] ike vpn question

Gentlemen:

 

I have a question for you regarding a VPN a client of mine is attempting to set up.

 

Both VPNs have identical hardware (nokia 650's), identical software (checkpoint 4.1, sp4).  All encryption settings are identical.

 

However, when the VPN ruleset is built, an error is seen in the log on one end of the VPN that says "IKE log: received notification from peer, no proposal chosen."

 

what is the root of errors of this nature ?

 

I will provide more relevant information as necessary.

 

CF

 

Christopher A. Ferraro
Senior Systems Engineer
Hubbard One
x269
mobile:
www.hubbardone.com