Hi,
I am setting up a tunnel between an AIX server with
the native IPSEC package and a pair of Nokia 330s in high availability mode
(running VRRP). I've configured the AIX server to use 3DES and MD5 and the
same on the Check Point side. The current issue is that FW-1 sends the Phase-1
proposal and the AIX does not choose one. See tcpdump below where x.x.x.x is the
virtual IP of the Nokia cluster and y.y.y.y is the IP address of the AIX server.
The dump was taken on the Nokia side.
15:18:59.140553 O x.x.x.x.500 > y.y.y.y.500:
isakmp: phase 1 I agg: (sa: doi=ipsec
situation=identity (p: #1
protoid=isakmp
transform=1
(t: #1 id=ike (type=enc value=3des)(type=hash value=md5)(type=auth
value=preshared)(type=group desc value =modp1024)(type=lifetype
value=sec)(type=lifeduration len=4 value=00093a80)))) [|ke]
15:18:59.158846 I y.y.y.y.500 > x.x.x.x.500:
isakmp: phase 1 R inf: (n: doi=ipsec proto=isakmp
type=NO-PROPOSAL-CHOSEN)
-Jeff Pecchio
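
Added example, not part of the original post: a small parser that pulls the exchange mode and transform attributes out of the tcpdump proposal line above, decodes the hex lifetime, and diffs the offer against a responder policy. RESPONDER_POLICY and the function names are hypothetical; the post does not show the actual AIX configuration.

```python
import re

# Constructed input: the initiator's proposal from the dump above, joined onto one line.
DUMP = ("isakmp: phase 1 I agg: (sa: doi=ipsec situation=identity (p: #1 "
        "protoid=isakmp transform=1 (t: #1 id=ike (type=enc value=3des)"
        "(type=hash value=md5)(type=auth value=preshared)"
        "(type=group desc value =modp1024)(type=lifetype value=sec)"
        "(type=lifeduration len=4 value=00093a80)))) [|ke]")

# Hypothetical responder policy, constructed for illustration only;
# it is not the actual AIX configuration, which the post does not show.
RESPONDER_POLICY = {"mode": "main", "enc": "3des", "hash": "md5",
                    "auth": "preshared", "group": "modp1024"}

ATTR_RE = re.compile(
    r"\(type=([a-z ]+?)\s+(?:len=\d+\s+)?value\s*=\s*([0-9a-z]+)\)")
MODE_RE = re.compile(r"phase 1 ([IR]) (\w+):")


def parse_proposal(line):
    """Return the exchange mode and transform attributes tcpdump printed."""
    mode = MODE_RE.search(line)
    if mode is None:
        raise ValueError("not a tcpdump ISAKMP phase 1 line")
    proposal = {"mode": mode.group(2)}       # "agg", "ident", "inf", ...
    for name, value in ATTR_RE.findall(line):
        proposal[name.split()[0]] = value    # "group desc" -> "group"
    if proposal.get("lifetype") == "sec" and "lifeduration" in proposal:
        # tcpdump prints the lifetime as raw hex bytes; decode to seconds.
        proposal["lifetime_sec"] = int(proposal.pop("lifeduration"), 16)
    return proposal


def mismatches(proposal, policy):
    """List (attribute, offered, expected) for each policy field that differs."""
    return [(key, proposal.get(key), want) for key, want in policy.items()
            if proposal.get(key) != want]


if __name__ == "__main__":
    offered = parse_proposal(DUMP)
    for key, value in offered.items():
        print(f"{key:13} {value}")
    for key, got, want in mismatches(offered, RESPONDER_POLICY):
        print(f"MISMATCH {key}: offered {got!r}, responder expects {want!r}")
```

The same comparison can be run against each side's real settings by replacing RESPONDER_POLICY with the values actually configured on the responder.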