Re: [FW-1] Urgent: Trying to get a Netscreen 25 working together with VPN-1 NG
Some ideas:

- Perfect Forward Secrecy (PFS) settings (on/off as well as DH group) *must* agree on both sides for both Phase 1 (firewall object IKE properties on the Checkpoint) and Phase 2 (Encryption action properties at the traffic-handling rule).

- The NetScreen is a bit more stringent than FW-1 (well, 4.x at least) about specifying target hosts/networks. Your "to" and "from" in each direction *must* match exactly. If they do not, the NS will not complete Phase 2.

- Scratch aggressive mode and use main mode. Main is more secure anyway, and you don't have to worry about something getting bogged in trying to be "different". You control this on the firewall object IKE properties on the Checkpoint. I believe it's a gateway property on the NetScreen, but if it's not there I know it's in a tunnel-specific setting somewhere.

- Make sure that one side or the other isn't trying to use both ESP *and* AH at the same time. If I recall correctly one will support that config but the other won't; I just can't recall which is which.

From the log entries proper, though, it looks like you're dying in Phase 1, and that would tend to suggest a PFS disagreement if your encryption settings are identical on each end.

FWIW, I'd trim the proposals down to SHA1 and 3DES. They *will* work between a Checkpoint and an NS. Having multiple proposals isn't bad per se, but it will certainly complicate your troubleshooting.

Hope this helps.

-----Original Message-----
From: Nico De Ranter [mailto:[email protected]]
Sent: Thursday, April 25, 2002 4:05 AM
To: [email protected]
Subject: [FW-1] Urgent: Trying to get a Netscreen 25 working together with VPN-1 NG

Hi,

I'm trying to set up a VPN between a Netscreen 25 and a Checkpoint VPN-1 NG.FP1 firewall. Unfortunately the Netscreen keeps on refusing the connection. In the logs I see something like:

2002-04-25 11:54:43 system info 00536 IKE <x.x.x.x> Phase 1: Discarded a second initial packet, which arrived within 5 seconds.
2002-04-25 11:54:39 system info 00536 IKE <x.x.x.x> Phase 1: Rejected proposals from peer (NO PROPOSAL CHOSEN). Negotiations failed.
2002-04-25 11:54:39 system info 00536 IKE <x.x.x.x> Phase 1: Responder starts aggressive mode negotiations.

The Checkpoint firewall initiates the VPN. Any idea what might cause the "No Proposal chosen"? Both sides are set up to use 3DES with either MD5 or SHA1 (tried both).

Nico

---------------------------------------------------------
"It has been said that there are only two businesses that refer to customers as users: illegal drug trade and the computer industry."
---------------------------------------------------------
Nico De Ranter
Sony Service Center (SDCE/VPE-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41
Telefax: +32 2 726 26 86
e-mail: [email protected]

=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
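The proposal-matching advice in the reply and the NetScreen log lines in the original message, modelled as an added Python example that is not part of the thread: the proposal values are constructed, and treating the exchange mode as a proposal attribute is a simplification of real IKE (where it is the exchange type), made so the check can flag an aggressive/main disagreement alongside a cipher, hash or DH group one.

```python
# Added example, not from the thread: a small model of IKE Phase 1 proposal
# matching plus a parser for the NetScreen IKE log lines quoted in the thread.
import re

# Attributes the reply says must agree on both sides.  Treating the exchange
# mode as a proposal attribute is a simplification for this check.
KEYS = ("enc", "hash", "dh", "mode")

def proposal(enc: str, hash_: str, dh: int, mode: str = "main") -> dict:
    return dict(zip(KEYS, (enc, hash_, dh, mode)))

def negotiate_phase1(initiator: list, responder: list):
    """Responder accepts the first initiator proposal it also has configured.
    Returns (chosen, diagnostics); chosen is None when nothing matched, which
    is what the NetScreen logs as NO PROPOSAL CHOSEN."""
    for i in initiator:
        if i in responder:
            return i, []
    diagnostics = []
    for i in initiator:
        # closest responder entry and the attributes that keep it from matching
        best = min(responder, key=lambda r: sum(i[k] != r[k] for k in KEYS))
        diagnostics.append({k: (i[k], best[k]) for k in KEYS if i[k] != best[k]})
    return None, diagnostics

# Log lines copied from the original message (peer address masked there already).
NS_LOG = """\
2002-04-25 11:54:43 system info 00536 IKE <x.x.x.x> Phase 1: Discarded a second initial packet, which arrived within 5 seconds.
2002-04-25 11:54:39 system info 00536 IKE <x.x.x.x> Phase 1: Rejected proposals from peer (NO PROPOSAL CHOSEN). Negotiations failed.
2002-04-25 11:54:39 system info 00536 IKE <x.x.x.x> Phase 1: Responder starts aggressive mode negotiations.
"""
LOG_RE = re.compile(r"^(\S+ \S+) system info (\d+) IKE <([^>]+)> Phase (\d): (.*)$")

def phase1_failures(log: str) -> list:
    """Return (timestamp, peer, message) for Phase 1 lines that report a failure."""
    out = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(4) == "1" and "failed" in m.group(5).lower():
            out.append((m.group(1), m.group(3), m.group(5)))
    return out

if __name__ == "__main__":
    # Constructed configs: Checkpoint initiating in aggressive mode with two
    # proposals, NetScreen responding with a single main-mode entry.
    checkpoint = [proposal("3des", "md5", 2, "aggressive"), proposal("3des", "sha1", 2, "aggressive")]
    netscreen = [proposal("3des", "sha1", 2, "main")]
    print(negotiate_phase1(checkpoint, netscreen))   # (None, [...mode mismatch...])
    print(phase1_failures(NS_LOG))                   # one NO PROPOSAL CHOSEN entry
```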