Re: [FW-1] IKE tunnel between 4.1 sp5 and cisco pix.

"No proposal chosen" means that something between the Checkpoint settings and the Cisco settings isn't lining up.  In the context of Phase 1, this probably means that one of the following isn't agreeing on each side:
 
- Encryption (ESP/DES or ESP/3DES)
- Hash (SHA1 or MD5)
- Diffie-Hellman (DH) group number (for Perfect Forward Secrecy, or PFS)
 
I've set up a couple of 4.1<->PIX VPNs and dealing with the Ciscos is a little tough if you don't have your hands on the PIX yourself.  One bugger to know about, though, is this:  the 4.1 SP5 firewall is going to send two Phase 1 proposals for the Diffie-Hellman group, by default (I found this out sniffing Cisco debugs the last time I had one of these).  One is going to specify PFS using DH Group 1, the second will specify PFS using DH Group 2.  Incidentally, not only is this non-configurable (without going under the hood), but you won't see any reference to DH or PFS in the GUI in the context of Phase 1.  But it *is* there.
 
Group 2 seems to cause tunnel negotiation and/or stability problems with 4.1 SP5 *if* you are talking to a non-Checkpoint firewall that... well, it works with some, doesn't work with others, and I've never figured out the whys of it all.  When I set up 4.1 --> non-Checkpoint I always try Group 2, and if the tunnel has a hard time negotiating or anything, I drop it down to Group 1.
 
That said, just to get this running, you will want to tell the Cisco config explicitly to use DH Group 1.  I haven't been able to get Group 2 to stay stable when talking to a PIX, if I can even get it to come up at all.
 
You can also wind up with a "No Proposal Chosen" under Phase 2 (not your situation... yet).  If this happens, you have the same basic set of issues listed above.  However, an additional variable is how the communication endpoints (the devices that talk through the tunnel, not the firewalls themselves) are defined.  If one side says "from host A to network B" and the other says "from network B to network C which happens to contain host A," Phase 2 negotiation will fail.
-----Original Message-----
From: Jason Jernigan [mailto:[email protected]]
Sent: Monday, May 13, 2002 7:02 AM
To: [email protected]
Subject: [FW-1] IKE tunnel between 4.1 sp5 and cisco pix.

All,

I am trying to establish an IKE tunnel between 4.1 sp5 and a cisco pix. I have set up the rules to allow all between the pix and fw-1 and set up incoming and outgoing rules with action encrypt for the networks on each side. When I attempt to test the tunnel, I get a message in the logs with "key install" as the action and "IKE log: Sent Notification no proposal chosen <phase1 stage2> Negotiation Id: " followed by a long hex number in the info field. Can anyone shed some light on what this message may mean? Thanks in advance for any assistance.

Jason Jernigan

[email protected]

Primus Telecommunications
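The two failure modes described in the reply above, modelled as an added example (not code from either poster, from FireWall-1 or from the PIX). It assumes a simplified IKEv1 responder that accepts the first initiator transform exactly equal to one of its own configured policies (real implementations walk their policies by priority, but the intersection is what decides "no proposal chosen"), models the FW-1 4.1 SP5 behaviour the reply describes (two Phase 1 transforms differing only in DH group, group 1 first), and uses constructed addresses for the Phase 2 proxy-ID case where one side says "host A to network B" and the other "network B to a network C that contains host A".

```python
"""IKEv1 'no proposal chosen' checker: Phase 1 transform matching and
Phase 2 proxy-ID (traffic selector) matching.

Added illustration; not code from the original posts, FW-1 or the PIX.
Transform sets and CIDR blocks below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Phase1Transform:
    encryption: str   # "DES" or "3DES"
    hash_alg: str     # "MD5" or "SHA1"
    dh_group: int     # 1 (modp768) or 2 (modp1024)


def fw1_default_phase1(encryption: str, hash_alg: str) -> List[Phase1Transform]:
    """Model of the FW-1 4.1 SP5 behaviour described in the reply (assumption):
    one transform per DH group, group 1 first, everything else identical."""
    return [Phase1Transform(encryption, hash_alg, g) for g in (1, 2)]


def choose_phase1(initiator: Iterable[Phase1Transform],
                  responder_policies: Iterable[Phase1Transform]) -> Optional[Phase1Transform]:
    """Simplified responder: accept the first initiator transform that exactly
    equals a configured policy. None means NOTIFY NO-PROPOSAL-CHOSEN."""
    policies = set(responder_policies)
    for t in initiator:
        if t in policies:
            return t
    return None


def phase1_mismatches(initiator: Iterable[Phase1Transform],
                      responder_policies: Iterable[Phase1Transform]) -> List[str]:
    """For a failed Phase 1, name the attributes on which the two sides never
    agree: the encryption / hash / DH-group checklist from the reply."""
    init, resp = list(initiator), list(responder_policies)
    missing = []
    for attr in ("encryption", "hash_alg", "dh_group"):
        if not {getattr(t, attr) for t in init} & {getattr(p, attr) for p in resp}:
            missing.append(attr)
    return missing


@dataclass(frozen=True)
class ProxyId:
    local: str    # CIDR protected behind this gateway
    remote: str   # CIDR protected behind the peer


def phase2_status(mine: ProxyId, peer: ProxyId) -> str:
    """Quick mode proxy-IDs must mirror each other exactly; there is no
    narrowing in IKEv1. Returns 'ok', 'contained' (one side's selector is a
    subnet of the other's, which looks right on a diagram but still fails)
    or 'mismatch'."""
    my_l, my_r = ip_network(mine.local), ip_network(mine.remote)
    peer_l, peer_r = ip_network(peer.local), ip_network(peer.remote)
    if my_l == peer_r and my_r == peer_l:
        return "ok"
    local_ok = my_l.subnet_of(peer_r) or peer_r.subnet_of(my_l)
    remote_ok = my_r.subnet_of(peer_l) or peer_l.subnet_of(my_r)
    if local_ok and remote_ok:
        return "contained"
    return "mismatch"


if __name__ == "__main__":
    fw1 = fw1_default_phase1("3DES", "SHA1")
    pix_group1 = [Phase1Transform("3DES", "SHA1", 1)]     # what the reply recommends
    pix_md5 = [Phase1Transform("3DES", "MD5", 1)]         # hash does not line up
    print("group 1 policy:", choose_phase1(fw1, pix_group1))
    print("md5 policy:    ", choose_phase1(fw1, pix_md5), phase1_mismatches(fw1, pix_md5))

    # Constructed: host A = 10.1.1.5, network B = 192.168.2.0/24, network C = 10.1.1.0/24
    side_a = ProxyId("10.1.1.5/32", "192.168.2.0/24")     # "from host A to network B"
    side_b = ProxyId("192.168.2.0/24", "10.1.1.0/24")     # "from network B to network C"
    print("phase 2:", phase2_status(side_a, side_b))
```

Running it prints the group 1 transform as chosen, `None` plus `['hash_alg']` for the MD5 policy, and `contained` for the Phase 2 pair, which is the case the reply warns about: the host sits inside the peer's network selector, yet Quick Mode still ends in "no proposal chosen" because the selectors are not identical.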

   All contents © 2004 Network Presence, LLC. All rights reserved.