Re: [FW-1] Help with VPN between fw-1 4.0 and Netscreen-100
First thing: Change your setup to use main mode instead of aggressive mode. It's more secure, and while aggressive isn't causing your problem, it's intended for situations where one of the endpoints' IP address is not known. Both of yours are known. So why play it fast and loose? :)

Second, the big issue between CP 4.0 and the Netscreen is that CP 4.0 isn't capable of doing Phase 2 negotiation for subnet ranges. All tunnels are host-to-host. At the same time, the NS negotiates for subnet ranges by default and so far as I know, there's no way to turn this off (unlike FW-1 4.1 and NG, where you can give it IP ranges but tell it to negotiate host-to-host for any communications within those ranges).

To work around this, on the NS end, you have to define a policy (or set of policies, if the VPN is bidirectional) for each pair of devices that you want to talk to each other. Yeah, I know, ouch. Trust me, I didn't like it either.

It sounds to me like you've got a 3.x flavor of the NS ScreenOS firmware, and with that said I should point out that my experience came under 2.6.x. NS may have added some new trick to the CLI to turn on a host-to-host switch, but I haven't heard of one yet.

Hope this helps.

-----Original Message-----
From: Lonny Schwartz [mailto:[email protected]]
Sent: Wednesday, June 12, 2002 9:41 PM
To: [email protected]
Subject: [FW-1] Help with VPN between fw-1 4.0 and Netscreen-100

Wondering if anyone has any tips or tricks to getting a VPN up between fw-1 4.0 and a Netscreen. From the Netscreen logs I can see that it's completing Phase 1 but not getting past Phase 2. I've set up a similar configuration on my test network except I'm using a fw-1 4.1 and everything works OK. My environment is connecting from my DMZ (public IP) to another site's DMZ (public IPs), so that rules out a NAT issue.
Here's my Netscreen log if that's any help:

00536 IKE <Checkpoint IP> Phase 2: Initiated negotiations.(initiator)
00536 Phase 1 (Checkpoint IP) complete, AGGR mode, 28800sec.
00536 IKE <Checkpoint IP> Phase 1: Initiated negotiations in aggressive mode.

I'm stuck on why it just hangs. I've had problems with other CP4.1 VPNs but usually it'll give me some clue with an error on a policy/network issue.

Thanks!

Lonny
--
Lonny Schwartz
Micromuse Inc.
[email protected]

=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
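As an added illustration of the Phase 2 point made in the reply above (example code written for this page, not from the thread's authors, Check Point or NetScreen): IKEv1 Phase 2 only completes when the responder's selectors are the exact mirror image of the initiator's, so a host-to-host proposal like FW-1 4.0's never matches a subnet proposal like the ScreenOS default, and the negotiation simply stalls with no policy error, which is what the log shows. The ProxyId model, the helper names and every address below are constructed for the illustration; the expansion step models the reply's workaround of one host-pair policy per device pair.

```python
# Added example: models the IKEv1 Phase 2 proxy-ID mismatch the reply
# describes.  Not code from the thread, Check Point or NetScreen; the
# ProxyId type, helper names and all addresses are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network
from itertools import product
from typing import List, Optional


@dataclass(frozen=True)
class ProxyId:
    """One peer's Phase 2 proposal: local selector, remote selector,
    protocol and port (0 = any, as in the IKEv1 ID payload)."""
    local: IPv4Network
    remote: IPv4Network
    proto: int = 0
    port: int = 0


def proxy_id(local: str, remote: str, proto: int = 0, port: int = 0) -> ProxyId:
    """Build a ProxyId from CIDR strings (a bare host is written as /32)."""
    return ProxyId(ip_network(local), ip_network(remote), proto, port)


def proposals_match(initiator: ProxyId, responder: ProxyId) -> bool:
    """Phase 2 needs an exact mirror: the initiator's local selector must
    equal the responder's remote selector and vice versa.  Overlap or
    containment (a /32 inside a /24) is not enough."""
    return (initiator.local == responder.remote
            and initiator.remote == responder.local
            and initiator.proto == responder.proto
            and initiator.port == responder.port)


def diagnose(initiator: ProxyId, responder: ProxyId) -> str:
    """Human-readable reason for a Phase 2 mismatch, or 'match'."""
    if proposals_match(initiator, responder):
        return "match"
    reasons = []
    if initiator.local != responder.remote:
        reasons.append(f"initiator local {initiator.local} != responder remote {responder.remote}")
    if initiator.remote != responder.local:
        reasons.append(f"initiator remote {initiator.remote} != responder local {responder.local}")
    if (initiator.proto, initiator.port) != (responder.proto, responder.port):
        reasons.append("protocol/port differ")
    # Call out the specific case from the thread: /32 selectors on one side,
    # a subnet on the other.
    if (all(n.prefixlen == 32 for n in (initiator.local, initiator.remote))
            and any(n.prefixlen < 32 for n in (responder.local, responder.remote))):
        reasons.append("host-to-host proposal against subnet proposal")
    return "; ".join(reasons)


def _hosts(net: IPv4Network) -> List[IPv4Address]:
    # hosts() skips network/broadcast addresses; a /32 is its own host.
    return [net.network_address] if net.prefixlen == 32 else list(net.hosts())


def expand_to_host_pairs(local_net: str, remote_net: str) -> List[ProxyId]:
    """The reply's workaround: replace one subnet-to-subnet policy with one
    host-to-host policy per (local host, remote host) pair, so the subnet
    side proposes the same /32 selectors as the host-to-host side."""
    return [ProxyId(ip_network(f"{a}/32"), ip_network(f"{b}/32"))
            for a, b in product(_hosts(ip_network(local_net)),
                                _hosts(ip_network(remote_net)))]


def find_match(initiator: ProxyId, policies: List[ProxyId]) -> Optional[ProxyId]:
    """Return the responder policy whose selectors mirror the initiator's."""
    for policy in policies:
        if proposals_match(initiator, policy):
            return policy
    return None


if __name__ == "__main__":
    # Constructed sample: the FW-1 side proposes host-to-host, the ScreenOS
    # side proposes its subnet policy (RFC 1918 placeholder addresses).
    fw1 = proxy_id("10.1.1.5/32", "10.2.2.3/32")
    ns_subnet_policy = proxy_id("10.2.2.0/29", "10.1.1.0/29")
    print("against subnet policy:", diagnose(fw1, ns_subnet_policy))
    ns_host_policies = expand_to_host_pairs("10.2.2.0/29", "10.1.1.0/29")
    print(f"{len(ns_host_policies)} host-pair policies; match:",
          find_match(fw1, ns_host_policies))
```

Running it shows the subnet policy rejected with the host-versus-subnet reason, and the expanded per-host policy set (36 entries for two /29 networks) containing exactly one policy that mirrors the FW-1 proposal. The same check is useful in the other direction: a peer whose proposal is not in the expanded set gets no match at all, which is the "hangs with no error" symptom from the original question.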