Re: [FW-1] VPN between PIX 501 and FW1 4.1
On the PIX debug do you see the correct proxies being set up during phase 2? Also, if you do a "show cry isa sa" while the tunnel is trying to come up do you get something like MM_KEY_EXCH under the state heading, or anything besides QM_IDLE?

Jeffrey Shuron
Security Specialist - CCSA, GSEC, CCNA, MCP
MPR
[email protected]
www.mprtech.com

boobe jouke <[email protected]>
Sent by: Mailing list for discussion of Firewall-1 <[email protected]>
06/19/2002 12:03 PM
Please respond to Mailing list for discussion of Firewall-1

To: [email protected]
cc:
Subject: Re: [FW-1] VPN between PIX 501 and FW1 4.1

I see the attributes "attributes accepted" and "SA has been authenticated". While running debug crypto on my PIX I keep seeing "PEER_REAPER_TIMER". On my FW1 log it says phase 1 is completed but phase 2 negotiation failed.

>From: "Roelandts, Guy" <[email protected]>
>Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
>To: [email protected]
>Subject: Re: [FW-1] VPN between PIX 501 and FW1 4.1
>Date: Wed, 19 Jun 2002 08:39:14 +0200
>
>What do you mean by "is not working"? What does the Log Viewer tell you, what
>do you see in the debugging info on the Cisco?
>
>Can you be a bit more explicit, I have been playing with VPNs between
>Nokias, running 4.1-SP3 or NG FP1, and Ciscos with IOS 12.1(5) ... it
>took me a while to bring the VPN up because you must:
>
>  1. On the CheckPoint side, be as restrictive as possible: 3DES/SHA1 for
>     instance
>
>  2. On the Cisco, be sure to define everything in line with the CheckPoint
>     side, during testing we found for instance that we had to define the
>     DH group, otherwise the negotiation would fail.
>
>Met vriendelijke groeten - Bien à vous - Kind regards
>Guy ROELANDTS
>EMEA GS Internet Expertise Centre - CCSE-NG
>Compaq BeLux - now part of the New HP
>E-mail : [email protected]
>Tel: +32(02)729.77.44 (options 3 - 3 - 1)
>Fax: +32(02)729.77.65
>
>-----Original Message-----
>From: boobe jouke [mailto:[email protected]]
>Sent: 18 June 2002 02:55
>To: [email protected]
>Subject: [FW-1] VPN between PIX 501 and FW1 4.1
>
>I am trying to set up a VPN between a PIX 501 and a Checkpoint FW1.
>I just followed the instructions in the document I found on the Cisco site and
>this does not work.
>
>The negotiation of keys stops at Phase 1.
>
>Please help?
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
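The two points raised in this thread (define every IKE attribute on the PIX explicitly, DH group included, and check that the phase 2 proxies match) look like this as a PIX 6.x configuration. This is an added example, not configuration posted by anyone in the thread. The peer address 192.0.2.1, the networks 10.1.1.0/24 and 10.2.2.0/24, the names vpn-to-fw1, fw1-set and fw1-map, DH group 2, the lifetime and the key placeholder are all assumptions, to be replaced with whatever the Check Point side actually has configured.

```cisco
: --- Phase 1 (IKE): state every attribute, do not rely on defaults ---
: 192.0.2.1 is an assumed placeholder for the FW-1 external address.
isakmp enable outside
isakmp identity address
isakmp key <PRE_SHARED_KEY> address 192.0.2.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
: DH group 2 is an assumed value; it must equal the group set on FW-1.
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: --- Phase 2 (IPsec): transform set matching 3DES/SHA1 on FW-1 ---
crypto ipsec transform-set fw1-set esp-3des esp-sha-hmac

: --- Phase 2 proxies: the crypto ACL defines the local/remote networks
: offered in quick mode. 10.1.1.0/24 (behind the PIX) and 10.2.2.0/24
: (behind FW-1) are assumed placeholders; they must mirror the
: encryption domains defined on the Check Point side.
access-list vpn-to-fw1 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list vpn-to-fw1
sysopt connection permit-ipsec

crypto map fw1-map 10 ipsec-isakmp
crypto map fw1-map 10 match address vpn-to-fw1
crypto map fw1-map 10 set peer 192.0.2.1
crypto map fw1-map 10 set transform-set fw1-set
crypto map fw1-map interface outside

: --- Checks while the tunnel is coming up ---
: show crypto isakmp sa   -> state should reach QM_IDLE for 192.0.2.1
: show crypto ipsec sa    -> local/remote ident lines show the proxies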