Re: [FW-1] IKE failure CP NG-FP3, WatchGuard SOHO 6



Ian and all: some further information was discovered:
It appears that the SOHO box uses regular DES and SHA1 to communicate the
key exchange. The "Intranet" parms as described below must be set to DES,
SHA1, and 768key. The VPN Encryption parameters were set to 3DES and MD5 at
either end in the configs. I did get a successful key exchange. Now I can
continue my experimentation.

Thanks guys - I know I'll be back with other problems...
Vic
---------

>I believe the WatchGuard uses FreeS/WAN VPN software, so it should work.
>The main caveat I have found linking FreeS/WAN with Check Point is the
>timeout values. Also, earlier versions did not support PFS, and try to use
>MD5; it does not support DES, only 3DES, so keep with that.
>
>Hope this helps
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:[email protected]] On Behalf Of Vic G
>Sent: 13 November 2002 11:31
>To: [email protected]
>Subject: Re: [FW-1] IKE failure CP NG-FP3, WatchGuard SOHO 6
>
>
>Repost...
>Nobody has any idea to help with the problem below?
>-----
>
>Attempting to set up a lab environment with NG-FP3, and WatchGuard SOHO-6
>appliance. I configured both systems to use 3DES, SHA1, and shared key
>is the same. I reboot the watchguard, and see it try to contact the CP
>FW, and I get "IKE - Main Mode failed to match proposal: DES, SHA1,
>Preshared secret, group 1 (768 Bit)", and "IKE - Main Mode sent
>Notification - no proposal chosen". The systems never seem to key
>exchange. I've tried DES, 3DES, SHA1, MD1, checking all the boxes in
>CP-FP3. If I click on the "mesh" in FP3, I get the MyIntraNet.
>Participating gateways are FW01, and "RemoteGateway". RemoteGateway is
>the external IP address of the SOHO device. VPN shows "MyIntranet", and
>Traditional mode config gives me 3DES, SHA1, and preshared secret of
>FW01 (which is correct). Clicking Advanced gives me Group 1 768bit
>checkbox. Aggressive mode not checked. The only rule in my rule base is
>*ANY *ANY *ANY *ACCEPT LOG.
>
>Over on the SOHO box there isn't much other than VPN Remote Gateway,
>IPSec Gateway is the external addr of CP firewall NG, shared key is same
>as FW1, Authentication is SHA1-HMAC, Encrypt is 3DES-CBC. Remote IP
>network is the inside address (not FW internal or external) as I have
>gateway router on inbound side of FW anyway. If I click on IPSec
>Statistics, I have "no active IPSEC tunnels".
>
>I don't have a license to be able to test CPFW to CPFW with different IP
>address, but I guess I can get one from CP and set up another Win2K FW
>box... I did want to get this appliance box running, though...
>
>Any ideas, or need more info???
>
>Vic
>
>=================================================
>To set vacation, Out Of Office, or away messages,
>send an email to [email protected]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[email protected]
>=================================================
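The Phase 1 mismatch this thread resolves, as an added example that is not from the thread or from either vendor: a short Python script that parses the Check Point "failed to match proposal" log line quoted above and compares the transform the peer offered against the local Main Mode settings, showing why 3DES on the Check Point side yields "no proposal chosen" while DES/SHA1/group 1 matches. The log line is the one quoted in the thread; the two CP_PHASE1_* dictionaries are assumed representations of the settings Vic describes, not exported Check Point configuration.

```python
import re

# Constructed sample input: the Check Point log line quoted in the thread.
LOG_LINE = ("IKE - Main Mode failed to match proposal: DES, SHA1, "
            "Preshared secret, group 1 (768 Bit)")

# Assumed Phase 1 (key exchange) settings on the Check Point side: what the
# thread describes before the fix (3DES) and after it (DES, SHA1, group 1).
CP_PHASE1_BEFORE = {"enc": {"3DES"}, "hash": {"SHA1"},
                    "auth": {"Preshared secret"}, "group": {1}}
CP_PHASE1_AFTER = {"enc": {"DES"}, "hash": {"SHA1"},
                   "auth": {"Preshared secret"}, "group": {1}}

PROPOSAL_RE = re.compile(
    r"failed to match proposal: (?P<enc>[^,]+), (?P<hash>[^,]+), "
    r"(?P<auth>[^,]+), group (?P<group>\d+)")


def parse_proposal(line):
    """Return the transform the peer offered in a 'failed to match' log line
    (enc, hash, auth, DH group), or None if the line is not of that form."""
    m = PROPOSAL_RE.search(line)
    if m is None:
        return None
    t = {k: m.group(k).strip() for k in ("enc", "hash", "auth")}
    t["group"] = int(m.group("group"))
    return t


def responder_choice(offered, accepted):
    """Pick the first offered transform whose every attribute is in the
    responder's accepted set, as an IKE Main Mode responder does. None
    means the responder answers NO_PROPOSAL_CHOSEN."""
    for t in offered:
        if all(t[k] in accepted[k] for k in ("enc", "hash", "auth", "group")):
            return t
    return None


def diagnose(line, phase1_accepted):
    """Name the attribute(s) the local Phase 1 settings lack. Phase 2 (the
    'VPN Encryption' parameters, e.g. 3DES/MD5) is negotiated separately
    and plays no part in a Main Mode proposal mismatch."""
    offered = parse_proposal(line)
    if offered is None:
        return "not a Main Mode proposal-mismatch line"
    if responder_choice([offered], phase1_accepted) is not None:
        return "match"
    missing = [f"{k}={offered[k]}" for k in ("enc", "hash", "auth", "group")
               if offered[k] not in phase1_accepted[k]]
    return "no proposal chosen; local Phase 1 lacks " + ", ".join(missing)
```

DES and DH group 1 (768-bit) are weak by today's standards and appear here only because that is what the appliance offered; the same check applies unchanged to stronger transforms.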