
Re: [FW-1] VPN between FP1 FP2. Info: No proposal chosen



Forgot one thing-- DH group is also applicable to Phase 1.
----- Original Message -----
Sent: Monday, December 30, 2002 11:44 AM
Subject: Re: [FW-1] VPN between FP1 FP2. Info: No proposal chosen

No Proposal Chosen means one thing and one thing only:  the settings are *not* the same. :)
 
Specifically, you're not matching on one or more of the following:
 
Phase 1  (Main Mode):
    Encryption (DES, 3DES, etc)
    Hash (SHA1 or MD5)
    Authentication method (preshare IKE or certificate)   
 
I believe all of these are set on the VPN properties of each firewall object (in *each* rulebase).
 
Phase 2 (Quick Mode):
    Encryption (DES, 3DES, etc)
    Hash (SHA1 or MD5)
    Perfect Forward Secrecy (on or off)
    Diffie-Hellman group (Group1, Group 2, or Group 5)
 
    The DH group is applicable to Phase 2 only if PFS is in use.
 
If you have a traditional rule base, all of these are set by using an action of "encrypt" on the applicable rule in the rule base, right-clicking on the action and selecting "Encryption properties" or something to that effect.  If you have a simplified rule base I don't recall off the top of my head where these settings are, but they're in there somewhere... hooked in with VPN communities, I'm sure.
 
If you do not receive any messages about successful completion of Main Mode, then you're bombing out in Phase 1.  If you get Main Mode completed and *then* get your no proposal chosen message, you're bombing out in Phase 2.
 
Good luck. :)
---
Russell Washington, CCSE, CCSA, NCSA
Too many doggoned letters after my name.../
----- Original Message -----
From: zzdeb
Sent: Monday, December 30, 2002 1:27 AM
Subject: [FW-1] VPN between FP1 FP2. Info: No proposal chosen

Hi all

I am trying to build a VPN between an NG FP1 (Intrusion box) and an NG FP2 (Windows NT SP6a).

In the first IKE phase, the firewall logs: No proposal chosen.

I have checked that all features are the same in both firewalls.

Thanks in advance



--------------

Regards.

Deb.
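
The parameter checklist in the reply above can be turned into a side-by-side comparison of the two gateways' settings. This is an added example, not part of the original thread and not Check Point code; the field names, the `norm` spelling normalization and both sample gateways are constructed assumptions.

```python
# Added illustration: field names and gateway settings are constructed, not Check Point output.
PHASE1_FIELDS = ("encryption", "hash", "auth_method", "dh_group")
PHASE2_FIELDS = ("encryption", "hash", "pfs")


def norm(value):
    """Treat 'Group 2'/'Group2' or '3des'/'3DES' as the same setting (assumption)."""
    if isinstance(value, str):
        return value.replace(" ", "").replace("-", "").upper()
    return value


def diff_fields(local, peer, fields):
    """Return {field: (local, peer)} for each field whose normalized values differ."""
    out = {}
    for f in fields:
        a, b = norm(local.get(f)), norm(peer.get(f))
        if a != b:
            out[f] = (a, b)
    return out


def diagnose(local, peer):
    """Return (phase, mismatches) for the first phase that cannot agree, else None."""
    p1 = diff_fields(local["phase1"], peer["phase1"], PHASE1_FIELDS)
    if p1:
        return ("phase1", p1)  # Main Mode never completes
    l2, r2 = local["phase2"], peer["phase2"]
    p2 = diff_fields(l2, r2, PHASE2_FIELDS)
    if l2.get("pfs") and r2.get("pfs"):
        # The DH group matters in Phase 2 only when PFS is in use.
        p2.update(diff_fields(l2, r2, ("dh_group",)))
    return ("phase2", p2) if p2 else None


# Constructed sample: identical Phase 1, PFS on both sides, different Phase 2 DH group.
GW_A = {"phase1": {"encryption": "3DES", "hash": "SHA1", "auth_method": "preshare",
                   "dh_group": "Group 2"},
        "phase2": {"encryption": "3DES", "hash": "MD5", "pfs": True, "dh_group": "Group 2"}}
GW_B = {"phase1": {"encryption": "3des", "hash": "sha1", "auth_method": "preshare",
                   "dh_group": "Group2"},
        "phase2": {"encryption": "3DES", "hash": "MD5", "pfs": True, "dh_group": "Group 5"}}

if __name__ == "__main__":
    print(diagnose(GW_A, GW_B))
```

A `phase1` result corresponds to never seeing Main Mode complete in the log; a `phase2` result corresponds to Main Mode completing and the message appearing afterwards.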

 


