| |
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FW1] IKE failure on W2k...
Okay, I feel like a tard here...
I have setup VPN's with FW-1 to FW-1/SR or to Cisco ManualIPSec, etc etc.
However I now have a requirement to create an IKE VPN between a FW-1 4.1
and a Windows2000 server that is racked at some co-location facility.
They want to use the IP Security policy on the W2k server, but I can't seem to get
it to work. On my FW-1 logs I get an "IKE Log- no proposal chosen" which often
means the pre-shared secrets don't match (they match), and on the W2k side I get
an event log entry that says "IPSec driver failed the oakley negotiation, NO FILTER
EXISTS TO PROTECT PACKETS TO THAT DESTINATION."
Looking at the filters definition for the policy I created, I have a single filter that
has the IP address of the W2k box, the IP address of the FW-1 and it's checked
to "mirror" the src/dest, so it should handle traffic in both directions right?
On the tunnels page they say you "must have 2 filters", but I don't see why if I have
the one checked to mirror src/dest.
I have selected same settings on either side as close as I can tell, ESP, DES, MD5,
perfect forward, main mode negotiation, etc.
I think it's a problem with my setup on the W2k side. On FW-1 side I get initial log
entry of "IKE Log: phase1 completion:DES/MD5/Preshare secr Negotitation id: yadda yadda"
follow by:"IKE Log:recv'd notification from peer: no proposal chosen Negotiation id differentyadda"
Has anyone had similar experience with W2k? Could it be a problem with the key timers
having different settings on either side?
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
|
|
