[FW1] IKE failure on W2k...
Okay, I feel like a tard here... I have set up VPNs with FW-1 to FW-1/SR or to Cisco Manual IPSec, etc. etc. However, I now have a requirement to create an IKE VPN between a FW-1 4.1 and a Windows 2000 server that is racked at some co-location facility. They want to use the IP Security policy on the W2k server, but I can't seem to get it to work.

On my FW-1 logs I get an "IKE Log- no proposal chosen", which often means the pre-shared secrets don't match (they match), and on the W2k side I get an event log entry that says "IPSec driver failed the oakley negotiation, NO FILTER EXISTS TO PROTECT PACKETS TO THAT DESTINATION."

Looking at the filters definition for the policy I created, I have a single filter that has the IP address of the W2k box, the IP address of the FW-1, and it's checked to "mirror" the src/dest, so it should handle traffic in both directions, right? On the tunnels page they say you "must have 2 filters", but I don't see why if I have the one checked to mirror src/dest.

I have selected the same settings on either side as close as I can tell: ESP, DES, MD5, perfect forward secrecy, main mode negotiation, etc. I think it's a problem with my setup on the W2k side.

On the FW-1 side I get an initial log entry of "IKE Log: phase1 completion:DES/MD5/Preshare secr Negotiation id: yadda yadda" followed by: "IKE Log:recv'd notification from peer: no proposal chosen Negotiation id differentyadda"

Has anyone had similar experience with W2k? Could it be a problem with the key timers having different settings on either side?

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================