RE: [FW1] VPN FW1->PIX, IKE Phase1 Stage2 Problem
Hi Cedric,

If you look in the mailing-list archive on the thread "[FW1] Nokia (Network Alchemy) CC 500 (Crypto Cluster) and FW1 SP2 on NT" you will see a suggestion to solve this problem. I had this exact problem connecting PIX and VPN-1 and was not able to solve it. In short the suggestion (from Jim Sweeting) was:

---------------------------
The problem is indeed with key lifetime differences. FW-1 typically sets the expiry time for an IKE negotiation to 1 week whereas a Cisco can't go that high!! IPSEC is usually 3600 seconds by default on both.

Change the setting in the policy encryption properties from 10800 minutes for IKE to something like 1440 minutes (1 day) and check the Cisco (PIX or router) is the same.

The Check Point website has a couple of useful documents in the public configuration docs section for doing this type of VPN, but I can't remember if they mention these settings explicitly or not.

Jim
------------------------------

Please let me (us) know if this solves the problem; I haven't had the time to try this out yet.

Regards,
Arnor Arnason
CCSE, CCSA, [email protected]

> Date: Mon, 19 Feb 2001 17:43:43 +0100
> From: Cedric <[email protected]>
> Subject: [FW1] VPN FW1->PIX, IKE Phase1 Stage2 Problem
>
> Hello
>
> We have a problem with setting up a VPN between FW1 (4.1 SP3 on
> Solaris) and a Cisco PIX firewall.
>
> We see such entries in the logs:
> "IKE Log: Sent Notification: no proposal chosen <phase1 stage2>
> Negotiation Id: 6t3zd51f68z41a5f-cba186ade992a71f"
>
> I can see two related mails in the archives; one suggests adding
> "3DES" in the objects for both entries (we use DES). This
> completely screwed up the VPN (which might indicate a problem).
> We didn't "send" such messages anymore, but the remote
> host did (that's what the logs say).
>
> Anyone know what this "phase1 stage2" actually is?
> How can I solve this problem?
> We have no idea how the PIX is set up, but it has been set up
> according to the CKP pdf documents.
>
> Thanks in advance for any pointer.
> -----------------------------
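Added illustration of the lifetime mismatch Jim describes; this is not code from the thread, from Check Point or from Cisco. It is a toy model of what an IKE Phase 1 (Main Mode) responder does with the initiator's ISAKMP SA proposal: each offered transform is compared against the responder's own policies and, if none is equal, the responder answers with the "no proposal chosen" notification Cedric sees in the FW-1 log. The model's assumptions: a transform is a flat set of five attributes (encryption, hash, authentication method, DH group, IKE SA lifetime); a lifetime difference alone is fatal, as Jim's message implies (real implementations vary by vendor and version); and the Cisco `isakmp policy ... lifetime` command accepts 120 to 86400 seconds, which is restated here as an assumption. FW-1's policy editor takes the IKE lifetime in minutes while the ISAKMP Life Duration attribute is carried in seconds, so the script converts before comparing.

```python
"""
Toy IKE Phase 1 proposal matcher (added example, not FW-1 or PIX code).

The responder compares every transform the initiator offers against its
own policies and answers NO-PROPOSAL-CHOSEN when none matches.
"""
from dataclasses import dataclass, fields

# FW-1's policy editor expresses the IKE SA lifetime in minutes; the
# ISAKMP Life Duration attribute on the wire is in seconds.
FW1_IKE_MINUTES_IN_THREAD = 10800  # value quoted in Jim's message
PIX_MIN_IKE_SECONDS = 120          # assumption: Cisco command range
PIX_MAX_IKE_SECONDS = 86400        # assumption: Cisco command range (1 day)
DEFAULT_IPSEC_SECONDS = 3600       # Phase 2 default Jim says both sides share


@dataclass(frozen=True)
class Phase1Transform:
    encryption: str        # "DES" or "3DES"
    hash: str              # "MD5" or "SHA1"
    auth: str              # "pre-shared" or "rsa-sig"
    dh_group: int          # 1 (768-bit MODP) or 2 (1024-bit MODP)
    lifetime_seconds: int  # ISAKMP SA Life Duration


def minutes_to_seconds(minutes: int) -> int:
    """Convert an FW-1 GUI lifetime (minutes) to the on-the-wire value."""
    return minutes * 60


def pix_accepts_lifetime(seconds: int) -> bool:
    """True if a PIX policy could be configured with this IKE lifetime
    (range is the assumption stated above)."""
    return PIX_MIN_IKE_SECONDS <= seconds <= PIX_MAX_IKE_SECONDS


def select_proposal(offered, policies):
    """
    Responder-side selection.  Returns (chosen, mismatches): chosen is the
    first offered transform equal to some local policy, or None; mismatches
    lists, for every (offer, policy) pair tried, the attribute names that
    differed, so the reason for NO-PROPOSAL-CHOSEN is visible.
    """
    mismatches = []
    for offer in offered:
        for policy in policies:
            differing = [f.name for f in fields(Phase1Transform)
                         if getattr(offer, f.name) != getattr(policy, f.name)]
            if not differing:
                return offer, mismatches
            mismatches.append((offer, policy, differing))
    return None, mismatches


def negotiate(fw1_ike_minutes: int, pix_ike_seconds: int) -> str:
    """
    Constructed scenario from the thread: FW-1 (initiator) offers DES/MD5/
    pre-shared/group 1 with its configured IKE lifetime; the PIX (responder)
    holds one policy with the same algorithms and its own lifetime.
    Returns the notification text the responder would send back.
    """
    fw1_offer = [Phase1Transform("DES", "MD5", "pre-shared", 1,
                                 minutes_to_seconds(fw1_ike_minutes))]
    pix_policy = [Phase1Transform("DES", "MD5", "pre-shared", 1,
                                  pix_ike_seconds)]
    chosen, mismatches = select_proposal(fw1_offer, pix_policy)
    if chosen is None:
        why = "; ".join(
            f"offer lifetime={o.lifetime_seconds}s vs policy "
            f"lifetime={p.lifetime_seconds}s, differs in {d}"
            for o, p, d in mismatches)
        return f"no proposal chosen <phase1 stage2> ({why})"
    return f"proposal accepted (IKE SA lifetime {chosen.lifetime_seconds}s)"


if __name__ == "__main__":
    # Before Jim's change: 10800 min = 648000 s, more than the PIX can hold.
    print(pix_accepts_lifetime(minutes_to_seconds(FW1_IKE_MINUTES_IN_THREAD)))
    print(negotiate(FW1_IKE_MINUTES_IN_THREAD, PIX_MAX_IKE_SECONDS))
    # After: 1440 min = 86400 s on both sides.
    print(negotiate(1440, PIX_MAX_IKE_SECONDS))
```

The mismatch list is the useful part in practice: the same notification is sent for any Phase 1 attribute that differs, so a "no proposal chosen <phase1 stage2>" entry on its own does not say whether the lifetime, the cipher (DES vs 3DES), the hash, the DH group or the authentication method is the culprit. Compare all five on both boxes, and remember that the FW-1 side is entered in minutes and the PIX side in seconds.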