
RE: [FW1] VPN FW1->PIX, IKE Phase1 Stage2 Problem



Hi Cedric,

if you look in the mailing-list archive at the thread
[FW1] Nokia (Network Alchemy) CC 500 (Crypto Cluster) and FW1 SP2 on NT
you will see a suggestion to solve this problem.

I had this exact problem connecting pix and VPN-1 and was not able to
solve it.
In short the suggestion (from Jim Sweeting) was :
---------------------------
The problem is indeed with key lifetime differences.

FW-1 typically sets the expiry time for an IKE negotiation to 1 week,
whereas a Cisco can't go that high !! IPSEC is usually 3600 seconds by
default on both.

Change the setting in the policy encryption properties from 10800 minutes
for IKE to something like 1440 minutes (1 day) and check the Cisco (PIX
or Router) is the same.

The checkpoint website has a couple of useful documents in the public
configuration docs section for doing this type of VPN but I can't
remember if they mention these settings explicitly or not.

Jim
------------------------------
Please let me (us) know if this solves the problem, I haven't had the
time to try this out yet.

Regards,
Arnor Arnason
CCSE,CCSA,
[email protected]


> Date: Mon, 19 Feb 2001 17:43:43 +0100
> From: Cedric <[email protected]>
> Subject: [FW1] VPN FW1->PIX, IKE Phase1 Stage2 Problem
>
> Hello
> 
>      We have a problem with setting up a VPN between FW1 (4.1 SP3 on
>      Solaris) and a Cisco PIX firewall.
> 
>      We see such entries in the logs
>      "IKE Log: Sent Notification: no proposal chosen <phase1 stage2>
>       Negotiation Id: 6t3zd51f68z41a5f-cba186ade992a71f"
>       
>      I can see two related mails in the archives, one suggests to add
>      "3DES" in the objects for both entries (we use DES), this
>      completely screwed up the VPN (which might indicate a problem)
>           We didn't "send" such messages anymore, but the remote
>           host did (that's what the logs say)
> 
>      Anyone know what this "phase1 stage2" actually is ?
>      How can I solve this problem ?
>      We have idea how the PIX is set up, but it has been set up
>      according to the CKP pdf documents.
> 
>      Thanks in advance for any pointer.
> 
-----------------------------




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
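The thread above attributes the "no proposal chosen" failure to a mismatch in IKE Phase 1 settings, in particular the SA lifetime, which VPN-1 configures in minutes and a Cisco PIX/router configures in seconds. The following is an added example (not code from the list, from Check Point or from Cisco) that normalises both sides' Phase 1 proposals to a common form and reports which attributes differ, so that a lifetime mismatch shows up beside algorithm or DH-group mismatches instead of being overlooked. The peer settings are constructed for illustration, and the assumed Cisco ISAKMP lifetime ceiling of 86400 seconds is labelled as an assumption in the code.

```python
"""Compare IKE Phase 1 proposals from two VPN peers and explain why no
proposal was chosen.  Added example; the settings below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed upper bound of the Cisco "isakmp policy ... lifetime" command (seconds).
CISCO_MAX_ISAKMP_LIFETIME_S = 86400


@dataclass(frozen=True)
class Phase1Proposal:
    """One IKE Phase 1 (ISAKMP SA) proposal with its lifetime in seconds."""
    encryption: str   # e.g. "DES", "3DES"
    hash_alg: str     # e.g. "MD5", "SHA1"
    dh_group: int     # e.g. 1 or 2
    lifetime_s: int   # SA lifetime normalised to seconds


def fw1_proposal(encryption: str, hash_alg: str, dh_group: int,
                 lifetime_min: int) -> Phase1Proposal:
    """Build a proposal from VPN-1 style settings (IKE lifetime given in minutes)."""
    return Phase1Proposal(encryption.upper(), hash_alg.upper(), dh_group,
                          lifetime_min * 60)


def cisco_proposal(encryption: str, hash_alg: str, dh_group: int,
                   lifetime_s: int) -> Phase1Proposal:
    """Build a proposal from PIX/IOS style settings (lifetime given in seconds)."""
    if not 60 <= lifetime_s <= CISCO_MAX_ISAKMP_LIFETIME_S:
        raise ValueError(f"isakmp lifetime {lifetime_s}s outside assumed range "
                         f"60..{CISCO_MAX_ISAKMP_LIFETIME_S}")
    return Phase1Proposal(encryption.upper(), hash_alg.upper(), dh_group, lifetime_s)


def suggested_fw1_minutes(cisco_lifetime_s: int) -> int:
    """VPN-1 lifetime (minutes) that equals the Cisco peer's lifetime (seconds)."""
    return cisco_lifetime_s // 60


def mismatches(a: Phase1Proposal, b: Phase1Proposal) -> Dict[str, Tuple]:
    """Return {attribute: (a_value, b_value)} for every attribute that differs."""
    diff = {}
    for field in ("encryption", "hash_alg", "dh_group", "lifetime_s"):
        va, vb = getattr(a, field), getattr(b, field)
        if va != vb:
            diff[field] = (va, vb)
    return diff


def diagnose(local: List[Phase1Proposal], remote: List[Phase1Proposal]) -> dict:
    """Find a proposal both peers share; otherwise report the closest pair
    and exactly which attributes keep it from matching."""
    best: Optional[Tuple[Tuple[Phase1Proposal, Phase1Proposal], Dict]] = None
    for lp in local:
        for rp in remote:
            d = mismatches(lp, rp)
            if not d:
                return {"matched": lp, "closest": (lp, rp), "differences": {}}
            if best is None or len(d) < len(best[1]):
                best = ((lp, rp), d)
    assert best is not None, "both peers must offer at least one proposal"
    (lp, rp), d = best
    return {"matched": None, "closest": (lp, rp), "differences": d}


if __name__ == "__main__":
    # Constructed settings: VPN-1 left at a 10800-minute IKE lifetime,
    # the PIX at its (assumed) one-day maximum.  Everything else agrees.
    fw1 = [fw1_proposal("DES", "MD5", 1, 10800)]
    pix = [cisco_proposal("DES", "MD5", 1, 86400)]
    report = diagnose(fw1, pix)
    print("matched:", report["matched"])
    print("differences:", report["differences"])
    print("set VPN-1 IKE lifetime to", suggested_fw1_minutes(86400), "minutes")
```

Running the block reports no match and a single difference, `lifetime_s: (648000, 86400)`, and suggests 1440 minutes for the VPN-1 side, the same value the quoted suggestion arrives at. The comparison is deliberately attribute by attribute rather than a yes/no, because a stack that logs only "no proposal chosen" gives no hint which of the four attributes is wrong, and an encryption mismatch (say, 3DES offered to a DES-only peer) produces the identical log line.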



 