[FW-1] Vpn-1 vs IOSsec
Hi,

I'm trying an IPsec connection between Vpn-1 and Cisco IOS. I've noticed why it hadn't worked before.

Case: I thought the configuration was OK (double checked). I've used the Checkpoint documentation for IOS <-> Vpn-1. However, I've noticed in the IOS debug:

xx: validate proposal request 0
xx: IPSEC(validate_transform_proposal): proxy identities not supported
xx: ISAKMP (0:1): IPSec policy invalidated proposal
xx: ISAKMP (0:1): phase 2 SA not acceptable!
xx: CryptoEngine0: generate hmac context for conn id 1
xx: ISAKMP (0:1): sending packet to yy (R) QM_IDLE
xx: ISAKMP (0:1): purging node xxx
xx: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with pee
xx: ISAKMP (0:1): deleting node xxxxxx error FALSE reason "IKMP_NO_ERR"

Plus the Vpn-1 side log:

"IKE error: no proposal chosen, negotation ID xxxxxx"
"encryption error: error occurred scheme"

The IPsec properties are the same (DES, MD5, etc.). So, I've checked the access list on the IOS; the only difference from Vpn-1 is that the access lists are based on hosts, not networks. (I only want access between the hosts, not the networks.) And the Checkpoint rule is: hostsX <-> hostsY - encrypt.

The question is: what is the effect of an IOS ACL based on hostsX <-> hostsY on IPsec, even if the IPsec policy is identical on both sides? Is there a relationship with "Support key exchanges for subnets"?

=====
Sick Boy, Oi