Welcome to the Virus.Org Mailing List Archive




Re: [FW-1] Checkpoint NG R55 and PIX 506 des only.....

  • To: [EMAIL PROTECTED]
  • Subject: Re: [FW-1] Checkpoint NG R55 and PIX 506 des only.....
  • From: "Previtera, Sal" <[EMAIL PROTECTED]>
  • Date: Thu, 14 Oct 2004 15:10:26 -0500
  • Reply-to: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]>
  • Sender: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]>
Yes....I did but it does not help. I have other PIX 501(s) connected to the
Checkpoint NG R55 as site to site VPN using 3DES-MD5 and they are working
fine. Just this one, with DES only I cannot seem to get thru PHASE2.
Thanks,
Sal.

-----Original Message-----
From: fwguru [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 14, 2004 1:03 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Checkpoint NG R55 and PIX 506 des only.....

Have you tried turning off "Support Key Exchange for Subnets" in the
firewall object properties under VPN --> Advanced page?




On Thu, 14 Oct 2004 08:27:01 -0500, Previtera, Sal
<[EMAIL PROTECTED]> wrote:
> Here are the errors on the Checkpoint log... on IKE Phase 2 coming from
> remote PIX 506 configured with DES-MD5;
>
> ---------------------------------------------------------------------------
> Number:                 438038
> Date:                   13Oct2004
> Time:                   15:02:50
> Product:                VPN-1 & FireWall-1
> Interface:              daemon
> Origin:                 My checkpoint Gateway
> Type:                   Log
> Action:                 Key Install
> Source:                 Remote PIX 506
> Destination:            My Checkpoint Gateway
> Encryption Scheme:      IKE
> VPN Peer Gateway:       Remote PIX 506
> IKE Phase2 Message ID:  819efb4a
> Community:              WTH-EXTRA-DESonly
> Information:            IKE: Quick Mode Received Notification from Peer: invalid spi
>
> ---------------------------------------------------------------------------
>
> Number:                 474424
> Date:                   13Oct2004
> Time:                   15:48:38
> Product:                VPN-1 & FireWall-1
> Interface:              daemon
> Origin:                 My Checkpoint Gateway
> Type:                   Log
> Action:                 Key Install
> Source:                 Remote PIX 506
> Destination:            My Checkpoint gateway
> Encryption Scheme:      IKE
> VPN Peer Gateway:       Remote Pix 506
> IKE Phase2 Message ID:  456e4e3f
> Community:              WTH-EXTRA-DESonly
> Information:            IKE: Quick Mode Received Notification from Peer: no proposal chosen
>
> ---------------------------------------------------------------------------
>
> This is the PIX506 config pertinent to the site to site VPN
>
> -----------------------------------------------------------------------
> PIX Version 6.3(1)
> access-list 120 permit ip host (myfirewall) host (internal host behind PIX506)
> access-group 120 in interface outside
> crypto ipsec transform-set rtptac esp-des esp-md5-hmac
> crypto map rtprules 20 ipsec-isakmp
> crypto map rtprules 20 match address 120
> crypto map rtprules 20 set peer (myfirewall)
> crypto map rtprules 20 set transform-set rtptac
> crypto map rtprules interface outside
> isakmp enable outside
> isakmp key (sharedkey) address (myfirewall) netmask 255.255.255.255
> isakmp nat-traversal 20
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption des
> isakmp policy 20 hash md5
> isakmp policy 20 group 2
> isakmp policy 20 lifetime 86400
> -------------------------------------------------------------------------
>
>
>
>
> -----Original Message-----
> From: Previtera, Sal
> Sent: Wednesday, October 13, 2004 2:32 PM
> To: Mailing list for discussion of Firewall-1
> Subject: Checkpoint NG R55 and PIX 506 des only.....
>
> Hello,
> Has anyone been able to set up a VPN site to site with a Cisco PIX 506 with
> DES-MD5 only, with shared key?
>
> I have other PIX 501s already set up with 3DES-MD5, Pre-share and they are
> working fine.
> But I seem to be unable to get this one running.
> Any suggestions?
> Regards,
> Sal.
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
>
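
Added example, not part of the thread: "no proposal chosen" in Quick Mode means the two gateways did not agree on a Phase 2 proposal, so this Python sketch extracts what the quoted PIX 6.3 config will negotiate and lists every field that differs from the peer. The `PEER` values and all key names are hypothetical stand-ins for the Check Point community settings, which the thread does not show; `selector` models the "Support Key Exchange for Subnets" option (subnet vs. host proxy IDs).

```python
import re

# Constructed input: the PIX lines quoted in the thread, placeholders as posted.
PIX_CONFIG = """\
access-list 120 permit ip host (myfirewall) host (internal host behind PIX506)
crypto ipsec transform-set rtptac esp-des esp-md5-hmac
crypto map rtprules 20 match address 120
crypto map rtprules 20 set transform-set rtptac
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

def pix_proposal(cfg):
    """Extract what the PIX negotiates (assumes one isakmp policy, one crypto map entry)."""
    p1 = dict(re.findall(r"^isakmp policy \d+ (\S+) (\S+)$", cfg, re.M))
    name = re.search(r"set transform-set (\S+)$", cfg, re.M).group(1)
    ts = re.search(rf"^crypto ipsec transform-set {re.escape(name)} (.+)$", cfg, re.M).group(1)
    acl_id = re.search(r"match address (\S+)$", cfg, re.M).group(1)
    acl = re.search(rf"^access-list {re.escape(acl_id)} permit ip (.+)$", cfg, re.M).group(1)
    p2 = {
        "transforms": sorted(ts.split()),
        "pfs": re.search(r"set pfs", cfg) is not None,
        # A host-to-host crypto ACL only matches host proxy IDs in Quick Mode.
        "selector": "host" if acl.startswith("host ") else "subnet",
    }
    return {"phase1": p1, "phase2": p2}

def mismatches(pix, peer):
    """List every field the peer sets that the PIX would not agree to."""
    out = []
    for phase in ("phase1", "phase2"):
        for key, want in peer[phase].items():
            got = pix[phase].get(key)
            if got != want:
                out.append(f"{phase}.{key}: PIX={got!r} peer={want!r}")
    return out

# Hypothetical peer settings (assumption, not taken from the thread).
PEER = {
    "phase1": {"encryption": "des", "hash": "md5", "group": "2", "authentication": "pre-share"},
    "phase2": {"transforms": ["esp-des", "esp-md5-hmac"], "pfs": False, "selector": "subnet"},
}
if __name__ == "__main__":
    print("\n".join(mismatches(pix_proposal(PIX_CONFIG), PEER)) or "proposals agree")
```

Filling `PEER` from the actual community properties shows at a glance which Phase 1 or Phase 2 field to align on the two gateways.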


Copyright (c) Virus.Org 1997-2006.
All Trademarks Acknowledged.