Re: VPN between Checkpoint FW-1 and SonicWall SOHO2
From: Curt Edsall (cedsall@aol.com) Date: 06/21/02
From: "Curt Edsall" <cedsall@aol.com> Date: Fri, 21 Jun 2002 02:28:22 GMT
"Bruce Pennypacker" <bruce@pennypacker.org> wrote in message
news:3D120F97.30309@pennypacker.org...
> Hi all,
>
> Has anybody successfully set up a VPN between a Checkpoint & Sonicwall
> firewall? We have a number of corporate offices that have Checkpoints
> with VPN's between them and I'm trying to set up a VPN between one of
> these and a Sonicwall. I've followed all the instructions on the
> Sonicwall web site and everything looks correct. The Sonicwall tries to
> negotiate an IKE connection with the Checkpoint but the Checkpoint log
> always shows the error message "Received Notification from peer: no
> proposal chosen". Any thoughts as to what this means? I've
> double-checked that both firewalls are using the same shared secret, same
> levels of encryption & authentication, etc.
>
> -Bruce
>
Hello Bruce,
First off, I'll admit up front that I've never set up a VPN between a FW-1 and a Sonicwall, but I've set up a bunch of VPNs between many other sorts of devices, so...

What your log is telling you is that the two VPN end devices cannot agree to a common proposal for the VPN setup. Unfortunately the log doesn't seem to indicate whether the failure is occurring during the key exchange or during the Phase II exchange.

1. Double-check all your settings for the IKE/ISAKMP SA and for the IPSEC SA. For the key exchange (ISAKMP part) usually you must select the hash (MD5 or SHA1 generally), the encryption algorithm (DES/3DES/IDEA...), the Diffie-Hellman group (1 or 2) and whether or not to use PFS. The VPN settings usually include whether you are using AH or ESP, whether you are using it in tunnel or transport mode, the hash, the encryption algorithm, and the rekey value in either time or kbytes (check to ensure both firewalls use the same time increments... if one is using minutes while the other is using seconds you'll need to get a common setting...). If any of these values are not matched up you will not get a matching proposal.

2. Check to ensure the proper source/destination networks are selected for encryption on each end. This is also part of the proposal and will cause the negotiation to fail if both ends are not set correctly. On the FW-1 you must set the encryption domain in the firewall object. I've never seen a Sonicwall so you're on your own there.

3. Check the logs of both devices to see if they give you some further clue into whether it is the key exchange or the VPN negotiation that is failing. Usually the log will specify at which point in the exchange the failure is occurring.
Hope this helps.
Grace & Peace
Curt
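The three checks above can be turned into a small proposal-matching model. The following Python is an added example written for this archive page; it is not code from either poster or from Check Point or SonicWall, and the device names, networks and parameter values in it are constructed placeholders. It mirrors what a responder does when an initiator sends its Phase 1 and Phase 2 proposals: accept the first offered proposal that matches one it is configured for, otherwise reject with "no proposal chosen". Because the log line hides which attribute failed, the model reports the closest pair's differences, normalises rekey lifetimes given in minutes against ones given in seconds, and checks the encryption domains as mirrored selectors (one side's local network must be the other side's remote network).

```python
from dataclasses import dataclass, fields, replace
from typing import List, Optional, Tuple


def lifetime_seconds(value: int, unit: str) -> int:
    """Normalise a rekey lifetime to seconds, so 480 minutes compares equal to 28800 seconds."""
    factor = {"seconds": 1, "minutes": 60, "hours": 3600}[unit]
    return value * factor


@dataclass(frozen=True)
class Phase1:
    """ISAKMP/IKE SA parameters: the key-exchange half of the tunnel."""
    encryption: str        # DES / 3DES / IDEA ...
    hash: str              # MD5 / SHA1
    dh_group: int          # Diffie-Hellman group 1 or 2
    lifetime: int          # seconds


@dataclass(frozen=True)
class Phase2:
    """IPsec SA parameters plus the traffic selectors (encryption domains)."""
    protocol: str              # ESP or AH
    mode: str                  # tunnel or transport
    encryption: str
    hash: str
    pfs_group: Optional[int]   # None means PFS off
    lifetime: int              # seconds
    lifetime_kbytes: Optional[int]
    local_net: str             # this side's encryption domain (CIDR)
    remote_net: str            # the peer's encryption domain (CIDR)


def compare(offered, acceptable, swap_selectors: bool = False) -> List[str]:
    """List every attribute on which an offered proposal differs from an acceptable one.

    For Phase 2 the selectors are mirrored: the initiator's local_net must equal
    the responder's remote_net and vice versa, hence swap_selectors.
    """
    mirror = {"local_net": "remote_net", "remote_net": "local_net"}
    diffs = []
    for f in fields(offered):
        peer_attr = mirror.get(f.name, f.name) if swap_selectors else f.name
        mine, theirs = getattr(offered, f.name), getattr(acceptable, peer_attr)
        if mine != theirs:
            diffs.append(f"{f.name}: offered {mine!r}, peer configured {theirs!r}")
    return diffs


def choose(offered: list, acceptable: list, swap_selectors: bool = False) -> Tuple[Optional[object], List[str]]:
    """Responder logic: accept the first offered proposal that matches any acceptable one.

    When nothing matches (the 'no proposal chosen' case) return None plus the
    differences of the closest pair, which is the detail the log line leaves out.
    """
    closest: List[str] = []
    for off in offered:
        for acc in acceptable:
            diffs = compare(off, acc, swap_selectors)
            if not diffs:
                return off, []
            if not closest or len(diffs) < len(closest):
                closest = diffs
    return None, closest


def diagnose(init_p1, resp_p1, init_p2, resp_p2) -> Tuple[str, List[str]]:
    """Walk both phases in order and report the first one that fails."""
    chosen, diffs = choose(init_p1, resp_p1)
    if chosen is None:
        return "phase1", diffs
    chosen, diffs = choose(init_p2, resp_p2, swap_selectors=True)
    if chosen is None:
        return "phase2", diffs
    return "ok", []


# Constructed sample configuration (not taken from the thread). The SonicWall side
# initiates and states lifetimes in minutes; the FW-1 side responds and uses seconds.
SONICWALL_P1 = [Phase1("3DES", "SHA1", 2, lifetime_seconds(480, "minutes"))]
FW1_P1 = [Phase1("3DES", "SHA1", 2, lifetime_seconds(28800, "seconds"))]

SONICWALL_P2 = [Phase2("ESP", "tunnel", "3DES", "SHA1", 2, lifetime_seconds(60, "minutes"),
                       None, "192.168.10.0/24", "10.0.0.0/16")]
FW1_P2 = [Phase2("ESP", "tunnel", "3DES", "SHA1", None, lifetime_seconds(3600, "seconds"),
                 None, "10.0.0.0/16", "192.168.10.0/24")]


def run_mismatched() -> Tuple[str, List[str]]:
    """Phase 1 agrees once lifetimes are normalised; Phase 2 fails on PFS only."""
    return diagnose(SONICWALL_P1, FW1_P1, SONICWALL_P2, FW1_P2)


def run_fixed() -> Tuple[str, List[str]]:
    """Same configuration after enabling PFS group 2 on the FW-1 side."""
    fw1_fixed = [replace(FW1_P2[0], pfs_group=2)]
    return diagnose(SONICWALL_P1, FW1_P1, SONICWALL_P2, fw1_fixed)


if __name__ == "__main__":
    for label, result in (("before", run_mismatched()), ("after", run_fixed())):
        print(label, result)
```

Running it prints the failing phase and the single differing attribute (PFS on one side, off on the other) for the constructed configuration, and "ok" once the responder's Phase 2 entry is corrected. Swapping in your own two configurations, one entry per proposal each device is set to send or accept, gives the same answer the logs in point 3 would give, and shows which of the point 1 and point 2 settings to fix.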