
Configuring a Site to Site VPN on a Checkpoint NGX

Status: Not open for further replies.

RegTellis (MIS, US), Jul 10, 2006

Hey,

Does anyone know how to create a site to site vpn going from a Checkpoint NGX box to a non-checkpoint firewall?
 
Exactly the same as you would a Checkpoint to Checkpoint VPN, except create the external gateway as an interoperable device.
 
Hey Stu. Long time no hear from, huh? :) I thought it might be something like that, but when I configure the VPN and try to initiate a connection to the tunnel again, I get the following:

Number: 117437
Date: 13Jul2006
Time: 11:47:35
Product: VPN-1 Pro/Express
VPN Feature: IKE
Interface: daemon
Origin: GRYPHON (210.125.211.2)
Type: Log
Action: Reject
Reject Reason: IKE failure
Source: 208.178.14.215
Destination: GRYPHON (210.125.211.2)
Encryption Scheme: IKE
VPN Peer Gateway: 208.178.14.215
IKE Initiator Cookie: dc81953d454c324f
Subproduct: VPN
Information: IKE: Main Mode Failed to match proposal: Transform: 3DES, SHA1, Group 2 (1024 bit)
Reason: Wrong value for: Authentication Method

followed by:

Number: 117438
Date: 13Jul2006
Time: 11:47:35
Product: VPN-1 Pro/Express
VPN Feature: IKE
Interface: daemon
Origin: GRYPHON (210.125.211.2)
Type: Log
Action: Key Install
Source: GRYPHON (210.125.211.2)
Destination: 208.178.14.215
Encryption Scheme: IKE
VPN Peer Gateway: 208.178.14.215
IKE Initiator Cookie: dc81953d454c324f
Subproduct: VPN
Information: IKE: Main Mode Sent Notification to Peer: no proposal chosen

I thought that this was maybe because I created the peer GW incorrectly, but you have pretty much verified to me that I created it correctly. I guess my main problem is that I am unsure what these logs are telling me. I have made sure my encryption matches what is stated in the "Transform" field, but I still get the same errors.
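
As an added example (not code from the original thread, and not a Check Point tool), the script below parses log records of the kind quoted above, ties the Reject record to the "no proposal chosen" record through their shared IKE Initiator Cookie, and models the responder-side IKEv1 Main Mode proposal comparison that produces that notification. The sample log is a trimmed copy of the two records in the post; `PEER_PROPOSAL` and `LOCAL_POLICY` are constructed for illustration and do not describe the poster's real configuration.

```python
"""Added example: diagnose an IKEv1 Main Mode "no proposal chosen" from
Check Point VPN-1 log records and model the proposal comparison behind it.

Assumptions: field names and the "Wrong value for:" wording follow the
records quoted in the thread; the two proposals below are constructed.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the two records quoted in the thread, trimmed to the
# fields the diagnosis needs, with one blank line between records.
SAMPLE_LOG = """\
Number: 117437
Action: Reject
Reject Reason: IKE failure
Source: 208.178.14.215
Destination: GRYPHON (210.125.211.2)
VPN Peer Gateway: 208.178.14.215
IKE Initiator Cookie: dc81953d454c324f
Information: IKE: Main Mode Failed to match proposal: Transform: 3DES, SHA1, Group 2 (1024 bit)
Reason: Wrong value for: Authentication Method

Number: 117438
Action: Key Install
Source: GRYPHON (210.125.211.2)
Destination: 208.178.14.215
VPN Peer Gateway: 208.178.14.215
IKE Initiator Cookie: dc81953d454c324f
Information: IKE: Main Mode Sent Notification to Peer: no proposal chosen
"""


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split blank-line-separated 'Field: value' records into dicts."""
    records: List[Dict[str, str]] = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec: Dict[str, str] = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


TRANSFORM_RE = re.compile(
    r"Failed to match proposal: Transform: (?P<enc>[^,]+), (?P<hash>[^,]+), "
    r"Group (?P<group>\d+)"
)
WRONG_VALUE_RE = re.compile(r"Wrong value for: (?P<attr>.+)")


def diagnose(records: List[Dict[str, str]]) -> Dict[str, Dict]:
    """Group records by IKE initiator cookie and extract the Phase 1 failure.

    The cookie is the field shared by the Reject record and the
    'no proposal chosen' record, so it links the cause to the notification.
    """
    by_cookie: Dict[str, Dict] = {}
    for rec in records:
        cookie = rec.get("IKE Initiator Cookie")
        if not cookie:
            continue
        entry = by_cookie.setdefault(cookie, {
            "peer": rec.get("VPN Peer Gateway"),
            "transform": None,       # enc/hash/group the peer offered
            "mismatch": None,        # attribute the responder would not accept
            "notified_peer": False,  # NO-PROPOSAL-CHOSEN sent back to the peer
        })
        info = rec.get("Information", "")
        m = TRANSFORM_RE.search(info)
        if m:
            entry["transform"] = m.groupdict()
        w = WRONG_VALUE_RE.search(rec.get("Reason", ""))
        if w:
            entry["mismatch"] = w.group("attr")
        if "no proposal chosen" in info:
            entry["notified_peer"] = True
    return by_cookie


# IKEv1 Phase 1 SA attributes (RFC 2409 Appendix A): the authentication
# method is negotiated as an attribute next to cipher, hash and DH group.
PHASE1_ATTRS = ("Encryption", "Hash", "DH Group", "Authentication Method")

# Constructed proposals: same cipher/hash/group, different authentication method.
PEER_PROPOSAL = {"Encryption": "3DES", "Hash": "SHA1", "DH Group": 2,
                 "Authentication Method": "RSA signatures"}
LOCAL_POLICY = {"Encryption": "3DES", "Hash": "SHA1", "DH Group": 2,
                "Authentication Method": "pre-shared key"}


def match_proposal(offered: Dict, accepted: Dict) -> Optional[str]:
    """Responder-side check: return the first differing attribute, or None.

    Comparison follows PHASE1_ATTRS order, so a result of 'Authentication
    Method' means cipher, hash and DH group had already agreed.
    """
    for attr in PHASE1_ATTRS:
        if offered.get(attr) != accepted.get(attr):
            return attr
    return None


if __name__ == "__main__":
    for cookie, e in diagnose(parse_records(SAMPLE_LOG)).items():
        print(cookie, e)
    print("mismatch:", match_proposal(PEER_PROPOSAL, LOCAL_POLICY))
```

The point the model makes: in IKEv1 Main Mode the authentication method (pre-shared key, RSA signatures, and so on) is itself one of the SA attributes the responder compares, so a "Wrong value for: Authentication Method" rejection reports a disagreement about which method is being proposed, while cipher, hash and group already matched; a pre-shared key whose value differs on the two ends does not fail at the proposal stage but later in the exchange, once a proposal has been accepted.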

 
Looks like you have a mismatch in the authentication method. Are you using pre-shared keys?
 

Yes, I am. The pre-shared secret key that we WERE using on my old firewall had to change as the Checkpoint OS would not use it because it was too "soft". I got in touch with the administrator on the other end this morning and we came up with another one. I assume that he put it in correctly, but I can check on that.
 
I am having trouble getting in contact with the admin on the other end (which is NOTHING new, I might add. How they keep a job over there is beyond me), but I did manage to switch the original FW back in place to see if I would get the same types of problems, but it is inconclusive. It could be that the FW on the other end has just collapsed/closed from non-activity at this point, so I suppose I will have to wait for this guy on the other end to show up to verify.

Thanks for all your help.
 
Well,

It only took me all day Friday, 4 1/2 hours in the office Saturday, 4 hours at home yesterday, and a VERY obscure document found on a discontinued Checkpoint forum, but I got my tunnel up and passing encrypted traffic both ways. Now, on to SecureClient!!
 