From: Hale, Wendy (WRHale@NECBNS.com)
Date: Wed Oct 22 2003 - 15:25:36 GMT-3
Has anyone successfully created a VPN tunnel from a PIX to a CheckPoint
firewall? I'm trying to create a tunnel which allows traffic only between
two specific hosts, not network-to-network as is shown in the examples.
The CheckPoint log shows that the CheckPoint completes Phase 1 negotiations,
but receives a message from the PIX that a proposal has not been selected.
The PIX log shows the following error message:
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= xxx.xxx.xxx.xxx, src=yyy.yyy.yyy.yyy,
dest_proxy= xxx.xxx.xxx.xxx/255.255.255.255/0/0 (type=1),
src_proxy= yyy.yyy.yyy.yyy/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
The PIX shows an ISAKMP SA, but no IPsec SAs.
I looked up the "proxy identities not supported" error message and it says
that the access lists on each peer must match. Well, that makes sense when
you're dealing with two PIXies, but not as much sense with another vendor's
firewall.
The ACL associated with the tunnel restricts the tunnel traffic to one host
on the PIX inside interface. This ACL matches the CheckPoint rules (but
reversed) as far as I can tell.
Any ideas?
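A small checker for the "proxy identities not supported" situation described above, added here as example code (not from this list, Cisco or Check Point): it parses the dest_proxy/src_proxy lines of the PIX debug output and compares them field by field with the PIX crypto ACL. It assumes the PIX is the responder, so dest_proxy is the PIX's local identity and src_proxy the Check Point side, and that a matching ACL entry therefore reads "permit ip <local> <remote>"; the debug text and ACL below are constructed, with the peer offering its whole /24 where the ACL names one host.

```python
import ipaddress
import re

# Constructed sample debug text in the format of the PIX output quoted in the post;
# here the peer proposes its whole /24 where the PIX ACL names a single host.
PIX_DEBUG = """
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 203.0.113.10, src=198.51.100.20,
dest_proxy= 10.1.1.5/255.255.255.255/0/0 (type=1),
src_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
"""
# Constructed PIX crypto ACL: host-to-host, as the post describes.
PIX_ACL = "access-list vpn permit ip host 10.1.1.5 host 192.168.50.7"
# addr/mask/protocol/port as printed in the (key eng. msg.) block
PROXY_RE = re.compile(r"(dest|src)_proxy=\s*([^/\s]+)/([^/\s]+)/(\d+)/(\d+)")

def parse_proxies(debug):
    """Map 'dest'/'src' to (network, protocol, port) from the proxy lines."""
    out = {}
    for side, addr, mask, proto, port in PROXY_RE.findall(debug):
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        out[side] = (net, int(proto), int(port))
    return out

def parse_acl(line):
    """Parse 'access-list NAME permit ip (host A | A MASK) (host B | B MASK)'."""
    t = line.split()[4:]  # the two address specs follow 'access-list NAME permit ip'
    def net(spec):  # 'host A' -> A/32, 'A MASK' -> A/MASK
        cidr = spec[1] + "/32" if spec[0] == "host" else f"{spec[0]}/{spec[1]}"
        return ipaddress.ip_network(cidr, strict=False)
    return net(t[0:2]), net(t[2:4])  # (local side, remote side)

def check_proposal(debug, acl):
    """Return a list of differences between the peer's proxy IDs and the ACL."""
    proxies = parse_proxies(debug)
    local, remote = parse_acl(acl)
    problems = []
    if proxies["dest"][0] != local:
        problems.append(f"local identity {proxies['dest'][0]} != ACL source {local}")
    if proxies["src"][0] != remote:
        problems.append(f"remote identity {proxies['src'][0]} != ACL destination {remote}")
    for side in ("dest", "src"):
        _, proto, port = proxies[side]
        if proto or port:  # 0/0 means any protocol/port, which is what 'permit ip' covers
            problems.append(f"{side}_proxy is limited to protocol {proto} port {port}, ACL permits ip")
    return problems

if __name__ == "__main__":
    print(check_proposal(PIX_DEBUG, PIX_ACL))
```

An empty list means the peer's identities mirror the ACL exactly; each reported line names the field (address, mask, protocol or port) that the two sides disagree on.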