2008-06-16
dreambuddy
Junior Member, Join Date: 2007-06-12, Posts: 19
Issues in site-to-site VPN b/w Checkpoint R65 and Netscreen

Dear Fellow members,

We are trying to establish a VPN tunnel with one of our customers having a Netscreen at their end. Ours is NGX R65 with HFA02 & HF_602.

Local encryption domain is 172.20.4.0/28
Remote encryption domain is 10.2.0.0/18

When we tried pinging from one of the machines in the local Enc Domain to the remote Enc Domain, we see only Phase 1 is coming up; Phase 2 is not completing.

CP tracker shows "no valid SA", whereas the Netscreen logs show "No policy exists for the proxy ID received".

I tried all three options under tunnel management:

1) SA creation per host. (IKEview logs show it's perfect; Checkpoint proposes an SA for individual hosts only for the local network against the remote subnet (10.2.0.0/18). The same is also established from the Netscreen logs, but it fails at their end too, saying that no policy exists for the received proxy ID.)

2) Similarly, I tried a unique SA per subnet; in this case too, IKEview shows that for Quick Mode packet 1 it proposes SA creation between 172.20.4.0/28 and 10.2.0.0/18. The Netscreen logs too establish that both encryption domains are perfect, but it is failing due to no local policy for the received proxy ID.

In both cases, IKEview shows that the Checkpoint box hears nothing back from the Netscreen end: no Quick Mode packet 2 received from the peer.

3) If we choose SA between GW and GW, then Checkpoint sends the local enc domain as 0.0.0.0, hence failing.

Please suggest how to make it work. It did come up once when the customer end initiated traffic from their end, maybe because Checkpoint is loose in checking the network masks.
Could not capture logs as we had to stop for the day. Will resume the testing tomorrow.

Your valuable feedback will be highly appreciated.

Regards,
-=KIK=-
Attached file: IKEview_Netscreen_logs.zip (50.0 KB)
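As an added illustration (not from the post, nor Check Point's or Juniper's code), the following Python models how a responder checks a received Phase 2 proxy ID against its VPN policy, using the two encryption domains from the post, a constructed host address 172.20.4.5, and an assumed Netscreen policy that mirrors those domains. The three tunnel-management modes are a hypothetical model of what the post reports seeing in IKEview, and the strict (exact-match) versus loose (containment) checks show why only the per-subnet proposal can satisfy an exact-match responder while a host-level proposal passes a loose one.

```python
# Added illustration (not from the post or either vendor): how a responder checks a
# received Phase 2 proxy ID (traffic selector pair) against its VPN policy.
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
ProxyId = Tuple[Net, Net]  # as carried in Quick Mode packet 1: (initiator-local, initiator-remote)

# Encryption domains from the post; the host address is constructed for the example.
LOCAL_DOMAIN = "172.20.4.0/28"
REMOTE_DOMAIN = "10.2.0.0/18"
SAMPLE_HOST = "172.20.4.5"
# The Netscreen side's policy from its own perspective (its local, its remote),
# assumed to mirror the encryption domains in the post.
NETSCREEN_POLICIES: List[ProxyId] = [(Net(REMOTE_DOMAIN), Net(LOCAL_DOMAIN))]

def proposal(mode: str, host: str = SAMPLE_HOST) -> ProxyId:
    """Hypothetical model of the proxy ID each Check Point tunnel-management option
    produces, based only on what the post reports seeing in IKEview."""
    if mode == "per-host":            # /32 for the sending host vs the remote subnet
        return Net(f"{host}/32"), Net(REMOTE_DOMAIN)
    if mode == "per-subnet":          # whole local domain vs whole remote domain
        return Net(LOCAL_DOMAIN), Net(REMOTE_DOMAIN)
    if mode == "gateway-to-gateway":  # local domain sent as 0.0.0.0 (any)
        return Net("0.0.0.0/0"), Net("0.0.0.0/0")
    raise ValueError(f"unknown mode {mode!r}")

def strict_match(received: ProxyId, policies: List[ProxyId]) -> bool:
    """Exact-match semantics: accept only a policy whose addresses equal the received
    pair (swapped, because the responder's remote is the initiator's local)."""
    src, dst = received
    return any(src == p_remote and dst == p_local for p_local, p_remote in policies)

def loose_match(received: ProxyId, policies: List[ProxyId]) -> bool:
    """Containment semantics: accept if the received selectors fit inside a policy,
    the 'loose in checking the network masks' behaviour the post suspects."""
    src, dst = received
    return any(src.subnet_of(p_remote) and dst.subnet_of(p_local)
               for p_local, p_remote in policies)

def evaluate(mode: str) -> Tuple[bool, bool]:
    """Return (strict_ok, loose_ok) for one tunnel-management option."""
    pid = proposal(mode)
    return strict_match(pid, NETSCREEN_POLICIES), loose_match(pid, NETSCREEN_POLICIES)

if __name__ == "__main__":
    for mode in ("per-host", "per-subnet", "gateway-to-gateway"):
        strict_ok, loose_ok = evaluate(mode)
        print(f"{mode:20s} strict={strict_ok} loose={loose_ok}")
```

When troubleshooting this kind of failure, compare the proxy ID pair shown in IKEview's Quick Mode packet 1 against the responder's policy addresses the same way; the per-subnet option only matches if the peer's policy is defined on exactly those two networks.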