CPUG: The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hello All,

I have some problems creating a Site to Site VPN through my Edges (firmware 6.0.74x) and my NGX VPN-1. I have created the object in my Dashboard and added all the information to the VPN object. I got the error message in the Tracker that told me "no proposal chosen". No VPN is working, only through the "Remote Access Client" mode. Please, can anybody help me? I also need the steps for how to create the site to site VPN in the Dashboard because I'm not 100% sure that everything is selected and entered in the right way!

Thank you very much in advance,
Stephane

Hi,

I ripped the text below the --- from the sofaware.com Knowledge Base. Their KB isn't the best... ok, it's really quite bad, but it may help.

For our VPN communities that include Edge devices, I just used the standard options. In the past, with this "no proposal chosen" error, I've seen that it relates to VPN Properties / Advanced VPN Properties of the objects and the community. Since Edge devices don't have these object settings, I'll give you my community ones:

IKE Phase 1: AES-256 / SHA1
IKE Phase 2: AES-128 / MD5

Advanced VPN Properties:
IKE Phase 1: Group 2 (1024 bit), renegotiation 1440 minutes
IKE Phase 2: renegotiation 3600 seconds

All other advanced VPN options are unselected. I'm not on the new firmware so I don't know if that's a problem or not.

---

No proposal chosen error message when creating site to site between Check Point VPN-1 module and Edge device

Answer

A VPN connection between Check Point VPN-1 and an Edge device may fail with error message 'No proposal chosen'. This can happen for the following reasons:

* The VPN-1 Edge gateway object is used in a traditional mode rulebase for the VPN (Encrypt) rule. To work around this, you can use the standard Check Point externally managed gateway object instead of the VPN-1 Edge object.
* IP Compression is enabled for the VPN tunnel in SmartDashboard. The VPN-1 Edge gateway does not support IP compression.

More info from CP's SK:

Edge VPN fails with error "No proposal chosen"
Solution ID: #sk26022
Product: VPN-1 Edge
Version: NG, NG AI
Last Modified: 06-Apr-2005

Symptoms
* VPN between VPN-1 Edge and VPN-1 NG with Application Intelligence R55 using certificates cannot establish a tunnel.
* Error: "No proposal chosen" in SmartView Tracker

Cause
Date on VPN-1 Edge device is incorrect, causing the certificate to be rejected by the remote gateway.

Solution
Set the correct date on VPN-1 Edge per sk25955.

Applies To:
* R55
* Site-to-site VPN

+++++++++++++++++++++

Setting date and time on VPN-1 Edge appliance
Solution ID: #sk25955
Product: VPN-1 Edge
Version: NG AI, NG
Last Modified: 06-Apr-2005

Solution
Procedure:
1) In the VPN-1 Edge GUI, select Setup.
2) Go to "Tools".
3) Select the "Set Time" button.
4) Then "Set the time manually".
5) Enter the correct system time.
6) Save and Exit.

Applies To:
* R55
* Configuration

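The two replies above give the causes in prose: Phase 1 / Phase 2 proposal sets that do not overlap, IP compression requested from an Edge that cannot do it, and an appliance clock so far off that the certificate falls outside its validity period. The Python model below is an added example, not code from this thread or from Check Point; it reduces each cause to a check you can run against two gateways' settings. The proposal values are the community settings quoted in the thread, while the certificate dates, the "factory" clock value and the function names are constructed for the illustration.

```python
"""Toy model of the IKE proposal match and certificate time check behind
the "No proposal chosen" error discussed in this thread. Constructed
illustration, not Check Point code; dates and clock values are made up."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    """One IKE proposal as configured on a gateway (dh_group: Phase 1 only)."""
    encryption: str                 # e.g. "AES-256", "AES-128", "3DES"
    integrity: str                  # e.g. "SHA1", "MD5"
    dh_group: Optional[int] = None  # Diffie-Hellman group; 2 = 1024 bit


def choose_proposal(offered: List[Proposal],
                    accepted: List[Proposal]) -> Optional[Proposal]:
    """Responder rule: take the first initiator proposal it also supports.

    None means the two configurations share nothing, which the peer logs
    as 'No proposal chosen'."""
    for p in offered:
        if p in accepted:
            return p
    return None


def cert_valid_at(not_before: datetime, not_after: datetime,
                  clock: datetime) -> bool:
    """A certificate is only usable while the validating gateway's clock lies
    inside [not_before, not_after]; a wrong date fails this check even though
    the certificate itself is fine (the sk26022 case)."""
    return not_before <= clock <= not_after


def diagnose(p1_offered, p1_accepted, p2_offered, p2_accepted,
             cert_not_before, cert_not_after, validator_clock,
             ipcomp_enabled=False, peer_supports_ipcomp=False) -> List[str]:
    """Collect every cause from the thread that applies to this pair."""
    findings = []
    if choose_proposal(p1_offered, p1_accepted) is None:
        findings.append("phase1: no common encryption/integrity/DH group")
    if choose_proposal(p2_offered, p2_accepted) is None:
        findings.append("phase2: no common encryption/integrity")
    if ipcomp_enabled and not peer_supports_ipcomp:
        findings.append("phase2: IP compression enabled but peer cannot do it")
    if not cert_valid_at(cert_not_before, cert_not_after, validator_clock):
        findings.append("cert: validating clock is outside the validity period")
    return findings


# Constructed certificate window and clocks (sample values, not from the thread).
CERT_NOT_BEFORE = datetime(2005, 3, 1, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2006, 3, 1, tzinfo=timezone.utc)
CORRECT_CLOCK = datetime(2005, 4, 6, tzinfo=timezone.utc)
WRONG_EDGE_CLOCK = datetime(2003, 1, 1, tzinfo=timezone.utc)  # never-set appliance date

# Community settings as quoted in the thread.
COMMUNITY_P1 = [Proposal("AES-256", "SHA1", dh_group=2)]
COMMUNITY_P2 = [Proposal("AES-128", "MD5")]


def broken_scenario() -> List[str]:
    """Edge VPN site typed in by hand with 3DES/SHA1, IP compression ticked in
    SmartDashboard, and the appliance clock still on its factory date."""
    edge_p1 = [Proposal("3DES", "SHA1", dh_group=2)]
    edge_p2 = [Proposal("AES-128", "MD5")]
    return diagnose(edge_p1, COMMUNITY_P1, edge_p2, COMMUNITY_P2,
                    CERT_NOT_BEFORE, CERT_NOT_AFTER, WRONG_EDGE_CLOCK,
                    ipcomp_enabled=True, peer_supports_ipcomp=False)


def clock_only_scenario() -> List[str]:
    """Proposals match on both sides; only the Edge date is wrong."""
    return diagnose(COMMUNITY_P1, COMMUNITY_P1, COMMUNITY_P2, COMMUNITY_P2,
                    CERT_NOT_BEFORE, CERT_NOT_AFTER, WRONG_EDGE_CLOCK)


def fixed_scenario() -> List[str]:
    """Matching proposals, IP compression off, date set per sk25955."""
    return diagnose(COMMUNITY_P1, COMMUNITY_P1, COMMUNITY_P2, COMMUNITY_P2,
                    CERT_NOT_BEFORE, CERT_NOT_AFTER, CORRECT_CLOCK)


if __name__ == "__main__":
    for name, fn in (("broken", broken_scenario), ("clock only", clock_only_scenario),
                     ("fixed", fixed_scenario)):
        print(name, "->", fn() or ["tunnel would negotiate"])
```

The `clock_only_scenario` is the situation the thread eventually settled on: every proposal lines up, and the only finding is the certificate check, which is why the Tracker message looks like a cipher mismatch while the real fix is the appliance date. The `broken_scenario` shows how several of the listed causes stack up behind the same single error string.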
Hi Melipla,

Thank you for your help. I checked both of your replies and had success. The settings are the standard configuration and I took them. I think the main solution was the time difference between the Edge and the NGX. The VPN has been working since I changed it. The funny thing is that I had no problems with the other NG AI firewalls in my network!

Thank you again for your help,
Stephane

Now I have another problem. The users from the remote network behind the Edge are able to connect to my network but I cannot connect to their network! Any suggestions?

There could be a lot of reasons why it wouldn't make it. Make sure you have GW-to-GW rules in place with the proper networks, try some traceroutes to see where the traffic actually goes, and SmartView Tracker should give you a good idea of who's dropping the traffic originating from your network to theirs.

HTH

Hello Melipla and all others,

I found two solutions during the last working days:

1. If the VPN works only for one of the network sites, the cause is that the certificate on the Edge is damaged. I renewed it and the problem was fixed.
2. The Site to Site VPN only worked perfectly when the Edge object is marked as "Externally Managed Gateway" in the Dashboard. The VPN site should be created manually in the web interface of the Edge. Use as encryption, for example, AES256/SHA1. The same should be selected in the Dashboard's VPN community and it works fine.

So, all of my Edges are working fine as Site to Site VPN together with the NGX.

Thank you and have a nice day,
Stephane

If the network behind the Edge is a "trusted" one, then you can set it as managed from your SmartCenter and use the "enterprise" VPN profile. This is created automatically by inserting the Edge in a community and pushing the policy to it. In this way you have central management for the box.

Ciao
Maurizio