VPN Help - Urgent !!!

[robori]

Plz help me with this situation I've got:

Site1

3DES

MD5
SHA1

Group 2 (1024)
Support agressive mode

Site2

3DES

MD5

Group 2 (1024)

I have this VPN scenarion in which site 1 has both MD5 and SHA1 checked and in site 2 is only MD5 Checked. Also on Site1 I have Support Agressive Mode while site 2 doesn't have this option checked.

While trying to communicate there's an error message relating to IKE Phase1 Security Association (SA) Problems.
Could it be because of this configuration mismatch or not ?


Thanks a lot !
Robori

[cpcpc]

Can you paste the error message?

[robori]

ICMP: Echo Request; ICMP Type: 8; ICMP Code: 0; encryption fail reason: Packed is Dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge.

[melipla]

Quote:

Originally Posted by robori

While trying to communicate there's an error message relating to IKE Phase1 Security Association (SA) Problems.
Could it be because of this configuration mismatch or not ?

Absolutely! Ensure that the timing is the same on both sides. Remember, for R60 at least, it's possible that the Gateway Object has different IKE settings then the VPN Community Object, check both. Are both gateways Check Point? FYI I've heard of problems w/Aggressive Mode, you may want to disable it.

Cheers

[robori]

Now the configuration is equal on both gateways. The're R55 gateways and now both of them have SUpport Agressive Mode turned on and both MD5/SHA1 for integrity.

I've changed this on SIte2 to stay the same as Site1 and saved, performed some testes but the error persists.

:(

[chillyjim]

From the command line:

vpn debug ikeon
vpn debug on

then look at the log files in $FWDIR/log and see what they have to say.

[wowtek]

You have corretct topology on booth site?