IPSEC SA Error

[andyproctor]

i'm trying to establish a tunnel between our checkpoint NG+AI to a Juniper/Netscreen firewall.
we have succesfully exchange keys but when i try and access a host on the remote network i see the following error in the cp logs.

"Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information"

now because we have key exchange i do not understand this error?

[charlesdf23]

This usually means that your encryption domains don't match up. Ensure that you are both using the same thing. (ie hosts and hosts or network and networks). Sometimes building tunnel's to Cisco products you have to uncheck "key exchange for subnets" in order to establish Phase 2

[Huisje]

I was having a problem with a tunnel between a CP FW-1 NG with AI to a Cisco PIX 506E. Traffic from the LAN connected to the PIX to the LAN connected to the CP went through without a problem. The other way arround it was getting blocked by the CP with the "sk19423" error.

Unchecking the "exchange keys for subnets" in the VPN properties of the Interoperable Device fixed it for me. Thanks for the tip!