ISAKMP negotiation error Checkpoint <-> Free S/WAN

Stephane Durette sdurette at TimeStep.com
Wed Sep 15 09:00:05 EDT 1999


Harry,
   Take a look at the security descriptors. For example, for CP FW1 to
interoperate with the TimeStep products, CP must initiate communication and
the descriptor "IDENTITY" cannot be included in the descriptor file. I've
received the same error message when trying to initiate communications with
CP FW1 products, and by removing this descriptor, have managed to set up the
ISAKMP.

Cheers

Steph
 

---------------------------------------------------------------------
Stephane Y Durette-  Applications Engineer, TimeStep Corp.
(613) 599-3610 x:4682 Voice          (613) 599-9560 - FAX
mailto:sdurette at timestep.com   http://www.timestep.com
---------------------------------------------------------------------
"Two possibilities exist: either we are alone in the universe or
 we are not. Both are equally terrifying." Arthur C.Clarke
---------------------------------------------------------------------


-----Original Message-----
From: harry at sanwafp.com [mailto:harry at sanwafp.com]
Sent: September 14, 1999 4:09 PM
To: vpn at listserv.secnetgroup.com
Subject: ISAKMP negotiation error Checkpoint <-> Free S/WAN



Hi.

I am configuring a VPN between Checkpoint VPN-1 on Solaris and a Linux
Free S/WAN installation using ISAKMP with a pre-shared secret.

Unfortunately, the Checkpoint seems to provide very little in the way
of debugging messages. The error we are getting is:

	ISAKMP Log: Sent Notification: no proposal chosen <phase1 stage1>
         Negotiation ID: blah blah blah

I have a case open with Checkpoint but the most so far they have
indicated is that I may have too many options checked for ISAKMP.
I have tried every combination of reduction/adding them all but
to no avail. What is not clear to me is whether this message indicates
there are not enough parameters in common or too few or if it is
ambiguous in this regard.

I have tried the config indicated in the very useful site
http://www.opus1.com/vpn/index.html but still don't get any further
than this message.

Any pointers would be greatly appreciated, I am completely new to
this.

Thanks.

-- Harry

--------------------------------
Harry A. Kaplan, Ph.D., Vice President
Sanwa Financial Products Co., LLC
1185 Avenue of the Americas, 19th Floor
New York City, New York 10036
voice     (212) 407-3559
fax       (212) 997-3650
e-mail harry at sanwafp.com

****************************************************************
TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com

The VPN FAQ (under construction) is available at
http://kubarb.phsx.ukans.edu/~tbird/FAQ.html

We are currently experiencing "unsubscribe" difficulties.  If you
wish to unsubscribe, please send a message containing the single line
"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com

****************************************************************
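An added example, not part of the original thread and not code from Check Point, TimeStep or Free S/WAN: a small model of how an IKE responder arrives at the "no proposal chosen" notification in phase 1. The policies below are constructed sample values, the function and variable names are hypothetical, and SA lifetime handling is left out. It shows that the two peers can share most individual algorithms and still fail, because one offered transform has to match one local policy entry on every attribute.

```python
from typing import NamedTuple

NO_PROPOSAL_CHOSEN = 14  # ISAKMP notify message type (RFC 2408)


class Transform(NamedTuple):
    """The four phase 1 attributes RFC 2409 says must be negotiated."""
    encryption: str
    hash: str
    auth: str
    dh_group: int


def select_transform(offered, acceptable):
    """Responder side: return (chosen, notify, report).

    A transform is chosen only if it equals one acceptable policy entry on
    all four attributes; attributes are never mixed across transforms.
    """
    report = []
    for number, t in enumerate(offered, start=1):
        if t in acceptable:
            return t, None, report
        # Closest local policy entry, to show which attributes disagree.
        best = min(acceptable, key=lambda p: sum(a != b for a, b in zip(t, p)))
        diffs = [f for f, a, b in zip(Transform._fields, t, best) if a != b]
        report.append((number, diffs))
    return None, NO_PROPOSAL_CHOSEN, report


# Constructed sample policies (assumptions, not either product's defaults).
INITIATOR_OFFER = [
    Transform("DES-CBC", "MD5", "pre-shared-key", 1),
    Transform("DES-CBC", "SHA", "pre-shared-key", 1),
    Transform("3DES-CBC", "MD5", "pre-shared-key", 1),
]
RESPONDER_POLICY = [
    Transform("3DES-CBC", "MD5", "pre-shared-key", 2),
    Transform("3DES-CBC", "SHA", "pre-shared-key", 2),
]

if __name__ == "__main__":
    chosen, notify, report = select_transform(INITIATOR_OFFER, RESPONDER_POLICY)
    print("chosen:", chosen, "notify:", notify)
    for number, diffs in report:
        print(f"transform #{number} rejected, differs on: {', '.join(diffs)}")
```

In this sample 3DES, MD5, SHA and pre-shared keys are all common to both sides, yet no transform is accepted because every offer uses a Diffie-Hellman group the responder does not allow.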
