Do either a dbedit or a guidbedit on the mgmt station and change "ike_use_largest_possible_subnets" under global properties to false. Repush the policy. If this doesn't work, see sk17544 in the knowledge base.
-Will

> -----Original Message-----
> From: Previtera, Sal [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 19, 2004 1:48 PM
> To: [EMAIL PROTECTED]
> Subject: [FW-1] Super-netting........with 3rd Party Vendors firewalls.
>
> Hello,
>
> Does anyone know how to disable super-netting on a Checkpoint
> R55 NG HFA-09?
>
> The problem I am having is with a Cisco Pix 506 and what
> Checkpoint calls super-netting.
>
> We are able to get a tunnel up as long as the traffic is not coming
> from subnets....where Checkpoint creates SUPER-NETS,
> such as 10.50.x.x, 10.51.x.x, 10.52.x.x (Checkpoint combines it into a
> Super-Net)
>
> I wish there was a way to disable this interesting feature in
> the Global Properties ( "Checkpoint Developers...please take note")
>
> Solution ID: sk26336 does not work on this version......
>
> Phase two Quick Mode failure occurs due to
> configuration/misconfiguration of VPN/encryption domain for
> firewalls involved in site to site VPN tunnels.
> Typically, this occurs when VPN domain group contains either
> numerous networks, or numerous hosts from different
> consecutive networks along with network objects. We write all
> the relevant network objects, which are networks and included
> in the VPN domain of interoperable devices or Check Point
> gateways before FP1, to a kernel table called ranges_by_domain_table.
> Instead of calculating ranges for these gateways we take the
> information for ID payload from this table. By default, when
> computing ranges for Quick Mode ID, VPN-1 combines several
> subnets into one whenever possible. For example, if the
> encryption domain includes two adjacent networks,
> 172.30.32.0/22 and 172.30.36.0/22, VPN-1 will negotiate the
> QM for one subnet 172.30.32.0/21.
> If the peer is a non-Check Point gateway, it will fail the
> key exchange because of the unexpected ID, since it computes
> the ranges differently.
> 10 Configure
>
> =================================================
> To set vacation, Out-Of-Office, or away messages, send an
> email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your subscription
> options, email [EMAIL PROTECTED]
> =================================================
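
Added example, not part of the original thread and not Check Point code: a small Python check that models the default merge described in the quoted knowledge base text with `ipaddress.collapse_addresses` and reports every merged Quick Mode ID for which the peer has no exactly matching selector. The function names and the 192.168.10.0/24 network are hypothetical; treating the merge as an exact-cover collapse is an assumption about VPN-1's behaviour.

```python
import ipaddress


def proposed_qm_ids(encryption_domain):
    """Model of the default behaviour: adjacent subnets in the encryption
    domain are merged into the largest subnet that covers them exactly
    (assumption: equivalent to ipaddress.collapse_addresses)."""
    nets = [ipaddress.ip_network(n) for n in encryption_domain]
    return list(ipaddress.collapse_addresses(nets))


def find_mismatches(encryption_domain, peer_selectors):
    """Return (merged_id, member_subnets) for every merged Quick Mode ID
    that the peer does not have configured as an exact selector."""
    nets = [ipaddress.ip_network(n) for n in encryption_domain]
    peer = {ipaddress.ip_network(n) for n in peer_selectors}
    mismatches = []
    for merged in ipaddress.collapse_addresses(nets):
        if merged not in peer:
            # The subnets that were folded into this unexpected ID.
            members = [n for n in nets if n.subnet_of(merged)]
            mismatches.append((merged, members))
    return mismatches


if __name__ == "__main__":
    # The two /22 networks are the example from the thread; the /24 is a
    # constructed network that has no adjacent neighbour to merge with.
    domain = ["172.30.32.0/22", "172.30.36.0/22", "192.168.10.0/24"]
    # Constructed peer configuration: one selector per real subnet.
    peer = ["172.30.32.0/22", "172.30.36.0/22", "192.168.10.0/24"]

    for merged, members in find_mismatches(domain, peer):
        folded = ", ".join(str(m) for m in members)
        print(f"peer has no selector for {merged} (merged from {folded})")
```

An empty result means each ID the model would negotiate has an identical selector on the peer; any reported entry is a subnet pair to match on the peer side or to keep from being merged.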
