You should change your Global Properties to simplified mode policy, then create a new policy in simplified mode and recreate all your rules.
Lino

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, September 21, 2005 4:06 AM
To: [email protected]
Subject: Re: [FW-1] Simplified & Traditional VPN

Ray,

Thanks again. Site-to-site compression is disabled and not using PFS.

The error messages are:

On the Edge box:

Failed to establish VPN tunnel with x.x.x.x: no proposal chosen

In SmartTracker:

Rejected by central gateway with this message (central gateway is running Traditional mode policy):

IKE: Main Mode Missing IKE configuration for peer (authentication or encryption or hash).

Thanks!

Huiqi

From: Ray <[EMAIL PROTECTED]IL.COM>
Sent by: Mailing list for discussion of Firewall-1 <[email protected]>
To: [EMAIL PROTECTED]INT.COM
Subject: Re: [FW-1] Simplified & Traditional VPN
Date: 21/09/2005 00:55
Please respond to: Mailing list for discussion of Firewall-1 <[email protected]>

Make sure you have site-to-site compression disabled and Perfect Forward Secrecy disabled, unless you specifically enabled PFS via the command line interface on the Edge box itself.

What does the error message say specifically?

Ray

From: [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
To: [email protected]
Subject: Re: [FW-1] Simplified & Traditional VPN
Date: Tue, 20 Sep 2005 14:24:01 +0100

Ray,

Thanks for the reply.

I have R55 and all appears to be OK except the VPN: the Edge box connects to the SmartCentre successfully, and logging appears centrally.

But the VPN doesn't function at all: "no proposal chosen" shows up in the Edge reports (the time setting is correct on the Edge box), and the central gateway complains about missing IKE information.

Any other pointers?

Thanks!

Huiqi

From: Ray <[EMAIL PROTECTED]IL.COM>
Sent by: Mailing list for discussion of Firewall-1 <[email protected]>
To: [EMAIL PROTECTED]INT.COM
Subject: Re: [FW-1] Simplified & Traditional VPN
Date: 17/09/2005 15:04
Please respond to: Mailing list for discussion of Firewall-1 <[email protected]>

SmartCenter on R54 needs to have the Sofaware AddIn installed to manage Edge boxes. It comes pre-installed with R55. You also need 4.1 Backward Compatibility installed on R54 or R55.

After you get on a compatible version of SmartCenter, Edge will pull the certificate from SmartCenter. SmartCenter will be set up as the Edge's "Service Center."

Note that an Edge does not understand Perfect Forward Secrecy or Site-to-Site IP Compression, so they must be disabled in the community. It can be made to understand PFS, but only via a CLI command, not the web GUI.

HTH,

Ray

From: [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
To: [email protected]
Subject: Re: [FW-1] Simplified & Traditional VPN
Date: Fri, 16 Sep 2005 14:40:10 +0100

Thank you all for the replies on this.

The problem is I think I've done pretty much everything as suggested (apart from upgrading to the latest version - the box is relatively new, and the version is 5.0.73x).

I manage the box and the box logs to the management server, but when trying to establish a VPN I got

On the Edge box:

Failed to establish VPN tunnel with x.x.x.x: no proposal chosen

In SmartTracker:

Rejected by central gateway with this message:

IKE: Main Mode Missing IKE configuration for peer (authentication or encryption or hash).

I have checked and double-checked the IKE properties: all set to various combinations on both ends (the one I want to work is 3DES and SHA1).

Any suggestions?

Thanks,

Huiqi Liu

From: Bob Grabbe <[EMAIL PROTECTED]U>
Sent by: Mailing list for discussion of Firewall-1 <[email protected]>
To: [EMAIL PROTECTED]INT.COM
Subject: Re: [FW-1] Simplified & Traditional VPN
Date: 16/09/2005 14:06
Please respond to: Mailing list for discussion of Firewall-1 <[email protected]>

Your answer confirms my worst fears.
Support has expired on my firewall and I think I might have to pay for help with it. I've inserted the reasons below.
Thanks, though, for the help so far.
Bob Grabbe
[EMAIL PROTECTED]

----- Original Message -----
From: "Lino Eduardo Avila Rodríguez" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, September 15, 2005 12:42 PM
Subject: Re: [FW-1] Simplified & Traditional VPN

> Try www.sofaware.com; there are configuration documents and a knowledge base that will help you.
I did look in their FAQs, but the only docs I could find had to do with connecting two Edge boxes, to a Cisco firewall, and I think one to a Windows server.

> The things you should check in your Edge are these: check the correct time.
I have done this, and it's correct.
> Update to the current version.
Might not be an option; my contract is up and I don't know if I can get clearance to pay for more support.

> I can tell you that first your management has to have a valid IP address, because your Edge device looks for it and tries to connect to it.
It does.

> The configuration is like this: enter the SmartCenter server. Create a profile for the Edge (new checkpoint->profile->vpn-1edge).
This I don't get. When I go to create->Checkpoint I don't have the option to create a profile. I can create either a new Gateway or an Embedded Device, but the only type of Embedded Device I can create is a Nokia 5X. I'd figure that I should be creating a new Gateway, though.

> Then create a new VPN-1 Edge Gateway, associate the profile to it, set up the Registration Key (like a password), do not check Externally managed, set it up for dynamic or static IP, and then press OK; the certificate will then be generated. Then enter the gateway again, and in the VPN tab there's a certificate list; right click it and then export it to a file.
I think if I can get the registration key, though, I might be able to do this. Just having a hard time getting it from the vendor. So far, they haven't given me the Gateway ID and Registration Key to connect to the Sofaware User Center. Hopefully getting this will help.
> This certificate should be automatically imported to your gateway when you connect it to your service center (SmartCenter server). If not, import it manually.
>
> When you want to install a rule policy to the Edge, you'll have to install it in the profile. The Edge updates its policy every 20 min and looks for this profile in the SmartCenter. Also look in the Install On tab on your rules: you'll have to specify to install on your cluster or on your Edge profile; if you don't do this there will be errors on your policy and it won't install.
>
> Best Regards,
>
> Lino E. Avila
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Bob Grabbe
> Sent: Thursday, September 15, 2005 10:59 AM
> To: [email protected]
> Subject: Re: [FW-1] Simplified & Traditional VPN
>
> Along these same lines, I have a firewall R54 running Secure Platform. I'm trying to add an Edge X16 box for a remote site, but having problems getting the two to communicate.
> I think one of the problems I'm having is that I've been unable to find how to export a certificate from the splat platform to import on to the Edge box.
> If anyone has any pointers to any documentation on how to set up a site to site VPN between these two, I'd appreciate it. Everything I can find so far is between two platforms of the same type, i.e. Edge to Edge, or such. I'm relatively new to the Checkpoint community, so the more simplistic it is the better.
> Thanks
> Bob Grabbe
> [EMAIL PROTECTED]
>
> ----- Original Message -----
> From: "Lino Eduardo Avila Rodríguez" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Thursday, September 15, 2005 11:41 AM
> Subject: Re: [FW-1] Simplified & Traditional VPN
>
> > You don't have to change your community; you have to configure simplified mode in Global Properties and then create a new policy, so you'll have your policy in simplified mode, and then you create the rules you previously had plus the new rules for the Edge.
> >
> > Best regards
> >
> > Lino
> >
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
> > Sent: Thursday, September 15, 2005 6:07 AM
> > To: [email protected]
> > Subject: [FW-1] Simplified & Traditional VPN
> >
> > Currently all my VPNs are in traditional mode. I have a "star" topology: one central management station, one central gateway, a number of remote gateways. All running NG AI R55.
> >
> > I now have a VPN-1 Edge box which I'd like to manage from the same SmartCentre, and build a VPN between the Edge box and the central gateway. I understand that this new policy needs to be in simplified mode. However, does it mean that I have to convert my central gateway into simplified mode, if I want to build a VPN between the two? Or can the central gateway stay in traditional mode?
> >
> > Thanks!
> >
> > Huiqi Liu

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
[EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
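The thread turns on two distinct IKE failures: the central gateway's "Missing IKE configuration for peer" (it has no VPN configuration for the Edge at all, because the traditional-mode policy does not include it), and the Phase 2 mismatches Ray asks about (PFS and IP compression), which only surface after Main Mode has already agreed. The following is an added example, not code from the thread or from Check Point: a small model of IKEv1 responder-side proposal selection that reproduces both failure modes and the working case. The gateway names, peer lists, cipher suites and every log string other than the two quoted in the thread are constructed for illustration.

```python
"""
Added example: a model of IKEv1 proposal selection on the responder side,
showing how "Missing IKE configuration for peer" and "no proposal chosen"
arise at different points of the exchange.  All gateway names, peer lists,
cipher settings and the non-quoted log strings are hypothetical and were
constructed for this illustration, not taken from a real configuration.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Phase1:
    """Main Mode proposal: how the IKE SA itself is authenticated and protected."""
    auth: str        # "cert" or "psk"
    enc: str         # "3des", "aes128", ...
    hash: str        # "sha1" or "md5"
    dh_group: int


@dataclass(frozen=True)
class Phase2:
    """Quick Mode proposal: how the IPsec SA is protected.  PFS (a DH group
    in Quick Mode) and IP compression are Phase 2 attributes, so they are only
    compared after Main Mode has completed."""
    enc: str
    integ: str
    pfs_group: Optional[int]   # None = PFS disabled
    ipcomp: bool               # IPComp requested


@dataclass
class Gateway:
    name: str
    phase1: Sequence[Phase1]   # acceptable proposals, most preferred first
    phase2: Sequence[Phase2]
    peers: frozenset           # peers this gateway has VPN configuration for


@dataclass
class Outcome:
    phase1: Optional[Phase1]
    phase2: Optional[Phase2]
    responder_log: str         # what the responder (central gateway) logs
    initiator_log: str         # what the initiator (Edge) reports


def pick(offered: Sequence, accepted: Sequence):
    """IKEv1 responder rule: take the first proposal the initiator offered that
    the responder also accepts, unchanged; otherwise reject the exchange."""
    for proposal in offered:
        if proposal in accepted:
            return proposal
    return None


def negotiate(initiator: Gateway, responder: Gateway) -> Outcome:
    # A responder with no VPN configuration for this peer cannot even begin
    # Main Mode: it has no expected auth/enc/hash for the peer.  This is the
    # position of a gateway whose policy does not include the Edge.
    if initiator.name not in responder.peers:
        return Outcome(None, None,
                       "IKE: Main Mode Missing IKE configuration for peer "
                       "(authentication or encryption or hash)",
                       "no proposal chosen")
    p1 = pick(initiator.phase1, responder.phase1)
    if p1 is None:
        return Outcome(None, None, "IKE: Main Mode no proposal chosen",
                       "no proposal chosen")
    p2 = pick(initiator.phase2, responder.phase2)
    if p2 is None:
        # Main Mode agreed, but PFS/IPComp/transform mismatch in Quick Mode.
        return Outcome(p1, None, "IKE: Quick Mode no proposal chosen",
                       "no proposal chosen")
    return Outcome(p1, p2, "IKE: tunnel established", "tunnel established")


# Constructed settings: 3DES/SHA1 Phase 1 on both sides, as in the thread.
P1_3DES_SHA1 = Phase1("cert", "3des", "sha1", 2)
P2_NO_PFS = Phase2("3des", "sha1", None, False)
P2_PFS = Phase2("3des", "sha1", 2, False)

# The Edge offers no PFS and no IPComp (it cannot enable them from the GUI).
edge = Gateway("edge-remote", [P1_3DES_SHA1], [P2_NO_PFS], frozenset({"central-gw"}))

# Central gateway on a traditional-mode policy that knows nothing about the Edge.
central_traditional = Gateway("central-gw", [P1_3DES_SHA1], [P2_NO_PFS],
                              frozenset({"branch-a", "branch-b"}))
# Same gateway in a community with the Edge, but PFS left enabled.
central_pfs = Gateway("central-gw", [P1_3DES_SHA1], [P2_PFS],
                      frozenset({"branch-a", "branch-b", "edge-remote"}))
# Same gateway with PFS and compression both off.
central_ok = Gateway("central-gw", [P1_3DES_SHA1], [P2_NO_PFS],
                     frozenset({"branch-a", "branch-b", "edge-remote"}))


def scenarios() -> dict:
    return {
        "traditional_policy": negotiate(edge, central_traditional),
        "pfs_on": negotiate(edge, central_pfs),
        "fixed": negotiate(edge, central_ok),
    }


if __name__ == "__main__":
    for name, out in scenarios().items():
        print(f"{name:20s} edge: {out.initiator_log:22s} central: {out.responder_log}")
```

The point the model makes: the Edge reports the same "no proposal chosen" in every failing case, so the responder-side log is what distinguishes a peer that is simply not in the gateway's VPN configuration from a Phase 2 attribute mismatch.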
