What if you use a traditional mode policy in NGX? Isn't that possible?

Chris

-----Original Message-----
From: David S. Barker [mailto:[EMAIL PROTECTED]
Sent: Wed Nov 09 23:38:47 2005
To: [email protected]
Subject: Re: [FW-1] VPN stop working after upgrading from NG FP3 to NGX R60

Bernard Jen,

I've seen this problem many times. Mostly it's because Pre-NGX the option for "support key exchange for subnets" was a property that was set on the interoperable device. In NGX this property is removed from the interoperable device/gateway properties and now exists in the VPN community as Tunnel Management -> VPN Tunnel Sharing. This property is *NOT* transferred correctly during an upgrade_import. Basically all VPN communities are set to "One VPN tunnel per subnet pair" which would be the same as "support key exchange for subnets" in PRE-NGX land.

Judging that your vpn is no longer working, I'd say you need to change the community settings to "One VPN tunnel per each pair of hosts", the equivalent to an unchecked "support key exchange for subnets."

Here's the kicker.. Prior to NGX you could have multiple vpn partners in a Star topology community with this setting being different on different interoperable devices. Now you'd have to build two different communities for each interoperable device that supports this property differently.

Hope that's it.

Compuquip TECHNOLOGIES
"Providing Solutions Since 1980"
David Barker
Senior Security Engineer
Internet Security Division
Phone: 305.436.7272 X 1364
Fax: 305.436.9149
email:[EMAIL PROTECTED]

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Bernard Jen
Sent: Tuesday, November 08, 2005 8:11 PM
To: [email protected]
Subject: [FW-1] VPN stop working after upgrading from NG FP3 to NGX R60

After we upgraded from NG FP3 to NGX R60, the site-to-site VPN stopped working. We exported the rules from the old firewall and imported them back to the new firewall. All the objects and rules are untouched.
When we tried to ftp to our VPN partner, phase 1 completed okay (Mail mode completion), but in phase 2 the actual ftp traffic was dropped. The log said something like NO valid SA .............

Please HELP!! Thank you in advance for answers.

Bernard Jen

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================

The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies. This email was scanned for viruses, vandals and malicious content.
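The tunnel-sharing mismatch described in the thread can be modelled offline. The following is an added example, not part of the original messages and not Check Point code: it computes the Phase 2 identities a gateway would propose under each VPN Tunnel Sharing value and groups partners by the value they need, which is why partners with different requirements end up in separate communities. It assumes a strict peer that accepts only an exact mirror of its configured selectors; all function names, partner names and addresses are constructed for illustration.

```python
import ipaddress

# The two NGX "VPN Tunnel Sharing" values named in the thread.
PER_SUBNET = "One VPN tunnel per subnet pair"
PER_HOST = "One VPN tunnel per each pair of hosts"

def net(s):
    return ipaddress.ip_network(s)

def proposed_ids(src, dst, local_domain, remote_domain, mode):
    """Phase 2 (local, remote) identities proposed for one connection src -> dst."""
    if mode == PER_HOST:
        return net(src), net(dst)            # host identities (/32 for IPv4)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    local = next(n for n in local_domain if src_ip in n)
    remote = next(n for n in remote_domain if dst_ip in n)
    return local, remote                     # whole-subnet identities

def peer_accepts(ids, peer_selectors):
    """Assumption: a strict peer accepts only an exact mirror of a configured pair."""
    local, remote = ids
    return (remote, local) in peer_selectors

def working_modes(src, dst, local_domain, peer):
    """Tunnel-sharing values under which this peer would build a Phase 2 SA."""
    return [m for m in (PER_SUBNET, PER_HOST)
            if peer_accepts(proposed_ids(src, dst, local_domain, peer["domain"], m),
                            peer["selectors"])]

def communities_needed(flows, local_domain, peers):
    """Group peers by the value they need; each distinct value means its own community."""
    groups = {}
    for name, (src, dst) in flows.items():
        modes = working_modes(src, dst, local_domain, peers[name])
        groups.setdefault(modes[0] if modes else None, []).append(name)
    return groups

# Constructed sample data (documentation and private address ranges).
LOCAL_DOMAIN = [net("192.168.10.0/24")]
PEERS = {
    "partner-a": {"domain": [net("198.51.100.0/24")],      # host-based selectors
                  "selectors": [(net("198.51.100.20/32"), net("192.168.10.5/32"))]},
    "partner-b": {"domain": [net("203.0.113.0/24")],       # subnet-based selectors
                  "selectors": [(net("203.0.113.0/24"), net("192.168.10.0/24"))]},
}
FLOWS = {"partner-a": ("192.168.10.5", "198.51.100.20"),
         "partner-b": ("192.168.10.7", "203.0.113.9")}

if __name__ == "__main__":
    for mode, names in communities_needed(FLOWS, LOCAL_DOMAIN, PEERS).items():
        print(mode, "->", names)
```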
