Looks like some phase2 mismatch to me. Recheck the settings. Sometimes
different vendors use different names for the same option. I have to admit that
I don't know the checkpoint but maybe if you post some screenshots of the admin
interface concerning the tunnel settings I could try to guess.

Holger

> -----Original Message-----
> From: dogbert [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 2 February 2006 11:59
> To: support@pfsense.com
> Subject: Re: AW: [pfSense Support] VPN tunnel between PfSense and
> CheckpointNG
> 
> 
> Holger Bauer wrote:
> > Some logs would be helpful.
> > 
> > Holger
> > 
> >> -----Original Message-----
> >> From: dogbert [mailto:[EMAIL PROTECTED]
> >> Sent: Thursday, 2 February 2006 11:39
> >> To: support@pfsense.com
> >> Subject: [pfSense Support] VPN tunnel between PfSense and
> >> Checkpoint NG
> >>
> >>
> >> Hi everyone,
> >>
> >> I'm having trouble creating a VPN tunnel between my Checkpoint NG R56
> >> cluster and a pfsense box.
> >>
> >> I successfully created a tunnel in the reverse direction, e.g. a client
> >> behind pfsense can connect via IPSEC tunnel to a client protected by
> >> checkpoint. I still have a problem the other way around.
> >>
> >> Both firewalls have been configured with 3DES and MD5 for both phase 1
> >> and 2 and PFS (perfect forward secrecy) and the same shared secret
> >> (obviously).
> >> I've successfully created the same scenario with a SmoothWall box with
> >> Openswan patch and vpnpack.
> >>
> >> Does anyone have any idea?
> >>
> >> Thanks
> >> Riccardo
> >>
> >>
> 
> sure...
> this is the log from pfsense:
> 
> Feb 2 11:45:51 racoon: ERROR: failed to pre-process packet.
> Feb 2 11:45:51 racoon: ERROR: failed to get sainfo.
> Feb 2 11:45:51 racoon: ERROR: failed to get sainfo.
> Feb 2 11:45:51 racoon: INFO: respond new phase 2 negotiation: XXX.XXX.XXX.XXX[0]<=>YYY.YYY.YYY.YYY[0]
> Feb 2 11:45:49 racoon: ERROR: failed to pre-process packet.
> Feb 2 11:45:49 racoon: ERROR: failed to get sainfo.
> Feb 2 11:45:49 racoon: ERROR: failed to get sainfo.
> Feb 2 11:45:49 racoon: INFO: respond new phase 2 negotiation: XXX.XXX.XXX.XXX[0]<=>YYY.YYY.YYY.YYY[0]
> Feb 2 11:45:47 racoon: ERROR: failed to pre-process packet.
> Feb 2 11:45:47 racoon: ERROR: failed to get sainfo.
> Feb 2 11:45:47 racoon: ERROR: failed to get sainfo.
> Feb 2 11:45:47 racoon: INFO: respond new phase 2 negotiation: XXX.XXX.XXX.XXX[0]<=>YYY.YYY.YYY.YYY[0]
> 
> while this is the log from checkpoint:
> 
> Number:                 591705
> Date:                   2Feb2006
> Time:                   11:43:29
> Product:                VPN-1 & FireWall-1
> Interface:              daemon
> Origin:                 der-fw1b (YYY.YYY.YYY.YYY)
> Type:                   Log
> Action:                 Key Install
> Source:                 der-fw1b (YYY.YYY.YYY.YYY)
> Destination:            FW_TEST (XXX.XXX.XXX.XXX)
> Encryption Scheme:            IKE
> VPN Peer Gateway:             FW_TEST (XXX.XXX.XXX.XXX)
> IKE Initiator Cookie:   e9b87140d007eded
> IKE Responder Cookie: 33ef3658619d621c
> Encryption Methods:           3DES + MD5, Pre shared secrets
> Information:                          IKE: Main Mode completion.
> 
> 
> Number:                 593262
> Date:                   2Feb2006
> Time:                   11:44:05
> Product:                VPN-1 & FireWall-1
> Interface:              daemon
> Origin:                 der-fw1b (YYY.YYY.YYY.YYY)
> Type:                   Log
> Action:                 Reject
> Reject Reason:                IKE failure
> Protocol:               ip
> Rule:                   0 - Implied Rules
> Encryption Scheme:    IKE
> VPN Peer Gateway:     FW_TEST (XXX.XXX.XXX.XXX)
> Information:            encryption failure: no response from peer.
> 
> 
> Number:                 594109
> Date:                   2Feb2006
> Time:                   11:44:28
> Product:                VPN-1 & FireWall-1
> Interface:              qfe1
> Origin:                 der-fw1b (YYY.YYY.YYY.YYY)
> Type:                   Log
> Action:                 Drop
> Source:                 CLIENT_A (aaa.aaa.aaa.aa)
> Destination:            CLIENT_B (bbb.bbb.bbb.bbb)
> Protocol:               icmp
> Rule:                   75
> NAT rule number:        39
> NAT additional rule number:   0
> Destination Key ID:     0x00000000
> XlateSrc:               DER-Cluster-EXT (YYY.YYY.YYY.YYY)
> Encryption Scheme:      IKE
> VPN Peer Gateway:       FW_TEST (XXX.XXX.XXX.XXX)
> Encryption Methods:     ESP: 3DES + MD5 + PFS
> Information:            ICMP: Echo Request
>                         ICMP Type: 8
>                         ICMP Code: 0
>                         encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 

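An added example, not part of the original thread and not pfSense or racoon code: a small triage script for racoon logs shaped like the one quoted above. It pairs each `respond new phase 2 negotiation` line with what follows it and flags attempts ending in `failed to get sainfo`, which racoon logs as responder when no sainfo section matches the phase 2 identities the peer proposed. The function names, the addresses and the `IPsec-SA established` line are constructed for illustration, and the log is assumed to be newest-first as pasted.

```python
import re
from collections import Counter

# Constructed sample in the shape of the quoted pfSense log (newest entry first).
# Addresses are documentation ranges; the "IPsec-SA established" attempt is made up.
SAMPLE = """\
Feb 2 11:45:51 racoon: ERROR: failed to pre-process packet.
Feb 2 11:45:51 racoon: ERROR: failed to get sainfo.
Feb 2 11:45:51 racoon: ERROR: failed to get sainfo.
Feb 2 11:45:51 racoon: INFO: respond new phase 2 negotiation: 192.0.2.1[0]<=>198.51.100.7[0]
Feb 2 11:45:49 racoon: ERROR: failed to pre-process packet.
Feb 2 11:45:49 racoon: ERROR: failed to get sainfo.
Feb 2 11:45:49 racoon: INFO: respond new phase 2 negotiation: 192.0.2.1[0]<=>198.51.100.7[0]
Feb 2 11:40:02 racoon: INFO: IPsec-SA established: ESP/Tunnel 203.0.113.9[0]->192.0.2.1[0] spi=1(0x1)
Feb 2 11:40:01 racoon: INFO: respond new phase 2 negotiation: 192.0.2.1[0]<=>203.0.113.9[0]
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) racoon: (?P<lvl>[A-Z]+): (?P<msg>.*)$")
START = re.compile(r"respond new phase 2 negotiation: (?P<local>\S+?)\[\d+\]<=>(?P<peer>\S+?)\[\d+\]")

def triage(text, newest_first=True):
    """Return one dict per phase 2 attempt, in chronological order."""
    lines = [l for l in text.splitlines() if l.strip()]
    if newest_first:
        lines.reverse()  # restore chronological order before pairing lines
    attempts, current = [], None
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue
        start = START.search(m["msg"])
        if start:  # a new responder-side phase 2 negotiation begins here
            current = {"ts": m["ts"], "peer": start["peer"], "errors": [], "outcome": "pending"}
            attempts.append(current)
        elif current is None:
            continue  # line belongs to something before the first attempt
        elif m["lvl"] == "ERROR":
            current["errors"].append(m["msg"])
            if "failed to get sainfo" in m["msg"]:
                current["outcome"] = "no-matching-sainfo"
        elif "IPsec-SA established" in m["msg"]:
            current["outcome"] = "established"
    return attempts

def summarize(attempts):
    """Count attempts per (peer, outcome) so a repeating failure stands out."""
    return dict(Counter((a["peer"], a["outcome"]) for a in attempts))

if __name__ == "__main__":
    print(summarize(triage(SAMPLE)))
```

A peer whose every attempt lands in `no-matching-sainfo` while phase 1 completes is the pattern to compare against the phase 2 settings on both gateways.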