Site-to-site VPN with Check Point

Dear guru,

Just wondering if you have tried to build site-to-site from my concentrator 3000 with CP fw-1 NGR55.

We have everything set up as instructed.

We have several subnets. The VPN seems to be working when connecting from net-1; however, it says "no proposal chosen" when pinging from net-2. Both net-1 and net-2 have been defined as the encryption domain on both the CP and the concentrator.

Any ideas will be appreciated.

Thx Nick

Nick Brandson

Hello Nick,

I found this, maybe it gives you a hint:

Peer Address X.X.X.X Not Found

This error message normally appears with the corresponding VPN 3000 Concentrator error message Message: No proposal chosen(14). This is a result of the connections being host-to-host. The router configuration has the IPsec proposals in an order where the proposal chosen for the router matches the access list, but not the peer. The access list has a larger network that includes the host that intersects traffic. In order to correct this, make the router proposal for this concentrator-to-router connection first in line. This allows it to match the specific host first.

20:44:44: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) dest=, src=, dest_proxy= (type=1), src_proxy= (type=1), protocol= ESP, transform= esp-3des esp-md5-hmac , lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
20:44:44: IPSEC(validate_transform_proposal): peer address not found
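
A simplified model of the ordering problem described in the quoted text above, as an added example that is not part of the original post and not Cisco's implementation: entries are checked in sequence order, the first one whose access list covers the proposed proxies is selected, and a peer mismatch on that entry gives "peer address not found". All addresses, sequence numbers and names (`Entry`, `validate`, `shadowed`) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Entry:            # hypothetical model of one crypto-map style entry
    seq: int            # evaluation order (lowest first)
    peer: str           # expected remote gateway
    local: str          # local side of the access list
    remote: str         # remote side of the access list

def covers(net, proxy):
    """True if the proposed proxy range falls inside the access-list network."""
    return ipaddress.ip_network(proxy).subnet_of(ipaddress.ip_network(net))

def validate(entries, peer, local_proxy, remote_proxy):
    """Return (seq, result) for the first entry whose access list matches."""
    for e in sorted(entries, key=lambda e: e.seq):
        if covers(e.local, local_proxy) and covers(e.remote, remote_proxy):
            return (e.seq, "accepted" if e.peer == peer else "peer address not found")
    return (None, "no matching access list")

def shadowed(entries):
    """List (later_seq, earlier_seq) where a broader earlier entry for a
    different peer captures all traffic of a later, more specific entry."""
    ordered = sorted(entries, key=lambda e: e.seq)
    return [(b.seq, a.seq)
            for i, a in enumerate(ordered) for b in ordered[i + 1:]
            if a.peer != b.peer and covers(a.local, b.local) and covers(a.remote, b.remote)]

# Constructed sample data (documentation/private address ranges).
CONCENTRATOR, OTHER_PEER = "203.0.113.10", "203.0.113.20"
HOST_L, HOST_R = "10.1.1.5/32", "10.2.1.5/32"

# Broad network entry for another peer sits ahead of the host-to-host entry.
BROKEN = [Entry(10, OTHER_PEER, "10.1.0.0/16", "10.2.0.0/16"),
          Entry(20, CONCENTRATOR, HOST_L, HOST_R)]
# Host-to-host entry for the concentrator moved first in line.
FIXED = [Entry(5, CONCENTRATOR, HOST_L, HOST_R),
         Entry(10, OTHER_PEER, "10.1.0.0/16", "10.2.0.0/16")]

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, validate(cfg, CONCENTRATOR, HOST_L, HOST_R), shadowed(cfg))
```

Running `shadowed` over an exported list of tunnel definitions flags the ordering issue before a tunnel fails to negotiate.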

