Solved

Checkpoint Express Gateway to Gateway IPSEC VPN

Posted on 2004-08-04
3
917 Views
Last Modified: 2013-11-16
I am attempting to configure Checkpoint Express Gateway to Gateway IPSEC VPN with the following parameters:

- Both sites are using Checkpoint (Local: Checkpoint Express NG, remote: Checkpoint Firewall1/VPN1 4.1)
- Remote Gateway must be configured as an Interoperable device
- IKE and pre-shared key

Is there any documentation available anywhere that would give me some detailed instructions on how this is done?  I have attempted using documentation from Checkpoints website, but that doesn't seem to help.  I also have the latest Checkpoint NG book (Phoneboy's) but the specific example doesn't work for me. This must be relatively simple, but I am not having much luck.
0
Comment
Question by:anamops
3 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11721250
- Remote Gateway must be configured as an Interoperable device

Why ?  This is only for other IPSEC equipment, like Cisco PIX, Netscreen, Nortel etc.
0
 
LVL 3

Expert Comment

by:yokel
ID: 11725531
tim_holman is right, you just set it up as another checkpoint device, running 4.1
I think there are some issues with Diffie Hellman keys, if you are using Perfect Forward Secrecy on Phase 2 IPSEC.
I believe 4.1 using DH keys 2 (which you cannot change), NG defaults to DH 1 though. You can change this though to DH 2.
0
 
LVL 3

Accepted Solution

by:
dschwartzer earned 500 total points
ID: 11763656
As Tim and Yokel mentioned already, on each FW have the Interoperable-device definition of the peer removed, redifine them as 'externally managed' - in 4.1 there's a checkbox somewhere to make the module 'external'.
Make sure to have a pre-shared secret defined in NG - it's not the default - I think it's done with "set traditional IKE parameters".
On each Firewall have it's peer's pre-shared secret defined (they must be equal), and the most important part make all IKE parameters equal - especially DH groups (set to group 2 (== 1024 bits) - thanks to yokel), and lifetimes.
Notice that phase 2 parameters are set in the policy 'encrypt' rule in 4.1, as opposed to the gateway's/communitie's definition in NG.

When this is done, install policies and read the logs - especially the NG ones.

Good luck,
d
P.S.: if this doesn't work, please mention whether you're using traditional or simplified policy in NG
0

Featured Post

Active Directory Webinar

We all know we need to protect and secure our privileges, but where to start? Join Experts Exchange and ManageEngine on Tuesday, April 11, 2017 10:00 AM PDT to learn how to track and secure privileged users in Active Directory.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question