Solved

Checkpoint Express Gateway to Gateway IPSEC VPN

Posted on 2004-08-04
Last Modified: 2013-11-16
I am attempting to configure Checkpoint Express Gateway to Gateway IPSEC VPN with the following parameters:

- Both sites are using Checkpoint (Local: Checkpoint Express NG, remote: Checkpoint Firewall1/VPN1 4.1)
- Remote Gateway must be configured as an Interoperable device
- IKE and pre-shared key

Is there any documentation available anywhere that would give me some detailed instructions on how this is done? I have attempted using documentation from Checkpoint's website, but that doesn't seem to help. I also have the latest Checkpoint NG book (Phoneboy's), but the specific example doesn't work for me. This must be relatively simple, but I am not having much luck.
Question by:anamops
3 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11721250
- Remote Gateway must be configured as an Interoperable device

Why? This is only for other IPSEC equipment, like Cisco PIX, Netscreen, Nortel etc.
 
LVL 3

Expert Comment

by:yokel
ID: 11725531
tim_holman is right, you just set it up as another checkpoint device running 4.1.
I think there are some issues with Diffie Hellman keys if you are using Perfect Forward Secrecy on Phase 2 IPSEC.
I believe 4.1 uses DH key 2 (which you cannot change); NG defaults to DH 1 though. You can change this to DH 2.
 
LVL 3

Accepted Solution

by: dschwartzer (earned 500 total points)
ID: 11763656
As Tim and Yokel mentioned already, on each FW have the Interoperable-device definition of the peer removed and redefine them as 'externally managed' - in 4.1 there's a checkbox somewhere to make the module 'external'.
Make sure to have a pre-shared secret defined in NG - it's not the default - I think it's done with "set traditional IKE parameters".
On each Firewall have its peer's pre-shared secret defined (they must be equal), and, the most important part, make all IKE parameters equal - especially DH groups (set to group 2 (== 1024 bits) - thanks to yokel) and lifetimes.
Notice that phase 2 parameters are set in the policy 'encrypt' rule in 4.1, as opposed to the gateway's/community's definition in NG.

When this is done, install policies and read the logs - especially the NG ones.

Good luck,
d
P.S.: if this doesn't work, please mention whether you're using traditional or simplified policy in NG

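The accepted solution comes down to one rule: a pre-shared-key tunnel only comes up when both gateways present identical Phase 1 and Phase 2 parameters, and the thread's specific trap is the DH group (NG defaulting to group 1, 4.1 fixed at group 2) plus PFS on Phase 2. The following script is an added example, not Check Point code and not from any poster: it models each peer's settings as plain data, reports every field that differs, and flags a Phase 1 DH group below 1024 bits. The peer names, algorithms, lifetimes and secrets are constructed; the DH group sizes come from RFC 2409 and RFC 3526.

```python
"""Compare the IKE/IPsec settings of two VPN peers and list every mismatch.

Added example (not Check Point's code). Peer settings below are constructed
to reproduce the situation in the thread: NG left on DH group 1 with no PFS,
4.1 on DH group 2 with PFS, same pre-shared secret on both sides.
"""
from dataclasses import dataclass
import hmac
from typing import List

# MODP Diffie-Hellman groups and their modulus sizes (RFC 2409 groups 1 and 2,
# RFC 3526 groups 5 and 14). Group 2 is the "1024 bits" the accepted answer refers to.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}
MIN_DH_BITS = 1024


@dataclass
class IkePhase:
    encryption: str
    integrity: str
    dh_group: int          # Phase 2: 0 means no DH exchange, i.e. PFS disabled
    lifetime_seconds: int


@dataclass
class VpnPeer:
    name: str
    phase1: IkePhase
    phase2: IkePhase
    psk: str               # pre-shared secret; in practice read from a secret store


def compare_phase(label: str, a: IkePhase, b: IkePhase) -> List[str]:
    """Return one line per field on which the two sides of a phase disagree."""
    mismatches = []
    for fld in ("encryption", "integrity", "dh_group", "lifetime_seconds"):
        va, vb = getattr(a, fld), getattr(b, fld)
        if va != vb:
            mismatches.append(f"{label} {fld}: {va} vs {vb}")
    return mismatches


def check_peers(local: VpnPeer, remote: VpnPeer) -> List[str]:
    """List everything that would stop these two peers from negotiating."""
    problems = []
    # Constant-time comparison: the secret must be identical on both gateways.
    if not hmac.compare_digest(local.psk.encode(), remote.psk.encode()):
        problems.append("pre-shared secret differs between peers")
    problems += compare_phase("phase1", local.phase1, remote.phase1)
    problems += compare_phase("phase2", local.phase2, remote.phase2)
    # Independently of agreement, flag a Phase 1 group that is too small.
    for peer in (local, remote):
        g = peer.phase1.dh_group
        if g not in DH_GROUP_BITS:
            problems.append(f"{peer.name}: unknown phase1 DH group {g}")
        elif DH_GROUP_BITS[g] < MIN_DH_BITS:
            problems.append(
                f"{peer.name}: phase1 DH group {g} is only {DH_GROUP_BITS[g]} bits")
    return problems


# Constructed peers. The 4.1 side is fixed at DH group 2 and has PFS on Phase 2.
REMOTE_41 = VpnPeer(
    name="remote-4.1",
    phase1=IkePhase("3des", "sha1", 2, 86400),
    phase2=IkePhase("3des", "sha1", 2, 3600),
    psk="constructed-shared-secret",
)


def example_mismatched() -> List[str]:
    """NG left on its DH group 1 default and without PFS: three findings."""
    local_ng = VpnPeer(
        name="local-ng",
        phase1=IkePhase("3des", "sha1", 1, 86400),
        phase2=IkePhase("3des", "sha1", 0, 3600),
        psk="constructed-shared-secret",
    )
    return check_peers(local_ng, REMOTE_41)


def example_aligned() -> List[str]:
    """NG changed to DH group 2 on both phases, as the thread advises: no findings."""
    local_ng = VpnPeer(
        name="local-ng",
        phase1=IkePhase("3des", "sha1", 2, 86400),
        phase2=IkePhase("3des", "sha1", 2, 3600),
        psk="constructed-shared-secret",
    )
    return check_peers(local_ng, REMOTE_41)


if __name__ == "__main__":
    for line in example_mismatched():
        print("MISMATCH:", line)
    print("after fix:", example_aligned() or "no mismatches")
```

Run it before installing policies on either side; the `MISMATCH` lines are exactly the entries the accepted answer says to look for in the NG logs afterwards, and an empty result for the aligned case is the state both gateways must reach.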