Solved

Checkpoint Express Gateway to Gateway IPSEC VPN

Posted on 2004-08-04
3
934 Views
Last Modified: 2013-11-16
I am attempting to configure Checkpoint Express Gateway to Gateway IPSEC VPN with the following parameters:

- Both sites are using Checkpoint (Local: Checkpoint Express NG, remote: Checkpoint Firewall1/VPN1 4.1)
- Remote Gateway must be configured as an Interoperable device
- IKE and pre-shared key

Is there any documentation available anywhere that would give me some detailed instructions on how this is done?  I have attempted using documentation from Checkpoints website, but that doesn't seem to help.  I also have the latest Checkpoint NG book (Phoneboy's) but the specific example doesn't work for me. This must be relatively simple, but I am not having much luck.
0
Comment
Question by:anamops
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11721250
- Remote Gateway must be configured as an Interoperable device

Why ?  This is only for other IPSEC equipment, like Cisco PIX, Netscreen, Nortel etc.
0
 
LVL 3

Expert Comment

by:yokel
ID: 11725531
tim_holman is right, you just set it up as another checkpoint device, running 4.1
I think there are some issues with Diffie Hellman keys, if you are using Perfect Forward Secrecy on Phase 2 IPSEC.
I believe 4.1 using DH keys 2 (which you cannot change), NG defaults to DH 1 though. You can change this though to DH 2.
0
 
LVL 3

Accepted Solution

by:
dschwartzer earned 500 total points
ID: 11763656
As Tim and Yokel mentioned already, on each FW have the Interoperable-device definition of the peer removed, redifine them as 'externally managed' - in 4.1 there's a checkbox somewhere to make the module 'external'.
Make sure to have a pre-shared secret defined in NG - it's not the default - I think it's done with "set traditional IKE parameters".
On each Firewall have it's peer's pre-shared secret defined (they must be equal), and the most important part make all IKE parameters equal - especially DH groups (set to group 2 (== 1024 bits) - thanks to yokel), and lifetimes.
Notice that phase 2 parameters are set in the policy 'encrypt' rule in 4.1, as opposed to the gateway's/communitie's definition in NG.

When this is done, install policies and read the logs - especially the NG ones.

Good luck,
d
P.S.: if this doesn't work, please mention whether you're using traditional or simplified policy in NG
0

Featured Post

Are You Headed to Black Hat USA 2017?

Getting ready for Black Hat next week? Kick things off with the WatchGuard Badge Challenge and test your puzzle and cipher skills. Do you have what it takes to earn our limited edition Firebox Badge? Get started today - https://crimsonthorn.net

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
Add bar graphs to Access queries using Unicode block characters. Graphs appear on every record in the color you want. Give life to numbers. Hopes this gives you ideas on visualizing your data in new ways ~ Create a calculated field in a query: …
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
Suggested Courses

631 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question