Solved

Checkpoint Express Gateway to Gateway IPSEC VPN

Posted on 2004-08-04
Last Modified: 2013-11-16
I am attempting to configure Checkpoint Express Gateway to Gateway IPSEC VPN with the following parameters:

- Both sites are using Checkpoint (Local: Checkpoint Express NG, remote: Checkpoint Firewall1/VPN1 4.1)
- Remote Gateway must be configured as an Interoperable device
- IKE and pre-shared key

Is there any documentation available anywhere that would give me some detailed instructions on how this is done? I have attempted using documentation from Checkpoint's website, but that doesn't seem to help. I also have the latest Checkpoint NG book (Phoneboy's), but the specific example doesn't work for me. This must be relatively simple, but I am not having much luck.
Question by:anamops
3 Comments
Expert Comment

by:Tim Holman
ID: 11721250
- Remote Gateway must be configured as an Interoperable device

Why? This is only for other IPSEC equipment, like Cisco PIX, Netscreen, Nortel etc.

Expert Comment

by:yokel
ID: 11725531
tim_holman is right, you just set it up as another checkpoint device, running 4.1.
I think there are some issues with Diffie-Hellman keys, if you are using Perfect Forward Secrecy on Phase 2 IPSEC.
I believe 4.1 uses DH group 2 (which you cannot change), NG defaults to DH 1 though. You can change this though to DH 2.

Accepted Solution

by:
dschwartzer earned 500 total points
ID: 11763656
As Tim and Yokel mentioned already, on each FW have the Interoperable-device definition of the peer removed and redefine them as 'externally managed' - in 4.1 there's a checkbox somewhere to make the module 'external'.
Make sure to have a pre-shared secret defined in NG - it's not the default - I think it's done with "set traditional IKE parameters".
On each Firewall have its peer's pre-shared secret defined (they must be equal), and the most important part, make all IKE parameters equal - especially DH groups (set to group 2 (== 1024 bits) - thanks to yokel), and lifetimes.
Notice that phase 2 parameters are set in the policy 'encrypt' rule in 4.1, as opposed to the gateway's/community's definition in NG.

When this is done, install policies and read the logs - especially the NG ones.

Good luck,
d
P.S.: if this doesn't work, please mention whether you're using traditional or simplified policy in NG
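The accepted answer's core point is that every IKE parameter (DH group, lifetimes, PFS, pre-shared secret) has to agree on both peers before the tunnel negotiates. The following is an added example, not code from the thread or from Check Point: a small checker that compares two constructed peer definitions and reports each mismatch, expanding DH group numbers to their modulus size. Field names and sample values are assumptions made up for illustration.

```python
# Added example: report IKE parameters that differ between two Check Point peers.
# Field names and sample values are constructed; they are not Check Point's own format.

DH_GROUP_BITS = {1: 768, 2: 1024}  # modulus size per Diffie-Hellman group

# Parameters the accepted answer says must be equal on both peers, per phase.
MUST_MATCH = {
    "phase1": ("encryption", "hash", "dh_group", "lifetime_seconds"),
    "phase2": ("encryption", "hash", "pfs", "pfs_dh_group", "lifetime_seconds"),
}


def describe(key, value):
    """Render a value, expanding DH group numbers to their modulus size."""
    if key.endswith("dh_group") and value in DH_GROUP_BITS:
        return f"group {value} ({DH_GROUP_BITS[value]}-bit)"
    return repr(value)


def compare_peers(local, remote):
    """Return a list of mismatch descriptions; an empty list means the peers agree."""
    problems = []
    # Secrets must be equal, but their values are never echoed into the report.
    if local["psk"] != remote["psk"]:
        problems.append("pre-shared secret differs between peers")
    for phase, keys in MUST_MATCH.items():
        for key in keys:
            lv, rv = local[phase].get(key), remote[phase].get(key)
            if lv != rv:
                problems.append(
                    f"{phase}.{key}: local {describe(key, lv)}, remote {describe(key, rv)}"
                )
    return problems


# Constructed sample: NG left at its DH group 1 default, the 4.1 peer fixed at group 2.
NG_PEER = {
    "psk": "example-secret",
    "phase1": {"encryption": "3DES", "hash": "SHA1", "dh_group": 1, "lifetime_seconds": 86400},
    "phase2": {"encryption": "3DES", "hash": "SHA1", "pfs": True, "pfs_dh_group": 1, "lifetime_seconds": 3600},
}
FW1_PEER = {
    "psk": "example-secret",
    "phase1": {"encryption": "3DES", "hash": "SHA1", "dh_group": 2, "lifetime_seconds": 86400},
    "phase2": {"encryption": "3DES", "hash": "SHA1", "pfs": True, "pfs_dh_group": 2, "lifetime_seconds": 3600},
}

if __name__ == "__main__":
    for line in compare_peers(NG_PEER, FW1_PEER) or ["IKE parameters agree"]:
        print(line)
```

Run against the sample, it flags only the two DH group mismatches; setting the NG side to group 2 in both phases clears the report.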