Solved

Checkpoint Express Gateway to Gateway IPSEC VPN

Posted on 2004-08-04
907 Views
Last Modified: 2013-11-16
I am attempting to configure Checkpoint Express Gateway to Gateway IPSEC VPN with the following parameters:

- Both sites are using Checkpoint (Local: Checkpoint Express NG, remote: Checkpoint Firewall1/VPN1 4.1)
- Remote Gateway must be configured as an Interoperable device
- IKE and pre-shared key

Is there any documentation available anywhere that would give me some detailed instructions on how this is done? I have attempted using documentation from Checkpoint's website, but that doesn't seem to help. I also have the latest Checkpoint NG book (Phoneboy's), but the specific example doesn't work for me. This must be relatively simple, but I am not having much luck.
0
Question by:anamops
3 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11721250
- Remote Gateway must be configured as an Interoperable device

Why? This is only for other IPSEC equipment, like Cisco PIX, Netscreen, Nortel etc.
0
 
LVL 3

Expert Comment

by:yokel
ID: 11725531
tim_holman is right, you just set it up as another checkpoint device, running 4.1.
I think there are some issues with Diffie-Hellman keys if you are using Perfect Forward Secrecy on Phase 2 IPSEC.
I believe 4.1 uses DH 2 (which you cannot change); NG defaults to DH 1 though. You can change this to DH 2 though.
0
 
LVL 3

Accepted Solution

by:
dschwartzer earned 500 total points
ID: 11763656
As Tim and Yokel mentioned already, on each FW have the Interoperable-device definition of the peer removed, redefine them as 'externally managed' - in 4.1 there's a checkbox somewhere to make the module 'external'.
Make sure to have a pre-shared secret defined in NG - it's not the default - I think it's done with "set traditional IKE parameters".
On each Firewall have its peer's pre-shared secret defined (they must be equal), and the most important part: make all IKE parameters equal - especially DH groups (set to group 2 (== 1024 bits) - thanks to yokel), and lifetimes.
Notice that phase 2 parameters are set in the policy 'encrypt' rule in 4.1, as opposed to the gateway's/community's definition in NG.

When this is done, install policies and read the logs - especially the NG ones.

Good luck,
d
P.S.: if this doesn't work, please mention whether you're using traditional or simplified policy in NG
0
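The accepted answer boils down to one rule: the two peers only bring the tunnel up if their pre-shared secrets are equal and every Phase 1 / Phase 2 attribute (encryption, hash, DH group, lifetime) lines up. The script below is an added illustration, not Check Point code and not something posted in this thread. It models the two gateways from the question with constructed parameter sets (names, the pre-shared secret and the exact proposals are assumptions), simulates responder-style proposal selection, and reports which attribute blocks negotiation. The sample reproduces the DH group 1 vs group 2 mismatch yokel pointed out, and shows the negotiation succeeding once NG is set to group 2. It also compares the secrets with a constant-time comparison, which is the right habit whenever secrets are checked in code.

```python
"""Added example (not from the thread): simulate IKEv1 phase 1 / phase 2
proposal matching between two VPN gateways. All gateway names, secrets and
proposal values below are constructed for illustration."""
from dataclasses import dataclass, replace
import hmac

# Attributes that both peers must agree on for a proposal to be accepted.
ATTRS = ("encryption", "hash_alg", "dh_group", "lifetime_s")


@dataclass(frozen=True)
class Proposal:
    encryption: str   # e.g. "3DES"
    hash_alg: str     # e.g. "SHA1"
    dh_group: int     # 1 = 768-bit MODP, 2 = 1024-bit MODP (0 = no PFS, phase 2 only)
    lifetime_s: int   # SA lifetime in seconds


@dataclass(frozen=True)
class Gateway:
    name: str
    psk: bytes
    phase1: tuple     # IKE (phase 1) proposals, in preference order
    phase2: tuple     # IPsec (phase 2) proposals, in preference order


def negotiate(initiator, responder):
    """Responder-style selection: the first initiator proposal that the
    responder accepts on every attribute wins. Returns (chosen, diffs);
    when nothing matches, diffs lists every attribute disagreement so the
    reader can see what to look for in the gateway logs."""
    for p in initiator:
        for r in responder:
            if all(getattr(p, a) == getattr(r, a) for a in ATTRS):
                return p, []
    diffs = set()
    for p in initiator:
        for r in responder:
            for a in ATTRS:
                if getattr(p, a) != getattr(r, a):
                    diffs.add(f"{a}: initiator {getattr(p, a)} vs responder {getattr(r, a)}")
    return None, sorted(diffs)


def check_tunnel(local, peer):
    """Run the three checks the accepted answer insists on: equal secrets,
    a common phase 1 proposal and a common phase 2 proposal."""
    psk_ok = hmac.compare_digest(local.psk, peer.psk)   # constant-time compare
    p1, p1_diffs = negotiate(local.phase1, peer.phase1)
    p2, p2_diffs = negotiate(local.phase2, peer.phase2)
    return {
        "psk_match": psk_ok,
        "phase1": p1, "phase1_diffs": p1_diffs,
        "phase2": p2, "phase2_diffs": p2_diffs,
        "tunnel_up": psk_ok and p1 is not None and p2 is not None,
    }


def align_dh_group(gw, group):
    """Return a copy of the gateway with every phase 1 proposal moved to
    the given DH group (the fix suggested in the thread: NG -> group 2)."""
    return replace(gw, phase1=tuple(replace(p, dh_group=group) for p in gw.phase1))


# Constructed sample: NG Express defaults to DH group 1 in phase 1,
# while the FW-1 4.1 peer only offers group 2 (constructed values).
SHARED_SECRET = b"example-pre-shared-secret"   # constructed, not a real secret

NG_EXPRESS = Gateway(
    name="ng-express-local",
    psk=SHARED_SECRET,
    phase1=(Proposal("3DES", "SHA1", 1, 86400),),
    phase2=(Proposal("3DES", "SHA1", 2, 3600),),
)

FW1_41 = Gateway(
    name="fw1-4.1-remote",
    psk=SHARED_SECRET,
    phase1=(Proposal("3DES", "SHA1", 2, 86400),),
    phase2=(Proposal("3DES", "SHA1", 2, 3600),),
)

if __name__ == "__main__":
    before = check_tunnel(NG_EXPRESS, FW1_41)
    print("before:", before["tunnel_up"], before["phase1_diffs"])
    after = check_tunnel(align_dh_group(NG_EXPRESS, 2), FW1_41)
    print("after: ", after["tunnel_up"], after["phase1_diffs"])
```

Running it prints the phase 1 disagreement (`dh_group: initiator 1 vs responder 2`) for the default configuration and a clean match after `align_dh_group` moves NG to group 2; the same structure works for checking lifetime or hash mismatches, which show up in the diff list in exactly the same way.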
