Solved

Cisco 1760 IPSec tunnel to Checkpoint

Posted on 2006-07-13
6
621 Views
Last Modified: 2012-05-05
Hi All,

What a nightmare! <insert endless moaning here>

Anyway, I have a Cisco 1760 here, that has recently acquired the ability to support IPSec Tunnels - See here >> http:Q_21914514.html

Flash version is -> c1700-advsecurityk9-mz.124-8.bin

Now, I expect that the other end is going to be giving me information to configure our end (it seems logical, and hope is on my side) but they are asking some questions that I would prefer to answer correctly (than look stupid :))

So, they want to know the following information, and I am not certain what it means;

Encryption Domain -> they have provided a 134.x.x.x IP address, which has totally lost me
Subnet Mask -> this makes me think that maybe Encryption domain is my internal address range???
IPSec Gateway Address -> I assume this is the external address my router (they provide 155.x.x.x)
Test IPSec Gateway -> Once again, lost (they provide another 155.x.x.x number)
IPSec / Firewall Make -> this one I do know!
Version -> semi obvious
Encryption Method -> I am assuming this will be 3DES (that is what they provided)
Transforms -> I was just going to put what they had, ESP 3DES
Shared Secret -> also seems pretty obvious
Hash Method -> there is something besides MD5 (joking, kind-of)
DH Group -> no idea (they have Group 2)
ISA Timers -> no idea, was going to put what they had - IKE=7200 IPSEC=3600

Writing this down seems to have made it a little clearer (I am not going to edit it above)

Encryption domain is my internal range
IPSec gateway address is my external router IP
Test IPSec gateway isn't necessary
and DH Group will become apparent when I actually configure the router

Am I close?

Thanks in advance

-red
Question by:redseatechnologies
6 Comments
LVL 39

Author Comment

by:redseatechnologies
ID: 17097855
Oh yeah, should I ask another question about how to actually configure the router to connect to the other end as well?  I was planning on adding that here, but want to reward you all for your time fairly!

-red
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 17098456
You've pretty much got it, but here's some clarification.

Transforms = encryption + hash. 3DES-MD5 | 3DES-SHA | AES-MD5, etc.
  Assume you will use 3DES-MD5
Hash Method = MD5 or SHA. This matches your transform, and both ends are the same.
DH Group = Diffie Hellman group 2 = 1024-bit. It will just be "group 2" under your IPSEC policy.
ISA Timers = IKE and IPSEC lifetimes. Cisco's defaults are 28800 and 84600 respectively, so these will need to be adjusted in your router config.
One other thing you need to know is whether or not they use ISAKMP keepalives - and what timer settings.
And you need to know if PFS should be enabled or not.


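For reference, here is how the parameters discussed in the accepted solution map onto IOS 12.4 commands on the 1760. This is an added example, not configuration from the thread or from Cisco's documents; the interface name, the ACL and crypto map names, the shared secret and all addresses (192.168.10.0/24 for the internal range, 10.20.0.0/16 for the remote encryption domain, 203.0.113.1 for the peer gateway) are placeholders to be replaced with the values the other end supplies.

```cisco
! Phase 1 (ISAKMP/IKE): 3DES, MD5, pre-shared key, DH group 2.
! IKE lifetime 7200 s as given by the peer (overrides the IOS default).
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 7200
!
! Shared secret bound to the peer's IPSec gateway address (placeholder).
crypto isakmp key <SHARED-SECRET> address 203.0.113.1
!
! ISAKMP keepalives (dead peer detection): 10 s interval, 3 s retry.
! Configure only if the peer confirms they use them and agrees on timers.
crypto isakmp keepalive 10 3
!
! Phase 2: transform = ESP 3DES with MD5 HMAC; IPSec lifetime 3600 s
! as given by the peer (overrides the IOS default).
crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set TS-3DES-MD5 esp-3des esp-md5-hmac
!
! Encryption domains: our internal range to theirs (both placeholders).
! Only traffic matching this ACL is sent through the tunnel.
ip access-list extended VPN-TO-CHECKPOINT
 permit ip 192.168.10.0 0.0.0.255 10.20.0.0 0.0.255.255
!
crypto map CM-OUTSIDE 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-3DES-MD5
 match address VPN-TO-CHECKPOINT
! PFS: keep the next line only if the peer enables PFS, with the same group.
 set pfs group2
!
! Apply the map to the external interface; its address is the
! "IPSec Gateway Address" the other end is asking for (placeholder).
interface FastEthernet0/0
 description Outside - our IPSec gateway address
 crypto map CM-OUTSIDE
```

Both sides must agree on every one of these values (transform, hash, DH group, lifetimes, PFS, keepalives), or phase 1 or phase 2 negotiation fails; `show crypto isakmp sa` and `show crypto ipsec sa` are the first places to look when it does. 3DES, MD5 and group 2 match what the peer supplied in 2006; a current deployment would choose AES, SHA-2 and a stronger DH group.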
LVL 39

Author Comment

by:redseatechnologies
ID: 17098707
Spectacular,

Thanks for that lrmoore, I don't know what is more exciting - having the answer for my superiors tomorrow, or knowing that I had the right idea :)

-red
LVL 79

Expert Comment

by:lrmoore
ID: 17098801
Take it a step further and show them this document - step by step to configure IPSEC from router to Checkpoint
Checkpoint 4.1
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094ac4.shtml
Or Checkpoint NG
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b4b40.shtml
LVL 39

Author Comment

by:redseatechnologies
ID: 17098835
Dude, you are a star.

I saw that first link, but the second one looks like GOLD!

Thank you so much for your help, again :)

-red
LVL 79

Expert Comment

by:lrmoore
ID: 17098879
Glad to be here!
Good luck!