Solved

Cisco 1760 IPSec tunnel to Checkpoint

Posted on 2006-07-13
612 Views
Last Modified: 2012-05-05
Hi All,

What a nightmare! <insert endless moaning here>

Anyway, I have a Cisco 1760 here, that has recently acquired the ability to support IPSec Tunnels - See here >> http:Q_21914514.html

Flash version is -> c1700-advsecurityk9-mz.124-8.bin

Now, I expect that the other end is going to be giving me information to configure our end (it seems logical, and hope is on my side) but they are asking some questions that I would prefer to answer correctly (than look stupid :))

So, they want to know the following information, and I am not certain what it means;

Encryption Domain -> they have provided a 134.x.x.x IP address, which has totally lost me
Subnet Mask -> this makes me think that maybe Encryption domain is my internal address range???
IPSec Gateway Address -> I assume this is the external address my router (they provide 155.x.x.x)
Test IPSec Gateway -> Once again, lost (they provide another 155.x.x.x number)
IPSec / Firewall Make -> this one I do know!
Version -> semi obvious
Encryption Method -> I am assuming this will be 3DES (that is what they provided)
Transforms -> I was just going to put what they had, ESP 3DES
Shared Secret -> also seems pretty obvious
Hash Method -> there is something besides MD5 (joking, kind-of)
DH Group -> no idea (they have Group 2)
ISA Timers -> no idea, was going to put what they had - IKE=7200 IPSEC=3600

Writing this down seems to have made it a little clearer (I am not going to edit it above)

Encryption domain is my internal range
IPSec gateway address is my external router IP
Test IPSec gateway isn't necessary
and DH Group will become apparent when I actually configure the router

Am I close?

Thanks in advance

-red
Question by:redseatechnologies
6 Comments
LVL 39

Author Comment

by:redseatechnologies
ID: 17097855
Oh yeah, should I ask another question about how to actually configure the router to connect to the other end as well?  I was planning on adding that here, but want to reward you all for your time fairly!

-red
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 17098456
You've pretty much got it, but here's some clarification.

Transforms = encryption + hash: 3DES-MD5 | 3DES-SHA | AES-MD5, etc.
  Assume you will use 3DES-MD5
Hash Method = MD5 or SHA. This matches your transform, and both ends are the same.
DH Group = Diffie-Hellman group 2 = 1024-bit. It will just be "group 2" under your IPSEC policy.
ISA Timers = IKE and IPSEC lifetimes. Cisco's defaults are 28800 and 84600 respectively, so these will need to be adjusted in your router config.
One other thing you need to know is whether or not they use ISAKMP keepalives - and what timer settings.
And you need to know if PFS should be enabled or not.


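As an added example (not configuration from the thread, from Cisco or from Checkpoint), here is how the fields in the question map onto an IOS 12.4 site-to-site IPsec configuration using the values lrmoore clarifies above: a 3DES-MD5 transform, DH group 2, IKE lifetime 7200 and IPsec lifetime 3600, with the keepalive and PFS lines included as settings to confirm with the Checkpoint side. The peer address, internal and remote ranges, object names and the shared secret are constructed placeholders.

```cisco
! Added example: IOS 12.4 site-to-site IPsec to a Checkpoint peer.
! All addresses, names and the key are constructed placeholders.
!
! Phase 1 (ISAKMP/IKE): encryption 3DES, hash MD5, DH group 2,
! IKE lifetime 7200 s (Cisco default differs, so set it explicitly)
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 7200
!
! Shared secret, bound to their "IPSec Gateway Address" (placeholder)
crypto isakmp key REPLACE_WITH_SHARED_SECRET address 198.51.100.1
!
! ISAKMP keepalives (dead peer detection): interval 10 s, 3 retries.
! Only use this, and only with these timers, if the Checkpoint side does.
crypto isakmp keepalive 10 3
!
! Phase 2 transform set = encryption + hash ("ESP 3DES" with MD5)
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
 mode tunnel
!
! Encryption domain: our internal range <-> their range.
! Placeholders: 192.0.2.0/24 is ours, 203.0.113.0/24 is theirs.
ip access-list extended VPN-TO-CHECKPOINT
 permit ip 192.0.2.0 0.0.0.255 203.0.113.0 0.0.0.255
!
crypto map CP-VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP-3DES-MD5
 ! PFS must match the far end: remove this line if they have PFS disabled
 set pfs group2
 ! IPsec SA lifetime 3600 s, as given by the other end
 set security-association lifetime seconds 3600
 match address VPN-TO-CHECKPOINT
!
! Apply to the outside interface; its address is our "IPSec Gateway Address"
interface FastEthernet0/0
 crypto map CP-VPN
```

Every value in the policy, transform set, lifetimes and PFS setting has to be identical on both ends, and `show crypto isakmp sa` / `show crypto ipsec sa` show whether phase 1 and phase 2 actually negotiated.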
LVL 39

Author Comment

by:redseatechnologies
ID: 17098707
Spectacular,

Thanks for that lrmoore, I don't know what is more exciting - having the answer for my superiors tomorrow, or knowing that I had the right idea :)

-red
LVL 79

Expert Comment

by:lrmoore
ID: 17098801
Take it a step further and show them this document - step by step to configure IPSEC from router to Checkpoint
Checkpoint 4.1
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094ac4.shtml
Or Checkpoint NG
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b4b40.shtml
LVL 39

Author Comment

by:redseatechnologies
ID: 17098835
Dude, you are a star.

I saw that first link, but the second one looks like GOLD!

Thank you so much for your help, again :)

-red
LVL 79

Expert Comment

by:lrmoore
ID: 17098879
Glad to be here!
Good luck!