Checkpoint to Gauntlet VPN Configuration
Patrick Ethier
patrick at SECUREOPS.COM
Mon May 15 18:25:08 EDT 2000
Hi Troy,
I'm by no means a Checkpoint Specialist but I do remember having an issue
when I was doing compatibility testing with CheckPoint's FW-1 4.0 back in
late November. I was never able to get it working. If I recall correctly,
logs kept showing that it didn't support the IPV4_ADDR_SUBNET type.
That meant that our IKE Phase 1 would complete with no problem but it would
never be able to establish the Phase 2 (IPsec portion) of the connection.
This means that LAN to LAN configurations wouldn't work.
Apparently, this was corrected in 4.1.
I'm not sure if this is the problem you are experiencing but that was what I
learned from the experience. IPsec is a fairly new standard and FW-1 hadn't
implemented the whole standard at that point.
I never got around to testing the 4.1 to see if this was corrected or not.
Regards,
Patrick Ethier
patrick at secureops.com
-----Original Message-----
From: Dechant, Troy [mailto:tdechant at FIRSTAM.COM]
Sent: Monday, May 15, 2000 3:54 PM
To: VPN at SECURITYFOCUS.COM
Subject: Checkpoint to Gauntlet VPN Configuration
Hello All !!!
I have been tasked with setting up a VPN tunnel between a Checkpoint v4.0
SP3 (my side) and a Gauntlet v5.5 firewall (the customer's side). I have
taken a first stab at it and still have had no success.
I have configured both objects in Checkpoint as having the following
encryption properties -
ISAKMP/OAKLEY
3DES
MD5 Hash
Pre-shared secrets
Supports Aggressive Mode option disabled
ESP Transform enabled
Use Perfect Forward Secrecy disabled
The Gauntlet firewall configuration is as follows -
IPSEC with IKE
Pre-shared secrets
3DES
MD5
DH Group 1024
Perfect Forward Secrecy disabled
In addition to the normal Checkpoint VPN ports (ESP protocol type 50 &
TCP/264), I have also opened up AH (protocol type 51) and ISAKMP (UDP/500)
between the two firewalls.
When I attempt to establish the VPN tunnel, the only thing that shows up in
my logs is an accept from the Gauntlet firewall on the ISAKMP port
(UDP/500). No traffic is seen by the firewall as being encrypted. A snoop
of the external interface only shows traffic on UDP/500. The Checkpoint
logs never record anything and encryption never appears.
Any help would be greatly appreciated. I have searched the Internet and am
having problems locating any configuration examples for the above scenarios.
Thanks in advance for any help that you can provide !!
> Troy Dechant
> Sr. Technical Specialist Network Design
> First American Real Estate Information Services, Inc.
> tdechant at firstam.com
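Both messages turn on the same point: IKE Phase 1 can succeed while Phase 2 (quick mode) fails, because Phase 2 carries its own identity payloads (IDci/IDcr) describing the protected networks, and a peer that does not implement the ID_IPV4_ADDR_SUBNET identity type cannot negotiate a LAN-to-LAN SA. The Python below is an added example, not code from either poster, Check Point, or Gauntlet. It builds and parses the ISAKMP Identification payload body in the RFC 2407 layout, simulates a responder that lacks subnet ID support, and runs a simple side-by-side comparison of the two proposal lists as written in Troy's message. The network addresses, the `responder_quick_mode` and `compare_proposals` helpers, and the attribute dictionaries are constructed for the example; the only real identifiers are the RFC 2407 ID type numbers.

```python
"""IKE Phase 2 identity-type and proposal checks (constructed example).

Not Check Point, Gauntlet or mailing-list code.  Shows why a LAN-to-LAN
tunnel can finish Phase 1 and then stall in Phase 2 when the responder
does not implement the ID_IPV4_ADDR_SUBNET identification type.
"""
import ipaddress
import struct

# IPsec DOI identification types, RFC 2407 section 4.6.2.1
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_IPV4_ADDR_SUBNET = 4
ID_IPV6_ADDR = 5
ID_IPV6_ADDR_SUBNET = 6
ID_IPV4_ADDR_RANGE = 7
ID_IPV6_ADDR_RANGE = 8
ID_DER_ASN1_DN = 9
ID_DER_ASN1_GDN = 10
ID_KEY_ID = 11


def build_phase2_id(network: str, protocol_id: int = 0, port: int = 0) -> bytes:
    """Identification payload body (generic header omitted) for a protected
    network.  A /32 host uses ID_IPV4_ADDR; anything wider needs
    ID_IPV4_ADDR_SUBNET, whose data is the address followed by the mask."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4:
        raise ValueError("example handles IPv4 only")
    if net.prefixlen == 32:
        id_type, data = ID_IPV4_ADDR, net.network_address.packed
    else:
        id_type = ID_IPV4_ADDR_SUBNET
        data = net.network_address.packed + net.netmask.packed
    # ID Type (1 byte), Protocol ID (1 byte), Port (2 bytes, network order), data
    return struct.pack("!BBH", id_type, protocol_id, port) + data


def parse_phase2_id(body: bytes) -> dict:
    """Decode an Identification payload body back into its fields."""
    id_type, protocol_id, port = struct.unpack("!BBH", body[:4])
    data = body[4:]
    if id_type == ID_IPV4_ADDR and len(data) == 4:
        ident = str(ipaddress.IPv4Address(data))
    elif id_type == ID_IPV4_ADDR_SUBNET and len(data) == 8:
        addr = ipaddress.IPv4Address(data[:4])
        mask = ipaddress.IPv4Address(data[4:])
        ident = str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    else:
        ident = data.hex()  # types this example does not decode
    return {"id_type": id_type, "protocol_id": protocol_id, "port": port, "ident": ident}


def responder_quick_mode(supported_id_types, idci: bytes, idcr: bytes):
    """Hypothetical responder check on the quick mode IDci/IDcr payloads.
    Returns (accepted, reason).  Phase 1 is assumed already complete, so a
    rejection here reproduces the 'Phase 2 never establishes' symptom."""
    for label, body in (("IDci", idci), ("IDcr", idcr)):
        fields = parse_phase2_id(body)
        if fields["id_type"] not in supported_id_types:
            return False, f"{label}: unsupported ID type {fields['id_type']}"
    return True, "quick mode IDs accepted"


# Proposal attributes as listed in the thread, reduced to the items both
# vendors' menus express in comparable terms (constructed dictionaries).
CHECKPOINT = {"key_exchange": "IKE", "encryption": "3DES", "hash": "MD5",
              "auth": "pre-shared secret", "pfs": False}
GAUNTLET = {"key_exchange": "IKE", "encryption": "3DES", "hash": "MD5",
            "auth": "pre-shared secret", "pfs": False, "dh_group": "1024"}


def compare_proposals(side_a: dict, side_b: dict) -> list:
    """List attributes that differ or that only one side states."""
    findings = []
    for key in sorted(set(side_a) | set(side_b)):
        a, b = side_a.get(key), side_b.get(key)
        if a is None or b is None:
            findings.append(f"{key}: stated on one side only ({a!r} vs {b!r})")
        elif a != b:
            findings.append(f"{key}: mismatch ({a!r} vs {b!r})")
    return findings


if __name__ == "__main__":
    # Constructed LAN-to-LAN networks for the two sites
    idci = build_phase2_id("10.1.0.0/24")
    idcr = build_phase2_id("10.2.0.0/24")
    print(parse_phase2_id(idci))
    # A responder that only knows host identities rejects the subnet IDs
    print(responder_quick_mode({ID_IPV4_ADDR}, idci, idcr))
    # The same exchange against a responder with subnet support
    print(responder_quick_mode({ID_IPV4_ADDR, ID_IPV4_ADDR_SUBNET}, idci, idcr))
    for line in compare_proposals(CHECKPOINT, GAUNTLET):
        print(line)
```

When debugging a Phase-1-succeeds, Phase-2-fails tunnel, the two things worth confirming on both peers are the identity type each side sends for its protected network (host versus subnet) and that every negotiated attribute is actually set, or at least defaulted, on both ends rather than only listed in one vendor's GUI.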
VPN is sponsored by SecurityFocus.COM