Checkpoint to Gauntlet VPN Configuration
Jose Muniz
MuniX-1 at PACBELL.NET
Tue May 16 22:50:30 EDT 2000
Try setting the lifetime to 0 on the Checkpoint, and if it does not work,
then set the Checkpoint to 28800 secs and the Gauntlet to 0 secs. Give it a
shot both ways.
If it does not work (which it probably should), then you basically need to
upgrade to Checkpoint 4.1 SP1, and this works!
Jose Muniz.
Patrick Ethier wrote:
>
> Hi Troy,
>
> I'm by no means a Checkpoint specialist, but I do remember having an issue
> when I was doing compatibility testing with CheckPoint's FW-1 4.0 back in
> late November. I was never able to get it working. If I recall correctly,
> the logs kept showing that it didn't support the IPV4_ADDR_SUBNET type.
> That meant that our IKE Phase 1 would complete with no problem, but it would
> never be able to establish the Phase 2 (IPsec portion) of the connection.
> This means that LAN-to-LAN configurations wouldn't work.
>
> Apparently, this was corrected in 4.1.
>
> I'm not sure if this is the problem you are experiencing but that was what I
> learned from the experience. IPsec is a fairly new standard and FW-1 hadn't
> implemented the whole standard at that point.
>
> I never got around to testing the 4.1 to see if this was corrected or not.
>
> Regards,
>
> Patrick Ethier
> patrick at secureops.com
>
> -----Original Message-----
> From: Dechant, Troy [mailto:tdechant at FIRSTAM.COM]
> Sent: Monday, May 15, 2000 3:54 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Checkpoint to Gauntlet VPN Configuration
>
> Hello All !!!
>
> I have been tasked with setting up a VPN tunnel between a Checkpoint v4.0
> SP3 (my side) and a Gauntlet v5.5 firewall (the customer's side). I have
> taken a first stab at it and still have had no success.
>
> I have configured both objects in Checkpoint as having the following
> encryption properties -
>
> ISAKMP/OAKLEY
> 3DES
> MD5 Hash
> Pre-shared secrets
> Supports Aggressive Mode option disabled
> ESP Transform enabled
> Use Perfect Forward Secrecy disabled
>
> The Gauntlet firewall configuration is as follows -
>
> IPSEC with IKE
> Pre-shared secrets
> 3DES
> MD5
> DH Group 1024
> Perfect Forward Secrecy disabled
>
> In addition to the normal Checkpoint VPN ports (ESP protocol type 50 &
> TCP/264), I have also opened up AH (protocol type 51) and ISAKMP (UDP/500)
> between the two firewalls.
>
> When I attempt to establish the VPN tunnel, the only thing that shows up in
> my logs is an accept from the Gauntlet firewall on the ISAKMP port
> (UDP/500). No traffic is seen by the firewall as being encrypted. A snoop
> of the external interface only shows traffic on UDP/500. The Checkpoint
> logs never record anything and encryption never appears.
>
> Any help would be greatly appreciated. I have searched the Internet and am
> having problems locating any configuration examples for the above scenario.
> Thanks in advance for any help that you can provide !!
>
> > Troy Dechant
> > Sr. Technical Specialist Network Design
> > First American Real Estate Information Services, Inc.
> > tdechant at firstam.com
>
> VPN is sponsored by SecurityFocus.COM
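The two failure modes named in this thread (a responder that rejects the IPV4_ADDR_SUBNET identification type in quick mode, and an SA lifetime mismatch between the peers) can be modelled without either product. The following is an added example written for this archive page; it is not code from Check Point, Gauntlet, or any of the posters. It encodes and decodes ISAKMP Identification payloads (RFC 2408 section 3.8, IPsec DOI ID types from RFC 2407) and runs a simple quick-mode acceptance check. The subnets, the capability sets FW1_40_ID_TYPES / FW1_41_ID_TYPES, and the rule that a lifetime of 0 means "accept the peer's value" are constructed assumptions that mirror what the replies report, not verified product behaviour.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Identification types from the IPsec DOI (RFC 2407, section 4.6.2.1).
ID_IPV4_ADDR = 1
ID_IPV4_ADDR_SUBNET = 4
ID_NAMES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN",
            4: "ID_IPV4_ADDR_SUBNET", 5: "ID_IPV6_ADDR",
            6: "ID_IPV6_ADDR_SUBNET", 7: "ID_IPV4_ADDR_RANGE",
            8: "ID_IPV6_ADDR_RANGE", 9: "ID_DER_ASN1_DN",
            10: "ID_DER_ASN1_GN", 11: "ID_KEY_ID"}


@dataclass
class IdSelector:
    id_type: int
    network: ipaddress.IPv4Network  # traffic selector carried by the ID
    protocol: int                   # 0 = any protocol
    port: int                       # 0 = any port


def build_id_payload(id_type, id_data, protocol=0, port=0, next_payload=0):
    """Encode an ISAKMP Identification payload (RFC 2408, section 3.8):
    generic header (next payload, RESERVED, length), then ID type and the
    IPsec-DOI fields protocol (1 byte) and port (2 bytes), then ID data."""
    body = struct.pack("!BBH", id_type, protocol, port) + id_data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_id_payload(raw):
    """Decode an Identification payload into the selector it describes."""
    if len(raw) < 8:
        raise ValueError("payload shorter than its fixed header")
    _next, reserved, length = struct.unpack("!BBH", raw[:4])
    if reserved != 0 or length != len(raw):
        raise ValueError("bad RESERVED byte or payload length")
    id_type, protocol, port = struct.unpack("!BBH", raw[4:8])
    data = raw[8:]
    if id_type == ID_IPV4_ADDR and len(data) == 4:
        net = ipaddress.IPv4Network(str(ipaddress.IPv4Address(data)))  # /32
    elif id_type == ID_IPV4_ADDR_SUBNET and len(data) == 8:
        addr = str(ipaddress.IPv4Address(data[:4]))
        mask = str(ipaddress.IPv4Address(data[4:]))
        net = ipaddress.IPv4Network((addr, mask))  # raises if host bits are set
    else:
        raise ValueError(f"unsupported or malformed ID type "
                         f"{ID_NAMES.get(id_type, id_type)}")
    return IdSelector(id_type, net, protocol, port)


def check_quick_mode(idci_raw, idcr_raw, peer_id_types,
                     local_lifetime_secs, peer_lifetime_secs):
    """Return the reasons a Phase 2 (quick mode) proposal would be refused.
    idci_raw / idcr_raw are the initiator's IDci / IDcr payloads naming the
    protected networks; peer_id_types is the set of ID types the responder
    implements. Assumption: a lifetime of 0 on either side means 'use the
    peer's value', so only two non-zero, unequal lifetimes are a mismatch."""
    problems = []
    for label, raw in (("IDci", idci_raw), ("IDcr", idcr_raw)):
        sel = parse_id_payload(raw)
        if sel.id_type not in peer_id_types:
            problems.append(f"{label}: peer does not accept "
                            f"{ID_NAMES[sel.id_type]} for {sel.network}")
    if (local_lifetime_secs and peer_lifetime_secs
            and local_lifetime_secs != peer_lifetime_secs):
        problems.append(f"SA lifetime mismatch: {local_lifetime_secs}s "
                        f"vs {peer_lifetime_secs}s")
    return problems


def subnet_id(network_str):
    """IPv4 address followed by netmask, as ID_IPV4_ADDR_SUBNET requires."""
    net = ipaddress.IPv4Network(network_str)
    return net.network_address.packed + net.netmask.packed


# Constructed sample LANs behind the two gateways (not taken from the thread).
IDCI = build_id_payload(ID_IPV4_ADDR_SUBNET, subnet_id("10.1.0.0/24"))
IDCR = build_id_payload(ID_IPV4_ADDR_SUBNET, subnet_id("192.168.7.0/24"))

# Assumed responder capabilities, modelled on the report in the thread that
# FW-1 4.0 rejected subnet IDs and that 4.1 accepts them.
FW1_40_ID_TYPES = {ID_IPV4_ADDR}
FW1_41_ID_TYPES = {ID_IPV4_ADDR, ID_IPV4_ADDR_SUBNET}


def demo():
    """Run the check against the two situations the replies describe."""
    return {
        # 4.0 responder, both sides insisting on different lifetimes.
        "fw1_4.0": check_quick_mode(IDCI, IDCR, FW1_40_ID_TYPES, 28800, 3600),
        # 4.1 responder, Gauntlet side set to 0 as the first reply suggests.
        "fw1_4.1_lifetime_0": check_quick_mode(IDCI, IDCR, FW1_41_ID_TYPES,
                                               28800, 0),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result or "quick mode would be accepted")
```

Running the block prints the two cases: the 4.0 model refuses both subnet IDs and flags the lifetime gap, while the 4.1 model with one side's lifetime set to 0 produces no objections. The Phase 1 parameters in the original post (3DES, MD5, pre-shared secret, main mode) are deliberately not modelled here, since the replies locate the failure in Phase 2.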