Good luck... I had major issues with Symantec end-points.
No static routing within Voyager or the Cisco. The routes should be created
on the end point automatically as per the encryption rule.
Things to check:
Aggressive/main mode: are the settings the same at both ends?
PFS on/off: check both ends.
SA timeouts: the most common problem. They need to be the same; try 28800
and 3600.
Cheers
On Friday 27 Feb 2004 15:34, David Wellington wrote:
> Hi All
>
>
> We are looking to set up a pre-shared site-to-site tunnel between a
> Symantec Firewall (Raptor) and Checkpoint NG FP3 running on a Nokia
> box. On the Checkpoint side, we have created the Checkpoint
> firewall object and an interoperable object for the Raptor
> firewall, created VPN communities, and enabled 3DES, with the
> encryption algorithm being optional between MD5 and SHA1. We are
> using traditional mode, so we have specified the same level of
> encryption within the IKE mode properties on the Checkpoint
> properties.
>
>
> Apart from the firewall objects for both sites, we have created
> subnet network objects for both sites. From the
> Checkpoint side we have made the remote subnet a member of its
> encryption domain; within the interoperable properties for the Raptor
> firewall, on topology, we defined the internal and external
> interfaces of the Raptor firewall and have manually defined the
> remote subnet.
>
>
> We have rules from the Checkpoint firewall - Raptor firewall -
> IPSEC - accept
> Raptor firewall - Checkpoint firewall - IPSEC - accept
>
>
> We also have rules to and from both subnets allowing encrypted
> traffic. On the encrypt properties
> on the Checkpoint firewall rule base we have specified 3DES, MD5,
> selected the Raptor firewall as peer gateway, and no compression.
>
>
> Note we have quite a number of machines with static routing in
> the encryption domain; I read this might be a problem getting
> this VPN site-to-site working??
>
>
> We have hide NAT from the Checkpoint side, hiding all internal
> networks behind the Checkpoint firewall, and so I have put in a
> manual NAT rule from the
> Checkpoint side's subnet to the remote subnet - original - original
> (to prevent NAT).
>
>
> Traffic doesn't seem to go through at all.
>
>
> The question is: do we have to do static routing within Voyager,
> do we have to add static routes to the Cisco router, etc.?
>
>
> Please could anyone let me know why this isn't working and if
> there's something I'm missing?
>
>
> Regards,
>
>
> Ad
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================