Hi Ian
Something's just popped into my mind. From the Checkpoint side, we have a 10.0.0.0/8 address designated for our remote offices; this network object has been created and is part of the encryption domain. The connection with this office is by frame relay.
Now the question is, since we are trying to set up site to site with this other so-called partner, where the Raptor firewall is sitting, and they have a 10.44.23.0/22 address too.
We on the Checkpoint side, like I mentioned earlier, use the 1.0.0.0 address, which we hide behind our Checkpoint firewall.
Hope these will not cause problems.
cheers
Ad
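The question above is whether the partner's 10.44.23.0/22 range can sit alongside an encryption domain that already contains 10.0.0.0/8. The script below is an added example, not part of this thread or of either vendor's tooling; it uses only the Python standard library, and the two prefixes are constructed from the message above. It reports every existing encryption-domain entry that overlaps the partner prefix, and also flags a prefix that was written with host bits set (10.44.23.0/22 is not network-aligned; the real /22 is 10.44.20.0/22), which is a common source of mismatched encryption domains on the two ends.

```python
import ipaddress

# Constructed from the thread (not a real configuration export): the Check Point
# encryption domain already contains the 10.0.0.0/8 remote-office range, and the
# partner behind the Raptor firewall has said they use 10.44.23.0/22.
LOCAL_ENCRYPTION_DOMAIN = ["10.0.0.0/8"]
PARTNER_SUBNET = "10.44.23.0/22"


def parse_prefix(text):
    """Parse an IPv4/IPv6 prefix in CIDR form.

    strict=False accepts a prefix whose host bits are set (as 10.44.23.0/22 is)
    and rounds it down to the real network; the second return value tells the
    caller whether the prefix was written network-aligned in the first place.
    """
    net = ipaddress.ip_network(text, strict=False)
    written = ipaddress.ip_address(text.split("/", 1)[0])
    return net, written == net.network_address


def check_partner(domain, partner):
    """Report which existing encryption-domain entries overlap the partner's
    prefix, plus whether the partner prefix as given was network-aligned."""
    partner_net, aligned = parse_prefix(partner)
    overlaps = []
    for entry in domain:
        net, _ = parse_prefix(entry)
        # overlaps() only makes sense within one address family
        if net.version == partner_net.version and net.overlaps(partner_net):
            overlaps.append(str(net))
    return {
        "partner_as_given": partner,
        "partner_network": str(partner_net),
        "aligned": aligned,
        "overlaps": overlaps,
    }


if __name__ == "__main__":
    report = check_partner(LOCAL_ENCRYPTION_DOMAIN, PARTNER_SUBNET)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it and the `overlaps` entry comes back as `['10.0.0.0/8']`: the partner range is a subset of the remote-office range already in the domain, so any rule or route keyed on 10.0.0.0/8 would also match the partner's addresses. Replace the two constants with the actual domain members of each gateway to check a real deployment.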
--- Original Message ---
From: Ian Gilfillan
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Sent: 28 Feb 04, 1:29 pm
Subject: Re: [FW-1] Site to Site VPN preshared secrets btwn Checkpoint and Raptor
PFS can be found in the "Encrypt" properties of the VPN Rule.
SA Lifetimes are your phase 1 and phase 2 SA lifetimes....phase 1 can be found in the firewall properties under VPN and phase 2 can be found on the same page as your PFS settings.....
As for NAT you did the right thing at first which stated
"> We have hide NAT from the checkpoint Side, hide all internal
> network behind the checkpoint firewall, and so i have put in a
> manual nat rule from the checkpoint sides subnet to the remote subnet - original - original
> ( to prevent NAT )"
but you will need to do the same on both ends....I am only assuming this as I have limited exposure to Raptors....
so you are on the right road....the fact that you are seeing no traffic going through is worrying though.....are you seeing any traffic hit the inside of the firewall?
Which end are you at, Checkpoint or Raptor? What does it say on the other end if you try to generate VPN traffic from there?
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of David Wellington
Sent: 27 February 2004 19:17
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Site to Site VPN preshared secrets btwn Checkpoint and Raptor
Hi, thanks for your reply,
this is actually the first time I'm implementing this. I know for sure we are not using aggressive mode, but what is PFS and SA's and where do you tweak these on the Checkpoint Firewall side? What sort of logs should I expect? Do I not need any NAT rule, because the remote subnet actually has a 10.x.y.z which is NAT behind its firewall, and we use a 1.t.x.q NATed behind our firewall?
thanks
--- Original Message ---
From: ian gilfillan
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Sent: 27 Feb 04, 4:35 pm
Subject: Re: [FW-1] Site to Site VPN preshared secrets btwn Checkpoint and Raptor
Good luck...I had major issues with Symantec end-points......
No static routing within Voyager or the Cisco.....The routes should be created on the end point automatically as per encryption rule.
Things to check:
aggressive/main mode: are the settings the same both ends...
PFS On/OFF: check both ends
SA timeouts......most common problem.....they need to be the same; try 28800 and 3600
cheers
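The checklist above (IKE mode, PFS, phase 1 and phase 2 SA lifetimes agreeing on both ends) is easy to get wrong when the two gateways come from different vendors, because each presents the same setting in its own spelling. The script below is an added example, not part of this thread and not a Check Point or Raptor tool; the two dictionaries are constructed sample settings with my own field names, and the suggested 28800/3600 lifetimes are taken from the message above. It normalises cosmetic differences ("3DES" vs "3des", "SHA-1" vs "sha1") and reports only the parameters that genuinely differ.

```python
# Constructed sample settings for the two ends of the tunnel. The keys are my
# own labels for the checklist items, not configuration keys of either product.
CHECKPOINT_END = {
    "ike_mode": "main",
    "pfs": True,
    "phase1_lifetime_s": 28800,   # phase 1 SA lifetime in seconds
    "phase2_lifetime_s": 3600,    # phase 2 SA lifetime in seconds
    "encryption": "3DES",
    "hash": "SHA-1",
}

RAPTOR_END = {
    "ike_mode": "main",
    "pfs": False,                 # PFS switched off on this end
    "phase1_lifetime_s": 28800,
    "phase2_lifetime_s": 1800,    # shorter phase 2 lifetime than the peer
    "encryption": "3des",         # same algorithm, different spelling
    "hash": "sha1",               # same algorithm, different spelling
}


def normalize(value):
    """Fold case and punctuation so that vendor spellings of the same
    algorithm name compare equal; non-strings are compared as they are."""
    if isinstance(value, str):
        return value.strip().lower().replace("-", "").replace("_", "")
    return value


def find_mismatches(end_a, end_b):
    """Return {parameter: (value_a, value_b)} for every parameter whose
    normalised value differs. A parameter set on only one end is reported
    too, with None for the missing side, so it is not silently ignored."""
    mismatches = {}
    for key in sorted(set(end_a) | set(end_b)):
        value_a, value_b = end_a.get(key), end_b.get(key)
        if normalize(value_a) != normalize(value_b):
            mismatches[key] = (value_a, value_b)
    return mismatches


if __name__ == "__main__":
    diffs = find_mismatches(CHECKPOINT_END, RAPTOR_END)
    if not diffs:
        print("both ends agree on every checked parameter")
    for key, (ours, theirs) in diffs.items():
        print(f"{key}: Checkpoint={ours!r} Raptor={theirs!r}")
```

With the sample values the report names only `pfs` and `phase2_lifetime_s`; the spelling differences in `encryption` and `hash` are correctly ignored. Fill the dictionaries from each gateway's actual configuration before comparing a live tunnel.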
On Friday 27 Feb 2004 15:34, David Wellington wrote:
> Hi All
>
> We are looking to setup a preshared site to site tunnel between a Symantec Firewall (Raptor) and Checkpoint NG FP3 running on a Nokia box. On the Checkpoint side, we have created the Checkpoint Firewall object, an interoperable object for the Raptor firewall, created VPN communities, enabled 3DES and the encryption algorithm being optional between MD5 and SHA1. We are using traditional mode, so we have specified the same level of encryption within IKE mode properties on the Checkpoint Properties.
>
> Apart from the Firewall objects for both sites we have created subnet network objects for both sites, but from the Checkpoint side we have made the remote subnet a member of its encryption domain; within interoperable properties for the Raptor firewall, on topology we defined the internal and external interface of the Raptor Firewall, and have manually defined the remote subnet.
>
> We have rules from the Checkpoint Firewall - Raptor Firewall - IPSEC - accept
> Raptor Firewall - Checkpoint Firewall - IPSEC - accept
>
> We also have rules to and from both subnets allowing encrypted traffic; on the encrypt properties on the Checkpoint Firewall rule base we have specified 3DES, MD5, selected the Raptor firewall as peer gateway, no compression.
>
> Note we have quite a number of machines with static routing in the encryption domain; I read this might be a problem getting this VPN site to site working??
>
> We have hide NAT from the Checkpoint side, hide all internal network behind the Checkpoint firewall, and so I have put in a manual NAT rule from the Checkpoint side's subnet to the remote subnet - original - original (to prevent NAT).
>
> Traffic doesn't seem to go through at all.
>
> The question is, do we have to do static routing within Voyager, do we have to add static routes to the Cisco router etcetera?
>
> Please could anyone let me know why this isn't working and if there's something I'm missing.
>
> Regards,
>
> Ad
>
> This message was sent using Go4.it Webmail. To register your own FREE Go4.it Webmail account, please Click Here!
>
> Go4.it is the UK's fastest growing Search Engine with an integrated Business Search facility and extensive Travel Portal. We also provide UK Broadband at incredibly competitive prices.
>
> Visit Go4.it now >> http://www.Go4.it.
>
>
>
> ================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> ================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> ================