Firewall-1

Re: [FW-1] Site to Site VPN preshared secrets btwn Checkpoint and Raptor

Subject: Re: [FW-1] Site to Site VPN preshared secrets btwn Checkpoint and Raptor
From: Ray Pesek <sixsigma44 AT HOTMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Sun, 29 Feb 2004 21:21:09 -0500
Well, that's good in that the routing is correct (it's heading to your
firewall and not your remote office). From your desktop, can you ping the
internal interface of their firewall?

Ray Pesek, CISSP





From: David Wellington <justneed2 AT GO4 DOT IT>
Reply-To: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Site to Site VPN preshared secrets btwn Checkpoint and Raptor
Date: Sun, 29 Feb 2004 16:04:46 -0000

Hi Ray,

i have done a traceroute to a machine in the remote subnet on the
raptor side, from the checkpoint end, from my desktop, this doesn't
get far at all

traceroute first gets to the default gateway on the checkpoint
side, then to the internal interface of the firewall, and
it keeps bouncing between the two hops, or sometimes times out, so
we're not reaching the remote subnet at all



--- Original Message ---
From: Ray Pesek
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Sent: 29 Feb 04, 3:44 am
Subject: Re: [FW-1] Site to Site VPN preshared secrets btwn Checkpoint and Raptor

If you try to traceroute from your desktop to one of their IPs,
does it head to the firewall or to your remote office? That will
tell you if it is the problem.

Ray Pesek, CISSP





>From: David Wellington
>Reply-To: Mailing list for discussion of Firewall-1
>
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Subject: Re: [FW-1] Site to Site VPN preshared secrets btwn Checkpoint and Raptor
>Date: Sat, 28 Feb 2004 22:20:30 -0000
>
>Hi Ian
>
>something's just popped to my mind, from the checkpoint side, we
>have a 10.0.0.0/8 address designated for our remote offices,
>this network object has been created and is part of the encryption
>domain, the connection with this office is by frame relay.
>Now the question is since we are trying to set up site to site
>with this other so called partner, where the Raptor firewall is
>sitting, and they have a 10.44.23.0/22 address too.
>We on the checkpoint side like i mentioned earlier use the 1.0.0.0
>address, which we hide behind our checkpoint firewall
>
>hope these will not cause problems
>
>cheers
>
>Ad
>
>
>--- Original Message ---
>From: Ian Gilfillan
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Sent: 28 Feb 04, 1:29 pm
>Subject: Re: [FW-1] Site to Site VPN preshared secrets btwn Checkpoint and Raptor
>
>PFS can be found in the "Encrypt" properties of the VPN Rule.
>SA Lifetimes are your phase1 and phase 2 SA lifetimes....phase1
>can be found in the firewall properties under VPN and Phase2 can
>be found on the same page as your PFS settings.....
>
>As for NAT you did the right thing at first which stated
>
>"> We have hide NAT from the checkpoint Side, hide all internal
> > network behind the checkpoint firewall, and so i have put in a
> > manual nat rule from the
> > checkpoint sides subnet to the remote subnet - original -original
> > ( to prevent NAT )"
>
>but you will need to do the same on both ends....I am only
>assuming this as I have limited exposure to Raptors....
>
>so you are on the right road....the fact that you are seeing no
>traffic going through is worrying though.....are you seeing any
>traffic hit the inside of the firewall?
>
>Which end are you at, checkpoint or raptor? What does it say on
>the other end if you try to generate vpn traffic from there?
>
>
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of
>David Wellington
>Sent: 27 February 2004 19:17
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Subject: Re: [FW-1] Site to Site VPN preshared secrets btwn Checkpoint and Raptor
>
>Hi thanks for your reply,
>
>this is actually the first time i'm implementing this, i know for
>sure we are not using aggressive mode, but what is PFS and SA's and
>where do you tweak these on the checkpoint Firewall side, what
>sort of logs should i expect, do i not need any NAT rule because
>the remote subnet actually has a 10.x.y.z which is NAT behind
>its firewall, and we use a 1.t.x.q nated behind our firewall
>
>thanks
>
>
>
>--- Original Message ---
>From: ian gilfillan
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Sent: 27 Feb 04, 4:35 pm
>Subject: Re: [FW-1] Site to Site VPN preshared secrets btwn Checkpoint and Raptor
>
>Good luck...I had major issues with symantec end-points......
>
>No static routing within Voyager or the Cisco.....The routes
>should be created on the end point automatically as per encryption rule.
>
>things to check:
>
>aggressive/main mode. are the settings the same both ends...
>PFS On/OFF check both ends
>
>SA timeouts......most common problem.....they need to be the same
>try 28800 and 3600
>
>cheers
>
>
>
>On Friday 27 Feb 2004 15:34, David Wellington wrote:
> > Hi All
> >
> >
> > We are looking to setup a preshared site to site tunnel between a
> > Symantec Firewall (Raptor) and Checkpoint NG FP3 running on Nokia
> > box. On the Checkpoint Side, we have created the checkpoint
> > Firewall object, an interoperable object for the Raptor
> > firewall, created VPN communities, enabled 3DES and the
> > encryption algorithm being optional between MD5 and SHA1. We are
> > using traditional mode, so we have specified the same level of
> > encryption within IKE mode properties on the Checkpoint
> > Properties.
> >
> >
> > Apart from the Firewall objects for both sites we have created
> > Subnet network objects for both sites, but from the
> > checkpoint side we have made the remote subnet a member of its
> > encryption domain, within interoperable properties for the Raptor
> > firewall, on topology we defined the internal and external
> > interface of the Raptor Firewall. And have manually defined
> > remote subnet.
> >
> >
> > We have rules from the checkpoint firewall - Raptor Firewall -
> > IPSEC - accept
> > Raptor Firewall - checkpoint Firewall - IPSEC - accept
> >
> >
> > we also have rules to and from both subnets allowing encrypted
> > traffic, on the encrypt properties
> > on the checkpoint Firewall rule base we have specified 3DES, MD5,
> > selected the raptor firewall as peer gateway, no compression
> >
> >
> > Note we have quite a number of machines with static routing in
> > the encryption domain, i read this might be a problem getting
> > this VPN site to site working??
> >
> >
> > We have hide NAT from the checkpoint Side, hide all internal
> > network behind the checkpoint firewall, and so i have put in a
> > manual nat rule from the
> > checkpoint sides subnet to the remote subnet - original -original
> > ( to prevent NAT )
> >
> >
> > traffic does seem to go through at all
> >
> >
> > the question is do we have to do static routing within Voyager,
> > do we have to add static routes to the cisco router etcetera
> >
> >
> > Pls could anyone let me know why this isn't working and if
> > there's something i'm missing
> >
> >
> > Regards,
> >
> >
> > Ad

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
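An added example, not code from the thread or from Check Point or Symantec: a small Python checker for the two configuration problems the thread keeps returning to, an encryption domain that overlaps another peer's subnet (the 10.0.0.0/8 remote-office domain contains the partner's 10.44.23.0/22, so a packet for the partner can match both tunnels) and IKE settings that differ between the two ends (mode, PFS, SA lifetimes). Peer names, the IKE values and the sample destination are constructed; the overlap check generalises to any number of peers, and it also flags that 10.44.23.0/22 is not on a /22 boundary.

```python
import ipaddress
from itertools import combinations

# Constructed sample of the Check Point side's VPN peers, modelled on the thread:
# the frame-relay offices' encryption domain is all of 10.0.0.0/8, and the Raptor
# partner's subnet, 10.44.23.0/22, lies inside it.
LOCAL_PEERS = {
    "remote-offices": {"domain": ["10.0.0.0/8"]},
    "raptor-partner": {"domain": ["10.44.23.0/22"]},
}
# Constructed IKE settings for the Raptor tunnel as each end reports them, using
# the 28800 / 3600 second lifetimes suggested in the thread.
CHECKPOINT_IKE = {"mode": "main", "pfs": True, "p1_lifetime": 28800, "p2_lifetime": 3600}
RAPTOR_IKE = {"mode": "main", "pfs": False, "p1_lifetime": 28800, "p2_lifetime": 3600}

def _nets(peers):
    # strict=False: a subnet written off its boundary (10.44.23.0/22) still parses,
    # normalised to 10.44.20.0/22; misaligned_subnets() reports such entries.
    return [(name, ipaddress.ip_network(s, strict=False))
            for name, p in peers.items() for s in p["domain"]]

def misaligned_subnets(peers):
    """Subnets whose address has host bits set for the given prefix length; the
    two ends may normalise such a value differently, so confirm what was meant."""
    return [s for p in peers.values() for s in p["domain"]
            if ipaddress.ip_network(s, strict=False).network_address
            != ipaddress.ip_address(s.split("/")[0])]

def domain_overlaps(peers):
    """(peer_a, subnet_a, peer_b, subnet_b) for every pair of encryption-domain
    subnets of different peers that overlap, so one destination can match both."""
    return [(a, str(na), b, str(nb))
            for (a, na), (b, nb) in combinations(_nets(peers), 2)
            if a != b and na.overlaps(nb)]

def peers_for(peers, dest_ip):
    """Peers whose encryption domain contains dest_ip, most specific subnet first.
    More than one entry means the destination is ambiguous between tunnels."""
    ip = ipaddress.ip_address(dest_ip)
    hits = [(net.prefixlen, name) for name, net in _nets(peers) if ip in net]
    return [name for _, name in sorted(hits, reverse=True)]

def ike_mismatches(local, peer):
    """Names of IKE parameters that differ between the two ends."""
    return sorted(k for k in local if local[k] != peer.get(k))

if __name__ == "__main__":
    print(misaligned_subnets(LOCAL_PEERS), domain_overlaps(LOCAL_PEERS))
    print(peers_for(LOCAL_PEERS, "10.44.22.7"), ike_mismatches(CHECKPOINT_IKE, RAPTOR_IKE))
```

Any destination for which peers_for() returns more than one peer is one whose tunnel choice depends on rule order rather than on the address itself, which is worth ruling out before looking at NAT or routing.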
