cisco4ng wrote:
Hi gurus,
Please help me with this problem.
I am setting a site-to-site vpn between a Checkpoint NG firewall and a Cisco IOS
device.
The dude on the Cisco side keeps insisting that the IPSec phase II key re-negotiation
be data-limit instead of timeout limit. I know how to do that on Cisco
device.
For example:
set security-association lifetime kilobytes 57193933
How can I achieve this in Checkpoint? In Checkpoint Simplified mode, I can only
specify the timeout setting for IPSec phase II.
FWIW, specifying the lifetime in time or byte count or both at once all
MUST be supported according to the standard.
Going straight to the Checkpoint database, I see the following,
:isakmp.phase2_rekeying_kbytes (50000)
:isakmp.phase2_rekeying_time (3600)
:isakmp.phase2_use_rekeying_kbytes (false)
As attributes of IPsec endpoints. Names seem self explanatory. Can't
say if they actually work. Dunno how to access them through the
"Dashboard" or whatever they're calling it for now. You may need to
edit the database with DBedit or the ol' 'vi objects_5_0.C'.
--
Crist J. Clark crist.clark AT globalstar DOT com
Globalstar Communications (408) 933-4387
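Since the post points at hand-editing objects_5_0.C, here is an added example (not from the list thread, Check Point, or Cisco) that parses the three ':name (value)' attributes quoted above, turns on byte-count rekeying, and checks the resulting limit against the IOS `set security-association lifetime kilobytes` line from the question. The sample file excerpt is constructed, and the script assumes the attribute names behave as their names suggest, which the reply itself could not confirm.

```python
import re

# Constructed excerpt in the ':name (value)' style quoted in the reply; not a real objects_5_0.C
OBJECTS_C_SAMPLE = """\
:isakmp.phase2_rekeying_kbytes (50000)
:isakmp.phase2_rekeying_time (3600)
:isakmp.phase2_use_rekeying_kbytes (false)
"""

ATTR_RE = re.compile(r"^:(?P<name>[\w.]+) \((?P<value>[^)]*)\)$")
CISCO_LIFETIME_RE = re.compile(r"set security-association lifetime kilobytes (\d+)")


def parse_attrs(text):
    """Parse ':name (value)' lines into a dict, preserving file order."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line.strip())
        if m:
            attrs[m.group("name")] = m.group("value")
    return attrs


def render_attrs(attrs):
    """Serialise the dict back into ':name (value)' lines for writing to the file."""
    return "".join(f":{k} ({v})\n" for k, v in attrs.items())


def enable_kbyte_rekeying(attrs, kbytes):
    """Return a copy with data-volume phase II rekeying enabled at the given limit.
    Assumption: isakmp.phase2_use_rekeying_kbytes gates isakmp.phase2_rekeying_kbytes."""
    new = dict(attrs)
    new["isakmp.phase2_use_rekeying_kbytes"] = "true"
    new["isakmp.phase2_rekeying_kbytes"] = str(int(kbytes))
    return new


def cisco_kbyte_lifetime(crypto_map_line):
    """Extract the kilobyte lifetime from the IOS line quoted in the question."""
    m = CISCO_LIFETIME_RE.search(crypto_map_line)
    return int(m.group(1)) if m else None


def lifetimes_agree(attrs, crypto_map_line):
    """True only if kbyte rekeying is on and both peers use the same limit;
    a mismatch is the thing to catch before bringing the tunnel up."""
    if attrs.get("isakmp.phase2_use_rekeying_kbytes") != "true":
        return False
    return int(attrs["isakmp.phase2_rekeying_kbytes"]) == cisco_kbyte_lifetime(crypto_map_line)


if __name__ == "__main__":
    cisco = "set security-association lifetime kilobytes 57193933"
    before = parse_attrs(OBJECTS_C_SAMPLE)
    after = enable_kbyte_rekeying(before, cisco_kbyte_lifetime(cisco))
    print(render_attrs(after), lifetimes_agree(before, cisco), lifetimes_agree(after, cisco))
```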