Re: [FW-1] VPN tunnel between R55 simplified mode & Cisco Pix 515 possib

Subject:	Re: [FW-1] VPN tunnel between R55 simplified mode & Cisco Pix 515 possible?
From:	Alan Choyna <achoyna AT PATHF DOT COM>
To:	FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date:	Mon, 26 Jun 2006 10:36:00 -0500

Thanks cicso4ng,

Would the mods mentioned in part 1 of the "keep in mind" list affectother VPN tunnels we have active?

Also, forgive my ignorance, what is "gui-bdedit"? and what is thesytax for adding the networks to $FWDIR/lib/user.def?


Thanks,

Alan

At 05:19 AM 6/26/2006, cisco4ng wrote:

A few things to keep in mind when doing IPSec between checkpoint andPix devices:

1) Checkpoint tends to "suppernet" the network so be carefulabout this becausethis will cause problem and Quick Mode (aka phase II) willfail. To fix this, set"IKE_largest_possible_subnet" via gui-dbedit from true tofalse. Furthermore,you can modify the file $FWDIR/lib/user.def and include everynetwork on the

  checkpoint side to prevent the suppernet situation

2) make sure that you have the timeout setting match on both CPand Cisco Pix.The default timeout for CP is 86400 sec and 3600 sec for phase Iand phase II,respectively. On the pix, the default timeout setting is 86400and 28800 for phase I

  and phase II, respectively.  To change this on the Pix, do this:
  crypto map xxx set security-association lifetime seconds 3600

Other than that, you site-to-site VPN should work without issuesregardless, you

  have Nokia or SPLAT.

  HTH

  cisco4ng
  CCIE Security


Edouard Zorrilla <ezorrilla AT TSF.COM DOT PE> wrote:
  Hi Alan,

I have done it before with a NG AI and Cisco PIX 6.3 IOS, so I guess it
should work in a SPLAT like yours,

Regards
----- Original Message -----
From: "Alan Choyna"
To:
Sent: Sunday, June 25, 2006 9:32 PM
Subject: [FW-1] VPN tunnel between R55 simplified mode & Cisco Pix 515
possible?


>l have been asked to investigate the potential of creating a VPN tunnel
>between one of our SPLAT R55 (HFA09) firewall clusters and a Cisco Pix 515.
>
> The sys admin who manages the Cisco says it is not possible. Does anyone
> know if it is possible? If so are there any gotcha's? Is the a standard
> config l should use?
>
> Thanks in advance.
>
> Al
>
>
> Alan C. Choyna
> Director of Infrastructure
>
> Pathfinder Associates, LLC
>
> http://www.pathfinderassoc.com
> Internet Strategy Business Consultants
> mailto:achoyna AT pathf DOT com
> Business telephone (312) 372-1058 ext 6003. Mobile (773) 255-6662
>
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================



---------------------------------
How low will we go? Check out Yahoo! Messenger's low  PC-to-Phone call rates.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================


=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================

<Prev in Thread]	Current Thread	[Next in Thread>
[FW-1] VPN tunnel between R55 simplified mode & Cisco Pix 515 possible?, Alan Choyna Re: [FW-1] VPN tunnel between R55 simplified mode & Cisco Pix 515 possible?, Edouard Zorrilla Re: [FW-1] VPN tunnel between R55 simplified mode & Cisco Pix 515 possible?, Alan Choyna Re: [FW-1] VPN tunnel between R55 simplified mode & Cisco Pix 515 possible?, cisco4ng Re: [FW-1] VPN tunnel between R55 simplified mode & Cisco Pix 515 possible?, Alan Choyna <= Re: [FW-1] VPN tunnel between R55 simplified mode & Cisco Pix 515 possible?, cisco4ng

Previous by Date:	[FW-1] FW-1 Cluster between locations, Larson, Todd (LNG-DAY)
Next by Date:	Re: [FW-1] Solaris upgrade, Lino Eduardo Avila Rodríguez
Previous by Thread:	Re: [FW-1] VPN tunnel between R55 simplified mode & Cisco Pix 515 possible?, cisco4ng
Next by Thread:	Re: [FW-1] VPN tunnel between R55 simplified mode & Cisco Pix 515 possible?, cisco4ng
Indexes:	[Date] [Thread] [Top] [All Lists]