The key is to not do PFS and to ensure that you manually bypass the NAT on the
Check Point side. The config on the PIX side is like this. if you have
access-list 80 permit ip 10.10.corp.inside 255.255.255.0 host 172.16.other.inside
access-list 200 permit ip 10.10.corp.inside 255.255.255.0 host 172.16.other.inside
nat (inside) 0 access-list 80
crypto ipsec transform-set basic esp-des esp-md5-hmac
crypto map ptp 5 ipsec-isakmp
crypto map ptp 5 match address 200
crypto map ptp 5 set peer 192.168.other.outside
crypto map ptp 5 set transform-set basic
isakmp enable outside
isakmp key ******** address 192.168.other.outside netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity hostname
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption des
isakmp policy 2 hash md5
isakmp policy 2 group 1
isakmp policy 2 lifetime 28800
Check Point has good documents on how to do both the PIX and Checkpoint
side.
When the connection is made, errors will occur but it will still work.
-----Original Message-----
From: Miller, Ari [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 06, 2001 1:51 PM
To: [EMAIL PROTECTED]
Subject: PIX to Checkpoint VPN
I understand that, theoretically, Checkpoint and PIX should have no problems
establishing (and keeping) an IPSec tunnel between each other, but what are
the caveats? Do certain versions of one vendor not work with a specific
version of the other?
Can anyone point me to some documentation that points out the problems? Or,
better yet, has anyone had problems that they can document for me?
Thanks,
Ari
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
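
An added example, not part of the original thread: a small Python audit of a PIX config for the two points the reply stresses (no PFS on the crypto map entry, and a `nat 0` exemption covering the same traffic as the crypto ACL). It also checks that the peer has an `isakmp key` and, as an addition beyond the reply, flags DES, MD5 and DH group 1, which are weak by current standards. The `audit` function, the finding names and the sample addresses are assumptions made for illustration.

```python
import re

# Constructed sample: the config from the message above, with its masked
# addresses replaced by made-up placeholder values so it can be parsed.
SAMPLE = """\
access-list 80 permit ip 10.10.1.0 255.255.255.0 host 172.16.1.10
access-list 200 permit ip 10.10.1.0 255.255.255.0 host 172.16.1.10
nat (inside) 0 access-list 80
crypto ipsec transform-set basic esp-des esp-md5-hmac
crypto map ptp 5 ipsec-isakmp
crypto map ptp 5 match address 200
crypto map ptp 5 set peer 192.0.2.1
crypto map ptp 5 set transform-set basic
isakmp key ******** address 192.0.2.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 2 encryption des
isakmp policy 2 hash md5
isakmp policy 2 group 1
"""

WEAK = {r"\besp-des\b": "ESP DES", r"\bencryption des\b": "IKE DES",
        r"\b(esp-md5-hmac|hash md5)\b": "MD5", r"\bgroup 1\b": "DH group 1"}

def audit(config):
    """Return a sorted list of (check, detail) findings (hypothetical names)."""
    acls, nat0, entries, keyed, out = {}, set(), {}, set(), set()
    for line in config.splitlines():
        t = line.split()
        out.update(("weak-crypto", n) for p, n in WEAK.items() if re.search(p, line))
        if t[:1] == ["access-list"] and len(t) > 2:
            acls.setdefault(t[1], set()).add(" ".join(t[2:]))
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"] and len(t) > 4:
            nat0.add(t[4])  # ACL used for the NAT exemption
        elif t[:2] == ["isakmp", "key"] and "address" in t[:-1]:
            keyed.add(t[t.index("address") + 1])
        elif t[:2] == ["crypto", "map"] and len(t) > 5:
            e = entries.setdefault((t[2], t[3]), {})
            if t[4:6] == ["set", "pfs"]:
                e["pfs"] = True
            else:  # "match address N" -> match, "set peer X" -> peer
                e[t[5] if t[4] == "set" else t[4]] = t[-1]
    exempt = set().union(*(acls.get(a, set()) for a in nat0))
    for (name, seq), e in entries.items():
        tag = f"{name} {seq}"
        if e.get("pfs"):
            out.add(("pfs-enabled", tag))
        if e.get("match") not in acls or acls[e["match"]] - exempt:
            out.add(("nat-bypass-missing", tag))  # crypto ACL traffic would be NATed
        if e.get("peer") not in keyed:
            out.add(("no-isakmp-key", tag))
    return sorted(out)
```

On the sample, only the weak-algorithm findings are reported; removing the `nat (inside) 0` line or adding `set pfs` to the map entry produces the corresponding finding.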