Hi, I am using Checkpoint NG with AI - R55. Thanks for the Cisco config. I have the latest hotfixes for Checkpoint installed. Any other thoughts please...
thanks..

On 2/14/06, no-need to-list <[EMAIL PROTECTED]> wrote:

Here is a PIX configuration that you may use as a base. I have more than 100 Cisco PIX working with Checkpoint FW.

I hope this helps all the people having problems with Checkpoint and Cisco PIX VPN.

PS: Checkpoint side latest HFA applied, PIX latest code used.

BASIC PIX Configuration

------------------------------------
assign names to networks and hosts
------------------------------------
name 192.168.0.0 your-192-168-x-x
name 111.111.111.111 yourFWCLUSTER
name 10.0.0.0 your-10-x-x-x

----------------------------------------------------
define the VPN networks reachable behind the Checkpoint FW
by creating a group
-----------------------------------------------------
object-group network your-vpn-dom
description your-vpn-domain
network-object your-10-x-x-x 255.0.0.0
network-object your-192-168-x-x 255.255.0.0

--------------------------------------------------
access list to disable SPLIT-Tunneling
--------------------------------------------------
access-list 101 permit ip host yourFWCLUSTER any
access-list 101 permit ip (yourpixinternalnet) 255.255.255.0 any
access-list 101 permit ip host pixexternal object-group your-vpn-dom
access-list nonat permit ip host yourFWCLUSTER any
access-list nonat permit ip (yourpixinternalnet) 255.255.255.0 any
access-list nonat permit ip host (yourpixexternaladdress) object-group your-vpn-dom

---------------------------------------
global nat command
---------------------------------------
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

---------------------------------------------
define the crypto map, transform-sets and assign the access list
----------------------------------------------
sysopt connection permit-ipsec
crypto ipsec transform-set rtptac esp-3des esp-md5-hmac
crypto map rtprules 10 ipsec-isakmp
crypto map rtprules 10 match address 101
crypto map rtprules 10 set peer yourFWCLUSTER
crypto map rtprules 10 set transform-set rtptac
crypto map rtprules interface outside

-------------------------------------------------------
define the ISAKMP parameters to match the Checkpoint FW
---------------------------------------------------------
isakmp enable outside
isakmp key (your-shared-key-here) address yourFWCLUSTER netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400


Vasudevan Chetty Padmanabhan <[EMAIL PROTECTED]> wrote:

Hi Ramakrishnan,

Were you able to get the site-to-site tunnel working? I am also in the same boat. I did the following:
1. Verified the encryption domain and the settings at both ends (Cisco PIX 515E & CP R55).
2. Unchecked "Support key Exchange for Subnets".
3. # dbedit (this should be done on the Mgmt Server)
   Enter Server name (Enter for Local Host)
   User Name / Password
   dbedit> modify properties firewall_properties ike_use_largest_possible_subnets false
   dbedit> update properties firewall_properties
   firewall_properties updated successfully.
   dbedit> quit
4. Install the Policy

Still no progress. Please let me know if something helped you....

Regards,
Vasu


On 12/16/05, Ramakrishnan Pillai wrote:

Hi Oliver,

Yes. I did uncheck it and try. It didn't help... Ramakrishnan


>>> [EMAIL PROTECTED] 12/16/2005 10:46:51 AM >>>

Hi Ramakrishnan,
My suggestion was "uncheck" the box for "Support key Exchange for Subnets", NOT "check" (only in the interoperable device).
Next, install the policy.
Did you try that?

Regards,
Oliver.


--- Ramakrishnan Pillai wrote:

Thanks. Will check supernetting option. As per another suggestion, I tried matching the encryption domains on both ends. The PIX end is simple with two networks. But the Checkpoint end encryption domain is common for all site-to-site and remote access clients and is a huge list of all IPs/networks inside the network which need to be accessed over VPN from outside. Hence it is difficult to match the encryption domain on both sides of the VPN tunnel. Any ideas on this?

Thanks,
Ramakrishnan


>>> [EMAIL PROTECTED] 12/15/05 9:23 PM >>>

Disable SUPERNETTING on the Checkpoint side. Check the Knowledge base for "how to" instructions.
It may solve your problem.
Regards


Ramakrishnan Pillai wrote:

Thanks. Compared all the properties of PIX and R55. The "Support key Exchange for Subnets" is already checked. Still no luck. Same message... RK


>>> [EMAIL PROTECTED] 12/14/05 5:37 PM >>>

In SmartDashboard, go to the interoperable device object Properties (representing PIX), look for VPN - VPN Advanced and uncheck the box: "Support key Exchange for Subnets".
I hope that helps.

Regards,
Oliver.


--- Ramakrishnan Pillai wrote:

Thanks for the detailed reply. Let me cross check everything... RK


>>> [EMAIL PROTECTED] 12/14/2005 10:45:06 AM >>>

Parameters are not identical. I've run into this many times. For example, if the policy on the PIX ends up offering you DES/3DES/MD5/SHA1 (Phase 1), but the Interoperable Device representing the PIX has been set up for 3DES/SHA1, it will fail. You have to match exactly, not just have a match. Painful, but there you have it. Also check DH groups, timeouts, PFS-or-not for Phase 2, and ideally don't choose Aggressive.

"No proposal chosen" is likely Phase 1 settings. If it was the encryption domain, you'd see "no valid SA". Could also be encryption settings in Phase 2, but that's less common: transform sets are specific to a tunnel, so control is better. Policies are not, and that leads to a "VPNs are like a box of chocolates" situation.

If you are being supported by a CSP, run vpn debug trunc, get the handy ike.elg, and have them run it through IkeView. That will show you exactly what's going on and make short work of this issue. Could also use tcpdump and Ethereal for Phase 1 issues, but that only gets you halfway through the exchange: once encryption starts, you're blind. Ethereal won't help with Phase 2; IkeView will.

Good news is: this will come up once parameters match 100% on both sides.


-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Ramakrishnan Pillai
Sent: Wednesday, December 14, 2005 10:15 AM
To: [email protected]
Subject: [FW-1] VPN between R55 and PIX

While doing a site-to-site between R55 and PIX we are getting "Message from peer: No proposal chosen" at the Checkpoint end. Using preshared secret and all parameters are identical. Any idea where to check?

Thanks in advance.
RK

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================

http://www.integralis.com

=== message truncated ===
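The thread's core point is that an IKEv1 responder only accepts a Phase 1 transform that matches one of its own configured sets attribute for attribute, and otherwise answers NO_PROPOSAL_CHOSEN. The following is an added example, not code from the thread or from Check Point or Cisco: it parses a PIX `isakmp policy` block (the posted one plus a second, constructed policy that relies on PIX defaults), builds the single Phase 1 set an interoperable device object would be configured with, and replays the responder's selection so the mismatch can be seen before touching either box. The PIX default values, the SmartDashboard-style labels, and the sample Check Point settings are assumptions.

```python
"""IKEv1 Phase 1 proposal selection, modelled offline.

Added example (not from the thread).  Assumptions: PIX 6.x defaults for
unset 'isakmp policy' attributes; SmartDashboard-style labels such as
'SHA1' and 'Group 2 (1024 bit)' for the Check Point side.  The configs
below are constructed samples.
"""
import re
from dataclasses import dataclass, fields

# Assumed PIX defaults applied when a policy line is omitted.
PIX_DEFAULTS = {"authentication": "rsa-sig", "encryption": "des",
                "hash": "sha", "group": "1"}

# Vendor spellings that mean the same algorithm; 'sha' (PIX) == 'SHA1' (SmartDashboard).
ALIASES = {"sha1": "sha", "pre-shared": "pre-share", "preshared": "pre-share"}


def norm(value: str) -> str:
    v = value.strip().lower()
    return ALIASES.get(v, v)


@dataclass(frozen=True)
class Proposal:
    authentication: str
    encryption: str
    hash_alg: str
    group: int


def parse_pix_isakmp_policies(config: str) -> list[Proposal]:
    """Group 'isakmp policy N attr value' lines by priority N and return the
    proposals in the order the PIX offers them (lowest N first)."""
    policies: dict[int, dict[str, str]] = {}
    for line in config.splitlines():
        m = re.match(r"\s*isakmp policy (\d+) (\S+) (\S+)", line)
        if m:
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    offered = []
    for num in sorted(policies):
        p = {**PIX_DEFAULTS, **policies[num]}   # lifetime is parsed but not compared
        offered.append(Proposal(norm(p["authentication"]), norm(p["encryption"]),
                                norm(p["hash"]), int(p["group"])))
    return offered


def checkpoint_phase1(encryption: str, hash_alg: str, group: str) -> Proposal:
    """The one Phase 1 set an interoperable device object is configured with,
    entered with the labels the GUI shows (assumption), pre-shared secret auth."""
    g = int(re.search(r"\d+", group).group())
    return Proposal("pre-share", norm(encryption), norm(hash_alg), g)


def responder_select(offered, accepted):
    """Responder side of main mode: the first offered transform that equals a
    configured set wins; if none does, the peer sees NO_PROPOSAL_CHOSEN (None)."""
    for prop in offered:
        if prop in accepted:
            return prop
    return None


def explain_mismatch(offered, accepted):
    """Per offered proposal, the attributes that differ from the closest
    configured set, so the operator knows which knob to turn."""
    names = [f.name for f in fields(Proposal)]
    report = []
    for prop in offered:
        best = min(accepted, key=lambda a: sum(getattr(a, n) != getattr(prop, n) for n in names))
        report.append([f"{n}: pix={getattr(prop, n)} cp={getattr(best, n)}"
                       for n in names if getattr(prop, n) != getattr(best, n)])
    return report


# Constructed sample: the thread's policy 1 plus a policy 20 that only sets encryption.
PIX_CONFIG = """
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 20 encryption des
"""

# Constructed Check Point settings: the 3DES/SHA1 case from the thread fails,
# 3DES/MD5 matches policy 1 exactly.
CP_WRONG = {checkpoint_phase1("3DES", "SHA1", "Group 2 (1024 bit)")}
CP_RIGHT = {checkpoint_phase1("3DES", "MD5", "Group 2 (1024 bit)")}

if __name__ == "__main__":
    offered = parse_pix_isakmp_policies(PIX_CONFIG)
    print("PIX offers, in order:", offered)
    print("against 3DES/SHA1:", responder_select(offered, CP_WRONG) or "NO_PROPOSAL_CHOSEN")
    for diffs in explain_mismatch(offered, CP_WRONG):
        print("   differs in:", diffs)
    print("against 3DES/MD5:", responder_select(offered, CP_RIGHT))
```

The model deliberately ignores SA lifetime, which most IKEv1 stacks negotiate down rather than reject; the attributes it does compare are the ones a bare "No proposal chosen" gives you no hint about, which is why the thread points at ike.elg and IkeView for the real exchange.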
