Hi there,
   
Changing ike_use_largest_possible_subnets from true to false is only the first step.

What you need to do is basically include all the IP networks of the Check Point
encryption domain in the $FWDIR/lib/user.def file. For example, I have 3 networks,
so the user.def file will look something like this:
   
// User defined INSPECT code
//
#ifndef __user_def__
#define __user_def__
// one <first address, last address; mask> tuple per subnet of the encryption domain
max_subnet_for_range = {
<192.168.10.0, 192.168.10.255; 255.255.255.0>,
<192.168.11.0, 192.168.11.255; 255.255.255.0>,
<192.168.13.0, 192.168.13.255; 255.255.255.0>
};
#endif /* __user_def__ */

Install the policy and it will work. It has nothing to do with phase II PFS. In R55 and
higher, you can have PFS on the PIX side and no PFS on the Check Point side and it
still works. I deal with these every day. NG Feature Pack 3 is another matter.

Good luck! If you still have problems, please repost.
   
  cisco4ng
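
As an added example (not part of the thread, and not a Cisco or Check Point tool), the following Python script does mechanically what the replies in this thread recommend doing by hand: it cross-checks the PIX side of the tunnel against the Check Point side and lists every mismatch. The Phase 1 attributes of the PIX `isakmp policy` are compared with the interoperable device's settings, which it takes from a hand-transcribed dict since they live in SmartDashboard, and the Phase 2 proxy IDs are compared by parsing the PIX `network-object` entries against the `max_subnet_for_range` tuples of user.def, rejecting any tuple whose last address does not agree with its mask. The PIX excerpt, the alias and object-group names (`net-a`, `cp-vpn-dom` and so on) and the two planted mistakes are constructed for the example.

```python
"""Added example (not a Cisco or Check Point tool): cross-checks a PIX config
against the Check Point side of a site-to-site VPN and reports the mismatches
the thread found behind "No proposal chosen" (Phase 1 attributes must be
identical) and "no valid SA" (Phase 2 proxy-ID subnets must be identical)."""
import ipaddress
import re

# Constructed PIX excerpt modelled on the configuration quoted in the thread; the
# alias and object-group names are made up. Two planted mistakes: `hash sha`, and
# net-c covering 192.168.12.0 where user.def has 192.168.13.0.
PIX_CONFIG = """
name 192.168.10.0 net-a
name 192.168.11.0 net-b
name 192.168.12.0 net-c
object-group network cp-vpn-dom
 network-object net-a 255.255.255.0
 network-object net-b 255.255.255.0
 network-object net-c 255.255.255.0
object-group network unrelated
 network-object 172.16.0.0 255.255.0.0
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
"""

# Constructed user.def excerpt in the layout shown at the top of the thread.
USER_DEF = """
#ifndef __user_def__
#define __user_def__
max_subnet_for_range = {
<192.168.10.0, 192.168.10.255; 255.255.255.0>,
<192.168.11.0, 192.168.11.255; 255.255.255.0>,
<192.168.13.0, 192.168.13.255; 255.255.255.0>
};
#endif /* __user_def__ */
"""

# Constructed stand-in for the interoperable device's Phase 1 settings: they are
# set in SmartDashboard, so they are transcribed by hand rather than parsed.
CP_PHASE1 = {"authentication": "pre-share", "encryption": "3des",
             "hash": "md5", "group": "2", "lifetime": "86400"}

def parse_pix_isakmp_policies(config):
    """Return {policy_number: {attribute: value}} from `isakmp policy N attr value` lines."""
    policies = {}
    for line in config.splitlines():
        m = re.match(r"\s*isakmp policy (\d+) (\S+) (\S+)\s*$", line)
        if m:
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return policies

def parse_pix_network_objects(config, group_name):
    """Return the networks under `object-group network <group_name>`, resolving `name` aliases."""
    aliases = {alias: ip for ip, alias in re.findall(r"^\s*name (\S+) (\S+)", config, re.M)}
    nets, in_group = set(), False
    for line in config.splitlines():
        m = re.match(r"\s*object-group network (\S+)", line)
        if m:
            in_group = m.group(1) == group_name   # only the VPN group's members count
            continue
        m = re.match(r"\s*network-object (\S+) (\S+)", line)
        if m and in_group:
            addr = aliases.get(m.group(1), m.group(1))
            nets.add(ipaddress.ip_network(f"{addr}/{m.group(2)}", strict=True))
    return nets

def parse_user_def_ranges(user_def):
    """Return the networks from a max_subnet_for_range table; each <first, last; mask>
    tuple must describe exactly the network first/mask, otherwise it is a typo to fix."""
    nets = set()
    for first, last, mask in re.findall(r"<\s*([\d.]+)\s*,\s*([\d.]+)\s*;\s*([\d.]+)\s*>", user_def):
        net = ipaddress.ip_network(f"{first}/{mask}", strict=True)
        if ipaddress.ip_address(last) != net.broadcast_address:
            raise ValueError(f"user.def tuple {first}-{last} does not match mask {mask}")
        nets.add(net)
    return nets

def compare_phase1(pix_policies, cp_phase1):
    """List every attribute of every PIX policy that differs from the Check Point object."""
    return [f"isakmp policy {num}: {key}={attrs.get(key)} but Check Point object has {val}"
            for num, attrs in sorted(pix_policies.items())
            for key, val in cp_phase1.items() if attrs.get(key) != val]

def compare_phase2(pix_nets, cp_nets):
    """List proxy-ID subnets that only one side would put into the Quick Mode exchange."""
    return ([f"PIX proposes {n} but user.def has no matching max_subnet_for_range tuple"
             for n in sorted(pix_nets - cp_nets)] +
            [f"user.def lists {n} but it is not in the PIX object-group"
             for n in sorted(cp_nets - pix_nets)])

def check(pix_config=PIX_CONFIG, user_def=USER_DEF, cp_phase1=CP_PHASE1, group="cp-vpn-dom"):
    """Run both comparisons; an empty list means both peers will propose the same thing."""
    return (compare_phase1(parse_pix_isakmp_policies(pix_config), cp_phase1) +
            compare_phase2(parse_pix_network_objects(pix_config, group),
                           parse_user_def_ranges(user_def)))

if __name__ == "__main__":
    print("\n".join(check()) or "both sides agree")
```

Run as a script it prints the mismatches; with the two planted mistakes it reports the `hash sha` versus `md5` difference plus the 192.168.12.0/24 and 192.168.13.0/24 subnets that exist on only one side, and once both are corrected `check()` returns an empty list. The strict network parsing is deliberate: a user.def tuple or a PIX mask with host bits set would otherwise silently become a different subnet from the one the other peer expects.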

Vasudevan Chetty Padmanabhan <[EMAIL PROTECTED]> wrote:
Hi,

I am using Check Point NG with AI - R55. Thanks for the Cisco config... I
have the latest hotfixes for Check Point installed. Any other thoughts,
please...

Thanks.


On 2/14/06, no-need to-list wrote:
>
> Here is a PIX configuration that you may use as a base... I have more than
> 100 Cisco PIX working with Check Point FW.
>
> I hope this helps all the people having problems with Check Point and Cisco
> PIX VPN.
>
> PS...Checkpoint side latest HFA applied, PIX latest code used...
>
>
>
> BASIC PIX Configuration
>
> ------------------------------------
> assign names to networks and hosts
> ------------------------------------
> name 192.168.0.0 your-192-168-x-x
> name 111.111.111.111 yourFWCLUSTER
> name 10.0.0.0 your-10-x-x-x
>
> ----------------------------------------------------
> define the VPN networks reachable behind the Checkpoint FW
> by creating a group
> -----------------------------------------------------
> object-group network your-vpn-dom
> description your-vpn-domain
> network-object your-10-x-x-x 255.0.0.0
> network-object your-192-168-x-x 255.255.0.0
> --------------------------------------------------
> access list to disable SPLIT-Tunneling
> --------------------------------------------------
> access-list 101 permit ip host yourFWCLUSTER any
> access-list 101 permit ip (yourpixinternalnet) 255.255.255.0 any
> access-list 101 permit ip host pixexternal object-group your-vpn-dom
> access-list nonat permit ip host yourFWCLUSTER any
> access-list nonat permit ip (yourpixinternalnet) 255.255.255.0 any
> access-list nonat permit ip host (yourpixexternaladdress) object-group your-vpn-dom
>
> ---------------------------------------
> global nat command
> ---------------------------------------
> global (outside) 1 interface
> nat (inside) 0 access-list nonat
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
>
> ---------------------------------------------
> define the crypto map, transform-sets and assign the access list
> ----------------------------------------------
>
> sysopt connection permit-ipsec
> crypto ipsec transform-set rtptac esp-3des esp-md5-hmac
> crypto map rtprules 10 ipsec-isakmp
> crypto map rtprules 10 match address 101
> crypto map rtprules 10 set peer yourFWCLUSTER
> crypto map rtprules 10 set transform-set rtptac
> crypto map rtprules interface outside
> -------------------------------------------------------
> define the ISAKMP parameters to match the Checkpoint FW
> ---------------------------------------------------------
>
> isakmp enable outside
> isakmp key (your-shared-key-here) address yourFWCLUSTER netmask 255.255.255.255
> isakmp policy 1 authentication pre-share
> isakmp policy 1 encryption 3des
> isakmp policy 1 hash md5
> isakmp policy 1 group 2
> isakmp policy 1 lifetime 86400
>
>
>
> Vasudevan Chetty Padmanabhan < [EMAIL PROTECTED]> wrote:
> Hi Ramakrishan,
>
> Were you able to get the site-to-site tunnel working? I am also in the same
> boat. I did the following:
> 1. Verified the encryption domain and the settings at both ends (Cisco PIX
> 515E & CP R55).
> 2. Unchecked "Support key Exchange for Subnets".
> 3. # dbedit (This should be done on the Mgmt Server)
> Enter Server name (Enter for Local Host)
> User Name / Password
> dbedit> modify properties firewall_properties
> ike_use_largest_possible_subnets false
>
> dbedit> update properties firewall_properties
> firewall_properties updated successfully.
>
> dbedit> quit
> 4. Install the Policy
>
> Still no progress. Please let me know if something helped you....
>
> Regards,
> Vasu
>
>
>
> On 12/16/05, Ramakrishnan Pillai wrote:
> >
> > Hi Oliver,
> >
> > Yes. I did uncheck it and try. It didn't help...Ramakrishnan
> >
> > >>> [EMAIL PROTECTED] 12/16/2005 10:46:51 AM >>>
> >
> > Hi Ramakrishnan,
> > My suggestion was "uncheck" the box for "Support key
> > Exchange for Subnets", NOT "check". (only in the
> > interoperable device)
> > Next, install the policy.
> > Did you try that?
> >
> > Regards,
> > Oliver.
> >
> >
> > --- Ramakrishnan Pillai wrote:
> >
> > > Thanks. Will check supernetting option. As per
> > > another suggestion, I tried matching the encryption
> > > domains on both end. The PIX end is simple with two
> > > networks. But Checkpoint end encryption domain is
> > > common for all site-to-site and remote access
> > > clients and is a huge list of all IPs/networks
> > > inside the network which need to be accessed over
> > > VPN from outside. Hence it is difficult to match
> > > the encryption domain on both sides of the vpn
> > > tunnel. Any ideas on this?
> > >
> > > Thanks,
> > > Ramakrishnan
> > >
> > > >>> [EMAIL PROTECTED] 12/15/05 9:23 PM >>>
> > > disable SUPERNETTING on the Checkpoint side....Check
> > > Knowledge base for
> > > "how to" instructions.
> > > It may solve your problem.
> > > Regards
> > >
> > > Ramakrishnan Pillai wrote:
> > > Thanks. Compared all the properties of PIX and
> > > R55. The "Support key Exchange for Subnets" is
> > > already checked. Still no luck. Same message...RK
> > >
> > > >>> [EMAIL PROTECTED] 12/14/05 5:37 PM >>>
> > > In SmartDashboard, go to the interoperable device
> > > object Properties (representing PIX), look for VPN -
> > > VPN Advanced and uncheck the box: "Support key
> > > Exchange for Subnets"
> > > I hope that helps.
> > >
> > > Regards,
> > >
> > > Oliver.
> > >
> > >
> > > --- Ramakrishnan Pillai wrote:
> > >
> > > > Thanks for the detailed reply. Let me cross check
> > > > everything...RK
> > > >
> > > > >>> [EMAIL PROTECTED] 12/14/2005
> > > > 10:45:06 AM >>>
> > > > Parameters are not identical. I've run into this many times. For example,
> > > > if the policy on the PIX ends up offering you DES/3DES/MD5/SHA1 (Phase-1),
> > > > but the Interoperable Device representing the PIX has been set up for
> > > > 3DES/SHA1, it will fail. You have to match exactly, not just have a match.
> > > > Painful, but there you have it. Also check DH groups, timeouts, PFS-or-not
> > > > for Phase-2, and ideally don't choose Aggressive.
> > > > "No proposal chosen" is likely Phase-1 settings. If it was the encryption
> > > > domain, you'd see "no valid SA". Could also be the Phase-2 encryption
> > > > settings, but that's less common: transform sets are specific to a tunnel,
> > > > so control is better. Policies are not, and that leads to a "VPNs are like
> > > > a box of chocolates" situation.
> > > >
> > > > If you are being supported by a CSP, run vpn debug trunc, get the handy
> > > > ike.elg, and have them run it through IkeView. That will show you exactly
> > > > what's going on and make short work of this issue. Could also use tcpdump
> > > > and ethereal for Phase-1 issues, but that only gets you halfway through the
> > > > exchange - once encryption starts, you're blind. Ethereal won't help with
> > > > Phase-2; IkeView will.
> > > >
> > > > Good news is: this will come up once parameters match 100% on both sides.
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]]
> > > > On Behalf Of Ramakrishnan Pillai
> > > > Sent: Wednesday, December 14, 2005 10:15 AM
> > > > To: [email protected]
> > > > Subject: [FW-1] VPN between R55 and PIX
> > > >
> > > >
> > > > While doing a site-to-site between R55 and PIX we are getting
> > > > "Message from peer: No proposal chosen" at the Check Point end. Using
> > > > preshared secret and all parameters are identical. Any idea where to
> > > > check?
> > > >
> > > > Thanks in advance.
> > > > RK
> > > >
> > > >
> > > > =================================================
> > > > To set vacation, Out-Of-Office, or away messages,
> > > > send an email to
> > > [EMAIL PROTECTED]
> > > > in the BODY of the email add:
> > > > set fw-1-mailinglist nomail
> > > > =================================================
> > > > To unsubscribe from this mailing list,
> > > > please see the instructions at
> > > > http://www.checkpoint.com/services/mailing.html
> > > > =================================================
> > > > If you have any questions on how to change your
> > > > subscription options, email
> > > > [EMAIL PROTECTED]
> > > > =================================================
> > >
> > === message truncated ===
> >
>
