I've been told by both CP and Cisco TAC that using a certificate-based VPN between Cisco and Checkpoint is NOT supported by either vendor. How do you load the CP certificate from CP onto a Cisco IOS router? I would like to know how you can accomplish this. To my knowledge, to load a certificate onto a Cisco IOS device, you have to use SCEP (Simple Certificate Enrollment Protocol). That's the only way I know how. In the past, I tried to make a site-2-site VPN work between Checkpoint and Cisco IOS via a Microsoft certificate but never had any success. Checkpoint and Cisco TAC told me that this configuration is not supported, so I gave up after that. Any more ideas? Thanks.

cisco4ng
Sergio Alvarez <[EMAIL PROTECTED]> wrote:

I haven't had much experience with devices with dynamic IPs, but when you create a new object as an Interoperable Device, you can select the option "Dynamic Address" and then create an interface in the Topology section as dynamically assigned, which tells me you can in fact make it work. The deal is that, as far as I can see while doing some testing, you must work with certificates, and it seems that pre-shared keys are not an accepted method, as after creating such a dynamic object I keep getting messages about the requirement to choose a CA.

Although it is a lot more complicated to do in Cisco IOS than using plain pre-shared keys, you could in fact generate a certificate from the CheckPoint ICA and load it on the router.

Regards

On 1/15/07, cisco4ng wrote:
>
> Hi All,
>
> Wondering if someone can help me with this?
>
> I have a customer that recently migrated from a Cisco IOS router at the
> HQ over to a Checkpoint NGx firewall. On the IOS router, they have a
> site-2-site VPN between this IOS router and another IOS router at a
> remote branch. The IOS router at the remote branch gets its IP address
> from the ISP via DHCP, so its IP address changes every couple of days or so.
>
> On the IOS router at the HQ, I set up the VPN to accept ISAKMP and ESP
> from "any" via "isakmp key xxxx address 0.0.0.0 netmask 0.0.0.0". I make
> the pre-share key 200 characters long, so if the pre-share and the
> encryption domain match, the VPN will work, and it works.
>
> When the customer migrates over to the NGx firewall at the HQ, I don't
> know how to make it work with "isakmp key xxxx address 0.0.0.0 netmask
> 0.0.0.0" in the IOS router with the NGx firewall at the HQ.
>
> Can someone help me with this? In other words, I want the NGx to accept
> isakmp/esp from "any" and have the vpn tunnel up and running once the
> pre-share and encryption domain match.
>
> Thanks.
>
> cisco4ng
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================

--
Sergio Alvarez
(506)8301342
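For readers following the thread, here is an added example of what the two approaches discussed above look like on the branch IOS router: the wildcard pre-shared key that cisco4ng used router-to-router, and the certificate enrollment against the Check Point ICA over SCEP that Sergio suggests and that cisco4ng asks about. This is not configuration from the original posters or from either vendor's documentation. The addresses (192.0.2.10 for the Check Point management server, 203.0.113.1 for the HQ gateway), the subnets, the trustpoint and key names, and in particular the ICA SCEP enrollment URL are assumptions made for illustration; whether the ICA accepts SCEP enrollment, the exact URL, and the one-time password procedure must be confirmed against Check Point's documentation.

```cisco
! Branch router with a DHCP-assigned WAN address (IOS 12.4-era syntax).
! Addresses, names and the ICA URL below are assumed for this example.
!
! ---- Option A: wildcard pre-shared key (the router-to-router setup) ----
! Any peer that presents this key and a matching encryption domain passes
! Phase 1, so the key is the only thing authenticating the hub to the branch
! and vice versa; the 0.0.0.0 0.0.0.0 mask accepts it from any source.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 0 LONG-RANDOM-SECRET address 0.0.0.0 0.0.0.0
!
! ---- Option B: certificate from the Check Point ICA via SCEP ----
! Generate the router's key pair first (exec mode):
!   crypto key generate rsa general-keys label BRANCH-KEY modulus 2048
!
! Trustpoint pointing at the ICA. The enrollment URL is an ASSUMPTION;
! check the ICA's actual SCEP endpoint before using it.
crypto pki trustpoint CP-ICA
 enrollment url http://192.0.2.10:18264/
 subject-name CN=branch-rtr.example.net
 rsakeypair BRANCH-KEY
 revocation-check none
!
! Fetch the ICA certificate and verify its fingerprint out of band,
! then submit the SCEP request with the one-time password issued on the
! Check Point side (both commands are entered in global config mode):
!   crypto pki authenticate CP-ICA
!   crypto pki enroll CP-ICA
!
! Phase 1 now authenticates with RSA signatures and the router identifies
! itself by the DN in its certificate, which is what the Check Point
! Interoperable Device object will match on.
crypto isakmp identity dn
crypto isakmp policy 10
 encr aes
 authentication rsa-sig
 group 2
!
! ---- Phase 2 and crypto map, common to both options ----
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VPN-TRAFFIC
!
interface FastEthernet0/0
 ip address dhcp
 crypto map VPN
```

Only one of the two `crypto isakmp policy 10` blocks would exist on a real router; they are shown together to make the single line that differs (`authentication pre-share` versus `authentication rsa-sig`) obvious. With Option B the branch always initiates, since its address is unknown to the hub, and the ICA-issued certificate is what lets the Check Point side identify a peer that arrives from an arbitrary source address, which is the gap the wildcard pre-shared key was covering in the router-to-router design.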
