Title: RE: [FW-1] Cisco to Check Point VPN

Here is what I did for a Cisco Router/PIX to a CheckPoint NG FP3 w/HotFix 1

http://www.thenall.com/vpn/index.htm

Maybe it will give you an idea that you have not thought of yet...



-----Original Message-----
From: Leonardo Boulton [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 03, 2003 6:15 AM
To: [EMAIL PROTECTED]
Subject: [FW-1] Cisco to Check Point VPN


Hi lads,
I've been trying to configure a VPN between a Check Point NG (FP1 and
FP3) to Cisco Concentrator 3000 VPN. Finally, I was able to establish the tunnel. I had the following problem:


   |-------[CP NG FP3]----Internet----[Cisco]----|
Net 1                                          Net 2

When I ping (as in access anything at all) from Net 2 to net 1, everything is fine.... when you try to ping from net 1 to net 2 only phase 1 is completed but phase 2 isn't. The message that I get in both logs is that the Cisco is sending a "delete SA" message to the Check Point peer. After some research, I found out that this is due to the Cisco peer: both encryption domains must be set exactly alike. I mean, both Encryption domains must be configured as the same subnetwork... it is not possible for you to have a Class B encryption domain defined for the Check Point (in the Check Point object) and a class C encryption domain defined in the Cisco side (for the Check Point encryption domain).

I configured the same subnet as the Check Point encryption domain in both peers, and everything worked fine.

Now, I have the following question for you guys.... what if I have a group defined in the Check Point side as the encryption domain? It is not possible to configure a group on the Cisco side... it has like a field that you can fill with a subnet and a mask (I don't know that much of the Cisco concentrator, actually, I don't know anything at all!, that's why I came to you....). Is it possible to define like a group, or a list, as an encryption domain?

What should/can I do?

Cheers, and thanks,

LB
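
The mismatch described in the message above, as an added example that is not part of the original thread: a Python check that compares, entry by entry, the subnets one gateway defines as its encryption domain with the subnets the remote peer has configured for that gateway. The function name and all addresses are hypothetical and constructed for illustration.

```python
import ipaddress

def compare_encryption_domains(local_domain, peer_entry):
    """Compare the subnets a gateway defines as its own encryption domain
    (local_domain) with the subnets the remote peer has configured for that
    gateway (peer_entry). Both arguments are lists of IPv4 CIDR strings."""
    local = {ipaddress.ip_network(n) for n in local_domain}
    peer = {ipaddress.ip_network(n) for n in peer_entry}

    # Entries that are identical on both sides (same network, same mask).
    matched = local & peer
    rest_local, rest_peer = local - matched, peer - matched

    # Overlapping but not identical, e.g. a /16 on one side and a /24
    # inside it on the other: the case reported in the message.
    mismatched = sorted(
        (a, b) for a in rest_local for b in rest_peer if a.overlaps(b)
    )
    # Entries with no counterpart at all on the other side, e.g. members
    # of a group that the peer has no entry for.
    only_local = sorted(
        a for a in rest_local if not any(a.overlaps(b) for b in rest_peer)
    )
    only_peer = sorted(
        b for b in rest_peer if not any(b.overlaps(a) for a in rest_local)
    )

    return {
        "matched": [str(n) for n in sorted(matched)],
        "mismatched": [(str(a), str(b)) for a, b in mismatched],
        "only_local": [str(n) for n in only_local],
        "only_peer": [str(n) for n in only_peer],
    }

if __name__ == "__main__":
    # Constructed sample: a Class B range on one side, a Class C on the other.
    print(compare_encryption_domains(["10.1.0.0/16"], ["10.1.5.0/24"]))

    # Constructed sample: a group of three subnets on one side,
    # a single subnet and mask configured on the other.
    group = ["192.168.10.0/24", "192.168.20.0/24", "172.16.0.0/16"]
    print(compare_encryption_domains(group, ["192.168.10.0/24"]))
```

Any entry reported under `mismatched`, `only_local` or `only_peer` is a subnet for which the two configurations are not set exactly alike.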
