Any checkpoint experts?

L33 (Permabanned, joined 1 Apr 2003, 1,872 posts)
I know a few of you guys that regular the boards are also CCNA/Ps, but not sure if there are any checkpoint experts out there?

Basically, I've got to set up a s2s vpn. One end is a PIX 515E and t'other (my end) is a Nokia IP350 running Checkpoint NG R55.
Piece of cake, right? Not so....
I know what I'm doing when it comes to IOS/PIX devices, but only used checkpoint devices a couple of times before.
Setting up a 'standard' VPN is no problem; the issue here is that the same subnets are used behind each firewall (10.10.10.0/24). Neither end is able/willing to change, so I've natted select IP pools at both ends, which was a bit of a last resort really. I've configured up the cisco no problem, but the checkpoint is giving me a hard time.
To cut a long story short, there are multiple subnets behind the CP, which seems to like to supernet them all together and cause the tunnel to drop at stage 1 (IKE), 'no valid SA', which after turning on crypto debug on the pix is indeed due to an encryption domain mismatch.
I've tried everything I've found on the net, as well as calling checkpoint support and this god damn thing does NOT want to present my natted ip pool alone.

Other options which are not going to happen due to 'politics'
- SA negotiation per-host
- adding ACLs to make the pix accept the CPs supernetted enc domain
- making my natted ip pool/network the 'only' presented sub for all VPN traffic (other active VPNs access other networks behind the CP). Note that this is an option on the CP, whereas making it the default only for that one VPN is not... annoyingly

If anyone has any suggestions/advice it'd be much appreciated :)
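A quick way to see exactly which proxy-ID pairs the two ends disagree on, before touching either box again. This is an added example and not anything from the original post or from Check Point or Cisco; the addresses are constructed, and the `covering_supernet` function is an assumption about how "supernet them all together" behaves (smallest single prefix that contains every network behind the CP). It models what each peer would propose for phase 2 from the crypto ACL on the PIX side and the encryption domain on the CP side, and reports the pairs that match exactly versus those present on only one side, which is what an encryption domain mismatch in a crypto debug is telling you.

```python
import ipaddress

# Constructed sample topology (assumed, not the poster's real networks):
# PIX side presents its NAT pool and expects only the CP's NAT pool in return.
PIX_LOCAL = ["192.168.50.0/24"]
PIX_REMOTE = ["172.30.1.0/24"]
# CP side: the NAT pool plus the other networks behind the firewall.
CP_DOMAIN = ["172.30.1.0/24", "172.30.10.0/24", "172.30.20.0/24"]
CP_REMOTE = ["192.168.50.0/24"]


def nets(cidrs):
    """Parse CIDR strings into ip_network objects."""
    return [ipaddress.ip_network(c) for c in cidrs]


def covering_supernet(networks):
    """Smallest single prefix containing every given network.
    Assumption: this models a peer that collapses its whole encryption
    domain into one supernet proposal instead of per-network pairs."""
    cand = networks[0]
    while not all(n.subnet_of(cand) for n in networks):
        cand = cand.supernet()  # widen by one bit until everything fits
    return cand


def proxy_ids(local, remote):
    """Set of (local, remote) pairs a peer would propose in quick mode:
    one pair per crypto ACL entry / encryption-domain combination."""
    return {(str(l), str(r)) for l in local for r in remote}


def compare_proposals(pix_pairs, cp_pairs):
    """Mirror the CP's pairs into the PIX's point of view and report
    exact matches and one-sided pairs. IKEv1 phase 2 proxy IDs must
    agree exactly, so anything in the one-sided lists will not get an SA."""
    cp_from_pix_view = {(r, l) for (l, r) in cp_pairs}
    return {
        "matched": sorted(pix_pairs & cp_from_pix_view),
        "only_on_pix": sorted(pix_pairs - cp_from_pix_view),
        "only_on_cp": sorted(cp_from_pix_view - pix_pairs),
    }


def diagnose(pix_local, pix_remote, cp_domain, cp_remote, cp_supernets=True):
    """Build both sides' proposals and compare them. With cp_supernets=True
    the CP proposes one covering supernet; with False it proposes each
    network in its domain separately."""
    cp_local = [covering_supernet(nets(cp_domain))] if cp_supernets else nets(cp_domain)
    return compare_proposals(
        proxy_ids(nets(pix_local), nets(pix_remote)),
        proxy_ids(cp_local, nets(cp_remote)),
    )


if __name__ == "__main__":
    for supernets in (True, False):
        print(f"CP supernetting: {supernets}")
        for key, pairs in diagnose(PIX_LOCAL, PIX_REMOTE, CP_DOMAIN, CP_REMOTE, supernets).items():
            print(f"  {key}: {pairs}")
```

With supernetting on, the CP proposes 172.30.0.0/19 against 192.168.50.0/24, which the PIX has no crypto ACL entry for, so nothing matches and the debug shows no valid SA. With supernetting off, the NAT-pool pair matches and only the two extra networks are left one-sided, which is the state the OP is trying to reach by presenting the natted pool alone.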
 
Yeah, I discovered that CP will summarise networks - there's probably an option to turn this off from the default on. It would fail for phase 2, don't know why it fails for you at "stage 1".
My suggestion is don't use CP for the VPN termination. We spent the best part of 2 years waiting for CP to properly support VLAN interfaces and get VPN operation working in a load sharing multicast cluster setup (Sun/Solaris/R55, not the appliance) and in the end got Cisco VPN 3000 concentrators. We still use CP for the firewalling but don't have it touch any VPN connections.

Get yourself another PIX, connect it in parallel to the firewall, terminate the VPN on it, configure it for the overlapping networks and save yourself wasting time and money on getting CP to work as you want it.
 