I know a few of you guys that regular the boards are also CCNA/Ps, but not sure if there are any checkpoint experts out there?
Basically, I've got to set up a s2s vpn. One end is a PIX 515E and t'other (my end) is a Nokia IP350 running Checkpoint NG R55.
Piece of cake, right? Not so....
I know what I'm doing when it comes to IOS/PIX devices, but only used checkpoint devices a couple of times before.
Setting up a 'standard' VPN is no problem, the issue here is that the same subnets are used behind each firewall (10.10.10.0/24). Neither end is able/willing to change so I've natted select IP pools at both ends which was a bit of a last resort really. I've configured up the Cisco no problem, but the Checkpoint is giving me a hard time.
To cut a long story short, there are multiple subnets behind the CP, which seems to like to supernet them all together, causing the tunnel to drop at stage 1 (IKE) with 'no valid SA', which after turning on crypto debug on the PIX is indeed due to an encryption domain mismatch.
I've tried everything I've found on the net, as well as calling checkpoint support and this god damn thing does NOT want to present my natted ip pool alone.
Other options which are not going to happen due to 'politics':
- SA negotiation per-host
- adding ACLs to make the pix accept the CPs supernetted enc domain
- making my natted ip pool/network the 'only' presented sub for all VPN traffic (other active VPNs access other networks behind the CP). Note that this is an option on the CP, whereas making it the default only for that one VPN is not... annoyingly
If anyone has any suggestions/advice it'd be much appreciated
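Added example (not from the post or from either vendor): a small Python check for the Phase 2 proxy-ID mismatch the post describes. It takes the PIX crypto ACL entries and the selectors the Check Point side actually presents, compares them crosswise (the peer's local is our remote), and reports per entry whether the peer's proposal is an exact match, sits inside our entry (which a strict matcher like the PIX accepts), or has been folded into a broader supernet (the 'no valid SA' case). The sample addresses are constructed placeholders: the post only names the overlapping real subnet 10.10.10.0/24 and never gives the NAT pool addresses, so 192.0.2.0/24 and 198.51.100.0/24 stand in for the NATted pools and 198.51.100.0/22 for the supernet the Check Point builds.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Selector = Tuple[str, str]   # (local network, remote network), from that side's own point of view


def _net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=True)


def _relation(ours: ipaddress.IPv4Network, theirs: ipaddress.IPv4Network) -> str:
    """Relation of the network the peer proposes to the one in our ACL entry."""
    if theirs == ours:
        return "exact"
    if theirs.subnet_of(ours):
        return "narrower"
    if ours.subnet_of(theirs):
        return "supernet"
    if ours.overlaps(theirs):
        return "partial"
    return "disjoint"


# Ranked best to worst; the worse of the two halves (local/remote) decides an entry's verdict.
_RANK = {"exact": 0, "narrower": 1, "supernet": 2, "partial": 3}


def diagnose(pix_acl: List[Selector], cp_domain: List[Selector]) -> Dict[Selector, str]:
    """Line up each PIX crypto ACL entry against the encryption domain the peer presents.

    Verdicts: "exact" (proxy IDs agree), "narrower" (peer proposal inside our entry; a strict
    matcher accepts it), "supernet" (peer proposal broader than our entry; a strict matcher
    rejects it and IKE fails with 'no valid SA'), "partial" (overlap without containment),
    "missing" (nothing the peer presents touches this entry; it belongs to another tunnel).
    """
    report: Dict[Selector, str] = {}
    for local, remote in pix_acl:
        ours_local, ours_remote = _net(local), _net(remote)
        best: Optional[str] = None
        for peer_local, peer_remote in cp_domain:
            # Crosswise comparison: the peer's local is our remote, and vice versa.
            halves = (_relation(ours_remote, _net(peer_local)),
                      _relation(ours_local, _net(peer_remote)))
            if "disjoint" in halves:
                continue   # this peer selector is for some other tunnel, not a mismatch
            verdict = max(halves, key=_RANK.__getitem__)
            if best is None or _RANK[verdict] < _RANK[best]:
                best = verdict
        report[(local, remote)] = best or "missing"
    return report


def supernetted_entries(report: Dict[Selector, str]) -> List[Selector]:
    """The ACL entries the peer has folded into a broader selector; these are the ones to chase."""
    return [entry for entry, verdict in report.items() if verdict == "supernet"]


if __name__ == "__main__":
    # Constructed sample values (hypothetical, not from the post): 192.0.2.0/24 is the NATted pool
    # on the PIX side, 198.51.100.0/24 the NATted pool on the Check Point side, and 198.51.101.0/24
    # and 198.51.102.0/24 other networks behind the Check Point that share the /22.
    pix_acl = [("192.0.2.0/24", "198.51.100.0/24")]
    # What the Check Point proposes once it supernets everything behind it into one block.
    cp_supernetted = [("198.51.100.0/22", "192.0.2.0/24")]
    # What it would need to propose for this one tunnel; the second selector is another tunnel's.
    cp_wanted = [("198.51.100.0/24", "192.0.2.0/24"),
                 ("198.51.101.0/24", "203.0.113.0/24")]
    for label, domain in (("supernetted", cp_supernetted), ("wanted", cp_wanted)):
        print(label, diagnose(pix_acl, domain))
```

Run it as a script to see both outcomes side by side; feed in the selectors from the PIX crypto debug and from the Check Point's VPN domain to check a real tunnel.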
