RE: [FW1] FW-1 to PIX VPN
A lot of folks have asked about this scenario over the last several months. We finally got it to work in production under the following conditions and are attempting to reproduce it in our lab. Start with the white papers available from Check Point and Cisco. Hope this helps.

Cisco PIX: PIX 515, OS ver 5.2
Check Point: Nokia 330, IPSO 3.2.1, VPN-1 v4.1 SP1
Encryption: DES, MD5, Pre-shared secrets, Aggressive mode, supports subnets

- Set the PIX so that it knows the Check Point encryption domain is ALL subnets on all segments of the Check Point firewall. Set the Check Point so that it knows the Cisco encryption domain is only the specific hosts/subnets you need included on the PIX side. (Result: Too big of an encryption domain on one side, but just right on the other.)
- NAT occurs before encryption. Use manual NAT rules at the top of the rulebase to ensure traffic between the two encryption domains is NOT being NATed in any fashion.
- Don't just test using ping - use other protocols (FTP, command-line SMTP, etc.).

Daniel R. Mengel, MCSE, CCSE
Lead Technologist - Data Security
Info Systems, Inc. - www.infosysinc.com
Baltimore/Washington - Dover - Philadelphia - Wilmington

-----Original Message-----
From: Amin Tora [mailto:[email protected]]
Sent: Saturday, January 06, 2001 9:59 PM
To: [email protected]
Subject: RE: [FW1] FW-1 to PIX VPN

... make sure you double check:
- encryption algorithm (des, 3des, etc..)
- whether you're using (md5, sha-1, etc..)
- encapsulation (ESP or AH headers...)
- time and time zone on systems... :)

Amin Tora
ePlus Technology
http://www.eplus.com

-----Original Message-----
From: Jon Vandiveer [mailto:[email protected]]
Sent: Saturday, January 06, 2001 6:40 PM
To: [email protected]
Subject: [FW1] FW-1 to PIX VPN

Did you get it working?

From: Net Secure [mailto:[email protected]]
Sent: Friday, 5 January 2001 11:27 a.m.
To: [email protected]
Subject: [FW1] FW-1 to PIX VPN

Does anyone know of an issue creating a VPN from FW-1 to PIX? The PIX is version 5.23; the firewall is a Nokia 440 fw 4.0 sp4 ipso 3.2.1. I have followed the documentation from Check Point and get the following errors: If the VPN is attempted from the FW-1 side; no proposal chosen. From the PIX; fails on the 2nd stage of key negotiation.

Thanks,
-Greg

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
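The two pieces of advice in this thread (Amin's checklist of Phase 1 parameters that must agree, and Daniel's points about encryption domains and NAT being evaluated before encryption) can be checked offline before touching either box. The following is an added example, not code from any poster or from Check Point or Cisco: a small Python model of IKE Phase 1 proposal matching and of Phase 2 selector/NAT interaction. The policy attributes, subnets, NAT rules and the "checkpoint"/"pix" peer names are constructed sample values; the model is deliberately simplified (real IKE also negotiates lifetimes and vendor-specific attributes), so it explains a "no proposal chosen" or a failed second-stage negotiation rather than reproducing the wire protocol.

```python
# Added example (not from the thread): an offline checker for the two failure
# modes discussed above. It models (1) IKE Phase 1 proposal matching, whose
# failure the Check Point side logs as "no proposal chosen", and (2) the
# encryption-domain / NAT ordering advice: NAT is evaluated before encryption,
# so a hide-NAT rule that matches inter-domain traffic breaks Phase 2 selectors.
# All policies, subnets, rules and peer names below are constructed sample values.
from dataclasses import dataclass, fields
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class IkePolicy:
    """One ISAKMP/IKE Phase 1 policy as configured on a peer (simplified)."""
    encryption: str   # "des" or "3des"
    hash_alg: str     # "md5" or "sha1"
    auth: str         # "psk" or "rsa-sig"
    dh_group: int     # 1 or 2
    mode: str         # "main" or "aggressive"


def phase1_mismatches(offered: IkePolicy, configured: Iterable[IkePolicy]) -> List[str]:
    """Attribute names on which the responder's closest policy disagrees with the
    initiator's offer. Empty list: a proposal would be chosen. Non-empty: the
    attributes hiding behind a bare 'no proposal chosen' in the log."""
    policies = list(configured)
    if offered in policies:
        return []
    names = [f.name for f in fields(IkePolicy)]
    diffs = [[n for n in names if getattr(p, n) != getattr(offered, n)] for p in policies]
    return min(diffs, key=len) if diffs else names


@dataclass
class Peer:
    """A VPN gateway: what it protects, and what it believes the other side protects."""
    name: str
    local_domain: List[IPv4Network]
    remote_domain: List[IPv4Network]


def _covered(addr: IPv4Address, nets: Iterable[IPv4Network]) -> bool:
    return any(addr in n for n in nets)


def selector_problems(a: Peer, b: Peer, src: IPv4Address, dst: IPv4Address) -> List[str]:
    """For a flow src (behind a) -> dst (behind b), all four views must classify
    the packet as VPN traffic, otherwise Phase 2 (quick mode) fails."""
    checks = [
        (_covered(src, a.local_domain), f"{a.name} does not protect {src}"),
        (_covered(dst, a.remote_domain), f"{a.name} does not expect {dst} behind {b.name}"),
        (_covered(dst, b.local_domain), f"{b.name} does not protect {dst}"),
        (_covered(src, b.remote_domain), f"{b.name} does not expect {src} behind {a.name}"),
    ]
    return [msg for ok, msg in checks if not ok]


@dataclass(frozen=True)
class NatRule:
    """First-match NAT rule; translate_to=None models a manual 'no NAT' rule."""
    src: IPv4Network
    dst: IPv4Network
    translate_to: Optional[IPv4Address]


def effective_source(rules: Iterable[NatRule], src: IPv4Address, dst: IPv4Address) -> IPv4Address:
    """Walk the NAT rulebase top-down, first match wins; NAT runs before the
    encryption decision, so the result is what the VPN selectors will see."""
    for r in rules:
        if src in r.src and dst in r.dst:
            return src if r.translate_to is None else r.translate_to
    return src


def vpn_flow_problems(a: Peer, b: Peer, nat_rules: Iterable[NatRule], src: str, dst: str) -> List[str]:
    """Full check for one flow: apply NAT first, then match selectors on the post-NAT source."""
    s, d = ip_address(src), ip_address(dst)
    post_nat = effective_source(nat_rules, s, d)
    problems = []
    if post_nat != s:
        problems.append(f"{a.name} NATs {s} to {post_nat} before encryption")
    return problems + selector_problems(a, b, post_nat, d)


# --- constructed scenario in the spirit of the thread ---------------------------
PIX_OFFER = IkePolicy("des", "md5", "psk", 1, "aggressive")
CP_MAIN_ONLY = [IkePolicy("des", "md5", "psk", 1, "main")]   # mode disagrees
CP_FIXED = CP_MAIN_ONLY + [PIX_OFFER]                          # aggressive mode added

CHECKPOINT = Peer("checkpoint", [ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16")],
                  [ip_network("192.168.50.0/24")])              # only the hosts it needs
PIX = Peer("pix", [ip_network("192.168.50.0/24")],
           [ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16")])  # all Check Point subnets

HIDE = NatRule(ip_network("10.0.0.0/8"), ip_network("0.0.0.0/0"), ip_address("203.0.113.1"))
NO_NAT = NatRule(ip_network("10.0.0.0/8"), ip_network("192.168.50.0/24"), None)
NAT_BROKEN = [HIDE, NO_NAT]   # exemption below the hide rule never matches
NAT_FIXED = [NO_NAT, HIDE]    # manual no-NAT rule at the top of the rulebase

if __name__ == "__main__":
    print("phase 1 :", phase1_mismatches(PIX_OFFER, CP_MAIN_ONLY) or "proposal chosen")
    print("phase 1 :", phase1_mismatches(PIX_OFFER, CP_FIXED) or "proposal chosen")
    print("nat bad :", vpn_flow_problems(CHECKPOINT, PIX, NAT_BROKEN, "10.1.5.9", "192.168.50.10"))
    print("nat good:", vpn_flow_problems(CHECKPOINT, PIX, NAT_FIXED, "10.1.5.9", "192.168.50.10"))
```

Run it as a script to see the two cases side by side: with only a main-mode policy on the Check Point side the offer fails on the single attribute "mode", and with the hide-NAT rule above the exemption the flow leaves the gateway with a translated source that neither peer's encryption domain covers, which is exactly the condition Daniel's manual no-NAT rule at the top of the rulebase prevents.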