
Re: [FW1] VPN with Sonicwall




Hi,

There are some things you must take care of when you set up a tunnel between
CheckPoint and SonicWALL:

1/  If you are using NAT : As usual, because CheckPoint FW-1 performs NAT
before encryption, you need an extra NAT-rule so that traffic between the 2
sites doesn't get encrypted, or change your NAT-rules so they won't NAT the
traffic between the sites.

2/  I've noticed that CheckPoint Firewall-1 sometimes fragments its
IPSec-packets. I've seen this behaviour when the properties (under the
VPN-tab) of the firewall-1 object included DES, as well as 3DES, MD5 as
well as SHA-1. When this occurs, all you have to do is:
     a/  on CheckPoint Firewall-1 : limit the encryption-options on the
firewall-1 object to the ones you really need
or : b/  on SonicWALL : under the VPN-tab, under Summary, "Global IPSec
Settings", activate the option "Enable Fragmented Packet Handling"

Kind Regards,

--------------------------------------------------------------------------------------------
Philippe Verdonck
Sr System Engineer
Erudict  Antwerpen NV
Desguinlei 250
B-2018  Antwerp
Belgium
--------------------------------------------------------------------------------------------



From:    "Kondisetty, Sudhir" <[email protected]>
Sent by: [email protected]kpoint.com
To:      "'[email protected]'" <[email protected]>
cc:
Subject: [FW1] VPN with Sonicwall
Date:    31/05/01 20:14





Hello all,

Has anyone ever tried to setup a VPN between a CheckPoint and Sonicwall
firewall?  I'm running CheckPoint 4.1 SP2 and have attempted to do this.
I've gotten so far as to have the firewalls exchange keys and establish an
encrypted connection.  But when I try an FTP to the client's FTP server, it
times out.  The Sonicwall firewall drops the packet and reports illegal
host.  The CheckPoint firewall says it receives a message that the packet
is malformed.

The client claims they have a VPN setup with another CheckPoint firewall
and it must be in my configuration.  But I've duplicated their setup to no
avail.  I'm using IKE, DES, MD5.

Any ideas?

Sudhir Kondisetty





================================================================================

     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
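
An added example, not part of the original messages: a check for point 1 of the reply, which walks an ordered NAT rule list and reports whether site-to-site traffic would be translated before encryption. The `NatRule` model, the first-match ordering and the sample networks are simplified assumptions for illustration, not an export of a real FW-1 rulebase.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class NatRule:
    name: str
    src: str         # source network (CIDR)
    dst: str         # destination network (CIDR)
    translate: bool  # True = hide/static NAT, False = "no NAT" exemption

def first_match(rules, src_net, dst_net):
    """Return the first rule overlapping both networks (assumed: first match wins)."""
    s, d = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    for rule in rules:
        if (ipaddress.ip_network(rule.src).overlaps(s)
                and ipaddress.ip_network(rule.dst).overlaps(d)):
            return rule
    return None

def audit_vpn_nat(rules, local_domain, remote_domain):
    """Report whether VPN traffic keeps its original addresses before encryption."""
    hit = first_match(rules, local_domain, remote_domain)
    if hit is None:
        return ["ok: no NAT rule touches VPN traffic"]
    if not hit.translate:
        return [f"ok: exemption '{hit.name}' matches first"]
    findings = [f"problem: '{hit.name}' translates VPN traffic before encryption"]
    # Look for an exemption that exists but sits below the translating rule.
    for later in rules[rules.index(hit) + 1:]:
        if not later.translate and first_match([later], local_domain, remote_domain):
            findings.append(f"exemption '{later.name}' is shadowed; move it above '{hit.name}'")
    if len(findings) == 1:
        findings.append(f"no exemption found; add a no-NAT rule above '{hit.name}'")
    return findings

# Constructed sample data: local and remote encryption domains and two rules.
LOCAL, REMOTE = "10.1.0.0/16", "192.168.50.0/24"
HIDE = NatRule("hide-internet", "10.1.0.0/16", "0.0.0.0/0", True)
EXEMPT = NatRule("no-nat-vpn", "10.1.0.0/16", "192.168.50.0/24", False)

if __name__ == "__main__":
    for label, rules in (("exemption below hide rule", [HIDE, EXEMPT]),
                         ("exemption above hide rule", [EXEMPT, HIDE])):
        print(label)
        for line in audit_vpn_nat(rules, LOCAL, REMOTE):
            print("  " + line)
```
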










 
   All contents © 2004 Network Presence, LLC. All rights reserved.