Re: [FW1] VPN with Sonicwall
Hi,

There are some things you must take care of when you set up a tunnel between CheckPoint and SonicWALL:

1/ If you are using NAT:
As usual, because CheckPoint FW-1 performs NAT before encryption, you need an extra NAT-rule so that traffic between the 2 sites doesn't get encrypted, or change your NAT-rules so they won't NAT the traffic between the sites.

2/ I've noticed that CheckPoint Firewall-1 sometimes fragments its IPSec-packets. I've seen this behaviour when the properties (under the VPN-tab) of the firewall-1 object included DES as well as 3DES, MD5 as well as SHA-1. When this occurs, all you have to do is:

a/ on CheckPoint Firewall-1: limit the encryption-options on the firewall-1 object to the ones you really need

or:

b/ on SonicWALL: under the VPN-tab, under Summary, "Global IPSec Settings", activate the option "Enable Fragmented Packet Handling"

Kind Regards,

--------------------------------------------------------------------------------------------
Philippe Verdonck
Sr System Engineer
Erudict Antwerpen NV
Desguinlei 250
B-2018 Antwerp
Belgium
--------------------------------------------------------------------------------------------

"Kondisetty, Sudhir" <[email protected]>
Sent by: [email protected]
31/05/01 20:14

To: "'[email protected]'" <[email protected]>
cc:
Subject: [FW1] VPN with Sonicwall

Hello all,

Has anyone ever tried to setup a VPN between a CheckPoint and Sonicwall firewall? I'm running CheckPoint 4.1 SP2 and have attempted to do this. I've gotten so far as to have the firewalls exchange keys and establish an encrypted connection. But when I try an FTP to the client's FTP server, it times out. The Sonicwall firewall drops the packet and reports illegal host. The CheckPoint firewall says it receives a message that the packet is malformed. The client claims they have a VPN setup with another CheckPoint firewall and it must be in my configuration. But I've duplicated their setup to no avail. I'm using IKE, DES, MD5.

Any ideas?

Sudhir Kondisetty

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================