Re: [FW-1] FW-1 Site-to-site VPN with Cisco PIX in the middle.
Should work; Lars is correct to note that you must allow IP Protocol 50 (preferably
bi-directionally); on the PIX, this is "permit esp <src> <src_mask>
<dst> <dst_mask>". I played with this before, as it stretched
my understanding of how ESP is implemented in Check Point. As it turns out
(same in most other vendor implementations as well), AH is implemented within
ESP, meaning that the packet only has to get copied once (more efficient).
A side effect (benefit/detriment, depending on your perspective) is that the
outermost IP header is not authenticated, meaning that ESP can traverse NAT
without issues for site-to-site VPNs. I didn't pay super-close attention
at the time to main vs. aggressive mode; I predict that aggressive mode for IKE
will also increase your likelihood of success, as this will bypass the
identity-verification step of IKE.
HTH

Dan Hitchcock
CCNP, CCSE, MCSE
Security Operations Technical Lead
Breakwater Security Associates, Inc.
"Safe Harbor for Your Business"
dhitchcock (at) breakwatersecurity (dot) com
http://www.breakwatersecurity.com
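The "permit esp" rule above, written out as a complete PIX access-list pair for both directions; this is an added illustration, not configuration from the poster or the thread. The addresses are placeholders: 192.0.2.10 stands for the FW-1 gateway behind the PIX and 198.51.100.20 for the remote VPN peer; the IKE (UDP 500) entries are included because the IPsec tunnel cannot be negotiated without them.

```cisco
! Constructed example; interface names and addresses are placeholders.
! Inbound on the outside interface: ESP (IP protocol 50) and IKE from the remote peer
access-list outside_in permit esp host 198.51.100.20 host 192.0.2.10
access-list outside_in permit udp host 198.51.100.20 host 192.0.2.10 eq isakmp
access-group outside_in in interface outside

! Inbound on the inside interface: the same pair from our gateway towards the peer,
! so the tunnel works regardless of which side initiates
access-list inside_in permit esp host 192.0.2.10 host 198.51.100.20
access-list inside_in permit udp host 192.0.2.10 host 198.51.100.20 eq isakmp
access-group inside_in in interface inside
```

After bringing the tunnel up, "show access-list" on the PIX should show non-zero hit counts on both the esp and isakmp entries; a count stuck at zero on one side points at the direction that is still being dropped.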