[c-nsp] VPN connection between 7206 and checkpoint

Johnson, Neil M neil-johnson at uiowa.edu
Fri Aug 25 13:16:27 EDT 2006


I had an issue between a PIX and a checkpoint.

The admin of the checkpoint had to disable a default option for the VPN
config.

I don't remember the exact option (it's been over a year and I'm working
somewhere else). I believe it had something to do with enabling strict
enforcement of some part of the key exchange.

As soon as he disabled the enforcement, the tunnel came up.

Sorry, I can't remember more. Hopefully it will set you in the right
direction.

--
Neil Johnson
Telecommunications and Network Services
The University of Iowa
319 384-0938 (Work)
319 330-2235 (Cell)


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Everton Diniz
Sent: Tuesday, August 22, 2006 4:33 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] VPN connection between 7206 and checkpoint

Does anyone have a config example for a 7206 to do a VPN tunnel with a Checkpoint
firewall with these requirements?

VPN encryption scheme: IKE
Authentication Method: Pre-Shared secret
Encapsulation: ESP
Encryption algorithm: AES-256
Data Integrity: SHA1
Diffie-Hellman group (IKE phase 1): Group 2 (1024 bit)
Renegotiate IKE (phase 1): 1440 minutes
Renegotiate IKE (phase 2): 3600 seconds
Supports key exchange for subnets: YES
Perfect Forward Secrecy? NO


Just to make sure of my config. That's it:
crypto isakmp policy 2
 authentication pre-share
 group 2

crypto isakmp key preshared address <other side>

crypto ipsec transform-set vpn esp-des esp-md5-hmac

crypto map teste 5 ipsec-isakmp
 set peer <other side>
 set transform-set vpn
 match address 117

access-list 117 permit gre host <my side> host <other side>

interface FastEthernet5/1
 description OUT
 ip address xx.xx.xx.xx xx.xx.xx.xx
 load-interval 30
 duplex full
 no cdp enable
 hold-queue 1024 in
 hold-queue 256 out
 crypto map teste
I know that my current IOS does not support AES, but if the crypto was DES,
would the config be OK?


Tks in advance,

Everton
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/