[fw-wiz] Checkpoint to Cisco - Hardware VPN works, software doesn't

From: Northrup, Tyler (tnorthru_at_usd.edu)
Date: 12/12/03

  • Next message: Petreski, Samuel: "RE: [fw-wiz] Open Source Personal Firewall?"
    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 12 Dec 2003 08:13:28 -0600

    I have a Checkpoint NG FP3 at one site and a Cisco 3030 concentrator at the
    other. There is a hardware-based ipsec tunnel between the checkpoint and
    concentrator with network lists allowing 5 systems to communicate between
    the networks (see below). This tunnel works fine.

    Server1 - |
    Server2 - - - CHECKPOINT <> CONCENTRATOR - - - Server1
    Server3 - | | | - Server2
                    software vpn

    However, since configuring this tunnel, I have not been able to initiate
    software vpn connections from behind the checkpoint to the concentrator
    (worked previously). These connections originate on separate network off
    the checkpoint to the cisco concentrator. It worked fine prior to
    implementation of the IPSEC tunnel. I know the traffic gets to the
    checkpoint, but it either does not leave, or it leaves via the tunnel (which
    it should not as these systems are not part of the network lists / rules)
    and gets dropped.

    I adminster the concentrator, but do not directly support the Checkpoint.
    Any direction would be appreciated as I am working with the other
    administrator to solve the issue.


    Tyler Northrup
    IT Security Officer
    The University of South Dakota
    firewall-wizards mailing list

  • Next message: Petreski, Samuel: "RE: [fw-wiz] Open Source Personal Firewall?"

    Relevant Pages

    • RE: [fw-wiz] Checkpoint to Cisco - Hardware VPN works, software d oesnt
      ... Is the Checkpoint performing NAT on the software VPN's internal IP address? ... does that translation equate to the IP address that your Concentrator ... This tunnel works fine. ...
    • RE: frequent vpn tunnel drops
      ... Ensure that the subnets you are trying to route through the VPN tunnel are ... Attached is the log of the concentrator,sometimes it ... > Received remote IP Proxy Subnet data in ID Payload: ...
    • RE: interoperability of VPN checkpoint FW1 to ISA
      ... Aggressive mode is listed as a SHOULD ... implement, but most vendors seem to support it, not just Checkpoint ... > We saw something similar where a tunnel was made from a Cisco ...
    • IPSEC / VPN question
      ... The VPN is set between an OpenBSD 4.0 GENERIC and a Checkpoint NG FP3. ... When I etablish the tunnel all is okay for a while. ... The problem appear to come from the OpenBSD side and that for 3.9 and 4.0. ... The Checkpoint side has 3DES/SHA/GRP2 with PRE-SHARED Secret for Phase 1 and 3DES/SHA for Phase2 enabled. ...