Re: Checkpoint 4.0 and NG VPN --- Matter of life and Death

From:
Date: 07/18/02


Date: Thu, 18 Jul 2002 17:34:52 +0100


The answer probably depends on the licensing and software build of the
4.0 firewall.

Try checking the following commands:

# fw ver -k
# fw printlic

This should tell you about what versions and licenses you have (DON'T
post the information back here; if you want to email it to me
privately I will be happy to assist you a little more).

You should be able to set up a VPN between 4.0 and NG as long as you
have the following:

EITHER:

4.0 [FWZ + DES] (even better if you have + 3DES too) software and a
license for that machine that includes encryption.

OR

4.0 [FWZ] and an encryption license and you run either NG FP-1 or NG
FP-2 with the FWZ hack.

If you can use IKE, you will need some fairly simple IPSEC rules
between the firewall external addresses and then some ENCRYPT rules
for the internal host-host connectivity. You may need to disable
subnet support on the NG firewall for the 4.0 VPN.

If you use FWZ, you should again make some gateway-gateway rules for
the FWZ key exchanges, and then your ENCRYPT rules.

The rules you need should still be available from the knowledgebase at
www.checkpoint.com; the ports you need are the same regardless of the
version of software.

Feel free to email me directly for more help.

NetMonkey

===============================

On 1 Jul 2002 00:43:12 -0700, chethan@newwavecomputing.com (chethan)
wrote:

>Hi,
>
>I have two firewalls, one a CP 4.0 and the other CP NG. Both have VPN
>modules.
>We are trying to establish a VPN between the two. Checkpoint says that
>they have withdrawn support for 4.0 and are refusing to respond.
>
>Is this possible, if so, how? Has anyone done this before? What are
>the URLs that I can use to get detailed instructions on how to do
>this?
>
>Matter of life and death. The product has already been purchased.
>
>I cannot upgrade the 4.0 now, because of the cost implication and
>also that is in full production mode. HELP!!!!
