Re: CheckPoint SecureClient to Cisco PIX



How to configure an IPSec tunnel between a PIX Firewall and a
Checkpoint Firewall.

To set up the IPSec VPN tunnel, perform these steps:

Step 1: Configure the Internet Key Exchange (IKE) proposal on both
devices.

Step 2: Configure the IPSec parameters on both devices.

Step 3: Specify network ranges on both devices for passing traffic
across the proposed tunnel.

For assistance with the configuration settings, resolving an IPSec
tunnel between a PIX Firewall and Checkpoint Firewall as well as
specific debug setting information, refer to:

Configuring an IPSec Tunnel - Cisco Secure PIX Firewall to Checkpoint
4.1 Firewall

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008009420f.shtml

Step 4: Once the tunnel has been configured, attempt to pass traffic
from a workstation on one side of the connection to a workstation on
the other side of the connection.

If you are able to ping, the tunnel is functioning properly.

If you are not able to ping, determine the state of the connection by
issuing the show crypto isakmp sa and show crypto ipsec sa commands on
the PIX Firewall (command reference:
http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a00805fd881.html).

Step 5: If in the output of the show crypto isakmp sa command the state
shows anything other than QM_IDLE, phase 1 (Internet Security
Association and Key Management Protocol [ISAKMP]) has not been properly
negotiated and should be examined.

The results should resemble this example:

    cisco_endpoint# show crypto isakmp sa
        dst             src             state    pending  created
        172.18.124.157  172.18.124.35   QM_IDLE        0        2

Issuing the show crypto ipsec sa command identifies information about
phase 2 of the connection (IPSec).

Step 6: The proper peer and local endpoint for the tunnel should be
identified.

Furthermore, if traffic has been passed across the tunnel, the counters
for both pkts encaps and pkts decaps should be incrementing.

If either value is not incrementing, a determination can usually be
made as to which side of the tunnel is having difficulty.

This is a portion of the command output:

    cisco_endpoint# show crypto ipsec sa
    interface: outside
        Crypto map tag: rtpmap, local addr. 172.18.124.158

       local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       current_peer: 172.18.124.157
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

-------------------------------------

For information on tunnels between a PIX Firewall and Checkpoint New
Generation (NG) Firewall, refer to:

Configuring an IPSec Tunnel Between a Cisco Secure PIX Firewall and a
Checkpoint NG Firewall

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ef796.shtml

For more information on resolving problems with the PIX Firewall passing
traffic on an established IPSec tunnel, refer to:

Troubleshooting the PIX to Pass Data Traffic on an Established IPSec
Tunnel

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a008009448c.shtml

Hope this helps.

Brad Reese
BradReese.Com - Cisco Network Engineer Directory
http://www.bradreese.com/network-engineer-directory.htm
1293 Hendersonville Road, Suite 17
Asheville, North Carolina USA 28803
USA & Canada: 877-549-2680
International: 828-277-7272
Fax: 775-254-3558
AIM: R2MGrant
Website: http://www.bradreese.com/contact-us.htm
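Added example, not part of the post above: a small Python helper that applies the two checks Brad describes (phase 1 state must be QM_IDLE; the pkts encaps and pkts decaps counters must both advance between two readings) to captured PIX output. The sample output is constructed, modelled on the excerpts in the post; the function names are my own.

```python
import re

# Constructed 'show crypto isakmp sa' output, modelled on the post's excerpt
ISAKMP_OUTPUT = """\
    dst             src             state    pending  created
    172.18.124.157  172.18.124.35   QM_IDLE        0        2
"""

# Two constructed 'show crypto ipsec sa' snapshots taken a few pings apart:
# our side keeps encrypting (encaps grows) but nothing ever comes back (decaps stays 0)
IPSEC_SNAPSHOT_1 = """\
   local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 172.18.124.157
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
"""
IPSEC_SNAPSHOT_2 = IPSEC_SNAPSHOT_1.replace("encaps: 10", "encaps: 25")

# One SA row: dst src state pending created (the header line has no digits, so it is skipped)
_ISAKMP_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$", re.M)

def isakmp_states(output):
    """Return {(dst, src): state} for every ISAKMP SA row in the output."""
    return {(m.group(1), m.group(2)): m.group(3) for m in _ISAKMP_ROW.finditer(output)}

def phase1_ok(output):
    """Phase 1 is healthy only if at least one SA exists and every SA is in QM_IDLE."""
    states = isakmp_states(output)
    return bool(states) and all(s == "QM_IDLE" for s in states.values())

def pkt_counters(output):
    """Extract the (encaps, decaps) packet counters from 'show crypto ipsec sa'."""
    enc = int(re.search(r"#pkts encaps:\s*(\d+)", output).group(1))
    dec = int(re.search(r"#pkts decaps:\s*(\d+)", output).group(1))
    return enc, dec

def diagnose(snapshot_a, snapshot_b):
    """Compare two snapshots and report which direction of the tunnel has stalled."""
    enc_a, dec_a = pkt_counters(snapshot_a)
    enc_b, dec_b = pkt_counters(snapshot_b)
    sending, receiving = enc_b > enc_a, dec_b > dec_a
    if sending and receiving:
        return "ok"
    if sending:
        return "no-return-traffic"    # we encrypt, nothing comes back: examine the remote side
    if receiving:
        return "no-outbound-traffic"  # peer's packets arrive, we never encrypt: examine the local side
    return "no-traffic"               # nothing moves: re-check phase 2 / interesting-traffic match
```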
