CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.

Hi all,

I've gone through all the documentation available on the Cisco site related to setting up a VPN between the two devices. Most of the docs refer to a network object sitting behind the Check Point interface. Herein lies my question: I have multiple network objects sitting behind one interface. The group object is configured as listed to prevent anti-spoofing drops. When creating the workstation object and specifying the network/group behind the interface, the PIX side is fine. The Check Point side is a bit worrying. The Check Point interface and all the networks behind it are already configured. I only need to encrypt some of the traffic on the interface, not all.

1. Do I re-specify the network/group object behind the workstation interface, or do I leave it as is?
2. Would this mean that all the traffic will be encrypted if I leave the group object as is?
3. Is there any advice regarding implementation from those who have done it successfully that you may want to share?

Thank you.
rgrds
b

I've recently set up a site-to-site VPN between a Cisco 2600 and a Nokia gateway running NG AI R55. I can offer these suggestions:

- Use an Interoperable Device to define the Cisco router/PIX.
- Create network objects/groups for the networks behind the PIX [VPN domain].
- Make sure that your IKE Phase I and II encryption and hashing algorithms match exactly. Same thing for PFS, timeouts, and DH groups.
- For ease, use pre-shared keys instead of digital certificates (although certificates are possible, and more secure).
- Use a meshed topology for a point-to-point configuration.
- VPN domains control what can get encrypted (crypto ACLs on the Cisco side). They should be MIRROR images of each other (source/destinations reversed).
- The access rules control what will be allowed through the gateway interface, so use your VPN domain to specify what can get encrypted (networks or even hosts), then create an access rule.
- Use SmartView Tracker to monitor the IKE events, and these Cisco commands:

show crypto map
show crypto isakmp sa
show crypto ipsec sa

and of course debug crypto

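The two points in the post above that most often break a Check Point to Cisco tunnel are the mirror rule (the Cisco crypto ACL must be the Check Point VPN domain pairing with source and destination swapped) and the exact match of the IKE Phase I/II proposals. The following is an added example, not code from this thread and not a Check Point or Cisco tool: a small Python checker that parses constructed Cisco crypto ACL lines, builds the Check Point view from a local and a peer VPN domain, and reports any pair or proposal field that does not line up. It also shows the answer to the original question in code form: the local VPN domain is a list of the networks you want encrypted, which can be a subset of what sits behind the interface. All addresses, ACL lines and proposal values are hypothetical placeholders.

```python
"""
Added example (not from the CPUG thread, not a Check Point or Cisco tool):
check that a Cisco crypto ACL mirrors the Check Point VPN domain pairing and
that the IKE Phase 1/2 proposals match field by field.
Every network, ACL line and proposal value below is constructed for illustration.
"""
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

Pair = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def _addr_spec(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one Cisco ACL address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    # Cisco wildcard masks are inverse masks: 0.0.0.255 -> netmask 255.255.255.0
    netmask = ".".join(str(255 - int(o)) for o in tokens[i + 1].split("."))
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def parse_cisco_crypto_acl(lines: Iterable[str]) -> Set[Pair]:
    """Turn 'access-list N permit ip SRC DST' lines into (src, dst) network pairs.
    Only 'permit ip' entries matter for what the crypto map will encrypt."""
    pairs: Set[Pair] = set()
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2:4] != ["permit", "ip"]:
            continue
        src, i = _addr_spec(t, 4)
        dst, _ = _addr_spec(t, i)
        pairs.add((src, dst))
    return pairs


def checkpoint_domain_pairs(local_domain: Iterable[str], peer_domain: Iterable[str]) -> Set[Pair]:
    """Check Point encrypts traffic between its own VPN domain and the peer's VPN domain.
    The local domain can be a subset of the networks behind the interface; only
    traffic between the two domains is encrypted, the rest is routed in the clear."""
    local = [ipaddress.ip_network(n) for n in local_domain]
    peer = [ipaddress.ip_network(n) for n in peer_domain]
    return {(l, p) for l in local for p in peer}


def compare_domains(cp_pairs: Set[Pair], cisco_pairs: Set[Pair]) -> Dict[str, List[str]]:
    """The Cisco crypto ACL must be the Check Point view with src/dst swapped."""
    expected_on_cisco = {(dst, src) for src, dst in cp_pairs}

    def fmt(p: Pair) -> str:
        return f"{p[0]} -> {p[1]}"

    return {
        "missing_on_cisco": sorted(fmt(p) for p in expected_on_cisco - cisco_pairs),
        "extra_on_cisco": sorted(fmt(p) for p in cisco_pairs - expected_on_cisco),
    }


IKE_FIELDS = (
    "phase1_encryption", "phase1_hash", "phase1_dh_group", "phase1_lifetime_seconds",
    "phase2_encryption", "phase2_hash", "phase2_pfs_group", "phase2_lifetime_seconds",
)


def compare_ike(cp: Dict[str, object], cisco: Dict[str, object]) -> List[Tuple[str, str, str]]:
    """Return (field, check_point_value, cisco_value) for every field that differs.
    Values are compared case-insensitively as strings; a missing field is a mismatch."""
    out = []
    for f in IKE_FIELDS:
        a, b = str(cp.get(f, "")).lower(), str(cisco.get(f, "")).lower()
        if a != b:
            out.append((f, a, b))
    return out


# --- constructed sample data (hypothetical addresses and settings) ---
CP_LOCAL_DOMAIN = ["10.1.10.0/24", "10.1.20.0/24"]   # two of the networks behind the CP interface
CP_PEER_DOMAIN = ["192.168.50.0/24"]                  # network behind the PIX (Interoperable Device)
CISCO_ACL = [
    "access-list 101 permit ip 192.168.50.0 0.0.0.255 10.1.10.0 0.0.0.255",
    "access-list 101 permit ip 192.168.50.0 0.0.0.255 10.1.30.0 0.0.0.255",  # wrong subnet
]
CP_IKE = {"phase1_encryption": "3DES", "phase1_hash": "SHA1", "phase1_dh_group": "group2",
          "phase1_lifetime_seconds": 86400, "phase2_encryption": "3DES", "phase2_hash": "SHA1",
          "phase2_pfs_group": "group2", "phase2_lifetime_seconds": 3600}
CISCO_IKE = {"phase1_encryption": "3des", "phase1_hash": "md5", "phase1_dh_group": "group2",
             "phase1_lifetime_seconds": 86400, "phase2_encryption": "3des", "phase2_hash": "sha1",
             "phase2_pfs_group": "group2", "phase2_lifetime_seconds": 3600}


def run_check() -> Dict[str, object]:
    cp_pairs = checkpoint_domain_pairs(CP_LOCAL_DOMAIN, CP_PEER_DOMAIN)
    domain_report = compare_domains(cp_pairs, parse_cisco_crypto_acl(CISCO_ACL))
    return {"domains": domain_report, "ike_mismatches": compare_ike(CP_IKE, CISCO_IKE)}


if __name__ == "__main__":
    for key, value in run_check().items():
        print(key, value)
```

With the sample data the checker flags one pair the PIX is missing (192.168.50.0/24 to 10.1.20.0/24), one extra pair the Check Point side will never propose (10.1.30.0/24), and a Phase 1 hash mismatch (SHA1 versus MD5); any one of those is enough to stop Phase 1 or Phase 2 from completing, which is what the `show crypto isakmp sa` / `show crypto ipsec sa` output and SmartView Tracker would then show.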
Thanks. I got the same advice yesterday from an expert. The VPN domain setup looks like a great option. The Cisco-to-Check Point docs explain LAN-to-LAN IPsec tunnel setup; they do not, however, explain VPN domains on CP. Thanks again. Appreciated.
Rgrds
b

Hi,

We have set up the site-to-site VPN between a Cisco 3030 and Check Point NG R55. The tunnel is up and running fine, and I am able to access the hosts on the other LAN side. One peculiar problem I am facing is that I am not able to reach some of the hosts on the same VLAN. When I do a trace, I am able to reach up to my firewall and after that it drops. All these hosts are up and running. We have checked for duplicate routes as well as hosts, but nothing is there. Please help me.

Thanks,
Naresh

Hi,

We had issues between a Cisco 3030 and our cluster running NG R55. The problem was that the cluster members would each create their own SPI with the 3030 using the same address. When the 3030 saw the new SPI from the second cluster member connecting, it would remove the first one. After that, any traffic coming via the first cluster member would be dropped with an invalid SPI message. Depending on which cluster member routed the traffic, the client would or would not get a connection. We had four hosts at the other site, and usually one or two would connect and the others wouldn't. With other VPNs the other end seems to keep track of both SPIs, so there is no issue; I have tried this with PIX, IOS, and an Enterasys VPN device. Our fix ended up being that the guys at the other end ditched their 3030 and went for an IOS-based device. No issues since then. Apparently NGX has "enable Sticky Decision Function"; I imagine that this could be configured to make all traffic go through one cluster member and keep the 3030 happy.

Hope this information is of some use.
Cheers,
Sean

Hi all,

The saga continues... Has anybody got this working with PIX v7 and R55 yet? At this point I'm just looking for a straight answer. I tried again a few weeks ago and still get the same drops... and this is after we made sure there is no NAT involved... HELP!?
b

How! Picked this up... http://www.icsalabs.com/icsa/labnote.php?cid=a655$e404da4b-399e61a1$59e3-4b1900e2 Please review, it may help. I find something strange though. As per the document, under Action I should have the option to Encrypt... it is not there. The licence does, however, indicate 3DES...? Any suggestions?

The Encrypt option is only available when you use a traditional mode setup. Most likely you are using simplified mode. Check/modify in SmartDashboard, Policy; Convert to -->

Hi,

The option is not available with Convert to -->; only simplified mode is checked in Global Properties. If I enable traditional mode, will I have any hassles? VPN communities have never worked, so no risk there. Once the traditional mode config is enabled, should I be able to use existing documentation to configure the VPN, i.e. Cisco VPN Concentrator to CP?

Thanks in advance.
Regards,
B

Hi,

I think that simplified mode should be used only for CP-to-CP VPNs using VPN communities. You must use traditional mode to make it work with other vendors. In your rulebase you need to have the same rules (src-dst-services) as you have in the access-list on the PIX (but mirrored!), then you put the Encrypt action.

As maverick said:

- Use an Interoperable Device to define the Cisco router/PIX.
- Create network objects/groups for the networks behind the PIX [VPN domain].
- Make sure that your IKE Phase I and II encryption and hashing algorithms match exactly. Same thing for PFS, timeouts, and DH groups.
- For ease, use pre-shared keys instead of digital certificates (although certificates are possible, and more secure).
- Use a meshed topology for a point-to-point configuration.
- VPN domains control what can get encrypted (crypto ACLs on the Cisco side). They should be MIRROR images of each other (source/destinations reversed).

Good luck!

Hi,

We have active VPNs with Check Point AI R55 and Cisco 1721 routers, IOS 12.4(8), configured in traditional mode. Our problem is the interruption of the VPN at the installation of a new policy on the Check Point. In the location connected by the Cisco router there are many employees with telnet sessions to the host in the headquarters, secured by Check Point. These telnet sessions break down when the policy is installing. Is there a way to hold the VPN while the policy is installing?

Thanks,
Detsh

SmartDashboard -> Gateway Object -> Properties -> Advanced -> Connection Persistence
__________________
It's all in the documentation.

Maverick's advice is good. Stick with the simplified mode policy; they work. I have many site-to-site VPNs from CP to Cisco, Nortel, Watchguard etc., and all are under simplified mode policies. Also, simplified mode is the way Check Point are moving; traditional mode won't be an option to use in the future. Not sure when, but this is information I have from my Check Point contacts.

There are a number of things to try. Try using MD5 and then test; if that doesn't work, try SHA1. I've had instances where one will work but the other won't. It is imperative you have the Cisco encryption domain set correctly; Check Point is far more forgiving in this area than Cisco. Also, try setting all the traditional mode options in the gateway objects to match. While this is not strictly required in a simplified mode policy, they may help.