CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
VPN Between FireWall-1 (prior to NG) and Cisco

How do I configure a Cisco VPN device and a Firewall-1 version 4.1?

Answer
--------------------------------------------------------------------------------
(Credit goes to Ken Carvel for providing me this information, which appears relevant for FireWall-1 4.1 and earlier.)

On the Cisco Router:

```
!***Setup the ISAKMP policy using triple DES and a preshared key
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key sharedkey address (firewall external IP here)
!
!
!***Define authentication and encryption settings
!
crypto ipsec transform-set ciscofw1 esp-3des esp-md5-hmac
!
!***The actual map
!
crypto map fw1 10 ipsec-isakmp
 set peer (firewall external IP here)
 set transform-set ciscofw1
 !
 !***When something matches access-list 100, encrypt it
 !
 match address 100
!
!***Assign the map to the external interface
!
interface Ethernet0/0
 ip address 192.168.202.254 255.255.255.0
 crypto map fw1
 ip nat outside
!
!***We used NAT on our internal interface
!
interface Ethernet0/1
 description Internal LAN Interface
 ip address 192.168.201.254 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
ip nat inside source list 101 interface Ethernet0/0 overload
!
!*** Encrypt anything going to the 192.168.203 network
!
access-list 100 permit ip host 192.168.202.254 192.168.203.0 0.0.0.255
access-list 101 permit ip 192.168.201.0 0.0.0.255 any
```

On the Check Point FW-1:

Add an object for the router and set up its VPN encryption properties for IKE. Edit the IKE properties to match the router's crypto settings. Use preshared secret for the authentication method and set the secret key.

We added two rules, one for traffic coming from the Cisco and one for traffic going to the Cisco. They allow all traffic and the action is set to encrypt. Match the encrypt action's properties with the crypto settings on the router.
--------------------------------------------------------------------------------
User Comments:
--------------------------------------------------------------------------------
In setting up the following VPNs I've observed that the successful use of Diffie-Hellman Group 2 has been sporadic at best:

FW-1 4.1 - Cisco VPN Concentrator 3000 (3DES)
FW-1 4.1 - Cisco PIX 520 (3DES)
FW-1 NG FP1 - Cisco IOS (3DES)

In these combinations, in spite of getting negotiation up and running, the tunnel eventually came back down. Although it resembled a lifetime-related problem, troubleshooting the lifetimes resulted in no change. Dropping from DH Group 2 to DH Group 1 always resolved the issue. Phase 2 negotiations appeared to be more sensitive with regard to the DH groups; however, attempts to use DH Group 2 in Phase 1 and DH Group 1 in Phase 2 met with mixed results, ultimately resulting in a decision not to use Phase 2.
--------------------------------------------------------------------------------
-- RobertGraham - 08 Jan 2004
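The FAQ says to "match the encrypt action's properties with the crypto settings on the router", and the comment above shows how a DH group mismatch surfaces as a tunnel that negotiates and then drops. As an added example (not from the FAQ, Ken Carvel or CPUG), the script below parses the crypto-relevant lines of the router config above, fills in the IOS isakmp-policy defaults for anything the policy leaves unset (the FAQ's policy never sets "group", so it runs DH Group 1), and lists every value the FW-1 IKE properties dialog must agree with; the peer address and the `fw1_ike` dictionary shape are assumptions, not Check Point or Cisco APIs.

```python
# Constructed sample: the crypto lines from the FAQ's router config, with a
# placeholder peer address where the FAQ says "(firewall external IP here)".
IOS_CONFIG = """
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key sharedkey address 192.0.2.1
crypto ipsec transform-set ciscofw1 esp-3des esp-md5-hmac
crypto map fw1 10 ipsec-isakmp
 set transform-set ciscofw1
"""
# IOS defaults applied when an isakmp policy omits a parameter; the FAQ's policy
# omits "group", so it silently negotiates DH Group 1 and FW-1 must be set to 1.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}
ESP_ENCRYPTION = {"esp-des": "des", "esp-3des": "3des"}
ESP_AUTH = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha"}

def parse_ios_crypto(config):
    """Return (phase1, phase2): the isakmp policy and the transform-set settings."""
    phase1, phase2, in_policy = dict(ISAKMP_DEFAULTS), {}, False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):      # blank line or IOS comment
            continue
        if line.startswith("crypto isakmp policy"):
            in_policy = True
            continue
        if line.startswith("crypto ipsec transform-set"):
            # two-transform set as in the FAQ: <name> <esp-cipher> <esp-hmac>
            _, _, _, name, enc, auth = line.split()
            phase2 = {"name": name, "encryption": ESP_ENCRYPTION.get(enc, enc),
                      "auth": ESP_AUTH.get(auth, auth)}
        if line.startswith("crypto"):              # any top-level command ends the policy
            in_policy = False
            continue
        if in_policy:
            key, _, value = line.partition(" ")
            if key in phase1:                      # explicit value overrides the default
                phase1[key] = value
    return phase1, phase2

def compare_with_fw1(phase1, phase2, fw1_ike):
    """List router/FW-1 mismatches; fw1_ike holds what was entered in the IKE properties."""
    pairs = {"phase1_encryption": phase1["encr"], "phase1_hash": phase1["hash"],
             "phase1_dh_group": phase1["group"], "phase2_encryption": phase2["encryption"],
             "phase2_auth": phase2["auth"]}
    return [f"{k}: router={v} fw1={fw1_ike[k]}" for k, v in pairs.items() if v != fw1_ike[k]]
```

Running it with FW-1 set to DH Group 2 reports `phase1_dh_group: router=1 fw1=2`, the silent mismatch that the comment above describes as a tunnel that comes up and then drops.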