CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hey, I have a very simple question. I have been asked to set up a VPN between a PIX and a Check Point running on a Nokia box. I have been told that on the Cisco side the VPN can be set up without a problem, but I have been asked to configure the VPN on the Check Point side. Now I have my CCSA but have never actually created a VPN before using Check Point. My question(s) is simple: firstly, what info do I need to know beforehand, e.g. version of CP, Nokia box hardware, etc.? Secondly, how do I set up the VPN? What do I need to set up on the Check Point side? Basically, how do I do it!?!?!? Any help greatly appreciated.
Thanks kva.kva. I did have a search on the forum but was hoping someone could just type in the steps that I need to take so it's all nice and easy for me!? I kind of understand what I need to configure at the Check Point end, but what info do I need to know from the Cisco end? IP addresses, encryption, etc.? Sorry if I sound dumb, but CCSA doesn't really incorporate much on VPNs and I've never set one up before!? Any more help would be great, mate.
Here is an old paper. Should get you on the way. It's based on 4.1 :-) but that should not matter if you configure traditional mode VPNs. Good luck! Cheerz, L. http://www.cisco.com/warp/public/110/cp-p.html
Here is the NG instruction: http://www.cisco.com/en/US/tech/tk58...800ef796.shtml Use the Advanced Search forum with the keywords Cisco or PIX and author Sergej. I have already posted about 5 times how to do this ;) In short: www.cisco.com/go/pix -> Configure -> Configuration Examples and TechNotes -> CheckPoint
I have just configured Check Point NGX R61 with a PIX 506E running 7.1(2).

VPN interconnection between a PIX 506E and two Check Point NGX boxes (original write-up)

I got a PIX 506E firewall from a friend, found a 128 MB memory module at the computer mall and added it, and upgraded the OS to 7.1(2). Because there is not enough flash space, ASDM cannot be used, but the box still feels quite usable. I also installed two Check Point NGX R61 machines and, after completing the basic configuration, set up a VPN. The Check Point configuration process is hard to write up, so I mainly paste the PIX 506E configuration process. The following is the configuration process as I went through it, looking up the help as I worked. Pasting only the finished configuration would not be convenient for reading and learning!!

The environment is as follows:

PIX 506E: E1: 10.10.10.1/24, E0: 210.21.xx.19/255.255.252.0
Checkpoint1: eth1: 192.168.10.252, eth0: 211.155.xx.115/255.255.255.192
Checkpoint2: eth1: 192.168.0.10, eth0: 211.155.xx.67/255.255.255.192

Start configuring:

```
pix1(config)# isakmp ?
configure mode commands/options:
  am-disable         Disable inbound aggressive mode connections
  client             Set client configuration policy (DEPRECATED - see 'help isakmp')
  disconnect-notify  Enable disconnect notification to peers
  enable             Enable ISAKMP on the specified interface
  identity           Set identity type (address, hostname or key-id)
  ipsec-over-tcp     Enable and configure IPSec over TCP
  keepalive          Set keepalive interval (DEPRECATED - see 'help isakmp')
  key                Set pre-shared key for remote peer (DEPRECATED - see 'help isakmp')
  nat-traversal      Enable and configure nat-traversal
  peer               Set xauth and config mode exemption for the specified peer (DEPRECATED - see 'help isakmp')
  policy             Set ISAKMP policy suite
  reload-wait        Wait for voluntary termination of existing connections before reboot
pix1(config)# isakmp enable ?
configure mode commands/options:
Current available interface(s):
  inside   Name of interface Ethernet1
  outside  Name of interface Ethernet0
pix1(config)# isakmp enable outside
pix1(config)# isakmp policy ?
configure mode commands/options:
  <1-65535>  Policy suite priority(1 highest, 65535 lowest)
pix1(config)# isakmp policy 10 ?
configure mode commands/options:
  authentication  Set authentication method (pre-share or rsa-sig or dsa-sig)
  encryption      Set encryption algorithm (des, 3des, aes-128, aes-192, or aes-256)
  group           Set Diffie-Hellman group (1,2,5 or 7)
  hash            Set hash algorithm (md5 or sha)
  lifetime        Set ISAKMP SA lifetime (seconds)
pix1(config)# isakmp policy 10 authentication ?
configure mode commands/options:
  dsa-sig    set auth dsa-sig
  pre-share  set auth pre-share
  rsa-sig    set auth rsa-sig
pix1(config)# isakmp policy 10 authentication pre-share
pix1(config)# isakmp policy 10 encryption ?
configure mode commands/options:
  3des     3des encryption
  aes      aes-128 encryption
  aes-192  aes-192 encryption
  aes-256  aes-256 encryption
  des      des encryption
pix1(config)# isakmp policy 10 encryption 3des
The 3DES/AES algorithms require a VPN-3DES-AES activation key.
pix1(config)# isakmp policy 10 encryption aes
The 3DES/AES algorithms require a VPN-3DES-AES activation key.
pix1(config)# isakmp policy 10 encryption des
pix1(config)# isakmp policy 10 group ?
configure mode commands/options:
  1  Diffie-Hellman group 1
  2  Diffie-Hellman group 2
  5  Diffie-Hellman group 5
  7  Diffie-Hellman group 7
pix1(config)# isakmp policy 10 group 2
pix1(config)# isakmp policy 10 hash ?
configure mode commands/options:
  md5  set hash md5
  sha  set hash sha
pix1(config)# isakmp policy 10 hash md5
pix1(config)# isakmp policy 10 lifetime ?
configure mode commands/options:
  <120-2147483647>  Lifetime in seconds
  none              Disable rekey and allow an unlimited rekey period
pix1(config)# isakmp policy 10 lifetime 86400
pix1(config)# isakmp key netexpert address 211.155.xx.115 netmask 255.255.255.192
```

IKE phase 1: the resulting isakmp configuration

```
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 211.155.xx.115 type ipsec-l2l
tunnel-group 211.155.xx.115 ipsec-attributes
 pre-shared-key *
```

IKE phase 2

```
pix1(config)# crypto ?
configure mode commands/options:
  ca           Certification authority
  dynamic-map  Configure a dynamic crypto map
  ipsec        Configure transform-set, IPSec SA lifetime, and fragmentation
  isakmp       Configure ISAKMP
  key          Long term key operations
  map          Configure a crypto map
pix1(config)# crypto ipsec ?
configure mode commands/options:
  df-bit                Set IPsec DF policy
  fragmentation         Set IPsec fragmentation policy
  security-association  Set security association lifetime
  transform-set         Define transform and settings
pix1(config)# crypto ipsec transform-set ?
configure mode commands/options:
  WORD < 64 char  Transform set tag
pix1(config)# crypto ipsec transform-set myset ?
configure mode commands/options:
  esp-3des      esp 3des encryption
  esp-aes       esp aes 128 encryption
  esp-aes-192   esp aes 192 encryption
  esp-aes-256   esp aes 256 encryption
  esp-des       esp des encryption
  esp-md5-hmac  esp md5 authentication
  esp-none      esp no authentication
  esp-null      esp null encryption
  esp-sha-hmac  esp sha authentication
pix1(config)# crypto ipsec transform-set myset esp-des esp-md5-hmac
access-list 101 extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
pix1(config)# crypto map mymap 20 ?
configure mode commands/options:
  ipsec-isakmp  IPSec w/ISAKMP
  match         Match address of packets to encrypt
  set           Specify crypto map settings
pix1(config)# crypto map mymap 20 match address ?
configure mode commands/options:
  WORD  Access-list name
pix1(config)# crypto map mymap 20 match address 101
pix1(config)# crypto map mymap 20 set ?
configure mode commands/options:
  connection-type       Specify connection-type for site-site connection based on this entry
  inheritance           Specify inheritance(data or acl rule) to be used while initiating a connection based on this entry
  nat-t-disable         Disable nat-t negotiation for connections based on this entry
  peer                  Set IP address of peer
  pfs                   Specify pfs settings
  phase1-mode           Specify mode(main or aggressive) to be used while initiating a connection based on this entry
  reverse-route         Enable reverse route injection for connections based on this entry
  security-association  Security association duration
  transform-set         Specify list of transform sets in priority order
  trustpoint            Specify trustpoint that defines the certificate to be used while initiating a connection based on this entry
pix1(config)# crypto map mymap 20 set peer 211.155.xx.115
pix1(config)# crypto map mymap 20 set transform-set ?
configure mode commands/options:
  WORD  Proposal tag
pix1(config)# crypto map mymap 20 set transform-set myset ?
configure mode commands/options:
  WORD  Proposal tag
  <cr>
pix1(config)# crypto map mymap 20 set transform-set myset
pix1(config)# crypto map mymap interface outside
```

IKE phase 2: the resulting configuration

1) Static VPN configuration method

```
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 20 match address 101
crypto map mymap 20 set peer 211.155.xx.115
crypto map mymap 20 set transform-set myset
crypto map mymap interface outside
isakmp policy 10 encryption des
```

Note: both methods require an access-list to be configured:

```
access-list nonat extended permit ip 172.29.131.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
```

Results:

```
pix1# show crypto isakmp sa
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1   IKE Peer: 211.155.xx.115
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 211.155.xx.67
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
pix1#
pix1# show crypto ipsec sa
interface: outside
    Crypto map tag: mymap, seq num: 100, local addr: 210.21.xx.19
      access-list 102 permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      current_peer: 211.155.xx.67
      #pkts encaps: 1544, #pkts encrypt: 1544, #pkts digest: 1544
      #pkts decaps: 1516, #pkts decrypt: 1516, #pkts verify: 1516
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1544, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 1, #recv errors: 0
      local crypto endpt.: 210.21.xx.19, remote crypto endpt.: 211.155.xx.67
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 030C3E24
    inbound esp sas:
      spi: 0x0BDCF94A (199031114)
         transform: esp-des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 6, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (3824882/27619)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x030C3E24 (51133988)
         transform: esp-des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 6, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (3824886/27616)
         IV size: 8 bytes
         replay detection support: Y
    Crypto map tag: mymap, seq num: 10, local addr: 210.21.xx.19
      access-list 101 permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      current_peer: 211.155.xx.115
      #pkts encaps: 1035, #pkts encrypt: 1035, #pkts digest: 1035
      #pkts decaps: 918, #pkts decrypt: 918, #pkts verify: 918
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1035, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 210.21.xx.19, remote crypto endpt.: 211.155.xx.115
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 931CCC41
    inbound esp sas:
      spi: 0x895BAC62 (2304486498)
         transform: esp-des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 5, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (3824946/27605)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x931CCC41 (2468138049)
         transform: esp-des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 5, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (3824939/27605)
         IV size: 8 bytes
         replay detection support: Y
pix1#
```
The following is the PIX 506E VPN configuration:

```
: Saved
: Written by enable_15 at 15:35:21.676 GMT Fri Jul 14 2006
!
PIX Version 7.1(2)
!
hostname pix1
domain-name cisco.com
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 210.21.xx.19 255.255.252.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone GMT 8
dns server-group DefaultDNS
 domain-name cisco.com
access-list acl_out extended permit icmp any any
access-list 101 extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 102 extended permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 110 extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 110 extended permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp permit any outside
icmp permit any inside
asdm location 192.168.0.108 255.255.255.255 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 210.21.56.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username cisco password 3USUcOPFUiMCO4Jk encrypted
http server enable
http 0.0.0.0 0.0.0.0 inside
snmp-server host inside 192.168.0.254 community public
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start stop
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 211.155.xx.115
crypto map mymap 10 set transform-set myset
crypto map mymap 100 match address 102
crypto map mymap 100 set peer 211.155.xx.67
crypto map mymap 100 set transform-set myset
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 211.155.xx.115 type ipsec-l2l
tunnel-group 211.155.xx.115 ipsec-attributes
 pre-shared-key netexpert
tunnel-group 211.155.xx.67 type ipsec-l2l
tunnel-group 211.155.xx.67 ipsec-attributes
 pre-shared-key netexpert
telnet 192.168.0.108 255.255.255.255 inside
telnet 192.168.0.254 255.255.255.255 inside
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 60
management-access inside
tftp-server inside 192.168.0.108 asdm-512.bin
Cryptochecksum:e892d34a9552c89fce96e80ec566874d
: end
```
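The original question in this thread was what the Check Point admin needs to know from the Cisco end. As an added example (not code from the thread, from Cisco or from Check Point), the script below pulls exactly that out of a PIX 7.x config in the shape posted above: per crypto-map peer, the encryption domain from the matched access-list, the phase 1 (isakmp policy) and phase 2 (transform-set) proposals, and whether a tunnel-group with a pre-shared key exists for that peer. It also flags the algorithm choices that the session above fell back to only because 3DES/AES needed a VPN-3DES-AES activation key. The sample config is a constructed, trimmed copy of the posted one with the same masked addresses, a placeholder key, and the second peer's tunnel-group deliberately omitted so the missing-PSK check has something to report.

```python
"""Extract the IKE/IPsec parameters the far side (here Check Point) must mirror from a PIX 7.x config.
Added example; parses only the command forms seen in the posted config."""
from collections import defaultdict

# Constructed sample in the shape of the posted PIX 7.1(2) config, trimmed to VPN lines.
# Public addresses masked with "xx" as in the thread; the PSK is a placeholder; the
# tunnel-group for peer 211.155.xx.67 is intentionally left out.
SAMPLE_CONFIG = """\
access-list 101 extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 102 extended permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 211.155.xx.115
crypto map mymap 10 set transform-set myset
crypto map mymap 100 match address 102
crypto map mymap 100 set peer 211.155.xx.67
crypto map mymap 100 set transform-set myset
crypto map mymap interface outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 211.155.xx.115 type ipsec-l2l
tunnel-group 211.155.xx.115 ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK
"""

# Choices a current deployment should not accept (the thread only landed on them because
# the 3DES/AES activation key was missing).
WEAK = {"des": "single DES", "esp-des": "single DES", "md5": "MD5", "esp-md5-hmac": "HMAC-MD5",
        "1": "DH group 1 (768-bit)", "2": "DH group 2 (1024-bit)"}


def parse_pix_vpn(text):
    """Return the VPN-relevant pieces of a PIX config as plain dicts."""
    cfg = {"isakmp": defaultdict(dict), "transform_sets": {}, "maps": defaultdict(dict),
           "acls": defaultdict(list), "tunnel_groups": defaultdict(dict)}
    current_tg = None  # tunnel-group whose ipsec-attributes sub-mode we are inside
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:2] == ["isakmp", "policy"] and len(parts) >= 5:
            cfg["isakmp"][parts[2]][parts[3]] = parts[4]        # priority -> attribute -> value
        elif parts[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][parts[3]] = parts[4:]         # name -> [esp-..., esp-...]
        elif parts[:2] == ["crypto", "map"] and len(parts) >= 7 and parts[3].isdigit():
            entry = cfg["maps"][(parts[2], int(parts[3]))]      # "crypto map X interface Y" is skipped
            if parts[4:6] == ["match", "address"]:
                entry["acl"] = parts[6]
            elif parts[4:6] == ["set", "peer"]:
                entry["peer"] = parts[6]
            elif parts[4:6] == ["set", "transform-set"]:
                entry["transform_sets"] = parts[6:]
        elif parts[0] == "access-list" and "permit" in parts:
            i = parts.index("permit")                           # proto src smask dst dmask
            cfg["acls"][parts[1]].append(tuple(parts[i + 1:i + 6]))
        elif parts[0] == "tunnel-group":
            current_tg = parts[1]
            if parts[2] == "type":
                cfg["tunnel_groups"][current_tg]["type"] = parts[3]
        elif parts[0] == "pre-shared-key" and current_tg:
            cfg["tunnel_groups"][current_tg]["psk"] = True      # record presence, never the key
    return cfg


def peer_summaries(cfg):
    """One record per crypto-map peer: what the other side has to match."""
    phase1 = [dict(priority=p, **attrs)
              for p, attrs in sorted(cfg["isakmp"].items(), key=lambda kv: int(kv[0]))]
    out = []
    for (name, seq), entry in sorted(cfg["maps"].items()):
        if "peer" not in entry:
            continue
        domain = [(f"{t[1]}/{t[2]}", f"{t[3]}/{t[4]}")       # (local net, remote net)
                  for t in cfg["acls"].get(entry.get("acl"), []) if len(t) == 5]
        out.append({"peer": entry["peer"], "map": f"{name} {seq}", "encryption_domain": domain,
                    "phase1": phase1,                        # every isakmp policy is offered to every peer
                    "phase2": {ts: cfg["transform_sets"].get(ts, []) for ts in entry.get("transform_sets", [])},
                    "psk_configured": cfg["tunnel_groups"].get(entry["peer"], {}).get("psk", False)})
    return out


def weak_findings(cfg):
    """Flag phase 1 / phase 2 algorithm choices listed in WEAK."""
    findings = []
    for prio, pol in cfg["isakmp"].items():
        for attr in ("encryption", "hash", "group"):
            if pol.get(attr) in WEAK:
                findings.append(f"isakmp policy {prio}: {attr} {pol[attr]} ({WEAK[pol[attr]]})")
    for name, algs in cfg["transform_sets"].items():
        findings += [f"transform-set {name}: {alg} ({WEAK[alg]})" for alg in algs if alg in WEAK]
    return findings


if __name__ == "__main__":
    parsed = parse_pix_vpn(SAMPLE_CONFIG)
    for peer in peer_summaries(parsed):
        print(peer["peer"], peer["encryption_domain"], peer["phase2"],
              "PSK set" if peer["psk_configured"] else "NO tunnel-group/PSK for this peer")
    for finding in weak_findings(parsed):
        print("weak:", finding)
```

Running it on the sample prints the two peers with their 10.10.10.0/24 to 192.168.10.0/24 and 192.168.0.0/24 encryption domains, reports the missing tunnel-group for the second peer, and lists DES, MD5 and DH group 2 for phase 1 plus esp-des and esp-md5-hmac for phase 2 as weak. Those five values, together with the 86400-second phase 1 lifetime and the peer addresses, are the inputs the Check Point side has to mirror for the tunnel to negotiate at all; if the PIX can be licensed for 3DES/AES, changing both ends together is the straightforward fix.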