CPUG

The Check Point User Group

#1 chrisc (Junior Member), 2006-01-15
VPN between SonicWall and NG AI

Hi

I'm having problems getting a site-to-site VPN working between a Check Point (NG AI 54, running on SPLAT) and a SonicWall (SonicOS Standard 3.1.0.2-62s) firewall. The Check Point is configured for traditional mode VPN.

The closest that I can get gives me an error "IKE: Main Mode No matching encryption methods between myself and the peer". What exactly does this mean?

Is there a way to debug IKE, something like the Cisco IOS command 'debug crypto isakmp'? I've tried a tcpdump -vv filtering on the remote gateway, but it doesn't show me anything useful.

Thanks in advance for your help.
Chris

#2 maurox (Member), 2006-01-17

Try with this:
http://www.vpn-technology.com/Intero...eckPointNG.pdf
Maurox

#3 Peter (Junior Member), 2006-01-18

The command to begin IKE debug is 'vpn debug ikeon'. To stop debugging use 'vpn debug ikeoff'. The log file is ike.elg. To see it you need ikeview.exe (works under Windows).

In your case you probably have a problem with IKE Phase 1 negotiations. Check the SA TTL and DH group.
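
Added example (not part of the original thread, and not Check Point or SonicWall tooling): the first Main Mode packets are sent unencrypted, so the Phase 1 proposal behind a "No matching encryption methods" error can be read from the UDP port 500 payload of a capture. The Python below decodes the offered transforms from a constructed packet and lists the fields that differ from a local policy; `SAMPLE`, `LOCAL_POLICY` and the function names are assumptions made for illustration.

```python
import struct
# IKEv1 Phase 1 attribute types and values (RFC 2409, Appendix A).
ATTR = {1: "encryption", 2: "hash", 3: "auth", 4: "dh_group",
        11: "life_type", 12: "life_duration", 14: "key_length"}
NAMES = {"encryption": {1: "DES", 5: "3DES", 7: "AES"},
         "hash": {1: "MD5", 2: "SHA1"}, "auth": {1: "PSK", 3: "RSA-SIG"},
         "life_type": {1: "seconds", 2: "kilobytes"}}

def parse_attrs(buf):
    """Decode ISAKMP data attributes: TV if the high bit is set, else TLV."""
    out, i = {}, 0
    while i + 4 <= len(buf):
        typ, val = struct.unpack_from("!HH", buf, i)
        i += 4
        if typ & 0x8000:                  # TV: the 2-byte value is inline
            value = val
        else:                             # TLV: val is the value's length
            value = int.from_bytes(buf[i:i + val], "big")
            i += val
        name = ATTR.get(typ & 0x7FFF, f"attr_{typ & 0x7FFF}")
        out[name] = NAMES.get(name, {}).get(value, value)
    return out

def offered_transforms(packet):
    """Return the Phase 1 transforms offered in Main Mode packet 1."""
    if len(packet) < 48 or packet[16] != 1 or packet[18] != 2:
        raise ValueError("not a Main Mode packet starting with an SA payload")
    prop = 28 + 12                        # ISAKMP header, then SA hdr+DOI+situation
    pos, count, result = prop + 8 + packet[prop + 6], packet[prop + 7], []
    for _ in range(count):
        length = struct.unpack_from("!H", packet, pos + 2)[0]
        if length < 8 or pos + length > len(packet):
            raise ValueError("truncated transform payload")
        result.append(parse_attrs(packet[pos + 8:pos + length]))
        pos += length
    return result

def mismatches(offer, policy):
    """Policy fields whose offered value differs from the local setting."""
    return [k for k, v in policy.items() if offer.get(k) != v]

# Constructed sample: packet 1 offering 3DES/SHA1/PSK, DH group 2, 28800 s.
SAMPLE = bytes.fromhex(
    "1122334455667788" "0000000000000000" "01100200" "00000000" "00000054"
    "00000038" "00000001" "00000001"      # SA payload: DOI, situation
    "0000002c" "01010001" "00000024" "01010000"   # proposal 1, transform 1
    "80010005" "80020002" "80030001" "80040002" "800b0001" "000c000400007080")
LOCAL_POLICY = {"encryption": "3DES", "hash": "SHA1", "auth": "PSK",
                "dh_group": 5, "life_duration": 86400}   # assumed local settings
```

Calling `mismatches(offered_transforms(SAMPLE)[0], LOCAL_POLICY)` on this constructed data reports the DH group and lifetime, the two settings the post above says to check.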

#4 jonas (Junior Member), 2006-02-06

Were you able to build a tunnel with the SonicWall?

I'm undertaking the same thing - I'm seeing in tracker:

IKE: Main Mode Sent Notification: Responder Lifetime
IKE: Main Mode Received Notification from Peer: Initial Contact
IKE: Main Mode completion.
IKE: Phase1 Received Notification from Peer: invalid cookie
IKE: Quick Mode Received Notification from Peer: invalid id information

The peer (SonicWall) is seeing "invalid cookie".

What I'm going to try next is to copy the document that maurox recommends (http://www.vpn-technology.com/Inter...heckPointNG.pdf).

Any other recommendations will be appreciated!



Thanks
ADV

#5 philofish (Member), 2006-02-09

It's definitely Phase 1 of IPsec that isn't correctly set up.

Make sure that all SAs are configured correctly.

#6 Lackie (Senior Member), 2006-02-10

Make sure that you are not NATing when going through the tunnel. If you are using communities, you can do this with the checkbox "Disable NAT within the community", or if you are using traditional mode, you can put a 'no-nat' rule at the top of your address translation page.

#7 jonas (Junior Member), 2006-02-10

Philofish / Lackie

Thank you for the response!

I’m using a Star Community. I tried the Traditional mode and I was getting nothing; it seems like with Simplified I get something.

Anyway, I’m setting IKE (Phase 1) to renegotiate IKE security associations every 30 minutes. Do you have any suggestions?

I Disable NAT inside the VPN community and I have no Address Translation going on with this gateway.


Getting back to the Phase 1 issue – I did start playing with the renegotiate time, but nothing!

At this point, I look like my 2 year old in front of a keyboard.


Thanks,
ADV

#8 2Legit (Junior Member), 2006-10-19

Where can I get IKEView.exe to view ike.elg files?

#9 chillyjim (Senior Member), 2006-10-19

Quote:
Originally posted by 2Legit
Where can I get IKEView.exe to view ike.elg files?

From TAC or your Check Point SE. It is a tool that is normally restricted to CSPs for reasons I've never understood.