CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Why CheckPoint is sending 0.0.0.0/ 0.0.0.0 Proxy ID to Cisco

  1. #1

    Hi Guys,

    I am setting up a VPN with a Cisco router, and the debug shows the CheckPoint Firewall is sending 0.0.0.0/0.0.0.0 as Domain encryption domain, and I'm not sure why!!

  2. #2

    Quote Originally Posted by blason View Post
    Hi Guys,

    I am setting up a VPN with a Cisco router, and the debug shows the CheckPoint Firewall is sending 0.0.0.0/0.0.0.0 as Domain encryption domain, and I'm not sure why!!

    You have "one VPN tunnel per gateway pair" set on the VPN Tunnel Sharing screen of your VPN community, or on the VPN Advanced screen of the Cisco Interoperable Device object.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.

  3. #3

    Going to make an educated guess that the Community is set to be 1 VPN Tunnel per Gateway pair, or possibly under VPN Advanced on the Gateway it is set to Custom Settings and then One VPN tunnel per Gateway pair.

    That is usually where I have seen this happening. With the VPN setting being 1 tunnel, that Phase 2 tunnel has to cover ALL possible IPs, hence the 0.0.0.0/0.0.0.0 that is sent.

  4. #4

    Yeah, maybe that was it!! I am disabling it and pushing the policy, let's see. Setting up a VPN with Cisco is really a pain, at least I feel. I really felt so many challenges with Cisco-CP VPN.

  5. #5

    Quote Originally Posted by blason View Post
    Yeah, maybe that was it!! I am disabling it and pushing the policy, let's see. Setting up a VPN with Cisco is really a pain, at least I feel. I really felt so many challenges with Cisco-CP VPN.

    Check Point to Cisco Interoperable VPN is the easiest combination to get working in my experience. Much easier than doing one with Juniper/Fortinet/Sonicwall which are ridiculously picky about Phase 2 subnet/Proxy-ID proposals...

  6. #6

    Yeah, I corrected that, but now I am not seeing P2 at all in ikeview, just P1 with All OK.

  7. #7

    Quote Originally Posted by blason View Post
    Yeah, I corrected that, but now I am not seeing P2 at all in ikeview, just P1 with All OK.

    What is the error after Phase1 Main mode completes? No proposal chosen?

  8. #8

    Quote Originally Posted by ShadowPeak.com View Post
    Check Point to Cisco Interoperable VPN is the easiest combination to get working in my experience. Much easier than doing one with Juniper/Fortinet/Sonicwall which are ridiculously picky about Phase 2 subnet/Proxy-ID proposals...

    I always find it pretty easy as well.

    Agree on what you are using for the P1 and P2 settings in terms of encryption, i.e. AES-256/SHA1 etc., the DH Group to use, PFS or not. Agree on the subnets used for P2, and edit the user.def file to force the correct subnet masks to be used. Works like a charm.
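
Added example, not part of the original thread and not Check Point or Cisco code: a simplified Python model of what posts #3 and #8 describe, showing which Phase 2 selectors (proxy IDs) each tunnel-sharing mode proposes and how they compare with the peer's mirrored ACL. The mode names, the addresses, the subnet-merging step and the exact-mirror acceptance rule are assumptions made for illustration.

```python
import ipaddress
from itertools import product

ANY = ipaddress.ip_network("0.0.0.0/0")

def proposed_selectors(mode, local_domain, remote_domain, supernet=True):
    """Return (local, remote) Phase 2 selector pairs for a tunnel-sharing mode.

    "gateway_pair": one tunnel covers everything, so 0.0.0.0/0 on both sides.
    "subnet_pair": one tunnel per subnet pair; supernet=True first merges
    adjacent subnets (assumed model of the mask widening a user.def edit overrides).
    """
    if mode == "gateway_pair":
        return [(ANY, ANY)]
    if mode != "subnet_pair":
        raise ValueError(f"unsupported mode: {mode}")
    sides = []
    for domain in (local_domain, remote_domain):
        nets = [ipaddress.ip_network(n) for n in domain]
        if supernet:
            nets = list(ipaddress.collapse_addresses(nets))
        sides.append(sorted(nets))
    return list(product(sides[0], sides[1]))

def check_against_peer(proposals, peer_acl):
    """Classify proposals against the peer's (peer_local, peer_remote) entries.

    Assumption: the peer accepts only the exact mirror of one of its entries.
    """
    acl = [(ipaddress.ip_network(a), ipaddress.ip_network(b)) for a, b in peer_acl]
    results = []
    for local, remote in proposals:
        if (remote, local) in acl:
            verdict = "match"
        elif any(a.subnet_of(remote) and b.subnet_of(local) for a, b in acl):
            verdict = "too broad"  # covers an ACL entry but is wider than it
        else:
            verdict = "no entry"
        results.append((str(local), str(remote), verdict))
    return results

# Constructed sample data: local encryption domain, peer domain, peer ACL.
LOCAL = ["10.1.0.0/24", "10.1.1.0/24"]
REMOTE = ["192.168.50.0/24"]
PEER_ACL = [("192.168.50.0/24", "10.1.0.0/24"), ("192.168.50.0/24", "10.1.1.0/24")]

if __name__ == "__main__":
    for mode, sn in (("gateway_pair", True), ("subnet_pair", True), ("subnet_pair", False)):
        print(mode, sn, check_against_peer(proposed_selectors(mode, LOCAL, REMOTE, sn), PEER_ACL))
```

With the sample data, only the per-subnet proposal with the agreed /24 masks mirrors the peer's entries; the 0.0.0.0/0 proposal and the merged /23 are both wider than anything the peer has configured.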
