Firewall Wizards mailing list archives

Pix to Checkpoint VPN Connectivity


From: cs 2004 <cskb2004 () yahoo com>
Date: Wed, 26 May 2004 14:14:09 -0700 (PDT)

Richard,
 
I am not sure if you have had luck in resolving this. I have worked on Checkpoint, Netscreen, and Cisco
routers/PIX/concentrators.
 
Important things to remember:
======================
1) Make sure UDP 500 is open to peers on both ends.
2) Pre-shared key is defined correctly on both peers.
3) Phase-1 proposals match on both ends, including the lifetimes.
4) Phase-2 proposals match on both sides, including the lifetimes.
5) IPSEC ACL should match the policies on the Checkpoint.
6) Make sure Perfect Forward Secrecy is set to match on both ends. By default it is disabled on the PIX. If the Checkpoint
is defined for DH Group 1 or Group 2:
<crypto map <name> <seq> set pfs group1|group2>
 
From the debug logs, there are multiple instances of failed IKE negotiations and IPSEC negotiations. Make sure you
make changes coordinating with the engineer on the remote end. It won't do a whole lot of good making changes on one side.
 
Hope this helps.
 
--Chandan
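The checklist in the reply above can be turned into a mechanical comparison of the two peers' settings before anyone touches either box. The script below is an added example written for this archive page, not Chandan's code or anything from Cisco or Check Point; the dataclass fields, the function names and the two sample peer configurations (a PIX left at its default of PFS disabled against a Checkpoint requiring PFS group 2 with a shorter phase-2 lifetime) are all constructed assumptions. It checks IKE reachability, the pre-shared key, phase-1 and phase-2 proposals including lifetimes, PFS, and whether each side's crypto ACL / encryption domain mirrors the other's.

```python
"""Added example: compare two IPsec peers' settings against the interop checklist.
Field names, sample values and subnets are constructed assumptions, not real configs."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Proposal:
    """One IKE phase-1 or IPsec phase-2 proposal."""
    encryption: str
    integrity: str
    lifetime_s: int
    # phase 1: IKE DH group; phase 2: PFS group, None meaning PFS disabled
    dh_group: Optional[int]


@dataclass
class PeerConfig:
    name: str
    udp500_open: bool            # perimeter lets IKE (UDP 500) reach the peer?
    psk: str
    phase1: Proposal
    phase2: Proposal
    # crypto ACL / encryption domain as this peer sees it: (local subnet, remote subnet)
    protected: Set[Tuple[str, str]]


def compare_peers(a: PeerConfig, b: PeerConfig) -> List[str]:
    """Return human-readable mismatches; an empty list means the checklist passes."""
    problems: List[str] = []

    # IKE must be reachable from both sides.
    for p in (a, b):
        if not p.udp500_open:
            problems.append(f"{p.name}: UDP 500 not open to the peer")

    # Pre-shared key must be identical on both peers.
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")

    # Phase-1 proposals, lifetimes and DH group included, must match.
    for attr in ("encryption", "integrity", "lifetime_s", "dh_group"):
        va, vb = getattr(a.phase1, attr), getattr(b.phase1, attr)
        if va != vb:
            problems.append(f"phase-1 {attr}: {a.name}={va} {b.name}={vb}")

    # Phase-2 proposals and lifetimes must match.
    for attr in ("encryption", "integrity", "lifetime_s"):
        va, vb = getattr(a.phase2, attr), getattr(b.phase2, attr)
        if va != vb:
            problems.append(f"phase-2 {attr}: {a.name}={va} {b.name}={vb}")

    # PFS: one side off (None) against the other requiring a group breaks phase 2.
    if a.phase2.dh_group != b.phase2.dh_group:
        problems.append(
            f"PFS: {a.name}={a.phase2.dh_group or 'disabled'} "
            f"{b.name}={b.phase2.dh_group or 'disabled'}")

    # Crypto ACL / policy: b's (local, remote) pairs must be the mirror image of a's.
    mirrored_b = {(remote, local) for (local, remote) in b.protected}
    for local, remote in sorted(a.protected - mirrored_b):
        problems.append(f"{a.name} protects {local}->{remote} but {b.name} has no matching rule")
    for local, remote in sorted(mirrored_b - a.protected):
        problems.append(f"{b.name} protects {remote}->{local} but {a.name} has no matching rule")

    return problems


def checklist_demo() -> List[str]:
    """Constructed scenario: PIX at its defaults (PFS disabled) versus a Checkpoint
    with PFS group 2 and a different phase-2 lifetime."""
    pix = PeerConfig(
        name="pix", udp500_open=True, psk="example-psk",
        phase1=Proposal("3des", "sha", 86400, 2),
        phase2=Proposal("3des", "sha", 28800, None),   # PIX default: no PFS
        protected={("10.1.0.0/16", "10.2.0.0/16")},
    )
    checkpoint = PeerConfig(
        name="checkpoint", udp500_open=True, psk="example-psk",
        phase1=Proposal("3des", "sha", 86400, 2),
        phase2=Proposal("3des", "sha", 3600, 2),
        protected={("10.2.0.0/16", "10.1.0.0/16")},
    )
    return compare_peers(pix, checkpoint)


if __name__ == "__main__":
    for line in checklist_demo() or ["checklist passes"]:
        print(line)
```

Running the demo reports exactly the two things that would show up as failed phase-2 negotiations in the debug output: the phase-2 lifetime difference and the PFS mismatch. Fixing both on one side only, as the reply warns, is not enough; the comparison has to be rerun against what the remote engineer actually configured.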
