My experience is that simplified mode relates more to Checkpoint at the other end. Traditional mode config is used with other vendors. It is ideal that we set both similarly and also match the other end's configuration.

Ramki

cisco4ng wrote:
Hi everyone,

I guess I should have elaborated a little more in the previous thread. I know how to do that in traditional mode. However, according to both Nokia and Checkpoint documentation, whatever changes are being made in traditional have NO effect in Simplified mode, especially simplified VPN configuration (vpn community). Furthermore, according to Nokia, changes made in the traditional mode tab are NOT supported if the vpn is configured in simplified mode.

I guess the bottom line is that it is not supported in simplified mode. Thanks again everyone.

cisco4ng

Christopher Hoff <[EMAIL PROTECTED]> wrote:
  You can change the settings on a per node gateway by editing the
traditional mode settings and going to the advanced settings.

Thank you,

____________________________________________
Christopher Hoff
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Crist Clark
Sent: Wednesday, January 18, 2006 4:45 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Urgent please help. VPN issue

cisco4ng wrote:
Hi gurus,

Please help me with this problem.

I am setting a site-to-site vpn between a Checkpoint NG firewall and a Cisco IOS device.

The dude on the Cisco side keeps insisting that the IPSec phase II key re-negotiation be data-limit instead of timeout limit. I know how to do that on Cisco device. For example:

set security-association lifetime kilobytes 57193933

How can I achieve this in Checkpoint? In Checkpoint Simplified mode, I can only specify the timeout setting for IPSec phase II.

FWIW, specifying the lifetime in time or byte count or both at once all
MUST be supported according to the standard.

Going straight to the Checkpoint database, I see the following,

:isakmp.phase2_rekeying_kbytes (50000)
:isakmp.phase2_rekeying_time (3600)
:isakmp.phase2_use_rekeying_kbytes (false)

As attributes of IPsec endpoints. Names seem self explanatory. Can't
say if they actually work. Dunno how to access them through the
"Dashboard" or whatever they're calling it for now. You may need to
edit the database with DBedit or the ol' 'vi objects_5_0.C'.
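
An added example, not part of any poster's message: a small Python check that reads the three attribute lines quoted above and the Cisco line from the question, then reports where the phase II rekey settings disagree. The meaning of each attribute is assumed from its name (the thread says they are unverified), and the function names and sample strings are constructed for illustration.

```python
import re

# Constructed sample input: the attribute lines and the Cisco command quoted in the thread.
CHECKPOINT_ATTRS = """\
:isakmp.phase2_rekeying_kbytes (50000)
:isakmp.phase2_rekeying_time (3600)
:isakmp.phase2_use_rekeying_kbytes (false)
"""
CISCO_LINE = "set security-association lifetime kilobytes 57193933"

ATTR_RE = re.compile(r"^\s*:(isakmp\.phase2_\w+)\s+\((\w+)\)\s*$", re.M)
CISCO_RE = re.compile(r"set security-association lifetime (kilobytes|seconds) (\d+)")

def _decode(raw):
    """Turn '(false)' / '(3600)' style values into bool or int."""
    if raw in ("true", "false"):
        return raw == "true"
    return int(raw) if raw.isdigit() else raw

def parse_checkpoint(text):
    """Return {attribute_name: value} for the isakmp.phase2_* lines in text."""
    return {name: _decode(raw) for name, raw in ATTR_RE.findall(text)}

def parse_cisco(line):
    """Return (unit, value) from a 'set security-association lifetime' line."""
    m = CISCO_RE.search(line)
    if not m:
        raise ValueError("no security-association lifetime found")
    return m.group(1), int(m.group(2))

def compare(cp_text, cisco_line):
    """List the differences between the two peers' phase II rekey settings."""
    cp = parse_checkpoint(cp_text)
    unit, value = parse_cisco(cisco_line)
    findings = []
    if unit == "kilobytes":
        # Assumption: this flag is what turns on byte-count rekeying.
        if not cp.get("isakmp.phase2_use_rekeying_kbytes", False):
            findings.append("byte-count rekeying is disabled on the Check Point side")
        key = "isakmp.phase2_rekeying_kbytes"
    else:
        key = "isakmp.phase2_rekeying_time"
    if cp.get(key) != value:
        findings.append(f"{key} is {cp.get(key)}, Cisco peer uses {value} {unit}")
    return findings

if __name__ == "__main__":
    for finding in compare(CHECKPOINT_ATTRS, CISCO_LINE):
        print(finding)
```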
