For the benefit of the members on the list server, I have summarized below
the responses received to my request for information regarding setting up a
Gauntlet to Checkpoint VPN (the original request is at the end)...
Essentially, as I understand it, the problem that I am having relates to the
way that Checkpoint implemented their IKE Phase 2 negotiation. It looks as
if they didn't follow the IPSEC standard. I have heard thru several sources
that this has been corrected in v4.1 (I am not sure if it's the base
release, Hotfix 41603, or SP1/CK2000). Additionally, there is a reference
below to the http://www.tis.com/support site. I took a look at this and
there is a reference in the notes for Hotfix 7 for Gauntlet v5.5 that
addresses this issue (http://www.tis.com/support/patchnt55.html). However,
the business partner that owns the Gauntlet firewall said that he was
already at this hotfix. Finally, I found the Word document below to be a
great 'How To' step-by-step guide.
I am now looking into the feasibility of taking the 'Leap of Faith' from
Checkpoint v4.0 to v4.1...Wish me Luck !!
Thanks again for all of the great responses !! I know of no other method
for gaining such in-depth knowledge as quickly as this list server provides.
Good job all !!
> Troy Dechant
> Sr. Technical Specialist Network Design
> First American Real Estate Information Services, Inc.
> [EMAIL PROTECTED]
> t.214.879.5079, f.214.879.4822
>
>
>
-----Original Message-----
From: Scott Armstrong [SMTP:[EMAIL PROTECTED]]
Sent: Tuesday, May 16, 2000 12:10 PM
To: Dechant, Troy
Subject: Re: Checkpoint to Gauntlet VPN Configuration
Hope this helps (sorry about the WS Word format). The VPN won't work unless
your CheckPoint is v 4.1.
Scott
<<checkpoint_gvpn11.doc>>
-----Original Message-----
From: Jose Muniz [SMTP:[EMAIL PROTECTED]]
Sent: Tuesday, May 16, 2000 9:51 PM
To: [EMAIL PROTECTED]
Subject: Re: Checkpoint to Gauntlet VPN Configuration
Try setting the lifetime to 0 on the checkpoint and if it does not work
then set the checkpoint to 28800 secs and the Gauntlet to 0 secs. Give it a
shot both ways. If it does not work, which probably it should, then you
basically need to upgrade to Checkpoint 4.1 sp 1 and this works!
Jose Muniz.
-----Original Message-----
From: Butters, Kevin [SMTP:[EMAIL PROTECTED]]
Sent: Tuesday, May 16, 2000 8:27 AM
To: Dechant, Troy
Subject: RE: Checkpoint to Gauntlet VPN Configuration
Troy,
Here is an NAI resource about configuring Checkpoint to Gauntlet. If
you have a service contract, I would also recommend that you visit
www.tis.com/support and verify whether you are current with Gauntlet
updates. You can call into support to receive the updates.
Kevin Butters
<<gnt-checkpoint.htm>>
-----Original Message-----
From: Patrick Ethier [SMTP:[EMAIL PROTECTED]]
Sent: Monday, May 15, 2000 5:25 PM
To: [EMAIL PROTECTED]
Subject: Re: Checkpoint to Gauntlet VPN Configuration
Hi Troy,
I'm by no means a Checkpoint Specialist but I do remember having an issue
when I was doing compatibility testing with CheckPoint's FW-1 4.0 back in
late November. I was never able to get it working. If I recall correctly,
logs kept showing that it didn't support the IPV4_ADDR_SUBNET type.
That meant that our IKE Phase 1 would complete with no problem but it would
never be able to establish the Phase 2 (IPsec portion) of the connection.
This means that LAN to LAN configurations wouldn't work.
Apparently, this was corrected in 4.1.
I'm not sure if this is the problem you are experiencing but that was what I
learned from the experience. IPsec is a fairly new standard and FW-1 hadn't
implemented the whole standard at that point.
I never got around to testing the 4.1 to see if this was corrected or not.
Regards,
Patrick Ethier
[EMAIL PROTECTED]
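Patrick's description (Phase 1 completes, Phase 2 never establishes) can be checked from a snoop of UDP/500 without any keys, because the 28-byte ISAKMP header is never encrypted: the exchange type tells Main Mode from Quick Mode, and the encryption flag on Main Mode messages 5/6 shows that Phase 1 keys were derived. The triage script below is an added example, not part of the thread or either vendor's tooling; the capture it runs on is constructed header-only data, and the verdict strings are my own wording.

```python
import struct

# ISAKMP exchange types (RFC 2408) plus the IPsec DOI Quick Mode value (RFC 2409)
EXCHANGE_TYPES = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}
FLAG_ENCRYPTION = 0x01  # payloads after the header are encrypted under the phase 1 SA

def parse_isakmp_header(datagram):
    """Decode the fixed 28-byte ISAKMP header that starts every UDP/500 datagram."""
    if len(datagram) < 28:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, _next, _ver, xchg, flags, msgid, length = struct.unpack(
        "!8s8sBBBBII", datagram[:28])
    return {"icookie": icookie, "rcookie": rcookie, "exchange": EXCHANGE_TYPES.get(xchg, "other"),
            "flags": flags, "msgid": msgid, "length": length}

def diagnose(datagrams):
    """Classify a UDP/500 conversation: did phase 1 finish, and was phase 2 (Quick Mode) tried?"""
    counts = {"main": 0, "aggressive": 0, "quick": 0, "informational": 0, "other": 0}
    phase1_encrypted = quick_then_notify = False
    for d in datagrams:
        h = parse_isakmp_header(d)
        counts[h["exchange"]] += 1
        if h["exchange"] in ("main", "aggressive") and h["flags"] & FLAG_ENCRYPTION:
            phase1_encrypted = True  # main mode messages 5/6 are only sent once SKEYID is derived
        if h["exchange"] == "informational" and counts["quick"]:
            quick_then_notify = True  # an encrypted notify/delete right after Quick Mode
    if not phase1_encrypted:
        verdict = "phase 1 never completed: check PSK, DH group, cipher/hash, main vs aggressive"
    elif counts["quick"] == 0:
        verdict = "phase 1 completed but no Quick Mode: peer never proposed a phase 2 SA"
    elif quick_then_notify:
        verdict = "Quick Mode rejected: compare phase 2 transforms, lifetimes and ID type (subnet vs host)"
    else:
        verdict = "Quick Mode exchanged; if no ESP follows, check the proxy IDs on both sides"
    return counts, verdict

def make_datagram(xchg, flags, msgid, rcookie=b"\x11" * 8):
    """Build a header-only ISAKMP datagram (constructed test data, no real payloads)."""
    return struct.pack("!8s8sBBBBII", b"\xaa" * 8, rcookie, 0, 0x10, xchg, flags, msgid, 28)

# Constructed capture modelled on the thread: six main mode messages complete phase 1, then the
# Quick Mode proposal is answered with an encrypted Informational (notify) and no ESP follows.
SAMPLE_CAPTURE = ([make_datagram(2, 0, 0, rcookie=b"\x00" * 8)] +
                  [make_datagram(2, 0, 0) for _ in range(3)] +
                  [make_datagram(2, FLAG_ENCRYPTION, 0) for _ in range(2)] +
                  [make_datagram(32, FLAG_ENCRYPTION, 0x1234), make_datagram(5, FLAG_ENCRYPTION, 0x5678)])

if __name__ == "__main__":
    print(diagnose(SAMPLE_CAPTURE))
```

Real captures need the UDP payload extracted first (e.g. from a pcap); the Quick Mode ID and notify payloads themselves stay encrypted, so the header-level verdict is as far as a passive snoop can take you.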
> -----Original Message-----
> From: Dechant, Troy [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 15, 2000 3:54 PM
> To: [EMAIL PROTECTED]
> Subject: Checkpoint to Gauntlet VPN Configuration
>
> Hello All !!!
>
> I have been tasked with setting up a VPN tunnel between a Checkpoint v4.0
> SP3 (my side) and a Gauntlet v5.5 firewall (the customer's side). I have
> taken a first stab at it and still have had no success.
>
> I have configured both objects in Checkpoint as having the following
> encryption properties -
>
> ISAKMP/OAKLEY
> 3DES
> MD5 Hash
> Pre-shared secrets
> Supports Aggressive Mode option disabled
> ESP Transform enabled
> Use Perfect Forward Secrecy disabled
>
> The Gauntlet firewall configuration is as follows -
>
> IPSEC with IKE
> Pre-shared secrets
> 3DES
> MD5
> DH Group 1024
> Perfect Forward Secrecy disabled
>
> In addition to the normal Checkpoint VPN ports (ESP protocol type 50 &
> TCP/264), I have also opened up AH (protocol type 51) and ISAKMP (UDP/500)
> between the two firewalls.
>
> When I attempt to establish the VPN tunnel, the only thing that shows up in
> my logs is an accept from the Gauntlet firewall on the ISAKMP port
> (UDP/500). No traffic is seen by the firewall as being encrypted. A snoop
> of the external interface only shows traffic on UDP/500. The Checkpoint
> logs never record anything and encryption never appears.
>
> Any help would be greatly appreciated. I have searched the Internet and am
> having problems locating any configuration examples for the above scenarios.
> Thanks in advance for any help that you can provide !!
>
> > Troy Dechant
> > Sr. Technical Specialist Network Design
> > First American Real Estate Information Services, Inc.
> > [EMAIL PROTECTED]
> >