
| Subject: | Re: VPN tunneling between PIX & Checkpoint |
|---|---|
| Date: | Wed, 8 Dec 2004 20:04:18 -0500 |
Also, remember to create the PIX as an interoperable object in Checkpoint and turn off Supports Aggressive Mode under the PIX object. I ran into a problem where my tunnel was being renegotiated during the day and the CheckPoint would first try aggressive mode which the PIX didn't like. A full 60 seconds later the CheckPoint would then try Main mode and the tunnel would come back up.

-Scott

On Tue, 7 Dec 2004 09:09:46 -0500, Dazsi, Brian <brian.dazsi@capitalone.com> wrote:
I have run into the same problem. I followed the Cisco documentation very carefully. However, there is one very important configuration line missing in the Cisco documentation's example. You have to make sure that BOTH the phase 1 and phase 2 key renegotiation times are set to exactly the same values on both the Check Point and the PIX. If you do not actually type the configuration lines on the PIX, and therefore use the default values, your tunnel will go down when the Check Point expires a key. Note that if you do not type these lines, they may not show up when you look at the config - and you will be using the default values. The Cisco PIX is very unforgiving about this (Check Point will just try to renegotiate if either peer loses a key - Cisco will hang on to its keys until they expire, and will not renegotiate).

At first, before we realized what was happening, we just kept clearing the Security Associations on the PIX and the tunnel would re-establish (this would be accomplished by reconfiguring the PIX, which we tried too) - but after looking at debug logs in detail and playing with the PIX configuration, we figured out what was missing in the PIX configuration. We even opened up a case with Cisco about this - I am very disappointed that they STILL have not updated their documentation. Also note that you may still run into a problem if the Check Point loses its key for whatever reason (a reboot, perhaps) - and you may still have to clear the SAs on the PIX, in this case (but we have not had a problem since we figured out the PIX config line).

Here are the two important config lines (note the second line (crypto map) is missing in the Cisco documentation):

```
isakmp policy 1 lifetime 86400
crypto map rtprules 10 set security-association lifetime seconds 3600 kilobytes 4608000
```

Here's the Cisco document: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ef796.shtml

I hope that helps you out!
Brian

-----Original Message-----
From: Cunningham, Andy [mailto:acunningham@rsasecurity.com]
Sent: Monday, December 06, 2004 11:45 AM
To: firewalls@securityfocus.com
Subject: RE: VPN tunneling between PIX & Checkpoint

We've had all kinds of problems getting a PIX to Checkpoint tunnel to remain stable with Checkpoint NG. With FW-1 Version 4.1 everything was fine, but since we upgraded to NG the whole thing was about as stable as nitroglycerine in a tumble-dryer. Repeating the same configuration steps five or six times would eventually work for no obvious reason. For other reasons we have moved away from the mixed solution for that particular problem, so we never got around to finding the solution, I'm afraid.

Andy

-----Original Message-----
From: Rizky Fithrianda [mailto:rizky@sctv.co.id]
Sent: 03 December 2004 14:00
To: 'firewalls@securityfocus.com'
Subject: VPN tunneling between PIX & Checkpoint

Dear All,

I got a problem when connecting a VPN tunnel from PIX to Checkpoint. I've tried to follow the manual procedure but the connection still failed.. could you give me an explanation, and is there any manual that explains this..? pls..urgent

thanks all

--
Regards;
.::rhiez::.
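As an added illustration of Brian's point (this is not code from the thread or from either vendor), a small Python checker that reads a PIX config excerpt and flags IKE/IPsec lifetimes that differ from the Check Point gateway's renegotiation settings, including Scott's aggressive-mode item. The PIX defaults applied for absent lines, the Check Point NG-era defaults (phase 1 in minutes, phase 2 in seconds) and the sample configs are assumptions constructed for the example.

```python
import re

# PIX 6.x values in effect when the lifetime lines were never typed
# (assumed from Cisco's documented defaults; verify on your release).
PIX_DEFAULT_IKE_LIFETIME = 86400    # isakmp policy lifetime, seconds
PIX_DEFAULT_IPSEC_LIFETIME = 28800  # crypto ipsec SA lifetime, seconds

IKE_RE = re.compile(r"^\s*isakmp policy \d+ lifetime (\d+)")
GLOBAL_IPSEC_RE = re.compile(r"^\s*crypto ipsec security-association lifetime seconds (\d+)")
MAP_IPSEC_RE = re.compile(r"^\s*crypto map \S+ \d+ set security-association lifetime seconds (\d+)")

def pix_lifetimes(config):
    """Effective (phase1_s, phase2_s) on the PIX; absent lines mean defaults."""
    p1, p2, map_override = PIX_DEFAULT_IKE_LIFETIME, PIX_DEFAULT_IPSEC_LIFETIME, None
    for line in config.splitlines():
        if m := IKE_RE.match(line):
            p1 = int(m.group(1))
        elif m := GLOBAL_IPSEC_RE.match(line):
            p2 = int(m.group(1))
        elif m := MAP_IPSEC_RE.match(line):
            map_override = int(m.group(1))  # per-map value beats the global one
    return p1, p2 if map_override is None else map_override

def find_mismatches(pix_config, cp_ike_minutes=1440, cp_ipsec_seconds=3600,
                    cp_aggressive_mode=False):
    """Check Point sets phase 1 in minutes and phase 2 in seconds; the
    defaults above are the assumed NG-era GUI defaults."""
    pix_p1, pix_p2 = pix_lifetimes(pix_config)
    cp_p1, cp_p2 = cp_ike_minutes * 60, cp_ipsec_seconds
    problems = []
    if pix_p1 != cp_p1:
        problems.append(f"phase 1: PIX {pix_p1}s vs Check Point {cp_p1}s")
    if pix_p2 != cp_p2:
        problems.append(f"phase 2: PIX {pix_p2}s vs Check Point {cp_p2}s")
    if cp_aggressive_mode:  # Scott's point: the PIX object must not offer aggressive mode
        problems.append("Check Point object still has Supports Aggressive Mode enabled")
    return problems

# Constructed sample configs: the first carries the two lines from the thread,
# the second omits them and so silently runs on the PIX defaults.
PIX_CONFIG_FIXED = """\
isakmp policy 1 lifetime 86400
crypto map rtprules 10 ipsec-isakmp
crypto map rtprules 10 set security-association lifetime seconds 3600 kilobytes 4608000
"""
PIX_CONFIG_DEFAULTS = "crypto map rtprules 10 ipsec-isakmp\n"

if __name__ == "__main__":
    for name, cfg in (("fixed", PIX_CONFIG_FIXED), ("defaults", PIX_CONFIG_DEFAULTS)):
        print(name, find_mismatches(cfg) or "OK")
```

Run against a real `show config` only after confirming the defaults for your PIX release, since a line that never shows up is exactly the case the thread warns about.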