
IPSEC tunnel between PIX515 and CheckPoint Firewall 1.0

Mar 20th, 2001

Hello All,

I am trying to get a PIX515 and Checkpoint Firewall 1.0 to talk to each other through IPSEC, using DES, SHA and a pre-shared key. Anyone ever done this before? I am having problems even with the key, since Checkpoint takes hex values for the key and PIX takes a normal key. Any tips?

Thanks in Advance.

thomas.chen Fri, 03/23/2001 - 10:58

It makes it a little harder using two different vendors. I’ve always found using the same vendor in the long run is a better idea. I’d suggest conferencing both Cisco and Checkpoint to help get the issue resolved. I’ve never had any problems with Cisco because of their open architecture technology but I’m not sure about Checkpoint.

joluk Fri, 03/23/2001 - 13:43

I suppose you wanted a Tunnel mode VPN connection between the two firewalls. I don't know much about PIX but on Checkpoint, the "Tunnel mode" terminology is not used. Instead you need to make sure the "Support Keys exchange for subnets" box is checked under the Workstation Properties for both the CheckPoint and PIX network objects. This is the trick in letting CheckPoint know that Tunnel Mode VPN is enabled.

I thought CheckPoint uses clear text as the shared secret key, I remember an IBM firewall uses HEX for the shared secret key. If it does ask for hex then it will just be the HEX representation of the ASCII shared secret text.

John Luk.
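As an added example, not part of any post in this thread: a small Python helper that produces the hex form of an ASCII pre-shared key (the representation the reply above describes) and checks that a hex key entered on one firewall denotes exactly the same octets as the plain-text key on the other, since a single mismatched octet fails IKE phase 1 with no useful error. Whether a given Check Point release takes hex input is as the posters describe; the code only does the conversion and comparison.

```python
def ascii_key_to_hex(key: str) -> str:
    """Return the hex encoding of an ASCII pre-shared key, i.e. the form a
    device that wants the key in hex would need typed in."""
    if not key:
        raise ValueError("pre-shared key must not be empty")
    if not (key.isascii() and key.isprintable()):
        raise ValueError("key contains non-printable or non-ASCII characters")
    return key.encode("ascii").hex()


def hex_key_to_ascii(hex_key: str) -> str:
    """Decode a hex-form key back to the ASCII text it represents.

    Tolerates an optional '0x' prefix, space or ':' separators and either
    letter case, which are the usual ways a hex key gets copied between
    two vendors' admin tools.
    """
    cleaned = hex_key.strip().lower()
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    cleaned = cleaned.replace(" ", "").replace(":", "")
    if not cleaned or len(cleaned) % 2:
        raise ValueError("hex key must have an even, non-zero number of digits")
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError("hex key contains non-hex characters") from exc
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("hex key does not decode to ASCII text") from exc


def keys_match(plain_key: str, hex_key: str) -> bool:
    """True only if the plain-text key and the hex key are the same octets.

    Any malformed hex is reported as a mismatch rather than an exception, so
    this can be used as a simple pre-flight check before bringing the tunnel up.
    """
    try:
        return hex_key_to_ascii(hex_key) == plain_key
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample key, not a real secret.
    print(ascii_key_to_hex("mysecret"))
    print(keys_match("mysecret", "6D 79 73 65 63 72 65 74"))
```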

Unfortunately, many have tried the example on chpt's site. With it, the tunnel will drop anytime a change is made to either firewall, along with a few other "issues".

To be honest, the one on Cisco's site is a little better, but still has issues. If you have a fairly simple Checkpoint config, the one on CCO will work well. If your chpt config is more complex you will probably run into problems.

(Been there, done that too many times... I HATE CHPT)
