Cisco Support Community
Community Member

IPSEC tunnel between PIX515 and CheckPoint Firewall 1.0

Hello All,

I am trying to get a PIX515 and Checkpoint Firewall 1.0 to talk to each other through IPSEC, using DES, SHA and a pre-shared key. Anyone ever done this before? I am having problems even with the key, since Checkpoint takes hex values for the key and PIX takes a normal key. Any tips?

Thanks in Advance.

4 REPLIES
Silver

Re: IPSEC tunnel between PIX515 and CheckPoint Firewall 1.0

It makes it a little harder using two different vendors. I’ve always found using the same vendor in the long run is a better idea. I’d suggest conferencing both Cisco and Checkpoint to help get the issue resolved. I’ve never had any problems with Cisco because of their open architecture technology but I’m not sure about Checkpoint.

Community Member

Re: IPSEC tunnel between PIX515 and CheckPoint Firewall 1.0

I suppose you wanted a Tunnel mode VPN connection between the two firewalls. I don't know much about PIX, but on Checkpoint the "Tunnel mode" terminology is not used. Instead, you need to make sure the "Support key exchange for subnets" box is checked under the Workstation Properties for both the CheckPoint and PIX network objects. This is the trick in letting CheckPoint know that Tunnel Mode VPN is enabled.

I thought CheckPoint uses clear text as the shared secret key; I remember an IBM firewall using hex for the shared secret key. If it does ask for hex, then it will just be the hex representation of the ASCII shared secret text.

John Luk.
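
The hex-versus-ASCII point in the reply above, worked through as an added example (this is not code from the thread or from either vendor). It converts an ASCII pre-shared key to the hex form a hex-only field expects, and then shows why the two peers must end up with the same key bytes: in IKEv1 (RFC 2409 section 5.4) a pre-shared key enters the exchange as SKEYID = prf(pre-shared-key, Ni_b | Nr_b), with prf = HMAC-SHA1 when the proposal uses SHA as in the question. The sample key "cisco123" and the nonces are constructed for illustration; the function names are the example's own.

```python
"""
Added example (not from the original thread): convert an ASCII IKEv1
pre-shared key to hex and check that both peers derive the same SKEYID.

RFC 2409 section 5.4, pre-shared-key authentication:
    SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
prf is HMAC of the negotiated hash, so HMAC-SHA1 for a DES/SHA proposal.
If one peer feeds the hex *digits* into the PRF as if they were the key,
SKEYID differs on the two sides and Phase 1 never completes.
"""
import hashlib
import hmac


def ascii_psk_to_hex(psk: str) -> str:
    """Hex representation of the ASCII key bytes: what to paste into a
    hex-only PSK field so both peers use the same bytes."""
    return psk.encode("ascii").hex()


def hex_psk_to_bytes(hex_psk: str) -> bytes:
    """Decode a hex PSK field back to raw key bytes.

    Rejects odd length or non-hex characters so a typo is caught before
    the tunnel simply refuses to come up. Spaces between octets are
    tolerated because some GUIs display the key that way."""
    hex_psk = hex_psk.strip().replace(" ", "")
    if len(hex_psk) % 2 != 0:
        raise ValueError("hex PSK must have an even number of digits")
    try:
        return bytes.fromhex(hex_psk)
    except ValueError as exc:
        raise ValueError("hex PSK contains non-hex characters") from exc


def ike_skeyid_psk(psk_bytes: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b) with prf = HMAC-SHA1."""
    return hmac.new(psk_bytes, ni_b + nr_b, hashlib.sha1).digest()


def same_skeyid(psk_a: bytes, psk_b: bytes, ni_b: bytes, nr_b: bytes) -> bool:
    """True iff two peers holding psk_a and psk_b derive the same SKEYID."""
    return hmac.compare_digest(ike_skeyid_psk(psk_a, ni_b, nr_b),
                               ike_skeyid_psk(psk_b, ni_b, nr_b))


if __name__ == "__main__":
    # Constructed sample: the PIX side is configured with an ASCII key.
    pix_key = "cisco123"
    # What to enter on the hex-only side (constructed example value).
    cp_hex = ascii_psk_to_hex(pix_key)
    print("ASCII key:", pix_key, "-> hex field:", cp_hex)

    ni, nr = b"\x11" * 16, b"\x22" * 16  # constructed nonces, not real traffic
    # Correct: the hex field decodes to the same bytes the PIX uses.
    print("decoded hex matches:",
          same_skeyid(pix_key.encode(), hex_psk_to_bytes(cp_hex), ni, nr))
    # Wrong: one side treats the hex digits themselves as the key bytes.
    print("literal hex digits match:",
          same_skeyid(pix_key.encode(), cp_hex.encode(), ni, nr))
```

The second comparison is the mismatch you get when the string "636973636f313233" is pasted into a field that takes the key literally (or, the other way round, when the ASCII key is typed into a hex field): the keys look related to a human but are different byte strings, so HMAC-SHA1 produces unrelated SKEYIDs and the peers cannot authenticate each other.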

Community Member

Re: IPSEC tunnel between PIX515 and CheckPoint Firewall 1.0

There is an example on Checkpoints website:

http://support.checkpoint.com/kb/docs/public/firewall1/4_1/pdf/pixvpn.pdf

It should solve your problem...

Community Member

Re: IPSEC tunnel between PIX515 and CheckPoint Firewall 1.0

Unfortunately, many have tried the example on chpt's site. With it, the tunnel will drop anytime a change is made to either firewall, along with a few other "issues".

To be honest, the one on Cisco's site is a little better, but still has issues. If you have a fairly simple Checkpoint config, the one on CCO will work well. If your chpt config is more complex you will probably run into problems.

Alex

(Been there, done that too many times... I HATE CHPT)
