Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

ASA to Checkpoint R70 VPN tunnel

I have an ASA running 8.4(2) code.

I have been trying to get a VPN tunnel established between this device and a Checkpoint R70 firewall, but have been getting nowehere.

The settings are:

Encap: ESP

Encryption: AES256

Hash: SHA1

DH: Group 2 (1024)

Authentication: pre-share

lifetime: 1440 min / 4096000 KB

I can open the tunnel from the ASA to the Checkpoint, but the Checkpoint cannot open a tunnel with the ASA. It looked like the issue originally was the KB timout which was turned off on the Checkpoint side. They have since added that (4096000), but we are getting Phase2 failures.

Has anyone here been able to create a tunnel between an ASA running 8.4(2) and a Checkpoint R70?

I am beginning to think that I have incompatible systems

Is it a PFS issue? If so, how do I enable that in the policy section?

1 REPLY
Community Member

ASA to Checkpoint R70 VPN tunnel

I can answer my own question ...got it working

PFS needs to be turned on.

In 8.4(2) code, the KB timeout (SA) CANNOT be turned off: any 3rd party firewall need to have this on in order for a tunnel to work (spent a week figuring that out).

so yes: you can get a tunnel up and running between these two systems, but it is a bit more rigid now.

789
Views
0
Helpful
1
Replies
CreatePlease to create content