fir3net

PIX to Check Point Sample VPN Configuration

Below are sample configurations for building a site-to-site VPN between a Cisco PIX and a Check Point firewall.

PIX Configuration

(config)#isakmp enable outside
(config)#isakmp policy 10
(config-isakmp-policy)# encryption aes-256
(config-isakmp-policy)# hash sha
(config-isakmp-policy)# authentication pre-share
(config-isakmp-policy)# group 1
(config-isakmp-policy)# lifetime 86400

(config)#isakmp key shabba address 1.1.1.1 netmask 255.255.255.255 no-xauth

(config)#access-list ED permit ip 172.16.1.0 255.255.255.0 172.16.5.0 255.255.255.0
(config)#access-list nonat permit ip 172.16.1.0 255.255.255.0 172.16.5.0 255.255.255.0
(config)#nat (inside) 0 access-list nonat

(config)#crypto ipsec transform-set TRAN esp-aes-256 esp-sha-hmac
(config)#crypto map MYFW_MAP 10 ipsec-isakmp
(config)#crypto map MYFW_MAP 10 match address ED
(config)#crypto map MYFW_MAP 10 set peer 1.1.1.1
(config)#crypto map MYFW_MAP 10 set transform-set TRAN
(config)#crypto map MYFW_MAP 10 set security-association lifetime seconds 3600
(config)#crypto map MYFW_MAP interface outside
(config)#crypto isakmp identity address

(config)#sysopt connection permit-vpn

Check Point (R65) Configuration

Below are the required Check Point configuration steps:

  1. Configure a Simplified VPN Mesh.
  2. Create an interoperable object for the PIX, then configure its topology settings.
  3. Add the gateways and the security rule that allows the traffic through.
  4. Next add the necessary configuration as per below:

Issues

Problem A

encryption failure: no response from peer

If the Check Point is logging the above, run a tcpdump/capture on both firewalls and check whether the IKE traffic is actually reaching its peer. This error normally points to a routing or connectivity issue.

Problem B

Removing peer from correlator table failed, no match!

If the PIX is logging the above, check the encryption domain settings on both sides: the crypto map ACL on the PIX must describe the same local and remote networks as the encryption domains configured on the Check Point.
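The encryption domain mismatch behind Problem B, and the cross-references in the PIX configuration above (crypto map ACL, nat 0 exemption, peer address, transform set), can be checked mechanically before the tunnel is brought up. The following is an added example, not a tool from fir3net or Cisco: it parses a constructed copy of the PIX commands shown on this page and compares the encryption domain against an assumed description of the Check Point side (the CHECKPOINT_SIDE dictionary and all function names are the example's own).

```python
"""Consistency check of a PIX site-to-site VPN configuration against the
expected Check Point encryption domain (added example, not fir3net's code)."""
import ipaddress
import re

# Constructed copy of the PIX commands shown on the page (prompts stripped).
PIX_CONFIG = """
isakmp enable outside
isakmp key shabba address 1.1.1.1 netmask 255.255.255.255 no-xauth
access-list ED permit ip 172.16.1.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list nonat permit ip 172.16.1.0 255.255.255.0 172.16.5.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set TRAN esp-aes-256 esp-sha-hmac
crypto map MYFW_MAP 10 ipsec-isakmp
crypto map MYFW_MAP 10 match address ED
crypto map MYFW_MAP 10 set peer 1.1.1.1
crypto map MYFW_MAP 10 set transform-set TRAN
crypto map MYFW_MAP interface outside
"""

# Assumed Check Point side (constructed): the peer's external address and the
# encryption domains entered on the interoperable object and the gateway.
CHECKPOINT_SIDE = {
    "peer_ip": "1.1.1.1",
    "pix_domain": ["172.16.1.0/24"],
    "checkpoint_domain": ["172.16.5.0/24"],
}

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+)")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+)")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)")
CMAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)$")


def parse_pix(config):
    """Extract the objects a crypto map entry depends on."""
    pix = {"acls": {}, "isakmp_peers": set(), "transform_sets": set(),
           "nat0_acl": None, "crypto_maps": {}}
    for line in config.strip().splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, sip, smask, dip, dmask = m.groups()
            # ipaddress accepts dotted masks, so "a.b.c.d/255.255.255.0" parses.
            pair = (ipaddress.ip_network(f"{sip}/{smask}"),
                    ipaddress.ip_network(f"{dip}/{dmask}"))
            pix["acls"].setdefault(name, []).append(pair)
        elif m := KEY_RE.match(line):
            pix["isakmp_peers"].add(m.group(1))
        elif m := TS_RE.match(line):
            pix["transform_sets"].add(m.group(1))
        elif m := NAT0_RE.match(line):
            pix["nat0_acl"] = m.group(1)
        elif m := CMAP_RE.match(line):
            name, seq, key, val = m.groups()
            pix["crypto_maps"].setdefault((name, int(seq)), {})[key] = val
    return pix


def check_vpn(pix, peer_side):
    """Return a list of findings; an empty list means the entry is consistent."""
    findings = []
    for (name, seq), entry in sorted(pix["crypto_maps"].items()):
        acl_name = entry.get("match address")
        if acl_name not in pix["acls"]:
            findings.append(f"{name} {seq}: crypto ACL {acl_name!r} is not defined")
            continue
        peer = entry.get("set peer")
        if peer not in pix["isakmp_peers"]:
            findings.append(f"{name} {seq}: no isakmp key configured for peer {peer}")
        if entry.get("set transform-set") not in pix["transform_sets"]:
            findings.append(f"{name} {seq}: transform set {entry.get('set transform-set')!r} is not defined")
        crypto_acl = pix["acls"][acl_name]
        # Traffic selected for encryption must also be exempted from NAT (nat 0).
        nonat = pix["acls"].get(pix["nat0_acl"], [])
        for src, dst in crypto_acl:
            if (src, dst) not in nonat:
                findings.append(f"{name} {seq}: {src} -> {dst} is encrypted but not NAT-exempted")
        if peer == peer_side["peer_ip"]:
            # Both sides must agree on the encryption domain, otherwise the
            # proxy IDs in IKE phase 2 will not match.
            want = {(ipaddress.ip_network(a), ipaddress.ip_network(b))
                    for a in peer_side["pix_domain"] for b in peer_side["checkpoint_domain"]}
            have = set(crypto_acl)
            for src, dst in have - want:
                findings.append(f"{name} {seq}: PIX encrypts {src} -> {dst} but the Check Point domain does not include it")
            for src, dst in want - have:
                findings.append(f"{name} {seq}: Check Point expects {src} -> {dst} but ACL {acl_name} lacks it")
    return findings


if __name__ == "__main__":
    for finding in check_vpn(parse_pix(PIX_CONFIG), CHECKPOINT_SIDE) or ["no findings"]:
        print(finding)
```

Run against the page's configuration the checker reports nothing; change one network in CHECKPOINT_SIDE (or drop the nat 0 line) and it names the exact selector pair that the two sides disagree on, which is the comparison Problem B asks you to make by hand.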

Debugging

Below is a subset of commands which can be used for the troubleshooting of VPN issues.

PIX

  • debug crypto ipsec 7
  • debug crypto isakmp 7
  • no debug all

Check Point

  • vpn debug trunc
  • vpn debug off; vpn debug ikeoff

Note: the debug files are located at $FWDIR/log/ike.elg and $FWDIR/log/vpnd.elg.

Tags: VPN

About the Author


R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001