CheckPoint Virtual Private Network (VPN) Interoperation Suggestion
Problem or Goal:
Checkpoint Next Generation (NG) Cluster VPN: VPN to Checkpoint is not working, fails Phase 2 IKE negotiation, and Bad SPI messages are logged.
Solution:
Perform a debug ike detail to confirm the CheckPoint is trying to negotiate this SA; otherwise this additional configuration is not needed. An additional VPN policy may be needed that includes the external interface of the Checkpoint as the destination and the internal network on the NetScreen trust side as the source.
Example:

NetScreen trust Network: 192.168.1.0
NetScreen untrust IP: 10.1.1.1
Checkpoint Internal Network: 192.168.2.0
Checkpoint External IP: 10.10.1.2
Policies Required on the NetScreen side:
- An outgoing and incoming VPN policy is needed to go from 192.168.1.0 to 192.168.2.0.
- An additional policy may be needed from 192.168.1.0 to 10.10.1.2 (the Checkpoint's External IP address).
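The following is an added illustration, not part of the original article: it models how a NetScreen checks each Phase 2 proxy-ID pair the CheckPoint proposes against its VPN policies, using the addresses from the example above. The policy list and the proxy-ID layout are constructed for illustration; the point is that the proposal to the CheckPoint's external IP with a host mask has no matching policy until the extra one is added.

```python
# Added example (not from the NetScreen KB article): models Phase 2 proxy-ID
# matching against NetScreen VPN policies.  Addresses are those of the
# article's example; the policy and proposal lists are constructed.
from ipaddress import ip_network

# Constructed: NetScreen policies as (trust-side subnet, remote subnet).
BASE_POLICIES = [
    ("192.168.1.0/24", "192.168.2.0/24"),   # NetScreen trust <-> CheckPoint internal
]

# Constructed: the additional policy to the CheckPoint external IP (host mask).
EXTRA_POLICY = ("192.168.1.0/24", "10.10.1.2/32")

# Constructed: what a CheckPoint NG cluster may try to negotiate -- the normal
# network pair, plus a second SA to its own untrust interface IP with a /32.
CHECKPOINT_PROPOSALS = [
    ("192.168.1.0/24", "192.168.2.0/24"),
    ("192.168.1.0/24", "10.10.1.2/32"),
]


def policy_matches(policy, local_id, remote_id):
    """True if both proxy-IDs of a Phase 2 proposal fall inside the policy's
    source and destination addresses (the containment test a policy-based
    VPN applies before it will accept the SA)."""
    pol_local, pol_remote = (ip_network(p) for p in policy)
    return (ip_network(local_id).subnet_of(pol_local)
            and ip_network(remote_id).subnet_of(pol_remote))


def phase2_accepted(policies, local_id, remote_id):
    """A proposal is accepted if any configured policy covers it."""
    return any(policy_matches(p, local_id, remote_id) for p in policies)


def negotiate(policies, proposals):
    """Map each (local, remote) proxy-ID pair to whether Phase 2 would succeed."""
    return {prop: phase2_accepted(policies, *prop) for prop in proposals}


if __name__ == "__main__":
    # Without the extra policy the /32 proposal fails Phase 2; with it, both pass.
    print("before:", negotiate(BASE_POLICIES, CHECKPOINT_PROPOSALS))
    print("after: ", negotiate(BASE_POLICIES + [EXTRA_POLICY], CHECKPOINT_PROPOSALS))
```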
Here is the problem or goal:
- VPN to Checkpoint is not working
- Fails Phase 2 IKE negotiation
- Bad SPI Messages
- NetScreen to CheckPoint Virtual Private Network (VPN) Interoperation
Problem Environment:
- Checkpoint Next Generation (ng) Cluster VPN
Causes of this problem:
- CheckPoint VPN configuration instructions sometimes lead CheckPoint administrators to create a VPN setting that includes an additional VPN to the Untrusted interface IP of the CheckPoint with a host mask.
Additional Information:
Perform a debug ike detail to confirm the CheckPoint is trying to negotiate this SA, otherwise this additional configuration is not needed.
Applicable Products:
- NetScreen-5
- NetScreen-5XP
- NetScreen-10
- NetScreen-25
- NetScreen-50
- NetScreen-100
- NetScreen-204
- NetScreen-208
- NetScreen-500
- NetScreen-1000
Applicable ScreenOS:
- 2.6.0
- 2.6.1
- 2.7.1
- 2.8.0
- 2.8.1
- 3.0.0
- 3.0.1
- 3.0.2
- 3.0.3
- 3.1.0
- 4.0.0
- 4.0.0-DIAL
- 4.0.0-DIAL2
- 4.0.1
- 4.0.2
- 4.0.3
Interoperability