CheckPoint Virtual Private Network (VPN) Interoperation Suggestion

  [KB5167]


Summary:
CheckPoint Virtual Private Network (VPN) Interoperation Suggestion
Symptoms:
  • Checkpoint Next Generation (ng) Cluster VPN
  • VPN to Checkpoint is not working
  • Fails Phase 2 IKE negotiation
  • Bad SPI Messages

Perform a debug ike detail to confirm the CheckPoint is trying to negotiate this SA; otherwise this additional configuration is not needed.
Solution:

An additional VPN policy may be needed whose destination is the external interface IP of the Checkpoint and whose source is the internal network on the NetScreen trust side.

Example:

NetScreen trust Network: 192.168.1.0
NetScreen untrust IP: 10.1.1.1
Checkpoint Internal Network: 192.168.2.0
Checkpoint External IP: 10.10.1.2

Policies Required on the NetScreen side:

  1. Outgoing and incoming VPN policies are needed from 192.168.1.0 to 192.168.2.0.
  2. An additional policy may be needed from 192.168.1.0 to 10.10.1.2 (the Checkpoint's External IP address).
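The two policy pairs above expressed as ScreenOS CLI, as an added example that is not part of the original article. It assumes ScreenOS 4.x zone-based syntax, an AutoKey IKE VPN named "To-CheckPoint" already configured to the CheckPoint gateway, and illustrative address-book names; lines starting with # are annotations, not commands.

```screenos
# Address-book entries (names are illustrative; addresses are from the article's example)
set address trust "Trust-LAN" 192.168.1.0 255.255.255.0
set address untrust "CP-LAN" 192.168.2.0 255.255.255.0
set address untrust "CP-External" 10.10.1.2 255.255.255.255

# Policy pair 1: NetScreen trust network <-> CheckPoint internal network
# (for a policy-based VPN the policy source/destination become the Phase 2 proxy IDs)
set policy from trust to untrust "Trust-LAN" "CP-LAN" any tunnel vpn "To-CheckPoint"
set policy from untrust to trust "CP-LAN" "Trust-LAN" any tunnel vpn "To-CheckPoint"

# Policy pair 2: trust network <-> CheckPoint external IP with a host mask.
# Add only if debug ike detail shows the CheckPoint proposing this SA.
set policy from trust to untrust "Trust-LAN" "CP-External" any tunnel vpn "To-CheckPoint"
set policy from untrust to trust "CP-External" "Trust-LAN" any tunnel vpn "To-CheckPoint"

# Confirm which proxy IDs the CheckPoint proposes before adding pair 2
debug ike detail
get dbuf stream
undebug all
```

Without pair 2, a Phase 2 proposal for 10.10.1.2/32 has no matching policy on the NetScreen, which is what shows up as a failed Phase 2 negotiation and Bad SPI messages.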

Here is the problem or goal:

  • VPN to Checkpoint is not working
  • Fails Phase 2 IKE negotiation
  • Bad SPI Messages
  • NetScreen to CheckPoint Virtual Private Network (VPN) Interoperation

Problem Environment:

  • Checkpoint Next Generation (ng) Cluster VPN

Causes of this problem:

  • CheckPoint VPN configuration instructions sometimes lead CheckPoint administrators to create a VPN setting that includes an additional VPN to the Untrusted interface IP of the CheckPoint with a host mask.

Additional Information:

Perform a debug ike detail to confirm the CheckPoint is trying to negotiate this SA; otherwise this additional configuration is not needed.

Applicable Products:

  • NetScreen-5
  • NetScreen-5XP
  • NetScreen-10
  • NetScreen-25
  • NetScreen-50
  • NetScreen-100
  • NetScreen-204
  • NetScreen-208
  • NetScreen-500
  • NetScreen-1000

Applicable ScreenOS:

  • 2.6.0
  • 2.6.1
  • 2.7.1
  • 2.8.0
  • 2.8.1
  • 3.0.0
  • 3.0.1
  • 3.0.2
  • 3.0.3
  • 3.1.0
  • 4.0.0
  • 4.0.0-DIAL
  • 4.0.0-DIAL2
  • 4.0.1
  • 4.0.2
  • 4.0.3
