
CheckPoint Virtual Private Network (VPN) Interoperation Suggestion


Article ID: KB5167 | Last Updated: 28 Jun 2010 | Version: 3.0
Summary:
CheckPoint Virtual Private Network (VPN) Interoperation Suggestion
Symptoms:
  • Checkpoint Next Generation (NG) Cluster VPN
  • VPN to Checkpoint is not working
  • Fails Phase 2 IKE negotiation
  • Bad SPI messages

Solution:

In addition to the subnet-to-subnet policy, a second VPN policy may be needed whose destination is the external interface IP of the Checkpoint (host address) and whose source is the internal network on the NetScreen trust side.

Example:

NetScreen trust Network: 192.168.1.0
NetScreen untrust IP: 10.1.1.1
Checkpoint Internal Network: 192.168.2.0
Checkpoint External IP: 10.10.1.2

Policies Required on the NetScreen side:

  1. An outgoing and an incoming VPN policy are needed between 192.168.1.0 and 192.168.2.0.
  2. An additional policy pair may be needed between 192.168.1.0 and 10.10.1.2 (the Checkpoint's external IP address).
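The policy set from steps 1 and 2 as it would look in ScreenOS CLI, added here as an illustration and not taken from the article. Address-book names, /24 masks, proposal names and the pre-shared key are assumptions (the article gives no masks), the lines starting with # are annotations to strip before pasting, and the exact ike gateway syntax varies across the ScreenOS releases listed below.

```screenos
# Address book entries (names and /24 masks are assumptions; the article gives no masks)
set address trust "local-lan" 192.168.1.0 255.255.255.0
set address untrust "cp-internal" 192.168.2.0 255.255.255.0
# Host entry for the Checkpoint external interface: this matches the host-mask SA
# that the Checkpoint proposes when its own untrusted interface is part of the VPN domain
set address untrust "cp-external" 10.10.1.2 255.255.255.255

# Phase 1 gateway and Phase 2 VPN (proposal names and pre-shared key are placeholders)
set ike gateway "cp-gw" address 10.10.1.2 main preshare "REPLACE-WITH-SHARED-SECRET" proposal "pre-g2-3des-sha"
set vpn "cp-vpn" gateway "cp-gw" proposal "g2-esp-3des-sha"

# Step 1: subnet-to-subnet policies, outgoing and incoming
set policy id 1 from trust to untrust "local-lan" "cp-internal" any tunnel vpn "cp-vpn"
set policy id 2 from untrust to trust "cp-internal" "local-lan" any tunnel vpn "cp-vpn"

# Step 2: additional policy pair for the Checkpoint external IP itself.
# Without these, the Phase 2 proposal for 10.10.1.2/32 matches no policy and fails.
set policy id 3 from trust to untrust "local-lan" "cp-external" any tunnel vpn "cp-vpn"
set policy id 4 from untrust to trust "cp-external" "local-lan" any tunnel vpn "cp-vpn"

# Verification: confirm the peer really proposes the host-mask SA before adding policies 3 and 4
debug ike detail
get dbuf stream
get sa
```

Only add policies 3 and 4 if the IKE debug output shows the Checkpoint negotiating a Phase 2 SA for its external address; otherwise they create an unused SA.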

Here is the problem or goal:

  • VPN to Checkpoint is not working
  • Fails Phase 2 IKE negotiation
  • Bad SPI Messages
  • NetScreen to CheckPoint Virtual Private Network (VPN) Interoperation

Problem Environment:

  • Checkpoint Next Generation (ng) Cluster VPN

Causes of this problem:

  • CheckPoint VPN configuration instructions sometimes lead CheckPoint administrators to create a VPN setting that includes an additional VPN to the untrusted interface IP of the CheckPoint with a host mask.

Additional Information:

Run debug ike detail to confirm that the CheckPoint is trying to negotiate this SA; otherwise this additional configuration is not needed.

Applicable Products:

  • NetScreen-5
  • NetScreen-5XP
  • NetScreen-10
  • NetScreen-25
  • NetScreen-50
  • NetScreen-100
  • NetScreen-204
  • NetScreen-208
  • NetScreen-500
  • NetScreen-1000

Applicable ScreenOS:

  • 2.6.0
  • 2.6.1
  • 2.7.1
  • 2.8.0
  • 2.8.1
  • 3.0.0
  • 3.0.1
  • 3.0.2
  • 3.0.3
  • 3.1.0
  • 4.0.0
  • 4.0.0-DIAL
  • 4.0.0-DIAL2
  • 4.0.1
  • 4.0.2
  • 4.0.3

