
Checkpoint to Cisco VPN and traditional mode


jolly403

MIS
Jul 5, 2005
We have a Checkpoint NGX R60 running on a Dell PowerEdge with Windows 2000 server. Everything works fine except the VPN. I am editing the firewall object and then selecting VPN, under VPN I am clicking on the "Traditional mode configuration" button but I am not getting the subsequent page where we enter the encryption and hash methods.

Under Global Properties, I set the Smart Dashboard Customization>Create Checkpoint Gateways using classic mode (both options there) but that seemed to have no effect. The VPN-1 Edge/Embedded Gateway tab shows nothing about traditional mode. Additionally, when I click on the "VPN Properties" tab of either of the gateways, the program sits there and thinks about it for a second, then the whole program closes out. I have read and followed both the Checkpoint documentation on VPNs as well as the Cisco guide for creating a VPN between Checkpoint and Cisco (which is what I'm trying to accomplish). Haven't actually tried to get the VPN to the remote agency connected yet, but from what I've read I need to be using traditional mode rather than simplified mode so that I can set the additional IKE parameters.

This morning I updated the FW to R61. During the upgrade I chose the following products:
VPN-1 Pro
SmartCenter
Eventia Reporter
SmartConsole

Machine is a Dell PowerEdge 1850 2.4GHz with 1GB Ram running Windows 2000 Server.

I know, too many products and Windows 2000?!!! This has been an evolving project for me. When I previously tried to load it with the SecurePlatform and/or other platforms, I ran into several issues and ran out of time so I had reverted back to what I knew I could get working. I'm not done working towards a better platform, just waiting on spare hardware to make the change.

Another thing I noticed: I can get a lot of the VPN associated settings created, i.e. create community, add members... and in the SmartMonitor console, the VPN status shows OK. On the firewall object, VPN is checked. However, when I created a rule to allow traffic from/to the VPN members, in the action column there was no choice for "encrypt"; this is where I thought I had read that you can set some of the additional IKE properties. If on the VPN Community general page I check the "accept all encrypted traffic" box, an automatic rule does get created but you can't modify any of the entries in it because it is a system created rule.

Otherwise this FW installation is functioning normally. Seems like the root of the problem lies in not being able to switch to traditional mode.

Thanks in advance.
Brian
 
In the smart dashboard, click Policy, Global properties
Choose the VPN tab, and tick Traditional or simplified mode per new Security policy, and ok out.

Then go File, New and save your policy. You will then need to create a new policy. Tick Security & address translation and you should be able to choose Traditional mode.

OK this

You should then be able to create your VPNs using traditional mode (although you will have to re-create your original policy).

Stu


 
Thank you for replying.

I don't know if I have something messed up or am having a brain lapse, but I'm just not finding this on my screens:

"Choose the VPN tab, and tick Traditional or simplified mode per new Security policy, and ok out."

Might there be something in one of the config files that I need to unremark?

Regards
Brian
 
In the smart dashboard, click Policy, Global properties.

You should have a list of options running down the left of the window. One of these should be VPN. If it isn't then mail me a screen shot of what you do have... I'd be interested to see it :eek:) am on stuart wisdom@hot mail.com obviously without the spaces

P.S. I've had a few beers so if I don't make sense, ignore me, or call me an idiot :eek:)
 
I think the reason you don't have the same menus as everyone else is that you have a/some vpn edge embedded objects but no vpn gateway objects.

I don't use the edge stuff so can't really help
 
That's what confuses me. I don't know where this Edge thing came from.

Developments since my last post: I was adjusting a setting related to the HTTP resource (something about http headers) and I got a nasty blue screen/debugging. After rebooting, internet connectivity was lost and I kept getting an error about the certificate authority not being started. Tried a few things like deleting all the certificates and the command fwm sic_reset, but couldn't get anything to work. In a slight panic, I wiped the machine and loaded SPLAT. I'm back in business as far as the firewall goes, but still experiencing the VPN issue. Maybe something on my license is wrong.

Thanks for looking into this.
Regards
Brian
 
It is unlikely to be a license issue. I'd delete the firewall object from the policy (the vpn edge embedded object), save it, close dashboard and reload it, and then re-add as a new checkpoint VPN Pro/Express gateway.

This will mean you will need to re-establish SIC and all that business, so you will be looking at an outage for whatever is behind this firewall.

Stu
 
I just found out from Checkpoint account services that the product I have isn't a VPN product. I only have the Firewall-1 gateway. Here I've been for all these years thinking one thing and then...I'm working through the upgrade paperwork, so I should have this resolved soon.

Sorry to have bothered you with this; something I should have known.

Regards
Brian
 