VPN IKE NAT Traversal Problems
Hello!
I'm testing and trying to create a workable topology, where my Checkpoint 1530 firewall stands in front of the network with NAT on the WAN, and behind it is the Cisco 800, on which I need to do some VLAN work, access lists for the internal network, etc. I also prefer to create the Site-to-Site VPN on it, because the Checkpoint 1530 doesn't have strong encryption methods, only a DES method for IKE1 and IKE2.
So I configured the Main office and the Branch office Cisco for site-to-site IPsec (screen). When I try to ping a PC from the Main Office to the Branch (through the Checkpoint) I have no problem: the tunnel opens and establishes, and packets are received by the Branch PCs. Logs showed me that NAT-T on the 1530 worked with no problem at this point.
But if I stop the ping process from the Main Office, or when I try to ping a PC from the Branch Office to the Main, the tunnel doesn't open, because the Checkpoint catches the packets with the IKE proposal and thinks that the Cisco from the Branch Office is trying to establish the tunnel with it. You can see it in my screenshot named "Log".
So, any ideas how I can pass incoming VPN traffic through the Checkpoint without the Checkpoint accepting it itself?
> Checkpoint 1530 doesn't have strong encryption methods, like only a DES method for IKE1 and IKE2.
I am pretty sure this statement is totally false, unless you are in a country where encryption methods are limited, such as Russia or maybe China. Which version are you running on your SMB appliance?
It's R80.20.01 and yes, it's Russia, but we don't have a problem with DH group 2 or 5 in Cisco, for example. But Checkpoint gives me only group 1.
Also, if you ask me why I can't upgrade it: just because after the upgrade I have several errors, on which support is working, so that's why I need the working scheme with the Cisco behind.
@Amir_Aliev can you please comment on SW here?
Fresh install (not upgrade) to latest firmware with USB flash should resolve limited encryption issue.
Hello!
How can I do that? Where can I find a detailed manual or instructions? Will all my current settings be erased?
All releases and documentation are available on the product page. For the config, if it is a locally managed appliance, save config file before re-imaging. The appliance will be reset to factory defaults, but you can apply the saved config during the first time wizard.
