Thread: trad. VPN settings in simp. mode




trad. VPN settings in simp. mode
user name
2006-11-23 07:49:12
Dear List members,

I have a customer who wants to establish a site-to-site VPN between a FP2 cluster and a Cisco 2621 router. I know there are some pitfalls in setting something like this up. Anybody has some good info or documents related to setting up this kind of VPN?
Note: the customer does not want to upgrade to a newer version of FW.

The current firewall object is defined as a "simplified mode" object. I know in R55 that you have the button "traditional mode configuration..." in the VPN tab of the FW object to allow IKE settings for these kind of VPN tunnels, but I don't have this button in the object of the FP2 policy. Does anybody know where I have to set the traditional settings? Or must I revert back to creating a "traditional" object and then do the settings?

David

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================
trad. VPN settings in simp. mode
user name
2006-11-23 08:38:48
David CALLEBAUT [AEMS Be] wrote:
> Dear List members,
>
> I have a customer who wants to establish a site-to-site VPN between a FP2 cluster and a Cisco 2621 router. I know there are some pitfalls in setting something like this up. Anybody has some good info or documents related to setting up this kind of VPN?
> Note: the customer does not want to upgrade to a newer version of FW.
>
> The current firewall object is defined as a "simplified mode" object. I know in R55 that you have the button "traditional mode configuration..." in the VPN tab of the FW object to allow IKE settings for these kind of VPN tunnels, but I don't have this button in the object of the FP2 policy. Does anybody know where I have to set the traditional settings? Or must I revert back to creating a "traditional" object and then do the settings?
>
The IKE settings can be set on the VPN community properties. There is a way to also set the parameters on every gateway, but it's better to have the same settings on each gateway that participates in the same community, so each time you change a parameter, you don't have to change it for your n gateways.

Hope this'll help.
> David
trad. VPN settings in simp. mode
user name
2006-11-23 09:43:27
On Thu, 23 Nov 2006, David CALLEBAUT [AEMS Be] wrote:

> I have a customer who wants to establish a site-to-site VPN between a FP2 cluster and a Cisco 2621 router. I know there are some pitfalls in setting something like this up. Anybody has some good info or documents related to setting up this kind of VPN?

You can find one in the Check Point knowledgebase.

> Note: the customer does not want to upgrade to a newer version of FW.

And you made the customer aware that there are security issues that are unsolved in this version? The oldest version to get security fixes is FP3 and in my experience FP3 was the first really stable version of NG.

All one can do is tell someone (s)he is pointing a gun at their own feet in a trigger happy world.

Hugo.

-- 
	hvdkooijvanderkooij.org	http://hvdkooij.xs4all.nl/

	    This message is using 100% recycled electrons.

trad. VPN settings in simp. mode
user name
2006-11-23 14:00:15
Simplified mode will NOT work in NG Feature Pack 2 in "pre-share" key method. This is one of the caveats in NG Feature Pack 2. I got burned by this three years ago. You can only use traditional mode for this. You need to convert the policy from "simplified" to "traditional" mode, which I don't think is possible either. You will have to create a new policy from scratch. You can convert the policy from "traditional" to "simplified" but not the other way around.

The problem is that neither Nokia nor Checkpoint is supporting NG FP3 or lower anymore, unless you are willing to shell out big $$$ for this. Even then, your problem still exists, that "pre-share" key does not work in NG Feature Pack 2 simplified mode in Nokia.

Hugo van der Kooij <hvdkooijVANDERKOOIJ.ORG> wrote:
> On Thu, 23 Nov 2006, David CALLEBAUT [AEMS Be] wrote:
>
> > I have a customer who wants to establish a site-to-site VPN between a FP2 cluster and a Cisco 2621 router. I know there are some pitfalls in setting something like this up. Anybody has some good info or documents related to setting up this kind of VPN?
>
> You can find one in the Check Point knowledgebase.
>
> > Note: the customer does not want to upgrade to a newer version of FW.
>
> And you made the customer aware that there are security issues that are unsolved in this version? The oldest version to get security fixes is FP3 and in my experience FP3 was the first really stable version of NG.
>
> All one can do is tell someone (s)he is pointing a gun at their own feet in a trigger happy world.
>
> Hugo.
>
> --
> hvdkooijvanderkooij.org http://hvdkooij.xs4all.nl/
>
> This message is using 100% recycled electrons.
