Tuesday, 8 January 2013

Checkpoint IPSec VPN with Non-Checkpoint Products (Such as, PFsense, DrayTek etc.)



Non-Check Point products does not have "ike_use_largest_possible_subnets (supernetting)" feature, this is the reason why we need to disable that feature on Check Point.
(Exchanging keys with another vendor gateway uses largest possible subnet –Check Point uses the best possible subnet to increase the performance while doing IKE key exchanges by default)

DNS packets should not be allowed firstly, otherwise that results DNS resolution problems for VPN domains.

------------------------------------------------------------------------------------
# dbedit

Enter Server name (ENTER for 'localhost'): 



Enter User Name: fwadmin

Enter User Password: abc123



Please enter a command, -h for help or -q to quit: 

dbedit> modify properties firewall_properties ike_use_largest_possible_subnets false



dbedit> update properties firewall_properties

firewall_properties updated successfully.



dbedit> quit

#

-----------------------------------------------------------
 
and You can configure the "max_subnet_for_range" table in "user.def" file on the Security Management Server / Domain Server. This table is designed to force VPN-1/FireWall-1 to negotiate IPSEC SAs using a specific subnet mask for a given IP address range;
max_subnet_for_range = {<first_IP_in_range, last_IP_in_the_range; subnet_mask>, <first_IP_in_range, last_IP_in_the_range; subnet_mask>, <first_IP_in_range, last_IP_in_the_range; subnet_mask>};

Example;
#ifndef __user_def__ 
#define __user_def__ 

// 
// User defined INSPECT code//
max_subnet_for_range = {
<0.0.0.0, 10.29.39.255; 255.255.255.0>,<10.29.40.0, 10.29.50.255; 255.255.255.255>,<10.29.51.0, 255.255.255.255; 255.255.0.0>};#endif /* __user_def__ */




No comments:

Post a comment