Non-Check Point products does not have "ike_use_largest_possible_subnets (supernetting)" feature, this is the reason why we need to disable that feature on Check Point.
(Exchanging keys with another vendor gateway uses
largest possible subnet –Check Point uses the best possible subnet to increase the performance while doing IKE key exchanges by default)
DNS packets should not be allowed firstly, otherwise that results DNS resolution problems for VPN domains.
------------------------------------------------------------------------------------
# dbedit Enter Server name (ENTER for 'localhost'): Enter User Name: fwadmin Enter User Password: abc123 Please enter a command, -h for help or -q to quit: dbedit> modify properties firewall_properties ike_use_largest_possible_subnets false dbedit> update properties firewall_properties firewall_properties updated successfully. dbedit> quit #
-----------------------------------------------------------
and You can configure the "max_subnet_for_range" table in "user.def" file on the Security Management Server / Domain Server. This table is designed to force VPN-1/FireWall-1 to negotiate IPSEC SAs using a specific subnet mask for a given IP address range;
max_subnet_for_range = {<first_IP_in_range, last_IP_in_the_range; subnet_mask>, <first_IP_in_range, last_IP_in_the_range; subnet_mask>, <first_IP_in_range, last_IP_in_the_range; subnet_mask>};
Example;
#ifndef __user_def__
#define __user_def__
// // User defined INSPECT code//
max_subnet_for_range = {<0.0.0.0, 10.29.39.255; 255.255.255.0>,<10.29.40.0, 10.29.50.255; 255.255.255.255>,<10.29.51.0, 255.255.255.255; 255.255.0.0>};#endif /* __user_def__ */
No comments:
Post a Comment