
ASA to Checkpoint R70 VPN tunnel

Colin Higgins
Level 2

I have an ASA running 8.4(2) code.

I have been trying to get a VPN tunnel established between this device and a Checkpoint R70 firewall, but have been getting nowhere.

The settings are:

Encap: ESP
Encryption: AES256
Hash: SHA1
DH: Group 2 (1024)
Authentication: pre-share
Lifetime: 1440 min / 4096000 KB

I can open the tunnel from the ASA to the Checkpoint, but the Checkpoint cannot open a tunnel with the ASA. It looked like the issue originally was the KB timeout, which was turned off on the Checkpoint side. They have since added that (4096000), but we are getting Phase 2 failures.

Has anyone here been able to create a tunnel between an ASA running 8.4(2) and a Checkpoint R70?

I am beginning to think that I have incompatible systems.

Is it a PFS issue? If so, how do I enable that in the policy section?

1 Reply

Colin Higgins
Level 2

I can answer my own question... got it working.

PFS needs to be turned on.

In 8.4(2) code, the KB timeout (SA) CANNOT be turned off: any 3rd-party firewall needs to have this on in order for a tunnel to work (spent a week figuring that out).

So yes: you can get a tunnel up and running between these two systems, but it is a bit more rigid now.
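For reference, here is what the ASA side of the configuration described in this thread looks like on 8.4(x) IKEv1 syntax, with PFS enabled and both the time-based and the kilobyte-based Phase 2 lifetimes set explicitly so they match the Checkpoint. This is an added example, not configuration posted by the original author: the peer address 203.0.113.2, the interface name "outside", the subnets 10.1.0.0/16 and 10.2.0.0/16, and all object, ACL, transform-set and crypto-map names are placeholders you must replace with your own values. The 86400-second lifetime is the post's 1440 minutes expressed in seconds.

```cisco
! --- Phase 1 (IKEv1): AES-256 / SHA-1 / DH group 2 / pre-shared key ---
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! --- Phase 2 transform set: ESP with AES-256 and SHA-1 HMAC ---
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! --- Interesting traffic (placeholder subnets; replace with yours) ---
object network LOCAL-LAN
 subnet 10.1.0.0 255.255.0.0
object network REMOTE-LAN
 subnet 10.2.0.0 255.255.0.0
access-list VPN-TO-CHKP extended permit ip object LOCAL-LAN object REMOTE-LAN

! --- NAT exemption (8.3+ twice-NAT syntax) so VPN traffic is not translated ---
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup

! --- Crypto map: PFS on (group 2), and BOTH Phase 2 lifetimes stated explicitly ---
! Per the thread, leaving the kilobyte lifetime mismatched was the cause of the
! Phase 2 failures; 1440 min = 86400 s, and 4096000 KB matches the Checkpoint side.
crypto map OUTSIDE-MAP 10 match address VPN-TO-CHKP
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 10 set pfs group2
crypto map OUTSIDE-MAP 10 set security-association lifetime seconds 86400
crypto map OUTSIDE-MAP 10 set security-association lifetime kilobytes 4096000
crypto map OUTSIDE-MAP interface outside

! --- LAN-to-LAN tunnel group keyed by the peer address (placeholder PSK) ---
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-PSK
```

After bringing the tunnel up from either side, `show crypto ikev1 sa` confirms Phase 1 (state should reach MM_ACTIVE), and `show crypto ipsec sa peer 203.0.113.2` shows the negotiated Phase 2 parameters, including a "PFS (Y/N)" line with the DH group and the remaining key lifetime in both kB and seconds. If the Checkpoint can only initiate once PFS is on, compare those two values against what the Checkpoint administrator has configured; a mismatch in any of them (PFS group, seconds, or kilobytes) shows up on the ASA as a Phase 2 proposal mismatch in `debug crypto ipsec`.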