Solved: PIX to Checkpoint 4.1 VPN one-way initiation

briapolo · ‎09-05-2003

Peering up my PIX (6.2) with another company's Checkpoint 4.1 for a VPN connection. One problem - the tunnel only comes up if the traffic is initiated by the Checkpoint (obviously, I can't see the config) and then everything works fine. If my PIX tries to initiate the connection - nothing is working. Is this common? Do we have our SA lifetimes set to different values?

Would really appreciate if someone can point me in the right direction.

gfullage · ‎09-08-2003

Yes, 86400 is the highest you can go, you wouldn't want your tunnels to be up for 14 days straight.

View solution in original post

gfullage · ‎09-06-2003

You probably have your Phase 1/IKE lifetimes set differently. Phase 2 lifetimes will negotiate to the lower value, but Phase 1 won't. If the intiator's lifetime is higher than the responder's, the responder won't accept it. Make them the same on both sides.

FYI, the PIX Phase 1 lifetime defaults to 24 hrs, 86400 seconds.

briapolo · ‎09-08-2003

thank you. My peer has his lifetimes enables globally to almost 14 days. I have tried to set the PIX to the same value, but found out that 86400 is as high as you can go - is this a security feature than cannot be overriden?

gfullage · ‎09-08-2003

Yes, 86400 is the highest you can go, you wouldn't want your tunnels to be up for 14 days straight.

bphelps · ‎10-07-2003

I've got a similar situation. PIX to PIX VPN, and the tunnel only initiates in one direction. But after it is up, both LANs communicate.

I verified the isakmp lifetime was set to 86400 on both PIXes. They are both running 6.3.2.