TOPIC: PIX VPN Hotfix




I'm trying to set up VPNs with our Cisco PIXs around Europe, which currently work on our FW1 4.1 box. I'm not having much success and have found Phoneboy's hotfix recommendation in his book. I can't seem to find the hotfix on Checkpoint's site anymore; is that because it's part of the R55 update?


I'm running NG FP3 on Windows 2000. I've not got any of the hotfix packs on yet.


Thanks in advance for your help. :)



__________________
Neil



You want to contact me offline?

__________________



I can tell you that my VPN tunnel works fine between Cisco PIX and SecurePlatform NG with AI R55 HFA008-001. I don't know enough about CP running on Windows to give you any advice. I personally hate Microsoft Windows. Anything that runs on Windows, in my opinion, is a bad idea. Then again, as a Linux geek, I am biased.


With NG AI R55 HFA008-001, VPN traffic can be initiated by either side. This wasn't the case with NG Feature Pack 3 HF1 (or HF2) and earlier, 4.1 included. With earlier versions of Checkpoint, any time traffic is initiated from the Checkpoint side, it generates a "malformed" payload. I work for a Managed Service Provider and I've seen it countless times. When that happens, the VPN tunnel must be cleared on both sides and the traffic must be initiated from the PIX side. After that everyone is happy.



With Checkpoint NG Feature Pack 3 HFA317 or higher, this problem is fixed. I don't know what else to tell you except to upgrade your firewall to HFA008-001. Furthermore, when testing VPN connectivity between Checkpoint and PIX, make sure you clear the tunnel on both sides. On the Checkpoint side, use the "vpn tu" utility to clear the tunnel. Again, this command works on both Nokia and SecurePlatform, so I don't know if it is applicable in your situation. On the PIX side, you want to use "clear isakmp sa" and "clear ipsec sa" to clear the tunnel.


One last point that I want to make is that, whenever possible, use the "simplified" method to configure your VPN, since this is the preferred method in Checkpoint NG. I prefer this method because each VPN tunnel has its own parameters, which is much more desirable than the "traditional" method. If you have to set up VPNs between Cisco PIX and Netscreen at the same time, simplified mode is the way to go.


In Checkpoint 4.1, if you want to clear the VPN tunnel without repushing the policy, here is the way to do it:


echo yes | fw tab -t IKE_SA_table -x
echo yes | fw tab -t outbound_SPI -x
echo yes | fw tab -t inbound_SPI -x



__________________



Thanks for your reply. I'm going to try and get it running this weekend. I'll let you know how I get on.





__________________
Neil



Thanks ccseng2002, it's all working now.


A couple of points for future reference:


1) The old 4.1 firewall was using 3DES and SHA1, this needed to be changed to 3DES and MD5 on PIX and CP. We couldn't get SHA1 to work at all.


2) Remember your NAT rules even in simplified VPN mode. This had me scratching my head for 20 mins. Doh!!


Neil



__________________
Neil



Neil,


You must be missing something. I have the VPN between PIX and Checkpoint 4.1 working just fine with 3DES/SHA1.


The other thing you need to remember is that you do NOT need the "no nat" rule in simplified mode. In the VPN community setup, there is a checkbox that allows you to disable NAT inside the VPN community. If you check this box, then you don't need the "no nat" rule. It is a different story if you are using double NAT or something.


Now that you have NG with AI up and running, you may want to look at AES256/sha1 setup.  It's faster and more secure.



__________________



Thanks,


We were running 3DES/SHA1 on the old 4.1 box, but when we came to install NG the VPN would only work with 3DES/MD5.


We will be moving to AES once we get some time to set it up.



__________________
Neil
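The two sticking points in this thread, the 3DES/SHA1 versus 3DES/MD5 mismatch and the later suggestion to move to AES256/SHA1, both come down to IKE proposal selection: the responder accepts the first proposal in the initiator's list that it can match, so a single disagreeing attribute (here the hash) kills the tunnel, and the initiator's ordering decides which cipher wins when both sides offer several. The following model of that selection is an added example and is not code from the thread or from either vendor; the proposal lists are constructed to reproduce the thread's scenario, and the vendor keyword spellings in the alias table are an assumption used only for normalisation. It does not model SA lifetimes or vendor-specific defaults.

```python
"""Model IKE proposal selection between a Cisco PIX and a Check Point gateway.

Added example, not code from the forum thread or either vendor. The alias
table and the proposal lists are constructed for illustration.
"""
from dataclasses import dataclass, fields
from typing import List, Optional, Sequence, Tuple

# Map each vendor's spelling of an algorithm to one canonical name so that
# "esp-sha-hmac" on the PIX and "SHA1" in the Check Point GUI compare equal.
# (Assumed spellings; adjust for your own platforms.)
ALIASES = {
    "3des": "3des", "esp-3des": "3des",
    "des": "des", "esp-des": "des",
    "aes": "aes128", "aes128": "aes128", "aes-128": "aes128", "esp-aes": "aes128",
    "aes256": "aes256", "aes-256": "aes256", "esp-aes-256": "aes256",
    "sha": "sha1", "sha1": "sha1", "esp-sha-hmac": "sha1",
    "md5": "md5", "esp-md5-hmac": "md5",
    "pre-share": "psk", "preshared": "psk",
    "rsa-sig": "rsa", "certificate": "rsa",
}


def canon(token: Optional[str]) -> Optional[str]:
    """Canonical algorithm name for a vendor keyword (unknown tokens pass through lower-cased)."""
    if token is None:
        return None
    return ALIASES.get(token.lower(), token.lower())


@dataclass(frozen=True)
class Proposal:
    enc: str                      # encryption algorithm
    integ: str                    # hash (phase 1) or ESP authentication (phase 2)
    group: Optional[int] = None   # DH group (phase 1) or PFS group (phase 2); None = no PFS
    auth: Optional[str] = None    # authentication method, phase 1 only

    def normalised(self) -> "Proposal":
        return Proposal(canon(self.enc), canon(self.integ), self.group, canon(self.auth))


def negotiate(initiator: Sequence[Proposal], responder: Sequence[Proposal]) -> Optional[Proposal]:
    """Return the proposal the responder selects, or None when nothing matches.

    IKE walks the initiator's list in order and takes the first entry the
    responder is configured to accept, so the initiator's ordering decides
    which algorithm is used when both sides support several.
    """
    accepted = {r.normalised() for r in responder}
    for p in initiator:
        if p.normalised() in accepted:
            return p.normalised()
    return None


def explain_mismatch(initiator: Sequence[Proposal],
                     responder: Sequence[Proposal]) -> List[Tuple[str, List[str], List[str]]]:
    """For a failed negotiation, list each attribute on which the sides share no value.

    Each entry is (attribute, values the initiator offers, values the responder accepts).
    """
    out = []
    for f in fields(Proposal):
        ivals = {getattr(p.normalised(), f.name) for p in initiator}
        rvals = {getattr(r.normalised(), f.name) for r in responder}
        if not ivals & rvals:
            out.append((f.name, sorted(map(str, ivals)), sorted(map(str, rvals))))
    return out


# Constructed scenario: the Check Point gateway (initiator) keeps the old
# 3DES/SHA1 phase 1, while the PIX was switched to MD5.
CP_PHASE1 = [Proposal("3DES", "SHA1", 2, "pre-share")]
PIX_PHASE1_BROKEN = [Proposal("3des", "md5", 2, "pre-share")]
PIX_PHASE1_FIXED = [Proposal("3des", "sha", 2, "pre-share")]

# Phase 2: PIX transform set "esp-3des esp-sha-hmac" against Check Point "3DES / SHA1".
PIX_PHASE2 = [Proposal("esp-3des", "esp-sha-hmac")]
CP_PHASE2 = [Proposal("3DES", "SHA1")]

# Moving to AES256/SHA1: both sides accept both ciphers; only the initiator's
# order controls which one is actually negotiated.
CP_PHASE2_AES_FIRST = [Proposal("AES-256", "SHA1"), Proposal("3DES", "SHA1")]
PIX_PHASE2_BOTH = [Proposal("esp-3des", "esp-sha-hmac"), Proposal("esp-aes-256", "esp-sha-hmac")]


if __name__ == "__main__":
    print("broken phase 1:", negotiate(CP_PHASE1, PIX_PHASE1_BROKEN),
          explain_mismatch(CP_PHASE1, PIX_PHASE1_BROKEN))
    print("fixed phase 1: ", negotiate(CP_PHASE1, PIX_PHASE1_FIXED))
    print("phase 2:       ", negotiate(PIX_PHASE2, CP_PHASE2))
    print("CP initiates:  ", negotiate(CP_PHASE2_AES_FIRST, PIX_PHASE2_BOTH))
    print("PIX initiates: ", negotiate(PIX_PHASE2_BOTH, CP_PHASE2_AES_FIRST))
```

Running it shows the broken phase 1 failing on `integ` alone (sha1 offered, md5 accepted), and the AES case negotiating AES256 only when the Check Point side initiates; when the PIX initiates with 3DES listed first, 3DES is chosen even though both peers support AES256. That is why, after adding AES, the transform set order on the PIX matters as much as the Check Point community settings, and why the thread's advice to clear the SAs on both sides before retesting is sound: stale SAs from the old proposal otherwise mask the change.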