
RE: interoperability of VPN checkpoint FW1 to ISA

From: Damien (at) HammerheadTech.net
Date: Mon Apr 21 2003 - 16:55:32 EDT


Mark,

So long as all ends are matching on their encryption configuration, like Gary said, things should be fine. However, CheckPoint has one little "catch" to be aware of. They have a setting on their systems for "aggressive" negotiation of the VPN connection. Basically this tries to get the communication kicked off in half as many packets as your "industry standard" 6-packet handshake. So depending on whether or not the tunnel is made from ISA to CheckPoint or CheckPoint to ISA, you could see a failure in the communications.

We saw something similar where a tunnel was made from a Cisco VPN device to a CheckPoint device. When the tunnel would drop before the scheduled re-negotiation, the CheckPoint device would try its "aggressive" mode and the reconnect would fail until the Cisco device eventually got around to its scheduled re-negotiation. Turning off the "aggressive" mode (which is really only designed for CP to CP tunnels) resolved that.

The same thing could very well happen when going from CP to ISA.

My 2c worth.

Damien

-----Original Message-----

From: Pasikowski, Gary [mailto:gpasikowski@mimillers.com]
Sent: Monday, April 21, 2003 9:53 AM
To: 'Mark Fagan'; Security Focus Forum; focus-ms@securityfocus.com

I assume you are talking about an IPSEC VPN and not a PPTP? As long as both ends match you should be fine. (IPSEC, 3DES, AES, MD5, etc.) That is the key; the Check Point will not care what equipment is on the other end. In "theory" you can make any two IPSEC VPN devices talk to each other as long as each is using the industry standard and has not implemented their own proprietary settings.


Gary  

-----Original Message-----

From: Mark Fagan [mailto:Mark.Fagan@esat.com]
Sent: Friday, April 18, 2003 3:58 AM
To: 'Security Focus Forum'; focus-ms@securityfocus.com
Subject: RE: interoperability of VPN checkpoint FW1 to ISA

But what about shared secrets, encryption types and timeouts: any known issues?

-----Original Message-----

From: Security Focus Forum [mailto:SecurityFocusForum@mimillers.com]
Sent: 17 April 2003 21:07
To: Mark Fagan; focus-ms@securityfocus.com
Subject: RE: interoperability of VPN checkpoint FW1 to ISA

I don't see why not as long as ISA talks standard IPSEC. I sit on the Check Point end, so I cannot tell you how ISA works, but I can tell you this, I have created multiple IPSEC VPNs between Check Point (both NG and 4.x) and WatchGuard firewalls.

...Gary  

-----Original Message-----

From: Mark Fagan [mailto:Mark.Fagan@esat.com]
Sent: Thursday, April 17, 2003 12:23 PM
To: focus-ms@securityfocus.com
Subject: interoperability of VPN checkpoint FW1 to ISA

All,


Have searched high and low, anyone know if a VPN can be created between ISA and FW-1?

Mark Fagan
TDA
Esat BT Application Hosting
E mark.fagan@esat.com
T + 353 1 4326914
M + 353 86 6013397
www.esatbt.com

Esat Telecommunications Limited
is a wholly owned subsidiary of BT Group plc Registered in Ireland, Registration No. 141524 Grand Canal Plaza, Upper Grand Canal Street, Dublin, Ireland

This electronic message contains information (and may contain files) from Esat Telecommunications Limited which may be privileged or confidential. The information is intended to be for the sole use of the individual(s) or entity named above. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information and or files is prohibited. If you have received this electronic message in error, please notify us by telephone or email (to the numbers or address above) immediately. http://www.esatbt.com

Win EUR100,000 worth of eBusiness solutions from Esat BT. Click http://www.esatbt.com/ie/competition/labyrinth/index.html to enter!



-

Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-focus-ms

Received on Tue Apr 22 13:17:47 2003
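
A diagnostic for the failure mode described in the thread, added here as an example and not part of the original messages: it reads the fixed ISAKMP header (RFC 2408) of UDP/500 datagrams and reports which peer opens phase 1 in aggressive mode. It assumes the Check Point "aggressive" setting corresponds to IKEv1 Aggressive Mode (exchange type 4); the function names, addresses and capture bytes are constructed for illustration.

```python
import struct

# ISAKMP exchange types from RFC 2408, section 3.1
EXCHANGE_TYPES = {2: "main", 4: "aggressive", 5: "informational"}
# initiator cookie, responder cookie, next payload, version, exchange, flags, msg id, length
HEADER = struct.Struct("!8s8sBBBBII")


def parse_isakmp_header(payload: bytes) -> dict:
    """Decode the fixed 28-byte ISAKMP header of an IKEv1 datagram."""
    if len(payload) < HEADER.size:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    icookie, rcookie, _np, version, exch, _flags, msg_id, length = HEADER.unpack_from(payload)
    if version >> 4 != 1:
        raise ValueError("not IKEv1")
    return {
        "icookie": icookie.hex(),
        "initial": rcookie == bytes(8),  # responder cookie is all zero in the first packet
        "mode": EXCHANGE_TYPES.get(exch, f"other({exch})"),
        "msg_id": msg_id,
        "length": length,
    }


def aggressive_initiators(packets):
    """Return source IPs that opened phase 1 in aggressive mode.

    packets: iterable of (src_ip, udp_payload) taken from UDP/500 traffic.
    """
    found = []
    for src, payload in packets:
        try:
            hdr = parse_isakmp_header(payload)
        except ValueError:
            continue  # truncated or non-IKEv1 datagram
        if hdr["initial"] and hdr["mode"] == "aggressive" and src not in found:
            found.append(src)
    return found


def _sample(exchange, rcookie=bytes(8)):
    # Constructed header only (no payloads follow), enough for classification.
    return HEADER.pack(b"\x11" * 8, rcookie, 1, 0x10, exchange, 0, 0, HEADER.size)


# Constructed capture using documentation addresses, not data from the thread.
CAPTURE = [
    ("192.0.2.10", _sample(2)),               # main mode, first message
    ("198.51.100.7", _sample(4)),             # aggressive mode, first message
    ("192.0.2.10", _sample(4, b"\x22" * 8)),  # aggressive reply, not an initiation
    ("198.51.100.7", b"\x00" * 10),           # truncated datagram, skipped
]
```

Running `aggressive_initiators` over traffic captured around a tunnel drop shows which side attempted the three-packet exchange, which is the device where the setting needs to be turned off.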

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:29 EDT

