topic Re: Palo alto to Checkpoint VPN in General Topics

Palo alto to Checkpoint VPN

u6960 — Mon, 16 May 2011 22:48:13 GMT

Is there any body tested the vpn functionality between palo alto to a policy based vpn such checkpoint? Can you guide me the steps on what to do with regards to what policy to allow and how to configure the vpn parameters? also i noticed that there is no option for ipsec sa for group2 with nopfs in palo alto, do you know if this is a limitation in palo alto or is there any reason for this.

Re: Palo alto to Checkpoint VPN

ncampagna — Tue, 17 May 2011 00:23:41 GMT

Hello,

I don't have all of the details for connecting with a Checkpoint VPN. Hopefully others can weigh in with that info. The primary thing to keep in mind is that you must configure Proxy IDs in the Advanced section of the IPSec Tunnel configuration.

Regarding the IPSec SA options, Group 2 means that we'll use Diffie Hellman (DH) group 2 to negotiate a shared secret between the two VPN peers. Group 2 basically dictates a particular public and private key size (DH uses a key pair much like RSA). The shared secret obtained through the DH key negotiation will be used to derive the keys used for the IPSec SA. If you select nopfs (no perfect forward secrecy), this negotiation will not take place and the keying information will be based instead on the secret material exchanged in the phase 1 or IKE SA.

Thanks,

Nick

Re: Palo alto to Checkpoint VPN

bpappas — Tue, 17 May 2011 14:35:43 GMT

1. Yes the PAN device will happily form IPSEC VPNs with Checkpoint.

2. In order to do this you will need to create Proxy IDs on the PAN device's IPSEC VPN. Limit 10 proxies per tunnel interface. ProxyIDs must match the policies on the Checkpoint end of the tunnel or phase 2 will not complete successfully.

e.g. if CheckPoint has a policy to allow local source IP 10.10.10.10/32 to remote destination IP 172.16.10.10/32 then you need a corresponding ProxyID on the PAN device for local 172.16.10.10/32 remote 10.10.10.10/32.

Re: Palo alto to Checkpoint VPN

migration — Tue, 24 May 2011 10:52:35 GMT

bpappas ha scritto:

Does that mean that I need to create 10 tunnel interface (tab Network -> Interfaces) if I have 100 Proxy ID in total (10 Proxy ID per tunnel interface) ?

I supposed I had to create 10 different phases 2 but with the same tunnel interface (and so the same phase1), that would be unique and the same for all 100 Proxy ID...

It's very important.

Many thanks

Re: Palo alto to Checkpoint VPN

bpappas — Tue, 24 May 2011 15:15:44 GMT

one tunnel interface will support 10 proxyIDs

so if you have 100 proxy IDs that will require 10 tunnel interfaces and 10 IPSEC VPNs (1 VPN per tunnel interface, 10 proxyIDs per tunnel/IPSEC VPN)