Palo alto to Checkpoint VPN


Palo alto to Checkpoint VPN

Not applicable

Has anybody tested the VPN functionality between Palo Alto and a policy-based VPN such as Checkpoint? Can you guide me through the steps on what policy to allow and how to configure the VPN parameters? Also, I noticed that there is no option for an IPSec SA with Group 2 and nopfs in Palo Alto. Do you know if this is a limitation in Palo Alto, or is there any reason for this?


Palo Alto Networks Guru

Hello,

I don't have all of the details for connecting with a Checkpoint VPN. Hopefully others can weigh in with that info. The primary thing to keep in mind is that you must configure Proxy IDs in the Advanced section of the IPSec Tunnel configuration.

Regarding the IPSec SA options, Group 2 means that we'll use Diffie-Hellman (DH) group 2 to negotiate a shared secret between the two VPN peers. Group 2 basically dictates a particular public and private key size (DH uses a key pair much like RSA). The shared secret obtained through the DH key negotiation will be used to derive the keys used for the IPSec SA. If you select nopfs (no perfect forward secrecy), this negotiation will not take place and the keying information will be based instead on the secret material exchanged in the phase 1 or IKE SA.

Thanks,

Nick

L6 Presenter

1. Yes the PAN device will happily form IPSEC VPNs with Checkpoint.

2. In order to do this you will need to create Proxy IDs on the PAN device's IPSEC VPN. Limit 10 proxies per tunnel interface. ProxyIDs must match the policies on the Checkpoint end of the tunnel or phase 2 will not complete successfully.

e.g. if CheckPoint has a policy to allow local source IP 10.10.10.10/32 to remote destination IP 172.16.10.10/32, then you need a corresponding ProxyID on the PAN device for local 172.16.10.10/32 and remote 10.10.10.10/32.

bpappas wrote:

2. In order to do this you will need to create Proxy IDs on the PAN device's IPSEC VPN. Limit 10 proxies per tunnel interface. ProxyIDs must match the policies on the Checkpoint end of the tunnel or phase 2 will not complete successfully.

Does that mean that I need to create 10 tunnel interfaces (tab Network -> Interfaces) if I have 100 Proxy IDs in total (10 Proxy IDs per tunnel interface)?

I assumed I had to create 10 different phase 2s but with the same tunnel interface (and so the same phase 1), which would be unique and the same for all 100 Proxy IDs...

It's very important.

Many thanks

One tunnel interface will support 10 proxy IDs.

So if you have 100 proxy IDs, that will require 10 tunnel interfaces and 10 IPSEC VPNs (1 VPN per tunnel interface, 10 proxy IDs per tunnel/IPSEC VPN).
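As an added illustration of the two rules in this thread (the PAN proxy ID must mirror the Checkpoint policy with local and remote swapped, and at most 10 proxy IDs fit on one tunnel interface), here is a small planning script. It is not from the original posts or from either vendor; the rule format and the `ProxyID` type are assumptions, and the sample rules are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Iterable, List, Tuple

# Limit stated in the thread: 10 proxy IDs per tunnel interface / IPSec VPN.
MAX_PROXY_IDS_PER_TUNNEL = 10


@dataclass(frozen=True, order=True)
class ProxyID:
    """A phase 2 traffic selector as it is entered on the PAN side (assumed shape)."""
    local: str   # network behind the PAN firewall
    remote: str  # network behind the Checkpoint


def _norm(net: str) -> str:
    # Normalise so "10.10.10.10" and "10.10.10.10/32" compare equal.
    return str(ip_network(net, strict=False))


def mirror_checkpoint_rule(cp_local: str, cp_remote: str) -> ProxyID:
    """Checkpoint's local side becomes PAN's remote side, and vice versa."""
    return ProxyID(local=_norm(cp_remote), remote=_norm(cp_local))


def find_mismatches(pan_proxy_ids: Iterable[ProxyID],
                    checkpoint_rules: Iterable[Tuple[str, str]]):
    """Return (missing_on_pan, extra_on_pan). Either list being non-empty means
    the selectors do not agree, which is exactly the case where phase 2 fails."""
    expected = {mirror_checkpoint_rule(l, r) for l, r in checkpoint_rules}
    configured = {ProxyID(_norm(p.local), _norm(p.remote)) for p in pan_proxy_ids}
    return sorted(expected - configured), sorted(configured - expected)


def plan_tunnels(proxy_ids: List[ProxyID]) -> List[List[ProxyID]]:
    """Group proxy IDs 10 per tunnel; each group needs its own tunnel interface
    and its own IPSec VPN (phase 2) on the PAN device."""
    return [proxy_ids[i:i + MAX_PROXY_IDS_PER_TUNNEL]
            for i in range(0, len(proxy_ids), MAX_PROXY_IDS_PER_TUNNEL)]


if __name__ == "__main__":
    # Constructed sample: the thread's example rule plus one deliberately wrong entry.
    cp_rules = [("10.10.10.10/32", "172.16.10.10/32"), ("10.10.20.0/24", "172.16.20.0/24")]
    pan_ids = [ProxyID("172.16.10.10/32", "10.10.10.10/32"),
               ProxyID("172.16.20.0/24", "10.10.30.0/24")]  # remote typo'd on purpose
    missing, extra = find_mismatches(pan_ids, cp_rules)
    print("missing on PAN:", missing)
    print("extra on PAN:", extra)
    hundred = [ProxyID(f"172.16.{i}.0/24", f"10.10.{i}.0/24") for i in range(100)]
    print("tunnel interfaces needed for 100 proxy IDs:", len(plan_tunnels(hundred)))
```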
