Campus Switching and Routing


MAS vpn to firewall?

Does the MAS support setting up a VPN to a third-party firewall like a Checkpoint?

It will be used for management only, and not client traffic.

I see a lot mentioned about a VPN to a controller, but nothing about terminating on a firewall.

Thanks


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294

Re: MAS vpn to firewall?

Hi,

I believe we can configure VPN from MAS to a third party firewall.

But I'm not sure about the limitations :)

Cheers,
Venu Puduchery,
[Did my post help you? Give Kudos :) ]
Aruba

Re: MAS vpn to firewall?

Michael,

We have previously done VPN testing against products from Juniper, Fortinet, Cisco and strongSwan. I can't say with 100% certainty that it will work with Checkpoint, but we haven't done anything in code to prevent interoperability with 3rd parties.

Best regards,

Madani

Re: MAS vpn to firewall?

Excellent.  Good to know.



Re: MAS vpn to firewall?

I have managed to get this to work with a Checkpoint firewall.  It took a bit of fiddling about to ensure the settings matched that of the Checkpoint.  In the end I think what made it spring into life was that I created a custom isakmp policy.

Re: MAS vpn to firewall?

Well, I seem to have spoken too soon.  It appears to be up and working but we can't reach anything through the tunnel.  The Checkpoint is showing encryption errors and keeps trying to re-form the SA.

Just for a laugh I tried to set up the VPN to an Aruba controller to test and I can't seem to get this to work either.  It all appears fine and I see the association in 'show crypto ipsec sa' on both ends.  Strangely, on the controller nothing shows in 'show datapath tunnel table'.

TAC are looking at it now as well, but so far they can't see why it isn't working.

Re: MAS vpn to firewall?

Have been working on this with TAC for a while now and we got lucky today.

The controller was complaining that it did not have the ISA-PSK for that host.  It was certainly there if we did a 'show crypto isakmp key'.

It wasn't until we went in via the GUI, edited the ipsec-map and added the key here, that it all worked.

[Image: airheads-ipsec key.jpg]

I might get back round to looking at the Checkpoint again one day.

