Wired Intelligent Edge

MAS vpn to firewall?

  • 1.  MAS vpn to firewall?

    EMPLOYEE
    Posted Dec 23, 2014 07:41 AM

    Does the MAS support setting up a VPN to a third-party firewall like a checkpoint?

     

    It will be used for management only, and not client traffic.

     

    I see a lot mentioned about a VPN to a controller, but nothing about terminating on a firewall.

     

    Thanks



  • 2.  RE: MAS vpn to firewall?

    Posted Dec 23, 2014 09:02 AM

    Hi,

     

    I believe we can configure a VPN from the MAS to a third-party firewall.

     

    But I'm not sure about the limitations :)



  • 3.  RE: MAS vpn to firewall?
    Best Answer

    EMPLOYEE
    Posted Dec 23, 2014 10:15 AM

    Michael,

    We have previously done VPN testing against products from Juniper, Fortinet, Cisco and Strongswan. I can't say with 100% certainty that it will work with Checkpoint but we haven't done anything in code to prevent interoperability with 3rd parties.

     

    Best regards,

     

    Madani



  • 4.  RE: MAS vpn to firewall?

    EMPLOYEE
    Posted Dec 23, 2014 10:34 AM

    Excellent.  Good to know.



  • 5.  RE: MAS vpn to firewall?

    EMPLOYEE
    Posted May 13, 2015 03:39 AM

    I have managed to get this to work with a Checkpoint firewall.  It took a bit of fiddling about to ensure the settings matched that of the Checkpoint.  In the end I think what made it spring into life was that I created a custom isakmp policy.

     



  • 6.  RE: MAS vpn to firewall?

    EMPLOYEE
    Posted May 29, 2015 03:37 PM

    Well, I seem to have spoken too soon.  It appears to be up and working but we can't reach anything through the tunnel.  The Checkpoint is showing encryption errors and keeps trying to re-form the SA.

    Just for a laugh I tried to set up the VPN to an Aruba controller to test and I can't seem to get this to work either.  It all appears fine and I see the association in 'show crypto ipsec sa' on both ends.  Strangely on the controller nothing shows in 'show datapath tunnel table'.

     

    TAC are looking at it now as well, but so far they can't see why it isn't working.



  • 7.  RE: MAS vpn to firewall?

    EMPLOYEE
    Posted Jul 10, 2015 06:27 AM

    Have been working on this with TAC for a while now and we got lucky today.

    The controller was complaining that it did not have the ISA-PSK for that host.  It was certainly there if we did a 'show crypto isakmp key'.

    It wasn't until we went in via the GUI, edited the ipsec-map and added the key here that it all worked.


    I might get back round to looking at the Checkpoint again one day.