last person joined: yesterday 

Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.
Expand all | Collapse all

MAS vpn to firewall?

Jump to Best Answer
  • 1.  MAS vpn to firewall?

    Posted Dec 23, 2014 07:41 AM

    Does the MAS support setting up a VPN to a third-party firewall like a checkpoint?


    It will be used for management only, and not client traffic.


    I see mentioned a lot about a VPN to a controller, but nothing about terminating on a firewall.



  • 2.  RE: MAS vpn to firewall?

    Posted Dec 23, 2014 09:02 AM



    I believe we can configure VPN from MAS to a third party firewall.


    But I'm not sure about the limitations :)

  • 3.  RE: MAS vpn to firewall?
    Best Answer

    Posted Dec 23, 2014 10:15 AM


    We have previously done VPN testing against products from Juniper, Fortinet, Cisco and Strongswan. I can't say with 100% certainty that it will work with Checkpoint but we haven't done anything in code to prevent interoperability with 3rd parties.


    Best regards,



  • 4.  RE: MAS vpn to firewall?

    Posted Dec 23, 2014 10:34 AM

    Excellent.  Good to know.

  • 5.  RE: MAS vpn to firewall?

    Posted May 13, 2015 03:39 AM

    I have managed to get this to work with a Checkpoint firewall.  It took a bit of fiddling about to ensure the settings matched that of the Checkpoint.  In the end I think what made it spring into life was that I created a custom isakmp policy.


  • 6.  RE: MAS vpn to firewall?

    Posted May 29, 2015 03:37 PM

    Well I seem to have spoken too soon.  It appears to be up and working but we can't reach anything through the tunnel.  The Checkpoint is showing encryption errors and keeps trying to reform the sa.


    Just for a laugh I tried to setup the vpn to an Aruba controller to test and I can't seem to get this to work either.  It all appears fine and I see the association in 'show crypto ipsec sa' on both ends.  Strangely on the controller nothing shows in 'show datapath tunnel table'.


    TAC are looking at it now as well, but so far they can't see why it isn't working.

  • 7.  RE: MAS vpn to firewall?

    Posted Jul 10, 2015 06:27 AM

    Have been working on this with TAC for a while now and we got lucky today.

    The controller was complaining that it did not have the ISA-PSK for that host.  It was certainly there if we did a 'show crypto isakmp key'


    It wasn't until we went in via the GUI, edited the ipsec-map and added the key here, it all worked.

    airheads-ipsec key.jpg

    I might get back round to looking at the Checkpoint again one day.