Non-Check Point products does not have "ike_use_largest_possible_subnets (supernetting)" feature, this is the reason why we need to disable that feature on Check Point.
(Exchanging keys with another vendor gateway uses largest possible subnet –Check Point uses the best possible subnet to increase the performance while doing IKE key exchanges by default)
DNS packets should not be allowed firstly, otherwise that results DNS resolution problems for VPN domains.
------------------------------------------------------------------------------------
# dbedit
Enter Server name (ENTER for 'localhost'):
Enter User Name: fwadmin
Enter User Password: abc123
Please enter a command, -h for help or -q to quit:
dbedit> modify properties firewall_properties ike_use_largest_possible_subnets false
dbedit> update properties firewall_properties
firewall_properties updated successfully.
dbedit> quit
#
-----------------------------------------------------------
and You can configure the "max_subnet_for_range" table in "user.def" file on the Security Management Server / Domain Server. This table is designed to force VPN-1/FireWall-1 to negotiate IPSEC SAs using a specific subnet mask for a given IP address range;
max_subnet_for_range = {<first_IP_in_range, last_IP_in_the_range; subnet_mask>, <first_IP_in_range, last_IP_in_the_range; subnet_mask>, <first_IP_in_range, last_IP_in_the_range; subnet_mask>};
Example;
#ifndef __user_def__
#define __user_def__
// // User defined INSPECT code//
max_subnet_for_range = {<0.0.0.0, 10.29.39.255; 255.255.255.0>,<10.29.40.0, 10.29.50.255; 255.255.255.255>,<10.29.51.0, 255.255.255.255; 255.255.0.0>};#endif /* __user_def__ */
No comments:
Post a Comment