Wednesday, May 13, 2015

Check Point And Cisco: (IPSEC VPN) Phase 2 Security Association Incompatibilities

Here is the situation: when you have a site-to-site VPN between a Check Point and a Cisco firewall, it is sometimes nearly impossible to get a phase 2 combination of encryption and hash stronger than 3DES/MD5 to work. I have seen this often in the past. I go with AES-256 and SHA1, but for some reason I get very unpredictable results. That might mean I can ping across one minute but not the next. It has also meant one-way traffic only. The thing is, when I change to 3DES/MD5, the VPN works perfectly and consistently. So why is that?
I don't know the answer right now, but I'll certainly be looking into it. I don't want to use 3DES/MD5; I prefer to go stronger.
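For reference, here are the parameters that make up a phase 2 (IPsec) security association on the Cisco side, written as an added Cisco IOS configuration example; it is not from the post, and the peer address, pre-shared key, ACL name, map name and subnets are placeholders. Whatever turns out to be behind the behaviour above, the first check is that both ends agree on every value here: ESP cipher and integrity algorithm, PFS group, SA lifetime, and the encryption domain (the crypto ACL on Cisco against the encryption domains of the Check Point VPN community). A mismatch in any of them tends to show up as a tunnel that comes up but passes traffic only intermittently or in one direction.

```cisco
! --- Phase 1 (IKE) policy: must match the Check Point gateway's IKE settings ---
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
! Placeholder PSK and peer address (RFC 5737 documentation range)
crypto isakmp key EXAMPLE_PSK_CHANGE_ME address 203.0.113.2
!
! --- Phase 2 (IPsec) proposal: AES-256 encryption, SHA1 integrity, tunnel mode ---
crypto ipsec transform-set TS-AES256-SHA1 esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Phase 2 SA lifetime; compare with the Check Point community's
! "renegotiate IPsec security associations every N seconds" value
crypto ipsec security-association lifetime seconds 3600
!
! Encryption domain (proxy IDs): local 10.1.0.0/16 <-> remote 10.2.0.0/16.
! The Check Point encryption domains must describe the same networks.
ip access-list extended VPN-ACL
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA1
 set pfs group2
 match address VPN-ACL
!
interface GigabitEthernet0/0
 crypto map CMAP
!
! Verification (exec mode):
!   show crypto isakmp sa                  -> phase 1 state should be QM_IDLE
!   show crypto ipsec sa peer 203.0.113.2  -> one SA pair per proxy-ID pair,
!                                             encaps/decaps counters both rising
```

When comparing, look at the `show crypto ipsec sa` output for the local and remote identities on each SA; if the Check Point side negotiates a different subnet pair than the one in VPN-ACL, the two peers can each hold an SA the other does not use, which matches the one-way symptom described above.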

2 comments:

  1. I've seen this too when running a tunnel between different brands of equipment...very irritating.

    1. Irritating is the nice word for it.
