| Platform: | any platform for Check Point VPN-1 NG below R55 |
| Product: |
Check Point Next Generation FP2 up to NG AI R54. Please be aware that neither NG nor NG AI is supported any more by Check Point. Please upgrade to a supported version such as NGX R65 or R70! |
| Problem: |
Various problems seem to be associated with the configuration of an Extranet, but
observing the points listed below helps to configure an Extranet without major problems.
The Extranet feature has been supported up to version NG AI R54 only. |
| Workaround/Fix: |
First of all, obtain the necessary license. You can find out whether your license supports the
Extranet feature: at the prompt of the Management Server, type
Using Check Point NG on both sides of the Extranet is essential.
- Define your Firewall to be used as an Extranet-Gateway by selecting
- If you have a distributed installation, go to the object describing your Management-Server and select the VPN tab. If there is no certificate for IKE, you will have to create one. You can do this by clicking "Add". Then give it a nickname, select a CA (e.g. internal_CA) and generate it.
- Start a new rulebase in Traditional Mode (!). Extranet won't work with "Simplified Setup" for VPN. You can easily find out which mode is enabled: if it is the simplified mode (not working with Extranet), the column "IF VIA" shows up in the rulebase.
- Don't define any object from your partner's network, not even the Firewall (!).
- Start to define your part of the Extranet by going to
- If you want, you can change the name. Give it a color and a comment.
- Go to "Exported Objects" and select the objects (Servers, Networks or IP-Ranges) you want to export, so your partner can import them afterwards.
- Install the rulebase, so your partner can import these objects later.
Your partner has to perform the same steps. Once that is done, everything is prepared for the definition of the partner's properties.
- Create a rulebase which accepts the services "FW1_Exnet_PK" (18262/tcp) and "FW1_Exnet_resolve" (18263/tcp) from and to your Management-Module and Firewall.
- Go to "General" of your Extranet object. The button "New Partner" will allow you to define your partner for this Extranet. Give it a name and a comment.
- Then you will have to use "Import Partner Identity" to get the Extranet fingerprint from your partner. Remember, this is your partner's Management-Module.
- If the connection with service "FW1_Exnet_PK" is ok, you will get the fingerprint from your partner. Please be sure to get the right one. You will find the fingerprint of your own Management-Module in the Policy Editor under Policy > Global Properties > Extranet Management Interface. So please compare the fingerprints out-of-band.
- After this, your partner is defined completely and you can start to import his objects by going to "Imported Objects". Be sure the service "FW1_Exnet_resolve" is accepted on both sides.
- Click "Import Partners Objects"; you will find them in a new window. After approving this, the import is complete.
- Then the IKE properties for the Extranet need to be defined. Be sure your partner uses the same parameters. After having done this, your Extranet is completely defined.
- What's missing? Yes, the rulebase, of course. Select "Add Extranet Groups..." for Source and Destination, the service you want and "Encrypt". The last point has to be configured correctly on both sides of the VPN.
- After having installed the rulebase, you are able to test the Extranet VPN. The log should look like the example given. |
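As an added example (not taken from the AERAsec page or from Check Point), the script below automates the two points in the procedure above that most often go wrong: whether the partner's Management-Module is reachable on the two Extranet services the page names, "FW1_Exnet_PK" (18262/tcp) and "FW1_Exnet_resolve" (18263/tcp), and whether the fingerprint shown by "Import Partner Identity" matches the one confirmed out-of-band. The partner host name and the fingerprint values are constructed placeholders, and the fingerprint format accepted by normalise_fingerprint (groups of characters separated by spaces, colons, dots or line breaks) is an assumption.

```python
"""Pre-flight checks for a Check Point NG Extranet partner link.

Added example, not part of the original page. It assumes the two Extranet
services named there (FW1_Exnet_PK on 18262/tcp, FW1_Exnet_resolve on
18263/tcp) must be reachable on the partner's Management-Module, and that
the fingerprint displayed by "Import Partner Identity" is compared against
a value obtained out-of-band (e.g. read out over the phone).
"""
import hmac
import re
import socket

# Service names and ports as given on the page for the Extranet Management Interface.
EXTRANET_SERVICES = {
    "FW1_Exnet_PK": 18262,       # exchange of the partner's identity / fingerprint
    "FW1_Exnet_resolve": 18263,  # resolution of the partner's exported objects
}


def check_tcp_service(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port can be established.

    A refused or timed-out connection usually means the rule accepting the
    service from/to the Management-Module is missing on one of the two sides.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable name, no route
        return False


def check_partner_services(host: str, timeout: float = 3.0) -> dict:
    """Check every Extranet service against the partner's Management-Module."""
    return {name: check_tcp_service(host, port, timeout)
            for name, port in EXTRANET_SERVICES.items()}


def normalise_fingerprint(fp: str) -> str:
    """Canonicalise a fingerprint before comparison.

    Assumption: the fingerprint is shown as groups of characters separated by
    whitespace, colons, dots or dashes; only the characters themselves matter,
    and case is not significant.
    """
    return re.sub(r"[\s:.-]+", "", fp).upper()


def fingerprints_match(displayed: str, out_of_band: str) -> bool:
    """Compare the fingerprint shown in the Policy Editor with the one confirmed
    out-of-band, ignoring formatting differences and using a constant-time
    comparison so the result does not depend on where the strings differ."""
    a = normalise_fingerprint(displayed).encode()
    b = normalise_fingerprint(out_of_band).encode()
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    # Constructed sample values; replace them with the partner's real data.
    partner_mgmt = "mgmt.partner.example"        # placeholder host name
    displayed = "A1B2 C3D4 E5F6 0718 29AB"       # as shown by the GUI
    confirmed = "a1b2:c3d4:e5f6:0718:29ab"       # as read out by the partner
    for service, reachable in check_partner_services(partner_mgmt).items():
        print(f"{service}: {'reachable' if reachable else 'NOT reachable'}")
    print("fingerprint confirmed:", fingerprints_match(displayed, confirmed))
```

Run it from a host that sits where your Management-Module sits in the rulebase, because the page requires the two services to be accepted from and to the Management-Module and Firewall; a reachable "FW1_Exnet_PK" but unreachable "FW1_Exnet_resolve" points at a rule that was only half configured. A fingerprint mismatch after normalisation means the identity imported is not your partner's and the partner definition must not be approved.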
No warranty at all, your feedback is welcome!
© 2003-2011 AERAsec Network Services and Security GmbH, last change 2009-04-16