This information was supplied by Ken Carvel. I have not tried it myself. This is his actual email message.
From: Carvel, Ken P [carvel@BATTELLE.ORG]
Sent: Tuesday, March 14, 2000 11:38 AM
To: 'Ross Presser'
Subject: RE: Cisco Router to Checkpoint IKE

This is a basic overview of what we did, but the router config is much more detailed than the Checkpoint setup. IPs have been changed to protect the innocent.

On the Cisco Router:

    !***Set up the ISAKMP policy using triple DES and a preshared key
    !
    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
    crypto isakmp key sharedkey address (firewall external IP here)
    !
    !
    !***Define authentication and encryption settings
    !
    crypto ipsec transform-set ciscofw1 esp-3des esp-md5-hmac
    !
    !***The actual map
    !
    crypto map fw1 10 ipsec-isakmp
     set peer (firewall external IP here)
     set transform-set ciscofw1
    !
    !***When something matches access-list 100, encrypt it
    !
     match address 100
    !
    !***Assign the map to the external interface
    !
    interface Ethernet0/0
     ip address 192.168.202.254 255.255.255.0
     crypto map fw1
    !
    !***We used NAT on our internal interface
    !
    interface Ethernet0/1
     description Internal LAN Interface
     ip address 192.168.201.254 255.255.255.0
     no ip directed-broadcast
     ip nat inside
    !
    ip nat inside source list 101 interface Ethernet0/0 overload
    !
    !*** Encrypt anything going to the 192.168.203 network
    !
    access-list 100 permit ip host 192.168.202.254 192.168.203.0 0.0.0.255
    access-list 101 permit ip 192.168.201.0 0.0.0.255 any

On the Checkpoint Firewall:

Add an object for the router and set up its VPN encryption properties for IKE. Edit the IKE properties to match the router's crypto settings. Use preshared secret for the authentication method and set the secret key.

We added two rules, one for traffic coming from the Cisco and one for traffic going to the Cisco. They allow all traffic and the action is set to encrypt. Match the encrypt action's properties with the crypto settings on the router.
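Cisco IOS itself cannot be run here, so as an added example (not part of Ken's message) here is a small Python checker that parses his router snippet and verifies the cross-references the config depends on: the crypto map's transform-set, match access-list and peer must each resolve to a definition (the isakmp key has to be bound to the same peer address as the map), and the map must be applied to an interface. It also lists the algorithms in use (3DES, MD5), which are considered legacy today; the address 203.0.113.1 is an assumed stand-in for the email's "(firewall external IP here)" placeholder.

```python
# Constructed sample: the router config from Ken's email, peer placeholder filled in (assumed address).
IOS_CONFIG = """
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key sharedkey address 203.0.113.1
crypto ipsec transform-set ciscofw1 esp-3des esp-md5-hmac
crypto map fw1 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set ciscofw1
 match address 100
interface Ethernet0/0
 crypto map fw1
access-list 100 permit ip host 192.168.202.254 192.168.203.0 0.0.0.255
"""
LEGACY = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
def audit_crypto(config):
    """Cross-check a Cisco IOS IKE/IPsec config; return a list of finding strings."""
    tsets, acls, psk_peers, applied, maps, legacy, block = set(), set(), set(), set(), {}, set(), None
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0].startswith("!"):
            continue
        if not raw.startswith(" "):     # top-level command: decide which block follows it
            block = None                # becomes "isakmp", "interface", or a crypto-map dict
            if w[:3] == ["crypto", "ipsec", "transform-set"]:
                tsets.add(w[3]); legacy |= set(w[4:]) & LEGACY
            elif w[0] == "access-list":
                acls.add(w[1])
            elif w[:3] == ["crypto", "isakmp", "key"]:
                psk_peers.add(w[-1])    # the peer address this pre-shared key is bound to
            elif w[:2] == ["crypto", "map"]:
                block = maps.setdefault(w[2], {})
            elif w[:3] == ["crypto", "isakmp", "policy"] or w[0] == "interface":
                block = "isakmp" if w[0] == "crypto" else "interface"
        elif block == "isakmp":         # "encr 3des", "hash md5", ...
            legacy |= set(w) & LEGACY
        elif block == "interface" and w[:2] == ["crypto", "map"]:
            applied.add(w[2])
        elif isinstance(block, dict):   # "set peer X" -> peer, "match address N" -> match
            block[w[1] if w[0] == "set" else w[0]] = w[-1]
    findings = []
    for name, m in maps.items():        # every reference a map makes must resolve
        refs = {"transform-set": tsets, "match": acls, "peer": psk_peers}
        findings += [f"map {name}: {k} {m.get(k)} has no matching definition"
                     for k, defined in refs.items() if m.get(k) not in defined]
        if name not in applied:
            findings.append(f"map {name}: not applied to any interface")
    return findings + sorted(f"legacy algorithm: {a}" for a in legacy)
```

Feed it `show running-config` output instead of the sample to check a real router; an empty list apart from the legacy lines means every reference in the crypto map resolves.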