Implementing Checkpoint NG R55 Firewall and Microsoft ISA 2004 Firewall IPSec Site-to-Site VPN

As you already know, Microsoft ISA 2004 is a Stateful packet and Application layer inspection Firewall that is becoming increasingly popular among the Security Experts and Firewall Administrators.  They understand that Microsoft ISA 2004 is the best security solution for Microsoft environment, and even non-Microsoft environments.

In this article I will show you the process you need to accomplish to configure Site-to-Site VPN between Microsoft ISA 2004 and Checkpoint NG R55.


Secret Keys are not secure and I use them in this article for demonstration purposes ONLY! I will publish part 2 for this document that will explain how to configure VPN Site-to-Site based on Digital Certificate.

There are 8 phases to establish on the CP Firewall for this infrastructure to work:

  1. Choose Shared Secret Key between the source and the destination firewalls
  2. Create an “Externally Managed Gateway” Object for the Microsoft ISA 2004 Firewall server.
  3. Configure the Checkpoint Firewall for site-to-site VPN.
  4. Configure the IPSec IKE Phases properties on the Checkpoint firewall based on the Microsoft ISA 2004 Requirements.
  5. Create a suitable access rule for the VPN traffic.
  6. Validate the NAT rules.
  7. Apply the current policy.
  8. Open the “SmartView Tracker” to see if the traffic is encrypted between the two sites.

There are 5 phases to establish on the Microsoft ISA 2004 Firewall for this infrastructure to work:

  1. Add Remote Site Network
  2. Choose IP Address for the Remote VPN Gateway and for the Local VPN Gateway.
  3. Insert the Shared Secret Key that you agree on in the first phase to the ISA Server properties.
  4. Add the Checkpoint NAT Address to the Network range that will used inside the tunnel

Please follow the steps bellow:

1. Choose a Shared Secret key in the following structure:

a. 15 characters.

b. Must be Complicity!!!

c. Don’t pass it over the Net without Encryption!!!

2. Right click on the “Checkpoint” and create a new “Externally Managed Gateway”.

Mark the 2 options inside the firewall object (See the picture below):

  • Firewall
  • VPN

3. Open the “VPN Manager” tab, then press double click on the “SiteToSiteVPN” object.

Open the “SiteToSiteVPN” object

Go to “Participating Gateways” and add the Checkpoint Firewall object and the Microsoft ISA 2004 Firewall.

These are the properties you need to configure on the CheckPoint IKE Phases Settings:

Then open the “VPN Properties” on the same window and configure the following information:

Then go to the “Shared Secret” option on the same windows and  enter the Shared Secret you choose in phase 1.

  1. To avoid the problem on the CP Firewall the indicate “No Valid SA” you need to configure the a NAT rule that says, when the internal CP source network is trying to talk to the destination ISA Firewall network, change the source of the CP internal network to the CP Firewall external IP Address.

  1. Now you need to create a rule in the rule base that is compatible to our organization VPN Site-to-Site needs

This rule is for the demonstration ONLY!



There are 5 phases to establish on the Microsoft ISA 2004 Firewall for this infrastructure to work:

  1. Open the Virtual Private Network (VPN) tab in the ISA 2004 firewall console.
  2. Choose the Remote Sites tab.
  3. In right side of the window on the Tasks tab, click Add Remote Site Network

Choose an understandable name for this purpose and click Next to continue.

Choose IP Security protocol (IPSec) tunnel mode to establish VPN Site-to-Site with Checkpoint Firewall and press Next to continue.

At this point you need to configure both the Remote and the Local VPN Gateways IP Addresses, press Next to continue.

Just for the demonstration we choose Shared Secret Key that we agree on in the first phase, press Next to continue.

In this phase you need to add the IP Addresses or IP Ranges that will participate in the VPN Site-to-Site tunnel, for my demonstration I add just the Checkpoint Firewall NAT Address, press enter to continue.

This is the end of this Wizard, you can see the details inside, press Finish.

For more details you can right click on the VPN Site-to-Site rule and choose IPSec Policy Summary

This is the IPSec Policy Summary information:

The last phase is to configure a VPN access rule that compatible to your organization VPN Site-to-Site needs (You don’t need my help in this oneJ )


Enjoy !!!!


Idan Plotnik
Strategic Defense Expert
Microsoft Security Regional Director – ISA 2004
MSecurity LTD, Israel

Designing Digital Defense Architectures for Next Generation Trustworthy Systems

If you would like us to email you when Idan Plotnik releases another article on, subscribe to our ‘Real-Time Article Update’ by clicking here. Please note that we do NOT sell or rent the email addresses belonging to our subscribers; we respect your privacy

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top