YES it works. But the Checkpoint must have min. Release 4.1 and servicepacks installed. You also have to change the default ipsec.conf in your ASL by hand and install a script to prevent that the middleware-agent change your handmade ipsec-configuration . The script could be found here: http://docs.astaro.org/hacking/ipfilter.local
TIP: First make all definitions of your VPN-Connection with the webadmin. The connection between your ASL and the Checkpoint must up and running. After the test, shutdown/stop the VPN Service on the ASL via the webadmin. Now copy your ipsec.conf to ipsec.conf_manual and set keylife=60m and ikelifetime=480m in this new file (ASL). The ipsec.conf could be found at /var/chroot-ipsec/etc/
Install ipfilter.local in /sbin/init.d/
After that you could start the VPN via the webadmin.
The checkpoint must have the same values for keylife and ikelifetime!
Notes for Setup your VPN via the webadmin:
IKE-debugging = Disabled Perfect Forwarding Secrecy = NO Secure Association = IKE Authentication method = secret
The above description is for ASL 2.xx. Hope it will help you setup VPN-Connection between your ASL and the Checkpoint .
