I am trying to set up a BorderManager 3.9sp1 VPN with a Check Point VPN.

Therefore I was wondering if anyone has experience with this.

- Is it necessary to change parameters (communications section) by use of monitor(.nlm) on the BorderManager server?

- When connecting 3rd party VPNs, can I only use the 3rd party traffic rules? If yes, then how am I gonna restrict on specific ports?

- The master VPN (BM) server also has the shared secret enabled. Is this really necessary or is it only needed for the configured s2s 3rd party VPN slave? In our case there is no tunnel when I do not set it for both the master as well as the 3rd party slave member.

- In particular we had to change 3des/md5 to des/sha before a connection could be established. Now the tunnel is active and IP packets flow over, however we cannot reach the other subnets completely, so this looks like a routing issue. The other (3rd party) site can only ping my master tunnel ip ( address, but not the configured tunnel ipaddress ( for the configured 3rd party slave.
I assume that the 3rd party does not need to have this tunnel ip ( on their site, because this is a 3rd party setup?
I can only ping their private ipaddress and further nothing.

- The BM routing table has the 3rd party protected networks and subnets and points to the tunnel ip of the 3rd party slave vpn server ( Does this tunnel ip need to be present on the Check Point firewall? (I ask this because of BM S2S, it is, but probably on 3rd party it's not needed) Can't find any info on this.

- I do not have any error messages anymore.

Other info:
- bm39sp1 on nw65sp7 (upgraded from nw65sp5/bm38sp5).
- Latest official patches from Novell (not the beta patches).
- There is NAT enabled (static + dynamic) on the public interface of the BorderManager.
- Also c2s VPN is configured on the same box, which just runs fine.
- Rules are configured any any (do not have errors about this in csaudit).