
PA Sna 02/1

VPN-1 Security Gateway by Check Point

Appendix A, Check Point Guidance


Content

1 Introduction
2 Topology
3 Preparatory work
  3.1 Public Key Signature
4 Setup of Check Point Firewall-1 NG / VPN-1
  4.1 Installation of Check Point Firewall-1 NG / VPN-1
  4.2 Global Properties
  4.3 Networks in front and behind the gateway
  4.4 Create a Certificate Authority (CA)
  4.5 Create and modify the firewall itself
  4.6 VPN-Network
  4.7 Create and modify Linux as a VPN partner
  4.8 Gateway-to-Gateway and Network-to-Network rule set
  4.9 Encryption Properties
  4.10 Install a rule set
5 Linux FreeS/WAN
  5.1 Modify FreeS/WAN on pluto.zhwin.ch
6 Logging at Check Point, Logfile-View
7 URLs

© 2002, Zürcher Hochschule Winterthur, page 2 of 25


1 Introduction

The following guide describes how to create a VPN tunnel between a Check Point Firewall-1 and a Linux FreeS/WAN security gateway.

If you have not done so already, you will need to install a copy of FreeS/WAN on your Linux host. FreeS/WAN adds IKE and IPsec support to Linux and can easily be configured to interoperate with Check Point VPN-1 NG. For further information on installing and compiling FreeS/WAN please refer to the URLs listed in chapter 7.

This guide only gives the information required to configure Check Point VPN-1 NG for interoperability with FreeS/WAN; it does not cover the details of setting up FreeS/WAN.

The following products were used in our tests:

- Gateway 1: Check Point Firewall-1 NG FP-2 installed on Windows 2000 Advanced Server SP 2.
- Gateway 2: Linux SuSE 7.1 gateway running kernel 2.4.17, extended with an iptables firewall and the FreeS/WAN VPN software.

The following issues should be known before starting with the configuration of Check Point VPN-1 and FreeS/WAN:

- FreeS/WAN does not support Aggressive Mode. Aggressive Mode is slightly faster, but reveals more information to an eavesdropper; specifically, it lets an eavesdropper learn which identities are in use.
- FreeS/WAN does not support an IKE SA renegotiation time above 480 minutes.
- FreeS/WAN does not implement Diffie-Hellman group 1 (768-bit) because it is considered insecure.
- Interoperability works only when Perfect Forward Secrecy (PFS) is enabled. With PFS enabled, a Diffie-Hellman key exchange is executed for each IPsec SA so that the short-term session keys are independent of each other.

Good luck and have fun!


2 Topology

The following diagram corresponds to the configuration we used while creating this document:

Picture A 2.1: Topology test net

3 Preparatory work

Before you install the Check Point software, make sure that communication to all machines inside and outside your network works (i.e. that all routing has been set up); otherwise you may have problems with your Check Point Firewall-1.

3.1 Public Key Signature

Under Check Point NG it is not possible to generate certificates for external servers with the Check Point Management station itself. You have to use an additional CA (Certificate Authority). In our case this means that we have to import the root certificate from the ZHW-CA.

Requirements from the CA:

- X.509 certificate of the CA in PEM format (e.g. ca-cert.pem)
- X.509 certificate of the FreeS/WAN host (e.g. plutoCert.der)


4 Setup of Check Point Firewall-1 NG / VPN-1

This section does not discuss all the configuration required on VPN-1, only the parts needed to get the VPN tunnel working with certificates. For detailed information about other configuration options please consult the Check Point user guide.

4.1 Installation of Check Point Firewall-1 NG / VPN-1

This is straightforward, so no screenshots should be required. Otherwise please consult the Check Point guide.

4.2 Global Properties

The first step to a successful setup is to change the VPN configuration method to Traditional. Otherwise you get the Check Point VPN Wizard, which was not tested for this document.

Picture A 4.1: Global Properties


Modify Global Properties (according to picture A 4.1)

Policies\Global Properties\VPN-1 Pro
  Traditional Mode: Enabled

Expand the VPN-1 Pro tree to check the following settings:

Policies\Global Properties\VPN-1 Pro\Early Versions Compatibility (not shown)
  Renegotiate IKE: 60 minutes
  Renegotiate IPsec: 3600 seconds

4.3 Networks in front and behind the gateway

To create a policy, you have to create objects which map to your real network components (Management Server, networks, nodes etc.).

First of all you have to create the networks both in front of and behind the gateway:

Picture A 4.2: Create a network

Create object: Intranet/Extranet (According to picture A 4.2)

Manage\Network Objects\New\Network


4.3.1 Intranet

After creating a new network you have to specify it:

Picture A 4.3: Intranet

Modify object: Intranet (according to picture A 4.3)

General
  Name: Intranet-160.85.22.0
  Network Address: 160.85.22.0
  Net Mask: 255.255.255.0
  Broadcast address: Included

NAT: -


4.3.2 Extranet

(The same as chapter 4.3.1)

Picture A 4.4: Extranet

Modify object: Extranet (according to picture A 4.4)

General
  Name: Extranet-160.85.20.0
  Network Address: 160.85.20.0
  Net Mask: 255.255.255.0
  Broadcast address: Included

NAT: -


4.4 Create a Certificate Authority (CA)

It is not possible to generate certificates for external servers with the Check Point Management station itself, so you have to create an additional Certificate Authority object (we used the ZHW-CA, which is based on OPSEC PKI; OPSEC stands for Open Platform for Secure Enterprise Connectivity):

Picture A 4.5 and A 4.6: ZHW-CA

Create object: ZHW-CA

Manage\Servers\New\Certificate Authority

Modify object: ZHW-CA (according to pictures A 4.5 and A 4.6)

General
  Name: ZHW-CA
  Certificate Authority: OPSEC PKI

OPSEC PKI
  LDAP-Server: Disabled
  HTTP-Server: Enabled
  GET: Get the ZHW-CA root certificate

Advanced (not shown): default values


4.5 Create and modify the firewall itself

If you have not already created the firewall object itself, do so now. It represents the gateway between the encryption domain and the insecure extranet.

Check whether VPN-1 Pro is enabled, otherwise the VPN will not work (VPN-1 must be licensed)!

Picture A 4.7: Create the firewall

Create object: zhwpoint

Manage\Network Objects\New\Check Point\Gateway

Modify object: zhwpoint – General Properties (according to picture A 4.7)

General Properties
  Name: zhwpoint (computer name)
  IP-Address: 160.85.20.120 (GET address)
  Firewall-1: Enabled
  VPN-1 Pro: Enabled


To get the firewall to work properly you have to define its interfaces to the neighbouring networks. Just push the Get Topology button to get the default values and then check and correct the details of each interface (see picture A 4.9).

Picture A 4.8: Topology firewall

Modify object: zhwpoint – Topology (according to picture A 4.8)

Topology
  Get Topology: (get standard values)
  VPN Domain: Manually Defined: Intranet
  Exportable for SecuRemote: Enabled (for use with SecuRemote)


Picture A 4.9: Topology firewall

Modify object: zhwpoint – Interface Properties (according to picture A 4.9)

General (not shown)
  Name: EL90Xbc0 / EL90Xbc1
  IP: 160.85.22.2 / 160.85.20.120
  Net Mask: 255.255.255.0

Topology
  Internal: Specific: Intranet

Anti Spoofing
  Perform Anti-Spoofing based on...: Disabled (see chapter 7)

QoS (not shown)
  Outbound Activity Rate: Enable (5898240 Bps), only for the EL90Xbc1 interface (otherwise it does not work properly)


FreeS/WAN supports IKE, so you have to enable the IKE encryption scheme by clicking on it. To set the IKE properties click Edit (see picture A 4.11).

To make a VPN connection you have to get a certificate from your CA (see picture A 4.12 below).

Picture A 4.10: VPN

Modify object: zhwpoint – VPN (according to picture A 4.10)

VPN
  Encryption schemes: Enable IKE


FreeS/WAN does not support DES encryption because it is considered insecure, so you have to choose the stronger 3DES. Both data integrity hashing algorithms, MD5 and SHA1, are supported by FreeS/WAN.

We want to authenticate Check Point to Pluto with certificates, so we have to enable the Public Key Signature box. To select the matching certificate from the right CA we have to edit the Public Key Signature and select the CA that we defined above (ZHW-CA).

Picture A 4.11: IKE-Properties

Modify object: zhwpoint – VPN – IKE (according to picture A 4.11)

IKE Properties
  3DES: Enabled
  MD5: Enabled
  SHA1: Enabled
  Public Key Signature: Enabled; Specify: ZHW-CA


UDP encapsulation is used for SecuRemote access (see chapter 4.6 SecuRemote in the main document).

Diffie-Hellman group 2 is a reasonably safe choice.

As mentioned in the introduction, FreeS/WAN does not support an IKE SA renegotiation time above 480 minutes, so you have to change the Rekeying Parameters as shown in picture A 4.11b.

Picture A 4.11b: Advanced IKE properties

Modify object: zhwpoint – VPN – IKE Advanced (according to picture A 4.11b)

Advanced IKE Properties
  Use UDP encapsulation: Enabled (VPN1_IPSEC_encapsulation)
  Support Diffie-Hellman groups: Enable group 2
  Rekeying Parameters: Renegotiate IKE 60 minutes; Renegotiate IPsec 3600 seconds
  Misc: -


To get a certificate for the VPN you first have to generate a certificate request for your machine. With this request you can obtain the correct certificate from your CA. Afterwards you have to import the certificate into the Check Point gateway. Picture A 4.12 shows the certificate issued by the ZHW-CA.

Picture A 4.12: Certificate Properties

Modify object: zhwpoint – VPN – Certificate (according to picture A 4.12)

Certificate Properties
  Certificate Nickname: CertIP
  Certificate Authority: ZHW-CA
  Generate the Certificate Request: CN=zhwpoint.zhwin.ch, OU=PA, O=ZHW, C=CH. It is important that you specify the IP address as the SubjectAltName when you generate the certificate!
  Get the Certificate: Read the certificate that you got from your CA


4.6 VPN-Network

As mentioned in chapter 2 (Topology), our VPN tunnel is situated between two gateways (Pluto and Check Point). Behind the Linux gateway (Pluto) is our encryption domain, so we have to create another network object to represent it (see picture A 4.13).

Picture A 4.13: VPN-Network

Create object: VPN-Net

Manage\Network Objects\New\Network

Modify object: VPN-Net (according to picture A 4.13)

General
  Name: VPNN-160.85.106.252
  Network Address: 160.85.106.252
  Net Mask: 255.255.255.252
  Broadcast address: Included

NAT: -


4.7 Create and modify Linux as a VPN partner

Here you have to create and modify an object representing the Linux host in our security policy. A new feature in Check Point NG is the object type Interoperable Device, which best matches our requirements for a Linux gateway.

Picture A 4.14: pluto.zhwin.ch – General Properties

Create object: pluto.zhwin.ch

Manage\Network Objects\New\Interoperable Device

Modify object: pluto.zhwin.ch – General Properties (according to picture A 4.14)

General Properties
  Name: pluto.zhwin.ch
  IP-Address: 160.85.139.240 (GET address)


For the VPN to work flawlessly you have to fill in the exact topology of your Linux gateway.

The VPN domain is the encryption domain that we created in chapter 4.6 (see picture A 4.15).

Picture A 4.15: pluto.zhwin.ch - Topology

Modify object: pluto.zhwin.ch – Topology (according to picture A 4.15)

Topology
  Add: eth0 – IP Address: 160.85.139.240, Network Mask: 255.255.255.0
  Add: eth1 – IP Address: 160.85.106.254, Network Mask: 255.255.255.252
  VPN Domain: Manually Defined: VPN-Net


Use the VPN page to select IKE and modify its properties as shown below in picture A 4.16.

We did not use any matching criteria in our tests, but feel free to do so.

Picture A 4.16: pluto.zhwin.ch – IKE Properties

Modify object: pluto.zhwin.ch – IKE Properties (according to picture A 4.16)

IKE Properties
  3DES: enabled
  MD5: enabled
  SHA1: enabled
  Public Key Signature: enabled; Matching Criteria: Certificate issued by ZHW-CA


4.8 Gateway-to-Gateway and Network-to-Network rule set

Create an encrypt rule to define the VPN which looks similar to the following (rules 6 and 7 in picture A 4.17):

Picture A 4.17: Rule set

Rules 1 and 2 are used to allow ICMP, IKE and ESP connections to the gateways. Make sure that these rules are above the stealth rule (a stealth rule is used to prevent direct connections to the firewall); otherwise IKE will fail.

To create an encrypt rule, you have to choose the Encrypt symbol from the Action field. Afterwards you have to edit the encrypt properties (see chapter 4.9).

Note: The rules shown in picture A 4.17 are required for the VPN tunnel. In addition to these rules, you have to implement the rules needed for the firewall itself.
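The ordering pitfall described above, as an added example that is not part of the ZHW guide or of Check Point's software: a small first-match evaluator over a constructed rule base modelled on the description of picture A 4.17 (the gateway-to-gateway allow rule for ICMP, IKE and ESP above the stealth rule, the two encrypt rules below it, and a final cleanup rule). The rule names, the merging of rules 1 and 2 into one rule, and the cleanup rule are assumptions of this example. It shows that the same IKE packet from pluto to zhwpoint is accepted in the guide's order and dropped by the stealth rule if that rule is moved above the allow rule, and it includes a check that flags IKE/ESP allow rules placed below the stealth rule.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "name src dst services action")

# Network objects as the guide defines them (chapters 4.3, 4.5, 4.6 and 4.7).
OBJECTS = {
    "Intranet": ipaddress.ip_network("160.85.22.0/24"),
    "VPN-Net": ipaddress.ip_network("160.85.106.252/30"),
    "zhwpoint": ipaddress.ip_network("160.85.20.120/32"),
    "pluto": ipaddress.ip_network("160.85.139.240/32"),
    "Any": ipaddress.ip_network("0.0.0.0/0"),
}
GATEWAYS = ("zhwpoint", "pluto")

# Constructed rule base in the order the guide describes: the gateway-to-gateway
# allow rule (rules 1 and 2 of picture A 4.17, merged here) sits above the
# stealth rule; the encrypt rules (rules 6 and 7) and a cleanup rule follow.
GUIDE_ORDER = [
    Rule("gw-to-gw", GATEWAYS, GATEWAYS, {"icmp", "IKE", "ESP"}, "accept"),
    Rule("stealth", ("Any",), ("zhwpoint",), {"any"}, "drop"),
    Rule("intranet-to-vpn", ("Intranet",), ("VPN-Net",), {"any"}, "encrypt"),
    Rule("vpn-to-intranet", ("VPN-Net",), ("Intranet",), {"any"}, "encrypt"),
    Rule("cleanup", ("Any",), ("Any",), {"any"}, "drop"),
]

# The same rules with the stealth rule moved to the top: the mistake the guide warns about.
STEALTH_FIRST = [GUIDE_ORDER[1], GUIDE_ORDER[0]] + GUIDE_ORDER[2:]


def _matches(addr, object_names):
    """True if the address lies in any of the named network objects."""
    ip = ipaddress.ip_address(addr)
    return any(ip in OBJECTS[name] for name in object_names)


def first_match(rules, src, dst, service):
    """Evaluate the rule base top-down; the first matching rule decides.

    Returns (rule name, action); an unmatched packet hits the implicit drop.
    """
    for rule in rules:
        if (_matches(src, rule.src) and _matches(dst, rule.dst)
                and ("any" in rule.services or service in rule.services)):
            return rule.name, rule.action
    return None, "drop"


def ike_rules_below_stealth(rules):
    """Names of IKE/ESP accept rules that the stealth rule would shadow."""
    names = [rule.name for rule in rules]
    below = rules[names.index("stealth") + 1:]
    return [rule.name for rule in below
            if rule.action == "accept" and rule.services & {"IKE", "ESP"}]


if __name__ == "__main__":
    pluto, zhwpoint = "160.85.139.240", "160.85.20.120"
    print("guide order, IKE pluto->zhwpoint:", first_match(GUIDE_ORDER, pluto, zhwpoint, "IKE"))
    print("stealth first, IKE pluto->zhwpoint:", first_match(STEALTH_FIRST, pluto, zhwpoint, "IKE"))
    print("shadowed rules:", ike_rules_below_stealth(STEALTH_FIRST))
```

The services are plain labels here; a real rule base matches IKE as UDP port 500 and ESP as IP protocol 50, which is what the evaluator would have to compare against if it were fed packet headers instead of names.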


4.9 Encryption Properties

So far we have only defined that a connection between Pluto and Check Point should be encrypted, but we have not declared an encryption algorithm. You therefore have to change the properties in the encryption rules (see picture A 4.18).

Picture A 4.18: Encryption Properties

Modify object: Encryption Properties (according to picture A 4.18)

Encryption Properties (right mouse click on the Encrypt symbol in the rule base, then Edit)
  IKE, Edit:
    Encryption Algorithm: 3DES
    Data Integrity: MD5
    Compression method: None
    Allowed Peer Gateway: pluto.zhwin.ch
    Use PFS (Perfect Forward Secrecy): Group 2

Note: Perfect Forward Secrecy (PFS) is a policy which requires encryption keys to be changed during each rekeying and thus ensures that no two sets of keys have any relation to each other. The advantage of perfect forward secrecy is that if one set of keys is compromised, only the data encrypted with those keys is at risk. The IKE protocol achieves perfect forward secrecy by using frequent Diffie-Hellman key exchanges.


4.10 Install a rule set

Policy\Install

This is straightforward; no screenshots should be required. Good luck!

After this last step your machine is ready to build a VPN connection.


5 Linux FreeS/WAN

5.1 Modify FreeS/WAN on pluto.zhwin.ch

/etc/ipsec.conf:

config setup
    #
    # THIS SETTING MUST BE CORRECT or almost nothing will work
    # %defaultroute is ok for most simple cases.
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes
    dumpdir=/root

conn %default
    keyingtries=3
    ikelifetime=3h
    keylife=1h
    disablearrivalcheck=no
    # --- RSA authentication using certificates
    authby=rsasig
    # --- left: this server
    left=%defaultroute
    [email protected]
    leftcert=plutoCert.der
    leftupdown=/usr/local/lib/ipsec/updown
    # --- right: roadwarrior
    right=%any
    rightrsasigkey=%cert
    # --- preferred encryption algorithms
    esp=aes128, 3des
    # --- load connections automatically at startup
    auto=add

conn checkpoint
    right=160.85.20.120
    rightsubnet=160.85.22.0/24
    leftsubnet=160.85.160.252/30
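Two things in this guide are easy to get wrong silently: the constraints listed in the introduction (IKE lifetime of at most 480 minutes, no Diffie-Hellman group 1, PFS enabled, no single DES) and the agreement between the subnets in conn checkpoint and the network objects defined on the Check Point side in chapters 4.3, 4.5 and 4.6. The following checker is an added example, not part of the ZHW guide or of FreeS/WAN: it parses a trimmed, constructed copy of the ipsec.conf above, merges conn %default the way FreeS/WAN does, and reports violations of those constraints and any address that differs from the Check Point objects. Run against the values on this page it reports exactly one mismatch: the excerpt's leftsubnet 160.85.160.252/30 differs from the VPN-Net object 160.85.106.252/30 (and from pluto's eth1 topology in chapter 4.7), so one of the two sides needs correcting before the encryption domains agree. The function names (interop_problems, address_mismatches, run) are the example's own.

```python
"""Check the FreeS/WAN side of the tunnel against the Check Point objects.

Added helper, not part of the ZHW guide or of FreeS/WAN. SAMPLE_IPSEC_CONF
is a constructed, trimmed copy of the guide's pluto.zhwin.ch ipsec.conf;
CHECKPOINT holds the values the guide lists for zhwpoint (4.5), Intranet
(4.3.1) and VPN-Net (4.6).
"""
import ipaddress
import re

SAMPLE_IPSEC_CONF = """\
config setup
    interfaces=%defaultroute
    plutoload=%search

conn %default
    keyingtries=3
    ikelifetime=3h
    keylife=1h
    authby=rsasig
    left=%defaultroute
    leftcert=plutoCert.der
    right=%any
    rightrsasigkey=%cert
    esp=aes128, 3des
    auto=add

conn checkpoint
    right=160.85.20.120
    rightsubnet=160.85.22.0/24
    leftsubnet=160.85.160.252/30
"""

CHECKPOINT = {
    "gateway": "160.85.20.120",                        # zhwpoint IP address
    "intranet": ("160.85.22.0", "255.255.255.0"),      # Intranet object
    "vpn_net": ("160.85.106.252", "255.255.255.252"),  # VPN-Net object
}
MAX_IKE_LIFETIME_MIN = 480  # FreeS/WAN limit stated in the guide's introduction


def parse_ipsec_conf(text):
    """Return {conn name: settings}, with 'conn %default' merged into every conn.

    Section headers ('config setup', 'conn NAME') start in column 0, their
    key=value lines are indented, and '#' starts a comment.
    """
    sections, current = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            current = sections.setdefault(line.strip(), {})
        else:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    defaults = sections.get("conn %default", {})
    return {name[5:]: {**defaults, **body} for name, body in sections.items()
            if name.startswith("conn ") and name != "conn %default"}


def duration_minutes(value):
    """FreeS/WAN time values: a bare number means seconds; suffixes s/m/h/d."""
    match = re.fullmatch(r"(\d+)([smhd]?)", value)
    if not match:
        raise ValueError(f"bad duration: {value!r}")
    scale = {"": 1 / 60, "s": 1 / 60, "m": 1, "h": 60, "d": 1440}
    return int(match.group(1)) * scale[match.group(2)]


def interop_problems(conn):
    """Violations of the interoperability constraints from the introduction."""
    problems = []
    minutes = duration_minutes(conn.get("ikelifetime", "1h"))
    if minutes > MAX_IKE_LIFETIME_MIN:
        problems.append(f"ikelifetime {minutes:g} min exceeds {MAX_IKE_LIFETIME_MIN} min")
    if "modp768" in conn.get("ike", ""):
        problems.append("ike= selects DH group 1 (modp768), which FreeS/WAN does not implement")
    if conn.get("pfs", "yes").lower() != "yes":
        problems.append("pfs=no, but the tunnel only works with PFS enabled")
    for alg in conn.get("esp", "").split(","):
        if alg.strip().lower().startswith("des"):  # single DES; '3des' passes
            problems.append(f"esp={alg.strip()}: single DES is not supported")
    return problems


def address_mismatches(conn, cp):
    """Compare peer address and subnets with the Check Point object definitions."""
    expected = {
        "right": ipaddress.ip_network(cp["gateway"] + "/32"),
        "rightsubnet": ipaddress.ip_network("%s/%s" % cp["intranet"]),
        "leftsubnet": ipaddress.ip_network("%s/%s" % cp["vpn_net"]),
    }
    mismatches = {}
    for key, want in expected.items():
        got = conn.get(key)
        if got is None:
            mismatches[key] = ("<missing>", str(want))
        elif ipaddress.ip_network(got, strict=False) != want:
            mismatches[key] = (got, str(want))
    return mismatches


def run(text=SAMPLE_IPSEC_CONF, cp=CHECKPOINT):
    conn = parse_ipsec_conf(text)["checkpoint"]
    return interop_problems(conn), address_mismatches(conn, cp)


if __name__ == "__main__":
    problems, mismatches = run()
    print("interoperability problems:", problems or "none")
    for key, (got, want) in mismatches.items():
        print(f"{key}: ipsec.conf has {got}, the Check Point object defines {want}")
```

The netmask-to-prefix conversion is done by the ipaddress module, which accepts the dotted Check Point net masks directly, so the Check Point values can be copied from the object dialogs as they appear there.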


6 Logging at Check Point, Logfile-View

Below is an excerpt from our logs after successful establishment of a VPN connection to Pluto.

Picture A 6.1: Check Point Logfile

- Log no. 0 shows the establishment of an IKE Security Association.
- Log no. 1/2 shows the IKE authentication.
- Log no. 3 shows the encrypted data transfer.

7 URLs

- http://www.netfilter.org (Linux netfilter firewall)
- http://www.freeswan.org (Linux IPsec stack)
- http://www.strongsec.com/freeswan/ (certificate support for Linux IPsec)
- http://www.irrigacion.gov.ar/juanjo/ipsec/ (AES encryption for Linux IPsec)