
Configuring a Site-to-Site IPSEC VPN with a Check Point Embedded NG Security Appliance and a Fortinet FortiGate Security Appliance

Note: This document assumes the reader is familiar with the basic network installation of a Check Point Embedded NG appliance and a Fortinet FortiGate security appliance.

Overview
This document explains how to create a Site-to-Site IPSEC VPN connection between a Check Point Embedded NG security appliance and a Fortinet FortiGate security appliance. In particular, it describes the configuration of the following sample network:

Figure 1: Site-to-Site VPN with Check Point Embedded NG and Fortinet FortiGate Security Appliances

This sample network uses the parameters shown in the table below; however, you can change any of these parameters as desired, so long as they are the same on both appliances.

Table 1: Site-to-Site VPN Configuration Parameters


Parameter | Value
Encryption | 3DES
Integrity | SHA1
Authentication | Pre-shared Key (Shared Secret)
Diffie-Hellman (DH) | Group 2
Perfect Forward Secrecy (PFS) | Disabled
Phase-1 key lifetime | 24 hours (86400 seconds)
Phase-2 key lifetime | 1 hour (3600 seconds)

Note: The Embedded NG appliance must be installed with firmware 5.0 or a subsequent version.

Configuring the FortiGate Security Appliance


To configure the FortiGate security appliance for Site-to-Site VPN

1. Configure the encryption domain. The encryption domain represents the networks to and from which you want to encrypt. These are the networks behind the VPN gateways. Do the following:
   a. Create an object for the Embedded NG VPN gateway's internal network. See Creating an Object for the Embedded NG VPN Gateway's Internal Network.
   b. Create an object for the FortiGate VPN gateway's internal network. See Creating an Object for the FortiGate VPN Gateway's Internal Network.
2. Configure the IPSEC parameters, by doing the following:
   a. Configure a Phase-1 profile. See Configuring a Phase-1 Profile.
   b. Configure a Phase-2 profile. See Configuring a Phase-2 Profile.
3. Configure VPN rules, by doing the following:
   a. Configure an Encrypt rule from the FortiGate VPN gateway network to the Embedded NG VPN gateway network. See Configuring an Encrypt Rule from the FortiGate VPN Gateway Network to the Embedded NG VPN Gateway Network.
   b. Configure an Encrypt rule from the Embedded NG VPN gateway network to the FortiGate VPN gateway network. See Configuring an Encrypt Rule from the Embedded NG VPN Gateway Network to the FortiGate VPN Gateway Network.

Configuring the Encryption Domain


Creating an Object for the Embedded NG VPN Gateway's Internal Network
To create an object for the Embedded NG VPN gateway's internal network

1. In the main menu, click Firewall. The Firewall submenu opens.
2. In the Firewall submenu, click Address. The Address page appears.
3. Click Create New. The New Address page appears.
4. In the Address Name field, type a name for the Embedded NG VPN gateway internal network object. For example: CP_Internal.
5. In the IP Range/Subnet field, type the IP address and subnet mask of the Embedded NG VPN gateway's internal network. For example: 192.168.100.0/24.
6. Click OK.

Creating an Object for the FortiGate VPN Gateway's Internal Network


To create an object for the FortiGate VPN gateway's internal network

1. In the main menu, click Firewall. The Firewall submenu opens.
2. In the Firewall submenu, click Address. The Address page appears.
3. Click Create New. The New Address page appears.
4. In the Address Name field, type a name for the FortiGate VPN gateway internal network object. For example: FG_Internal.
5. In the IP Range/Subnet field, type the IP address and subnet mask of the FortiGate VPN gateway's internal network. For example: 192.168.1.0/255.255.255.0.
6. Click OK.

Configuring IPSEC Parameters


Configuring a Phase-1 Profile
To configure a Phase-1 profile

1. In the main menu, click VPN. The VPN submenu opens.
2. In the VPN submenu, click IPSEC. The Phase 1 page appears.
3. Click Create New. The New VPN Gateway page appears.
4. Click Advanced. Additional fields appear.
5. Fill in the fields as described in the table below. Do not change the default settings of fields that are not listed in the table.
6. Click OK.

Table 2: Phase-1 Profile Fields


In this field | Do this | In the sample network
Gateway Name | Type a name for the gateway. | Site2Site
Remote Gateway | Type the remote gateway's static IP address. |
IP address | Type the Embedded NG VPN gateway's IP address. | 212.150.8.85
Authentication Method | Select the authentication method to use. | Preshared Key
Pre-shared Key | Type the pre-shared key. Use the same pre-shared key as configured on the Embedded NG VPN gateway. | For example: Secret123
Encryption | Select the type of encryption to use to secure the VPN connection. | 3DES
Authentication | Select the authentication algorithm to use. | SHA1
DH Group | Select the Diffie-Hellman group to use. | 2
Keylife | Type the Phase-1 key lifetime in seconds. This parameter must match the Phase-1 keylife on the Embedded NG appliance VPN gateway. | 86400

Configuring a Phase-2 Profile


To configure a Phase-2 profile

1. In the main menu, click VPN. The VPN submenu opens.
2. In the VPN submenu, click IPSEC. The Phase 1 page appears.
3. Click the Phase 2 tab. The Phase 2 page appears.
4. Click Create New. The New VPN Tunnel page appears.
5. Click Advanced. Additional fields appear.
6. Fill in the fields as described in the table below. Do not change the default settings of fields that are not listed in the table.
7. Click OK.

Table 3: IPSEC Phase-2 Profile Fields

In this field | Do this | In the sample network
Tunnel Name | Enter a name for the tunnel. | Check Point
Remote Gateway | Select the Phase-1 profile you created for this tunnel. | Site2Site
1-Encryption | Select the type of encryption to use to secure the VPN connection. | 3DES
Authentication | Select the authentication algorithm to use. | SHA1
Enable perfect forward secrecy (PFS) | Specify whether to use PFS. | Clear this option.
Keylife | Use the fields provided to specify the Phase-2 keylife in seconds. This parameter must match the Phase-2 keylife on the Embedded NG appliance VPN gateway. | 3600

Configuring VPN Rules


Configuring an Encrypt Rule from the FortiGate VPN Gateway Network to the Embedded NG VPN Gateway Network
To configure an Encrypt rule from the FortiGate VPN gateway network to the Embedded NG VPN gateway network

1. In the main menu, click Firewall. The Firewall submenu opens.
2. In the Firewall submenu, click Policy. The Policy page appears.
3. Click Create New. The New Policy page appears.
4. Fill in the fields as described in the table below. Do not change the default settings of fields that are not listed in the table.
5. Click OK.

Table 4: Encrypt Rule from the FortiGate Network to the Embedded NG Network Fields
In this field | Do this | In the sample network
Interface/Zone | In the Source drop-down list, select Internal. In the Destination drop-down list, select External. |
Address Name | In the Source drop-down list, select the internal FortiGate VPN gateway address object from which you want traffic to be encrypted. In the Destination drop-down list, select the internal Embedded NG VPN gateway address object to which you want traffic to be encrypted. | Source: FG_Internal; Destination: CP_External
Action | Select ENCRYPT. |
VPN Tunnel | Select the Phase-2 profile you created. | CheckPoint

Configuring an Encrypt Rule from the Embedded NG VPN Gateway Network to the FortiGate VPN Gateway Network
To configure an Encrypt rule from the Embedded NG VPN gateway network to the FortiGate VPN gateway network

1. In the main menu, click Firewall. The Firewall submenu opens.
2. In the Firewall submenu, click Policy. The Policy page appears.
3. Click Create New. The New Policy page appears.
4. Fill in the fields as described in the table below. Do not change the default settings of fields that are not listed in the table.
5. Click OK.

Table 5: Encrypt Rule from the Embedded NG Network to the FortiGate Network Fields

In this field | Do this | In the sample network
Interface/Zone | In the Source drop-down list, select Internal. In the Destination drop-down list, select External. |
Address Name | In the Source drop-down list, select the Embedded NG VPN gateway address object from which you want traffic to be encrypted. In the Destination drop-down list, select the internal FortiGate VPN gateway address object to which you want traffic to be encrypted. | Source: CP_Internal; Destination: FG_External
Action | Select ENCRYPT. |
VPN Tunnel | Select the Phase-2 profile you created. | CheckPoint

Configuring the Embedded NG Security Appliance


To configure the Embedded NG security appliance for Site-to-Site VPN

1. Add the FortiGate security appliance as a Site-to-Site gateway. See Adding the FortiGate Security Appliance as a Site-to-Site VPN Gateway.
2. Configure IPSEC parameters to match those you configured on the FortiGate appliance. Do the following:
   a. Modify IKE Phase-1 encryption parameters. See Modifying IKE Phase-1 Encryption Parameters.
   b. Modify IKE Phase-2 encryption parameters. See Modifying IKE Phase-2 Encryption Parameters.
   c. Modify the IKE Phase-1 key lifetime. See Modifying the IKE Phase-1 Key Lifetime.
   d. Modify the IKE Phase-2 key lifetime. See Modifying the IKE Phase-2 Key Lifetime.

Adding the FortiGate Security Appliance as a Site-to-Site VPN Gateway


To add the FortiGate appliance as a Site-to-Site VPN gateway

1. Click VPN in the main menu, and click the VPN Sites tab. The VPN Sites page appears.
2. Click New Site. The VPN Site Wizard opens, with the Welcome to the VPN Site Wizard dialog box displayed.

3. Select Site-to-Site VPN.
4. Click Next. The VPN Gateway Address dialog box appears.

5. In the VPN Gateway field, type the IP address of the FortiGate VPN gateway.
6. Select Bypass NAT. This setting enables the FortiGate VPN gateway to bypass NAT when connecting to the Embedded NG VPN gateway internal network.
7. Select Bypass the firewall. This setting enables the FortiGate VPN gateway to bypass the firewall and access the Embedded NG VPN gateway's internal network without restriction, over the VPN tunnel only.
8. Click Next. The VPN Network Configuration dialog box appears.

9. Select Specify Configuration.
10. Click Next. A second VPN Network Configuration dialog box appears.
11. In the Destination network fields, type up to three destination network addresses at the FortiGate VPN gateway.
12. In the Subnet mask fields, select the subnet masks for the destination network addresses.
13. Click Next. The Authentication Method dialog box appears.

14. Select Shared Secret.
15. Click Next. The Authentication dialog box appears.
16. In the Use Shared Secret field, type the shared secret to use for secure communications with the FortiGate VPN gateway. This should be the pre-shared key you configured on the FortiGate VPN gateway in Configuring a Phase-1 Profile.
17. Click Next. The Connect dialog box appears.

18. If you configured the FortiGate appliance as described in Configuring the FortiGate Security Appliance, select the Try to Connect to the VPN Gateway check box to try to connect to it. This allows you to test the VPN connection.

Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated.

19. Click Next. If you selected Try to Connect to the VPN Gateway, the Connecting screen appears, and then the Contacting VPN Site screen appears. The Site Name dialog box appears.

20. Type a name for the VPN site. You may choose any name. For example: FortiGate.

Note: Do not select Keep this site alive.

21. Click Next. The VPN Site Created screen appears.

22. Click Finish. The VPN Sites page reappears. The new site appears in the VPN Sites list.

Configuring IPSEC Parameters


Configuring the IPSEC parameters on the Embedded NG security appliance is done through the appliance's command line interface (CLI). For information on accessing the CLI, refer to the User Guide. For information on CLI syntax, refer to the Check Point Embedded NG CLI Reference Guide.

Modifying IKE Phase-1 Encryption Parameters


To modify IKE Phase-1 encryption parameters

Use the following command syntax:

set vpn sites number phase1ikealgs [automatic | des/md5 | des/sha1 | 3des/md5 | 3des/sha1 | aes128/md5 | aes128/sha1 | aes256/md5 | aes256/sha1]

where number is the number of the FortiGate VPN gateway's row in the VPN Sites table in the Embedded NG Portal. For example, if the FortiGate VPN gateway appears in row 2 in the VPN Sites table, and you want to set the Embedded NG appliance to use 3DES/SHA1 encryption for Phase-1 IKE negotiations with this gateway, then run the command:

set vpn sites 2 phase1ikealgs 3des/sha1

Modifying IKE Phase-2 Encryption Parameters


To modify IKE Phase-2 encryption parameters

Use the following command syntax:

set vpn sites number phase2ikealgs [automatic | des/md5 | des/sha1 | 3des/md5 | 3des/sha1 | aes128/md5 | aes128/sha1 | aes256/md5 | aes256/sha1]

where number is the number of the FortiGate VPN gateway's row in the VPN Sites table in the Embedded NG Portal. For example, if the FortiGate VPN gateway appears in row 2 in the VPN Sites table, and you want to set the Embedded NG appliance to use 3DES/SHA1 encryption for Phase-2 IKE negotiations with this gateway, then run the command:

set vpn sites 2 phase2ikealgs 3des/sha1

Modifying the IKE Phase-1 Key Lifetime


To modify the IKE Phase-1 key lifetime

Use the following command syntax:

set vpn sites number phase1exptime seconds

where:
number is the number of the FortiGate VPN gateway's row in the VPN Sites table in the Embedded NG Portal.
seconds is the length of the IKE Phase-1 key lifetime in seconds.

For example, if the FortiGate VPN gateway appears in row 2 in the VPN Sites table, and you want to set the Embedded NG appliance to use a Phase-1 key lifetime of 24 hours (86400 seconds) with this gateway, then run the command:

set vpn sites 2 phase1exptime 86400

Modifying the IKE Phase-2 Key Lifetime


To modify the IKE Phase-2 key lifetime

Use the following command syntax:

set vpn sites number phase2exptime seconds

where:
number is the number of the FortiGate VPN gateway's row in the VPN Sites table in the Embedded NG Portal.
seconds is the length of the IKE Phase-2 key lifetime in seconds.

For example, if the FortiGate VPN gateway appears in row 2 in the VPN Sites table, and you want to set the Embedded NG appliance to use a Phase-2 key lifetime of 1 hour (3600 seconds) with this gateway, then run the command:

set vpn sites 2 phase2exptime 3600
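The four CLI commands above must mirror the FortiGate Phase-1 and Phase-2 profiles exactly, and a mismatch is the usual reason the tunnel never comes up. The following added example (not from this guide or from either vendor) derives the Embedded NG commands from the FortiGate profile values in Tables 2 and 3 and flags settings the Embedded NG side cannot match; the dictionary keys and the function name are assumptions chosen to mirror the guide's tables.

```python
"""Added example, not from the original guide or either vendor: derive the
Embedded NG CLI commands of this section from the FortiGate Phase-1/Phase-2
profile values (Tables 2 and 3) and flag mismatches that would make the
tunnel fail before either appliance is touched."""

# Algorithm pairs the guide lists as valid for phase1ikealgs / phase2ikealgs.
EMBEDDED_NG_ALGS = {
    "automatic", "des/md5", "des/sha1", "3des/md5", "3des/sha1",
    "aes128/md5", "aes128/sha1", "aes256/md5", "aes256/sha1",
}


def embedded_ng_commands(site_row, fg_phase1, fg_phase2):
    """Return (commands, problems) for the VPN site in row `site_row`.

    fg_phase1 / fg_phase2 are dicts of the FortiGate profile fields; the key
    names are an assumption chosen to mirror the guide's tables.
    """
    problems = []
    p1 = f"{fg_phase1['encryption']}/{fg_phase1['authentication']}".lower()
    p2 = f"{fg_phase2['encryption']}/{fg_phase2['authentication']}".lower()
    for label, algs in (("Phase-1", p1), ("Phase-2", p2)):
        if algs not in EMBEDDED_NG_ALGS:
            problems.append(f"{label} proposal {algs} is not a phase1ikealgs/phase2ikealgs option")
    # Table 1 fixes DH Group 2 and PFS disabled; the Embedded NG CLI shown in
    # the guide exposes no PFS setting, so PFS left on at the FortiGate would
    # produce Phase-2 proposals the peer never matches.
    if fg_phase1["dh_group"] != 2:
        problems.append(f"DH group {fg_phase1['dh_group']} differs from the guide's Group 2")
    if fg_phase2["pfs"]:
        problems.append("PFS must be cleared in the FortiGate Phase-2 profile")
    for label, life in (("Phase-1", fg_phase1["keylife"]), ("Phase-2", fg_phase2["keylife"])):
        if not isinstance(life, int) or life <= 0:
            problems.append(f"{label} keylife must be a positive number of seconds")
    commands = [
        f"set vpn sites {site_row} phase1ikealgs {p1}",
        f"set vpn sites {site_row} phase2ikealgs {p2}",
        f"set vpn sites {site_row} phase1exptime {fg_phase1['keylife']}",
        f"set vpn sites {site_row} phase2exptime {fg_phase2['keylife']}",
    ]
    return commands, problems


# Constructed sample matching Tables 1-3, with the FortiGate gateway in row 2
# of the Embedded NG VPN Sites table as in the guide's examples.
SAMPLE_PHASE1 = {"encryption": "3DES", "authentication": "SHA1", "dh_group": 2, "keylife": 86400}
SAMPLE_PHASE2 = {"encryption": "3DES", "authentication": "SHA1", "pfs": False, "keylife": 3600}
```

Run `embedded_ng_commands(2, SAMPLE_PHASE1, SAMPLE_PHASE2)` to get the same four commands this section shows; any entry in the returned problems list must be resolved on the FortiGate side before the commands are applied.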
