VPN Check Point
Overview
Introduction
This document describes how to configure a VPN tunnel from a Proventia Network MFS running a Firmware 2.1 operating system or later, to Check Point NG FeaturePack 3 systems.

Intended use
This document provides an example for configuring VPN from a Proventia Network MFS to a Check Point NG FeaturePack 3 system. The example is not designed for operational use without modification. A knowledgeable IPSEC network administrator or advanced user should design new, custom policies for operational use.

Scope
This document does not provide specific procedures, but rather examples of settings. For specific instructions on how to configure these settings, refer to the documentation listed in the Related documentation section of this topic, below.

Related documentation
Refer to the Proventia Manager online Help and the IBM Proventia Network Multi-Function Security (MFS) Policy Configuration Guide for more information about the following:
- IKE settings
- IPSEC and IPSEC policies
- security gateways
- access policies
- NAT rules

For procedures for configuring the Check Point NG FP 3 system, refer to the documentation provided with your system.
Topography

Subnet A 192.168.1.0/24 --- 192.168.1.1 [Proventia Network MFS] a.a.a.a --- Internet --- b.b.b.b [Check Point] 10.1.0.1 --- Subnet B 10.1.0.0/16

Table 1: Topography for VPN tunnel from Proventia Network MFS to Check Point
Checklist
The following checklist indicates the information that you need before configuring your VPN tunnel.
Description                                   Value
Proventia Network MFS External IP address     _____________________________
  Note: This is the IP address that you will use where a.a.a.a appears in the examples in this document.
Proventia Network MFS Internal IP Address     _____________________________
Subnet A IP address                           _____________________________
Symantec External IP address                  _____________________________
  Note: This is the IP address that you will use where b.b.b.b appears in the examples in this document.
Symantec Internal IP address                  _____________________________
Subnet B IP address                           _____________________________
Preshared key (minimum of 16 characters)      _____________________________
  Note: Use signed certificates to identify the Proventia Network MFS and Symantec VPN server for better security.

Description                                   Value
IKE Phase 1 (Main Mode) Authentication        MD5 / SHA1
IKE Phase 1 Encryption                        3DES / DES / AES
  Note: If you select AES, select an AES key length: 128 / 192 / 256
IKE Phase 1 Key Lifetime Seconds              _____________________________
IKE Phase 1 Key Lifetime Kbytes               _____________________________
IKE Phase 1 Diffie-Hellman Group              _____________________________
IKE Phase 2 Encryption                        3DES / DES / AES
  Note: If you select AES, select an AES key length: 128 / 192 / 256
IKE Phase 2 Key Lifetime Seconds              _____________________________
IKE Phase 2 Key Lifetime Kbytes               _____________________________
IKE Phase 2 Diffie-Hellman Group              _____________________________
Access Policies                               _____________________________
Item                  Setting
Authentication Mode   Pre Shared Key
Pre-Shared Key        A text string value of at least 16 alphanumeric characters
                      Example: 1234567890abcdef
                      Note: Use the same text string for the Check Point NG FP3 system.
Life Time Secs        7200
Life Time KBytes      0
DH Group              Group2
Local IP Address      Static Address
                      Note: In the IP Address field, type the external interface IP address of the Proventia Network MFS.
                      Example: a.a.a.a
Table 3: IKE Configuration settings for the Proventia Network MFS

Item                  Setting
Remote IP Address     Static Address
                      Note: In the IP Address field, type the external interface IP address of the Check Point NG FP3 system.
                      Example: b.b.b.b
Local ID              Static Address
                      Note: In the IP Address field, type the external interface IP address of the Proventia Network MFS.
                      Example: a.a.a.a
Remote ID             Static Address
                      Note: In the IP Address field, type the external interface IP address of the Symantec system.
                      Example: b.b.b.b
Table 3: IKE Configuration settings for the Proventia Network MFS (Continued)
In the XAuth area of the IKE Configuration tab, the Enabled checkbox is disabled by default. Make sure that this checkbox is cleared to disable the XAuth settings.

Define the IPSEC Configuration general settings on the IPSEC Configuration tab, as shown in the following table:

Item                      Setting
Encapsulation Mode        Tunnel
Perfect Forward Secrecy   Group2
Advanced Settings         Disabled
Table 4: IPSEC Configuration general settings for the Proventia Network MFS
In the Security Proposal area of the IPSEC Configuration tab, add a security proposal with the settings shown in the following table:

Item                  Setting
Security Protocol     ESP with Auth
Auth Algorithm        SHA1
ESP Algorithm         AES
ESP AES Key Length    256
Life Time Secs        7200
Life Time KBytes      10000
Table 5: Security Proposal settings for the Proventia Network MFS (Continued)
Advanced settings
In the Advanced Settings area of the IPSEC Configuration tab, the Enabled checkbox is cleared by default. Make sure that this checkbox is cleared to disable the advanced settings.
Define the IPSEC policy general settings as shown in the following table:

Item                Setting
Name                To_Check_Point
Enabled             Selected
Comment             IPSEC tunnel to Check Point system
Security Process    Encrypt
Protocol            All
Table 6: IPSEC general policy settings for the Proventia Network MFS
Define the remaining IPSEC policy settings as shown in the following table:

On this subtab...     Select this item...                     With this setting...
Security Gateway      Auto Key Security Gateway               To_Check_Point
Source Address        Network Address/#Network Bits (CIDR)    The network address and subnet mask for subnet A
                                                              Example: 192.168.1.0/24
Source Port           Any                                     N/A
Destination Address   Network Address/#Network Bits (CIDR)    The network address and subnet mask for subnet B
                                                              Example: 10.1.0.0/16
Destination Port      Any                                     N/A
Table 7: IPSEC Configuration remaining settings for antivirus protection for VPN
To ensure that traffic analyzed by the antivirus software is sent to and received from the remote VPN subnet B, you must create an additional IPSEC policy.

IPSEC policy general settings
Define the IPSEC policy general settings as shown in the following table:

Item                Setting
Name                AV_To_Check_Point
Enabled             Selected
Comment             IPSEC policy to protect AV traffic to Check Point
Security Process    Encrypt
Protocol            All
Table 8: IPSEC Configuration general settings for antivirus protection for VPN
Define the remaining IPSEC policy settings as shown in the following table:

On this subtab...     Select this item...                     With this setting...
Security Gateway      Auto Key Security Gateway               To_Check_Point
Source Address        Single IP Address                       The external interface IP address of the Proventia Network MFS
                                                              Example: a.a.a.a
                                                              Note: This setting encapsulates traffic from the Proventia Network MFS external interface.
Source Port           Any                                     N/A
Destination Address   Network Address/#Network Bits (CIDR)    The network address and subnet mask for subnet B
                                                              Example: 10.1.0.0/16
Destination Port      Any                                     N/A
- enable Internet Security Association and Key Management Protocol (ISAKMP) traffic to the Proventia Network MFS external interface
  Reference: See Creating an Access Policy to Enable ISAKMP Traffic to the Proventia Network MFS on page 11.
- enable traffic from subnet A to subnet B without NAT (Network Address Translation)
  Reference: See Creating Access Policies to Enable Traffic from Subnet A to Subnet B on page 12.
Guideline
You are creating a VPN tunnel in which the original IP addresses are preserved in the ESP, so you do not need NAT for the subnets. See Creating NAT Rules on page 14. The appliance processes access policies in the order that they appear in the Access Policy list.
Creating an Access Policy to Enable ISAKMP Traffic to the Proventia Network MFS
Introduction
Although you have created a VPN tunnel from the Check Point server to the Proventia Network MFS VPN server, you must configure the firewall to accept or deny traffic from the VPN client. To do this, enable ISAKMP traffic to the Proventia Network MFS external interface. To enable ISAKMP traffic to the Proventia Network MFS, enable the access policy that allows VPN traffic. You can identify this policy by the Comment field that includes the following default text:
Enable this rule for VPN Connectivity
Note: This access policy is disabled by default. You must enable it to allow VPN traffic.
Define the access policy general settings as defined in the following table:

Item           Setting
Enabled        Selected
Action         Allow
Log Enabled    Not selected (optional)
Comment        Enable this rule for VPN Connectivity

Define the remaining access policy settings as shown in the following table:

On this subtab...     Select this item...        With this setting...
Protocol              Protocol Name list         UDP
Source Address        Single IP Address          The external interface IP address for Unit B
                                                 Example: b.b.b.b
Source Port           Any                        N/A
Destination Address   Self                       N/A
Destination Port      Specify Network Objects    ISAKMP_UDP
Define the inbound access policy general settings as defined in the following table:

Item           Setting
Enabled        Selected
Action         Allow
Log Enabled    Not selected (optional)
Comment        Access policy to allow traffic from remote Check Point network

Define the remaining inbound access policy settings as shown in the following table:

On this subtab...     Select this item...                     With this setting...
Protocol              Any                                     N/A
Source Address        Network Address/#Network Bits (CIDR)    The network address and subnet mask for subnet B
                                                              Example: 10.1.0.0/16
Source Port           Any                                     N/A
Destination Address   Network Address/#Network Bits (CIDR)    The network address and subnet mask for subnet A
                                                              Example: 192.168.1.0/24
Destination Port      Any                                     N/A
Define the outbound access policy general settings as defined in the following table:

Item           Setting
Enabled        Selected
Action         Allow
Log Enabled    Not selected (optional)
Comment        Access policy to allow traffic out to remote Check Point network
Table 14: Outbound access policy general settings

Define the remaining outbound access policy settings as shown in the following table:

On this subtab...     Select this item...                     With this setting...
Protocol              Any                                     N/A
Source Address        Network Address/#Network Bits (CIDR)    The network address and subnet mask for subnet A
                                                              Example: 192.168.1.0/24
Source Port           Any                                     N/A
Destination Address   Network Address/#Network Bits (CIDR)    The network address and subnet mask for subnet B
                                                              Example: 10.1.0.0/16
Destination Port      Any                                     N/A
Create a Source NAT Rule with general settings as defined in the following table:

Item        Setting
Name        CheckPoint_BypassNAT_Src
Enabled     Selected
Comment     Source NAT Rule to bypass NAT

Define the remaining Source NAT Rule settings as shown in the following table:

On this subtab...     Select this item...                     With this setting...
Protocol              Any                                     N/A
Source Address        Network Address/#Network Bits (CIDR)    The network mask for subnet A
                                                              Example: 192.168.1.0/24
Destination Address   Network Address/#Network Bits (CIDR)    The network mask for subnet B
                                                              Example: 10.1.0.0/16
Destination Port      Any                                     N/A
Translated Address    Do Not Translate                        N/A
Table 17: Source NAT Rule remaining settings

Note: Make sure that the Source NAT Rule is in the first position in the Source NAT Rules table.

Destination NAT Rule general settings
Create a Destination NAT Rule with general settings as defined in the following table:

Item        Setting
Name        CheckPoint_BypassNAT_Dst
Enabled     Selected
Comment     Destination NAT Rule to bypass NAT

Define the remaining Destination NAT Rule settings as shown in the following table:

On this subtab...     Select this item...                     With this setting...
Protocol              Any                                     N/A
Source Address        Network Address/#Network Bits (CIDR)    The network mask for subnet B
                                                              Example: 10.1.0.0/16
Destination Address   Network Address/#Network Bits (CIDR)    The network mask for subnet A
                                                              Example: 192.168.1.0/24
Destination Port      Any                                     N/A
Translated Address    Do Not Translate                        N/A
Translated Port       Do Not Translate                        N/A
Table 19: Destination NAT Rule remaining settings

Note: Make sure that the Destination NAT Rule is in the first position in the Destination
- verifying the Check Point VPN-1 Pro mode
- creating network objects

Notes:
This document covers only Traditional mode. For help with setting up a VPN connection in Simplified mode, consult your Check Point documentation. If you change from Simplified mode to Traditional mode in the Global Properties window, then you must create a new policy so that the Encrypt Action is available for firewall rules.

To verify Check Point VPN-1 Pro mode:
1. Open the Management console and log in.
2. Select Policy > Global Properties.
3. Click VPN-1 Pro in the left window pane.
4. Verify that the VPN configuration method is Traditional mode.

Important: If the policy is not in Traditional mode, then select one of the Traditional Mode options, click OK, and then select File > New... to create a new policy.

Create network objects
To create network objects:
1. In the Management console, click the Network Objects icon to display the Network Objects tree.
2. Expand the Network Objects tree.
3. Right-click Networks, and then select New Network.
4. Provide the following information on the General tab:
Item               Setting
Name               Subnet_A
Network Address    The network IP address for subnet A
                   Example: 192.168.1.0
Netmask            The netmask for subnet A
                   Example: 255.255.255.0

5. Click OK to save the network.
6. Does a network object already exist for the internal network protected by the Check Point NG FP 3 firewall?
   If yes, you have finished creating network objects. Go to the next topic.
   If no, go to Step 7.
7. Right-click Networks, and then select New Network.
8. Provide the following information on the General tab:

Item               Setting
Name               Subnet_B
Network Address    The network IP address for subnet B
                   Example: 10.1.0.0
Netmask            The netmask for subnet B
                   Example: 255.255.0.0
a.a.a.a
5. In the left pane, click Topology.
6. Click Add, and then provide the following information on the General tab:

Item          Setting
Name          Internal
IP Address    The internal interface IP address of the Proventia Network MFS
              Example: 192.168.1.1
Netmask       The netmask for subnet A
              Example: 255.255.255.0

8. Click OK to save.
9. Click Add, and then enter the following information on the General tab:

Item          Setting
Name          External
IP Address    The external interface IP address of the Proventia Network MFS
              Example: a.a.a.a
Netmask       The external netmask of the Proventia Network MFS
              Example: 255.255.255.255

10. On the Topology tab, select External for Topology.
11. Click OK, and then click OK again to save the Interoperable Device settings.
Procedure
5. Click Advanced in the left pane, and then configure the following settings:

Item                                       Setting
Diffie-Hellman groups for IKE              Group2
Renegotiate IKE Security Associations      120 minutes
Renegotiate IPSEC Security Associations    7200 seconds
Renegotiate IPSEC Security Associations    10000 Kbytes
Support aggressive mode                    Disabled

6. Click OK, and then click OK again to save the encryption settings.
7. Select VPN Advanced in the left pane, and then enable Support key exchange for subnets.
8. Click OK to save your changes.
Procedure
4. Click Edit Secrets.
5. Select Check Point object, and then click Edit.
6. Type the same pre-shared key that you used for the Proventia Network MFS.
   Example: 1234567890abcdef
7. Click Set, and then click OK.
8. Click Advanced, and then configure the following settings:

Item                                       Setting
Diffie-Hellman groups for IKE              Group 2
Renegotiate IKE Security Associations      120 minutes
Renegotiate IPSEC Security Associations    7200 seconds
Renegotiate IPSEC Security Associations    10000 Kbytes
Support aggressive mode                    Disabled

9. Click OK, and then click OK again to save the encryption settings.
10. Select VPN Advanced in the left pane, and then enable Support key exchange for subnets.
11. Click OK to save your changes.
3. Add a rule after the IPSEC rule just created with the following settings:

Item           Setting
Source         Subnet A, Subnet B
Destination    Subnet B, Subnet A
Service        Any
Action         Encrypt

4. Right-click on Encrypt in the action for the rule above, and then select Edit properties.
5. Select IKE, and click Edit.
7. Click OK to save the IKE settings.
8. Click OK to save the IPSEC policy.
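Most failed negotiations between the two ends come from a value that was typed differently on each side. The following added consistency check (example code, not part of the IBM document or of either product) models the Proventia Network MFS values from Tables 3 to 5 and the Check Point Advanced settings above, converts the Check Point IKE lifetime from minutes to seconds before comparing, enforces the 16-character pre-shared key minimum, and checks the first-position requirement for the NAT bypass rules from Tables 17 and 19. The field names, the rule-name list model and the rule name Default_SNAT are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelSettings:
    """IKE/IPSEC values that must agree on both ends (field names are assumed)."""
    dh_group: int           # Diffie-Hellman group used for IKE
    ike_lifetime_s: int     # IKE (Phase 1) SA lifetime in seconds
    ipsec_lifetime_s: int   # IPSEC (Phase 2) SA lifetime in seconds
    ipsec_lifetime_kb: int  # IPSEC SA lifetime in Kbytes
    aggressive_mode: bool   # both ends keep aggressive mode disabled
    psk: str                # pre-shared key, identical on both ends


# Proventia Network MFS values from Tables 3 to 5 of the document
MFS = TunnelSettings(2, 7200, 7200, 10000, False, "1234567890abcdef")
# Check Point Advanced settings; its IKE lifetime is entered as 120 minutes
CHECKPOINT = TunnelSettings(2, 120 * 60, 7200, 10000, False, "1234567890abcdef")

COMPARED_FIELDS = ("dh_group", "ike_lifetime_s", "ipsec_lifetime_s",
                   "ipsec_lifetime_kb", "aggressive_mode")


def find_mismatches(local: TunnelSettings, remote: TunnelSettings) -> list[str]:
    """Return a list of problems; an empty list means the two ends agree."""
    problems = []
    for field in COMPARED_FIELDS:
        a, b = getattr(local, field), getattr(remote, field)
        if a != b:
            problems.append(f"{field}: MFS={a} CheckPoint={b}")
    if local.psk != remote.psk:
        problems.append("pre-shared key differs between the two ends")
    for side, s in (("MFS", local), ("CheckPoint", remote)):
        if len(s.psk) < 16:  # the checklist requires at least 16 characters
            problems.append(f"{side}: pre-shared key shorter than 16 characters")
    return problems


def bypass_rule_is_first(rule_names: list[str], bypass_rule: str) -> bool:
    """Tables 17 and 19: the bypass rule must be in the first position so
    that traffic between subnet A and subnet B is never translated."""
    return bool(rule_names) and rule_names[0] == bypass_rule


if __name__ == "__main__":
    print(find_mismatches(MFS, CHECKPOINT))  # [] when the settings above match
    # Default_SNAT is a constructed name for some other rule in the table
    print(bypass_rule_is_first(["CheckPoint_BypassNAT_Src", "Default_SNAT"],
                               "CheckPoint_BypassNAT_Src"))  # True
```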
Copyright IBM Corporation 2003, 2007. All Rights Reserved. IBM and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. ADDME, Ahead of the threat, BlackICE, Internet Scanner, Proventia, RealSecure, SecurePartner, SecurityFusion, SiteProtector, System Scanner, Virtual Patch, X-Force and X-Press Update are trademarks or registered trademarks of Internet Security Systems, Inc. in the United States, other countries, or both. Internet Security Systems, Inc. is a wholly-owned subsidiary of International Business Machines Corporation. Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation in the United States, other countries, or both. Other company, product and service names may be trademarks or service marks of others. References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.