
IBM Proventia Network Multi-Function Security (MFS)

Configuring VPN from Proventia Network MFS to Check Point Systems


December 18, 2007

Overview

Introduction
This document describes how to configure a VPN tunnel from a Proventia Network MFS running Firmware 2.1 or later to Check Point NG FeaturePack 3 systems.

Intended use
This document provides an example for configuring VPN from a Proventia Network MFS to a Check Point NG FeaturePack 3 system. The example is not designed for operational use without modification. A knowledgeable IPSEC network administrator or advanced user should design new, custom policies for operational use.

Scope
This document does not provide specific procedures, but rather examples of settings. For specific instructions on how to configure these settings, refer to the documentation listed in the Related documentation section of this topic, below.

Related documentation
Refer to the Proventia Manager online Help and the IBM Proventia Network Multi-Function Security (MFS) Policy Configuration Guide for more information about the following:

  IKE settings
  IPSEC and IPSEC policies
  security gateways
  access policies
  NAT rules

For procedures for configuring the Check Point NG FP 3 system, refer to the documentation provided with your system.

IBM Internet Security Systems



In this document

This document contains the following topics:

  Topic                                                                              Page
  Before You Begin                                                                      3
  Configuring the Proventia Network MFS Security Gateway                                5
  Configuring the Proventia Network MFS IPSEC Policy                                    8
  Creating an IPSEC Policy for Antivirus Protection with VPN Connection                 9
  Creating an Access Policy to Enable ISAKMP Traffic to the Proventia Network MFS      11
  Creating Access Policies to Enable Traffic from Subnet A to Subnet B                 12
  Creating NAT Rules                                                                   14
  Configuring Check Point Modes and Objects                                            16
  Creating Interoperable Objects                                                       18
  Configure IKE (Phase 1) for Default Check Point Object                               20
  Configure IKE (Phase 1) Policy for Proventia Network MFS Object                      21
  Creating Security Rules in the IPSEC Policy                                          22

Contents of document subject to change.



Before You Begin


Introduction
This topic includes a topology graphic and a checklist to help you gather the information you need to configure VPN for your Proventia Network MFS and Check Point NG FP 3 system.

Topology
The following graphic illustrates the network topology of a Proventia Network MFS configured for VPN with a Check Point NG FP 3 system. The example used in this document is based on the topology depicted.

  Subnet A 192.168.1.0/24 ---- 192.168.1.1 [Proventia Network MFS] a.a.a.a ---- Internet ---- b.b.b.b [Check Point] 10.1.0.1 ---- Subnet B 10.1.0.0/16

Table 1: Topology for VPN tunnel from Proventia Network MFS to Check Point

Checklist
The following checklist indicates the information that you need before configuring your VPN tunnel.

  Description                                    Value
  Proventia Network MFS External IP address      _____________________________
    Note: This is the IP address that you will use where a.a.a.a appears in the examples in this document.
  Proventia Network MFS Internal IP Address      _____________________________
  Subnet A IP address                            _____________________________
  Check Point External IP address                _____________________________
    Note: This is the IP address that you will use where b.b.b.b appears in the examples in this document.
  Check Point Internal IP address                _____________________________
  Subnet B IP address                            _____________________________
  Preshared key (minimum of 16 characters)       _____________________________
    Note: Use signed certificates to identify the Proventia Network MFS and the Check Point VPN server for better security.

Table 2: Checklist before configuring VPN tunnel


  Description                                Options / value
  IKE Phase 1 (Main Mode) Authentication     MD5   SHA1
  IKE Phase 1 Encryption                     3DES   DES   AES
    Note: If you select AES, select an AES key length: 128   192   256
  IKE Phase 1 Key Lifetime Seconds           _____________________________
  IKE Phase 1 Key Lifetime Kbytes            _____________________________
  IKE Phase 1 Diffie-Hellman Group           Group1   Group2   Group5
  IKE Phase 2 (Quick Mode) Authentication    MD5   SHA1
  IKE Phase 2 Encryption                     3DES   DES   AES
    Note: If you select AES, select an AES key length: 128   192   256
  IKE Phase 2 Key Lifetime Seconds           _____________________________
  IKE Phase 2 Key Lifetime Kbytes            _____________________________
  IKE Phase 2 Diffie-Hellman Group           None   Group1   Group2   Group5
  Access Policies                            _____________________________

Table 2: Checklist before configuring VPN tunnel (Continued)


Configuring the Proventia Network MFS Security Gateway


Introduction
You must configure the security gateway that represents the Check Point system. The security gateway contains the IKE and IPSEC communication settings. To configure the security gateway, create an Auto Key IPSEC Security Gateway with the settings shown below.

Security gateway IKE Configuration general settings
Define the security gateway name, and configure IKE settings on the IKE Configuration tab, as shown in the following table:

  Item                        Setting
  Name                        To_Check_Point
  Enabled                     Selected
  Comment                     IPSEC tunnel to Check Point system
  Direction                   Both Directions
  Exchange Type               Main Mode
  Encryption Algorithm        3DES
  AES Key Length              N/A
    Note: This list is available only if you select the AES encryption algorithm, to allow you to select the AES key length from the list.
  Authentication Algorithm    MD5
  Authentication Mode         Pre Shared Key
  Pre-Shared Key              A text string value of at least 16 alphanumeric characters
    Example: 1234567890abcdef
    Note: Use the same text string for the Check Point NG FP3 system.
  Life Time Secs              7200
  Life Time KBytes            0
  DH Group                    Group2
  Local IP Address            Static Address
    Note: In the IP Address field, type the external interface IP address of the Proventia Network MFS. Example: a.a.a.a
  Remote IP Address           Static Address
    Note: In the IP Address field, type the external interface IP address of the Check Point NG FP3 system. Example: b.b.b.b
  Local ID                    Static Address
    Note: In the IP Address field, type the external interface IP address of the Proventia Network MFS. Example: a.a.a.a
  Remote ID                   Static Address
    Note: In the IP Address field, type the external interface IP address of the Check Point system. Example: b.b.b.b

Table 3: IKE Configuration settings for the Proventia Network MFS

IKE XAuth settings
In the XAuth area of the IKE Configuration tab, the Enabled checkbox is disabled by default. Make sure that this checkbox is cleared to disable the XAuth settings.

IPSEC Configuration general settings
Define the IPSEC Configuration general settings on the IPSEC Configuration tab, as shown in the following table:

  Item                       Setting
  Encapsulation Mode         Tunnel
  Perfect Forward Secrecy    Group2
  Advanced Settings          Disabled

Table 4: IPSEC Configuration general settings for the Proventia Network MFS

Adding a security proposal
In the Security Proposal area of the IPSEC Configuration tab, add a security proposal with the settings shown in the following table:

  Item                       Setting
  Security Protocol          ESP with Auth
  Auth Algorithm             SHA1
  ESP Algorithm              AES
  ESP AES Key Length         256
  Life Time Secs             7200
  Life Time KBytes           10000

Table 5: Security Proposal settings for the Proventia Network MFS

Advanced settings
In the Advanced Settings area of the IPSEC Configuration tab, the Enabled checkbox is cleared by default. Make sure that this checkbox is cleared to disable the advanced settings.


Configuring the Proventia Network MFS IPSEC Policy


Introduction
You must configure the IPSEC policy to define what is encrypted between the Proventia Network MFS and the Check Point system. The IPSEC policy is configured without network address translation (NAT).
Reference: See Creating NAT Rules on page 14.

IPSEC policy general settings
Define the IPSEC policy general settings as shown in the following table:

  Item                Setting
  Name                To_Check_Point
  Enabled             Selected
  Comment             IPSEC tunnel to Check Point system
  Security Process    Encrypt
  Protocol            All

Table 6: IPSEC general policy settings for the Proventia Network MFS

IPSEC policy remaining settings
Define the remaining IPSEC policy settings as shown in the following table:

  On this subtab...      Select this item...                      With this setting...
  Security Gateway       Auto Key Security Gateway                To_Check_Point
  Source Address         Network Address/#Network Bits (CIDR)     The network address and subnet mask for subnet A. Example: 192.168.1.0/24
  Source Port            Any                                      N/A
  Destination Address    Network Address/#Network Bits (CIDR)     The network address and subnet mask for subnet B. Example: 10.1.0.0/16
  Destination Port       Any                                      N/A

Table 7: IPSEC Configuration remaining settings for antivirus protection for VPN


Creating an IPSEC Policy for Antivirus Protection with VPN Connection


Introduction
The antivirus software proxies traffic to the external interface of the Proventia Network MFS for the following protocols:

  HTTP
  FTP
  SMTP
  POP3

To ensure that traffic analyzed by the antivirus software is sent and received from the remote VPN subnet B, you must create an additional IPSEC policy.

IPSEC policy general settings
Define the IPSEC policy general settings as shown in the following table:

  Item                Setting
  Name                AV_To_Check_Point
  Enabled             Selected
  Comment             IPSEC policy to protect AV traffic to Check Point
  Security Process    Encrypt
  Protocol            All

Table 8: IPSEC Configuration general settings for antivirus protection for VPN

IPSEC policy remaining settings
Define the remaining IPSEC policy settings as shown in the following table:

  On this subtab...      Select this item...                      With this setting...
  Security Gateway       Auto Key Security Gateway                To_Check_Point
  Source Address         Single IP Address                        The external interface IP address of the Proventia Network MFS. Example: a.a.a.a
    Note: This setting encapsulates traffic from the Proventia Network MFS external interface.
  Source Port            Any                                      N/A
  Destination Address    Network Address/#Network Bits (CIDR)     The network address and subnet mask for subnet B. Example: 10.1.0.0/16
  Destination Port       Any                                      N/A

Table 9: IPSEC policy settings for the Proventia Network MFS


Creating Related Access Policies for the Proventia Network MFS


Introduction
You must create additional access policies on the Proventia Network MFS to do the following:

  enable Internet Security Association and Key Management Protocol (ISAKMP) traffic to the Proventia Network MFS external interface
  Reference: See Creating an Access Policy to Enable ISAKMP Traffic to the Proventia Network MFS on page 11.

  enable traffic from subnet A to subnet B without NAT (Network Address Translation)
  Reference: See Creating Access Policies to Enable Traffic from Subnet A to Subnet B on page 12.

Guideline
You are creating a VPN tunnel in which the original IP addresses are preserved in the ESP, so you do not need NAT for the subnets. See Creating NAT Rules on page 14.

Order of access policies
The appliance processes access policies in the order that they appear in the Access Policy list.


Creating an Access Policy to Enable ISAKMP Traffic to the Proventia Network MFS

Introduction
Although you have created a VPN tunnel from the Check Point server to the Proventia Network MFS VPN server, you must configure the firewall to accept or deny traffic from the VPN client. To do this, enable ISAKMP traffic to the Proventia Network MFS external interface. To enable ISAKMP traffic to the Proventia Network MFS, enable the access policy that allows VPN traffic. You can identify this policy by the Comment field that includes the following default text:

  Enable this rule for VPN Connectivity

Note: This access policy is disabled by default. You must enable it to allow VPN traffic.

ISAKMP access policy general settings
Define the access policy general settings as defined in the following table:

  Item           Setting
  Enabled        Selected
  Action         Allow
  Log Enabled    Not selected (optional)
  Comment        Enable this rule for VPN Connectivity

Table 10: ISAKMP access policy general settings

ISAKMP access policy remaining settings
Define the remaining access policy settings as shown in the following table:

  On this subtab...      Select this item...        With this setting...
  Protocol               Protocol Name list         UDP
  Source Address         Single IP Address          The external interface IP address of the Check Point system. Example: b.b.b.b
  Source Port            Any                        N/A
  Destination Address    Self                       N/A
  Destination Port       Specify Network Objects    ISAKMP_UDP

Table 11: ISAKMP access policy remaining settings


Creating Access Policies to Enable Traffic from Subnet A to Subnet B


Introduction
You must create two additional access policies on the Proventia Network MFS to allow all traffic from subnet A to subnet B:

  a policy to allow inbound traffic
  a policy to allow outbound traffic

Inbound access policy general settings
Define the inbound access policy general settings as defined in the following table:

  Item           Setting
  Enabled        Selected
  Action         Allow
  Log Enabled    Not selected (optional)
  Comment        Access policy to allow traffic from remote Check Point network

Table 12: Inbound access policy general settings

Inbound access policy remaining settings
Define the remaining inbound access policy settings as shown in the following table:

  On this subtab...      Select this item...                      With this setting...
  Protocol               Any                                      N/A
  Source Address         Network Address/#Network Bits (CIDR)     The network address and subnet mask for subnet B. Example: 10.1.0.0/16
  Source Port            Any                                      N/A
  Destination Address    Network Address/#Network Bits (CIDR)     The network address and subnet mask for subnet A. Example: 192.168.1.0/24
  Destination Port       Any                                      N/A

Table 13: Inbound access policy remaining settings

Outbound access policy general settings
Define the outbound access policy general settings as defined in the following table:

  Item           Setting
  Enabled        Selected
  Action         Allow
  Log Enabled    Not selected (optional)
  Comment        Access policy to allow traffic out to remote Check Point network

Table 14: Outbound access policy general settings

Outbound access policy remaining settings
Define the remaining outbound access policy settings as shown in the following table:

  On this subtab...      Select this item...                      With this setting...
  Protocol               Any                                      N/A
  Source Address         Network Address/#Network Bits (CIDR)     The network address and subnet mask for subnet A. Example: 192.168.1.0/24
  Source Port            Any                                      N/A
  Destination Address    Network Address/#Network Bits (CIDR)     The network address and subnet mask for subnet B. Example: 10.1.0.0/16
  Destination Port       Any                                      N/A

Table 15: Outbound access policy remaining settings


Creating NAT Rules


Introduction
In firmware version 2.1 and later, you must add NAT (Network Address Translation) rules to bypass NAT and ensure that the appliance does not translate packets that travel between subnets. The additional NAT rules are as follows:

  a Source NAT Rule
  a Destination NAT Rule

Source NAT Rule general settings
Create a Source NAT Rule with general settings as defined in the following table:

  Item       Setting
  Name       CheckPoint_BypassNAT_Src
  Enabled    Selected
  Comment    Source NAT Rule to bypass NAT

Table 16: Source NAT Rule general settings

Source NAT Rule remaining settings
Define the remaining Source NAT Rule settings as shown in the following table:

  On this subtab...      Select this item...                      With this setting...
  Protocol               Any                                      N/A
  Source Address         Network Address/#Network Bits (CIDR)     The network mask for subnet A. Example: 192.168.1.0/24
  Destination Address    Network Address/#Network Bits (CIDR)     The network mask for subnet B. Example: 10.1.0.0/16
  Destination Port       Any                                      N/A
  Translated Address     Do Not Translate                         N/A

Table 17: Source NAT Rule remaining settings
Note: Make sure that the Source NAT Rule is in the first position in the Source NAT Rules table.

Destination NAT Rule general settings
Create a Destination NAT Rule with general settings as defined in the following table:

  Item       Setting
  Name       CheckPoint_BypassNAT_Dst
  Enabled    Selected
  Comment    Destination NAT Rule to bypass NAT

Table 18: Destination NAT Rule general settings

Destination NAT Rule remaining settings
Define the remaining Destination NAT Rule settings as shown in the following table:

  On this subtab...      Select this item...                      With this setting...
  Protocol               Any                                      N/A
  Source Address         Network Address/#Network Bits (CIDR)     The network mask for subnet B. Example: 10.1.0.0/16
  Destination Address    Network Address/#Network Bits (CIDR)     The network mask for subnet A. Example: 192.168.1.0/24
  Destination Port       Any                                      N/A
  Translated Address     Do Not Translate                         N/A
  Translated Port        Do Not Translate                         N/A

Table 19: Destination NAT Rule remaining settings
Note: Make sure that the Destination NAT Rule is in the first position in the Destination NAT Rules table.
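The ordering requirements in this document (access policies are processed top to bottom, and each bypass NAT rule must sit in the first position of its table) are easy to get wrong, so the following added example, which is not part of the IBM document and not Proventia code, models the access policies of Tables 10 to 15, the Source NAT bypass rule of Tables 16 and 17, and the two IPSEC policy selectors of Tables 7 and 9 as ordered first-match lists and evaluates constructed packets against them. The Rule and Packet classes, the documentation-range addresses standing in for a.a.a.a and b.b.b.b, and the "default masquerade" rule are assumptions made for the illustration; nothing of the appliance's real rule engine beyond first-match semantics is modelled. With the bypass rule first, a packet from subnet A to subnet B keeps its source address and matches the To_Check_Point selector; with a masquerade rule ahead of it, the same packet leaves with the external address, which is outside subnet A and therefore falls under the AV_To_Check_Point selector instead, and outside the Subnet A to Subnet B Encrypt rule on the Check Point side.

```python
"""First-match evaluation of the access policies and NAT bypass rules this
document describes, showing why their position in the list matters.

Added example; it is not part of the IBM document and not Proventia code.
The Rule/Packet model, the sample packets, and the "default masquerade"
rule are constructed for illustration. MFS_EXTERNAL and CHECKPOINT_EXTERNAL
are documentation-range stand-ins for a.a.a.a and b.b.b.b."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

SUBNET_A = ip_network("192.168.1.0/24")            # behind the Proventia MFS
SUBNET_B = ip_network("10.1.0.0/16")               # behind the Check Point
MFS_EXTERNAL = ip_address("203.0.113.10")          # stands in for a.a.a.a
CHECKPOINT_EXTERNAL = ip_address("198.51.100.20")  # stands in for b.b.b.b
ISAKMP_UDP = 500


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _in(addr, selector):
    """True if addr matches a network, a single address, or None (= any)."""
    if selector is None:
        return True
    a = ip_address(addr)
    return a in selector if isinstance(selector, IPv4Network) else a == selector


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                           # allow | translate | do-not-translate
    proto: Optional[str] = None           # None = any protocol
    src: Optional[object] = None          # IPv4Network, IPv4Address, or None
    dst: Optional[object] = None
    dport: Optional[int] = None
    translated_src: Optional[str] = None  # only meaningful for "translate"

    def matches(self, pkt):
        return ((self.proto is None or self.proto == pkt.proto)
                and _in(pkt.src, self.src) and _in(pkt.dst, self.dst)
                and (self.dport is None or self.dport == pkt.dport))


def first_match(rules, pkt):
    """Rules are evaluated top to bottom; the first hit wins, else implicit deny."""
    return next((r for r in rules if r.matches(pkt)), None)


# Access policies from Tables 10 to 15. "Self" is modelled as the MFS external address.
ACCESS_POLICIES = [
    Rule("Enable this rule for VPN Connectivity", "allow", "udp",
         CHECKPOINT_EXTERNAL, MFS_EXTERNAL, ISAKMP_UDP),
    Rule("Access policy to allow traffic from remote Check Point network", "allow",
         None, SUBNET_B, SUBNET_A),
    Rule("Access policy to allow traffic out to remote Check Point network", "allow",
         None, SUBNET_A, SUBNET_B),
]

# Source NAT: the bypass rule from Tables 16/17, plus a hypothetical masquerade
# rule of the kind an appliance normally has for Internet-bound traffic.
BYPASS_SRC = Rule("CheckPoint_BypassNAT_Src", "do-not-translate", None, SUBNET_A, SUBNET_B)
MASQUERADE = Rule("Hypothetical default masquerade", "translate", None, SUBNET_A, None,
                  translated_src=str(MFS_EXTERNAL))


def source_after_nat(nat_rules, pkt):
    """Source address the packet carries after the Source NAT table is applied."""
    r = first_match(nat_rules, pkt)
    if r is None or r.action == "do-not-translate":
        return pkt.src
    return r.translated_src


# Selectors of the two IPSEC policies (Tables 7 and 9).
IPSEC_POLICIES = [
    ("To_Check_Point", SUBNET_A, SUBNET_B),
    ("AV_To_Check_Point", MFS_EXTERNAL, SUBNET_B),
]


def ipsec_policy_for(src, dst):
    """Name of the first IPSEC policy whose selectors cover src -> dst, or None."""
    return next((name for name, s, d in IPSEC_POLICIES if _in(src, s) and _in(dst, d)), None)


if __name__ == "__main__":
    pkt = Packet("tcp", "192.168.1.50", "10.1.0.7", 80)
    for order in ([BYPASS_SRC, MASQUERADE], [MASQUERADE, BYPASS_SRC]):
        src = source_after_nat(order, pkt)
        print(order[0].name, "first ->", src, "->", ipsec_policy_for(src, pkt.dst))
```

Running the module prints the outcome for both rule orders; the same packet that selects To_Check_Point with the bypass rule first selects AV_To_Check_Point once a masquerade rule precedes it. Internet-bound traffic from subnet A is unaffected by the bypass rule in either order, which is the point of scoping the bypass to subnet B.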


Configuring Check Point Modes and Objects


Introduction
Configuring Check Point modes and objects includes the following tasks:

  verifying the Check Point VPN-1 Pro mode
  creating network objects

Notes:

  This document covers only Traditional mode. For help with setting up a VPN connection in Simplified mode, consult your Check Point documentation.
  If you change from Simplified mode to Traditional mode in the Global Properties window, then you must create a new policy so that the Encrypt Action is available for firewall rules.

Verify Check Point VPN-1 Pro mode
To verify Check Point VPN-1 Pro mode:

1. Open the Management console and log in.
2. Select Policy > Global Properties.
3. Click VPN-1 Pro in the left window pane.
4. Verify that the VPN configuration method is Traditional mode.
   Important: If the policy is not in Traditional mode, then select one of the Traditional Mode options, click OK, and then select File > New... to create a new policy.

Create network objects
To create network objects:

1. In the Management console, click the Network Objects icon to display the Network Objects tree.
2. Expand the Network Objects tree.
3. Right-click Networks, and then select New Network.
4. Provide the following information on the General tab:

  Item               Setting
  Name               Subnet_A
  Network Address    The network IP address for subnet A. Example: 192.168.1.0
  Netmask            The netmask for subnet A. Example: 255.255.255.0

5. Click OK to save the network.
6. Does a network object already exist for the internal network protected by the Check Point NG FP 3 firewall?
   If yes, you have finished creating network objects. Go to the next topic.
   If no, go to Step 7.
7. Right-click Networks, and then select New Network.
8. Provide the following information on the General tab:

  Item               Setting
  Name               Subnet_B
  Network Address    The network IP address for subnet B. Example: 10.1.0.0
  Netmask            The netmask for subnet B. Example: 255.255.0.0

9. Click OK to save the network.


Creating Interoperable Objects


Introduction
You must create interoperable objects for the Proventia Network MFS.

Procedure
To create interoperable objects:

1. In the Management console, click the Network Objects icon to display the Network Objects tree.
2. Expand the Network Objects tree.
3. Right-click Interoperable Devices, and then select New Interoperable Device.
4. Provide the following information for the Proventia Network MFS:

  Item          Setting
  Name          Proventia
  IP address    The external interface IP address of the Proventia Network MFS. Example: a.a.a.a

5. In the left pane, click Topology.
6. Click Add, and then provide the following information on the General tab:

  Item          Setting
  Name          Internal
  IP Address    The internal interface IP address of the Proventia Network MFS. Example: 192.168.1.1
  Netmask       The netmask for subnet A. Example: 255.255.255.0

7. Provide the following information on the Topology tab:

  Item                                Setting
  Topology                            Internal
  IP Address behind this interface    Specific: select Subnet A from the drop-down list

8. Click OK to save.
9. Click Add, and then enter the following information on the General tab:

  Item          Setting
  Name          External
  IP Address    The external interface IP address of the Proventia Network MFS. Example: a.a.a.a
  Netmask       The external netmask of the Proventia Network MFS. Example: 255.255.255.255

10. On the Topology tab, select External for Topology.
11. Click OK, and then click OK again to save the Interoperable Device settings.


Configure IKE (Phase 1) for Default Check Point Object


Introduction
You must configure the IKE settings for Phase 1 (Main Mode) negotiation for the default Check Point object.

Procedure
To configure IKE for the default Check Point object:

1. Right-click the default Check Point object, and then click Edit.
2. Verify that VPN-1 Pro is selected. If not, select it.
3. Click VPN in the left pane.
4. Click Traditional Mode Configuration, and then configure the following settings:

  Item                    Setting
  Encryption Algorithm    3DES
  Data Integrity          MD5
  Pre-Shared Secret       Enable

5. Click Advanced in the left pane, and then configure the following settings:

  Item                                       Setting
  Diffie-Hellman groups for IKE              Group2
  Renegotiate IKE Security Associations      120 minutes
  Renegotiate IPSEC Security Associations    7200 seconds
  Renegotiate IPSEC Security Associations    10000 Kbytes
  Support aggressive mode                    Disabled

6. Click OK, and then click OK again to save the encryption settings.
7. Select VPN Advanced in the left pane, and then enable Support key exchange for subnets.
8. Click OK to save your changes.


Configure IKE (Phase 1) Policy for Proventia Network MFS Object


Introduction
You must configure the IKE policy for Phase 1 (Main Mode) negotiation for the Proventia Network MFS object.

Procedure
To configure IKE for the Proventia Network MFS object:

1. Right-click the Proventia Network MFS interoperable object that you just created, and then click Edit.
2. Click VPN in the left pane.
3. Click Traditional Mode Configuration, and then configure the following settings:

  Item                    Setting
  Encryption Algorithm    3DES
  Data Integrity          MD5
  Pre-shared Secret       Enable

4. Click Edit Secrets.
5. Select the Check Point object, and then click Edit.
6. Type the same pre-shared key that you used for the Proventia Network MFS.
   Example: 1234567890abcdef
7. Click Set, and then click OK.
8. Click Advanced, and then configure the following settings:

  Item                                       Setting
  Diffie-Hellman groups for IKE              Group 2
  Renegotiate IKE Security Associations      120 minutes
  Renegotiate IPSEC Security Associations    7200 seconds
  Renegotiate IPSEC Security Associations    10000 Kbytes
  Support aggressive mode                    Disabled

9. Click OK, and then click OK again to save the encryption settings.
10. Select VPN Advanced in the left pane, and then enable Support key exchange for subnets.
11. Click OK to save your changes.


Creating Security Rules in the IPSEC Policy


Introduction
You must create security rules in the IPSEC policy.

Procedure
To create rules:

1. In the right panel, select the Security tab.
2. Open the Rules menu, select Add Rule > Top, and then configure the following settings:

  Item           Setting
  Source         Default Check Point Object, Proventia Network MFS
  Destination    Proventia Network MFS, Default Check Point Object
  Service        IPSEC (includes IKE - UDP 500)
  Action         Accept

3. Add a rule after the IPSEC rule just created with the following settings:

  Item           Setting
  Source         Subnet A, Subnet B
  Destination    Subnet B, Subnet A
  Service        Any
  Action         Encrypt

4. Right-click Encrypt in the action for the rule above, and then select Edit properties.
5. Select IKE, and click Edit.
6. Configure the following settings:

  Item                           Setting
  Encryption Algorithm           AES-256
  Data Integrity                 MD5
  Compression Method             None
  Allowed Peer Gateway           Any
  Use Perfect Forward Secrecy    Enabled
  Use DH Group                   Group 2
  Perform IP Pool NAT            Enabled

7. Click OK to save the IKE settings.
8. Click OK to save the IPSEC policy.
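The tables on the two sides of this document give the values the peers must agree on for Main Mode and Quick Mode to complete. The following added example, which is not part of the IBM document and not IBM or Check Point code, transcribes the Phase 1 values from Table 3 and from the Check Point Traditional Mode and Advanced settings, and the Phase 2 values from Tables 4 and 5 and from the Encrypt rule's IKE properties, into one record per side and per phase, then reports every field that differs as well as any legacy algorithm in use. The Phase1 and Phase2 classes, check_tunnel and legacy_algorithms are names chosen here, and the transcription is the only link to the document's tables; the legacy flagging follows RFC 8247, present-day guidance that the 2007 document does not contain. Run against the values exactly as printed, the checker reports one difference: the Phase 2 integrity algorithm, which Table 5 lists as SHA1 on the Proventia side and the Check Point IKE properties list as MD5; whichever side is changed, both peers must propose the same algorithm.

```python
"""Cross-check the IKE Phase 1 and IPSEC Phase 2 parameters that both VPN
peers must agree on before the tunnel will come up.

Added example; it is not part of the IBM document and not IBM or Check Point
code. The PROVENTIA_* and CHECKPOINT_* records are transcribed by hand from
this document's tables and are only as accurate as that transcription."""
from dataclasses import dataclass, fields
from typing import Optional


@dataclass(frozen=True)
class Phase1:
    """IKE Phase 1 (Main Mode) proposal. Lifetime is in seconds so that
    "120 minutes" on Check Point compares with "7200" on the MFS."""
    exchange: str        # "main" or "aggressive"
    encryption: str      # "DES", "3DES", "AES-128", ...
    integrity: str       # "MD5" or "SHA1"
    dh_group: int
    lifetime_sec: int
    auth_mode: str       # "psk" or "cert"


@dataclass(frozen=True)
class Phase2:
    """IPSEC Phase 2 (Quick Mode) proposal."""
    protocol: str        # "ESP"
    encryption: str
    integrity: str
    lifetime_sec: int
    lifetime_kb: int
    pfs_group: Optional[int]   # None means PFS disabled


# Algorithms and DH groups that RFC 8247 rates MUST NOT or SHOULD NOT for
# IKE/IPsec. The 2007 document predates that guidance; flag, do not reject.
LEGACY = {"DES", "3DES", "MD5"}
LEGACY_DH_GROUPS = {1, 2}


def mismatches(a, b, label):
    """Field-by-field comparison of two proposals of the same dataclass."""
    out = []
    for f in fields(a):
        va, vb = getattr(a, f.name), getattr(b, f.name)
        if va != vb:
            out.append(f"{label} {f.name}: {va!r} vs {vb!r}")
    return out


def legacy_algorithms(p1, p2):
    """Sorted names of weak algorithms or DH groups present in either proposal."""
    found = set()
    for name in (p1.encryption, p1.integrity, p2.encryption, p2.integrity):
        if name in LEGACY:
            found.add(name)
    for g in (p1.dh_group, p2.pfs_group):
        if g in LEGACY_DH_GROUPS:
            found.add(f"DH group {g}")
    return sorted(found)


def check_tunnel(p1_a, p1_b, p2_a, p2_b, psk):
    """Return the list of reasons the two configurations will not negotiate."""
    problems = mismatches(p1_a, p1_b, "phase1") + mismatches(p2_a, p2_b, "phase2")
    if "aggressive" in (p1_a.exchange, p1_b.exchange):
        problems.append("phase1 exchange: aggressive mode is enabled on a peer")
    if p1_a.auth_mode == "psk" and len(psk) < 16:
        problems.append("pre-shared key shorter than the 16 characters the checklist requires")
    return problems


# Values transcribed from this document (constructed records, not live config).
PROVENTIA_P1 = Phase1("main", "3DES", "MD5", 2, 7200, "psk")        # Table 3
PROVENTIA_P2 = Phase2("ESP", "AES-256", "SHA1", 7200, 10000, 2)     # Tables 4 and 5
CHECKPOINT_P1 = Phase1("main", "3DES", "MD5", 2, 120 * 60, "psk")   # Traditional Mode + Advanced
CHECKPOINT_P2 = Phase2("ESP", "AES-256", "MD5", 7200, 10000, 2)     # Encrypt rule, IKE properties
EXAMPLE_PSK = "1234567890abcdef"                                    # example key from Table 3


if __name__ == "__main__":
    for line in check_tunnel(PROVENTIA_P1, CHECKPOINT_P1, PROVENTIA_P2, CHECKPOINT_P2, EXAMPLE_PSK):
        print("MISMATCH:", line)
    print("legacy algorithms in use:", legacy_algorithms(PROVENTIA_P1, PROVENTIA_P2))
```

The Phase 1 lifetimes agree once the Check Point value is converted to seconds (120 minutes is 7200 seconds), and the Phase 2 lifetimes, PFS group and AES-256 cipher agree as printed; the integrity algorithm is the only field the checker reports.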


Copyright IBM Corporation 2003, 2007. All Rights Reserved. IBM and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. ADDME, Ahead of the threat, BlackICE, Internet Scanner, Proventia, RealSecure, SecurePartner, SecurityFusion, SiteProtector, System Scanner, Virtual Patch, X-Force and X-Press Update are trademarks or registered trademarks of Internet Security Systems, Inc. in the United States, other countries, or both. Internet Security Systems, Inc. is a wholly-owned subsidiary of International Business Machines Corporation. Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation in the United States, other countries, or both. Other company, product and service names may be trademarks or service marks of others. References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.
