7/28/2019 VPN Check Point
http://slidepdf.com/reader/full/vpn-check-point 1/24
IBM Internet Security Systems
IBM Proventia® Network Multi-Function Security (MFS)
Configuring VPN from Proventia Network MFS to Check Point Systems
December 18, 2007
Overview
Introduction  This document describes how to configure a VPN tunnel from a Proventia Network MFS running Firmware 2.1 or later to a Check Point NG Feature Pack 3 system.
Intended use  This document provides an example for configuring VPN from a Proventia Network MFS to a Check Point NG Feature Pack 3 system. The example is not designed for operational use without modification. A knowledgeable IPSEC network administrator or advanced user should design new, custom policies for operational use. In particular, the 3DES encryption, MD5 integrity and Diffie-Hellman Group 2 settings shown in the example were chosen for interoperability and are no longer considered strong: for an operational tunnel, use AES, SHA1 or stronger integrity where both peers support it, the largest Diffie-Hellman group both peers support, and a long randomly generated pre-shared key or, better, certificate authentication.
Scope  This document does not provide specific procedures, but rather examples of settings. For specific instructions on how to configure these settings, refer to the documentation listed in the "Related documentation" section of this topic, below.
Related documentation  Refer to the Proventia Manager online Help and the IBM Proventia Network Multi-Function Security (MFS) Policy Configuration Guide for more information about the following:
● IKE settings
● IPSEC and IPSEC policies
● security gateways
● access policies
● NAT rules
For procedures for configuring the Check Point NG FP 3 system, refer to the documentation provided with your system.
Contents of document subject to change.
In this document  This document contains the following topics:
● Before You Begin
● Configuring the Proventia Network MFS Security Gateway
● Configuring the Proventia Network MFS IPSEC Policy
● Creating an IPSEC Policy for Antivirus Protection with VPN Connection
● Creating an Access Policy to Enable ISAKMP Traffic to the Proventia Network MFS
● Creating Access Policies to Enable Traffic from Subnet A to Subnet B
● Creating NAT Rules
● Configuring Check Point Modes and Objects
● Creating Interoperable Objects
● Configure IKE (Phase 1) for Default Check Point Object
● Configure IKE (Phase 1) Policy for Proventia Network MFS Object
● Creating Security Rules in the IPSEC Policy
Before You Begin
Introduction  This topic includes a topography graphic and a checklist to help you gather the information you need to configure VPN for your Proventia Network MFS and Check Point NG FP 3 system.
Topography  The following graphic illustrates the network topography of a Proventia Network MFS configured for VPN with a Check Point NG FP 3 system. The example used in this document is based on the topography depicted.
Table 1: Topography for VPN tunnel from Proventia Network MFS to Check Point
(Figure not reproduced. It shows subnet A, 192.168.1.0/24, behind the Proventia Network MFS internal interface 192.168.1.1; the Proventia Network MFS external interface a.a.a.a and the Check Point external interface b.b.b.b connected across the Internet; and subnet B, 10.1.0.0/16, behind the Check Point internal interface 10.1.0.1.)

Checklist  The following checklist indicates the information that you need before configuring your VPN tunnel.
[ ] Proventia Network MFS external IP address: _____________________________
    Note: This is the IP address that you will use where a.a.a.a appears in the examples in this document.
[ ] Proventia Network MFS internal IP address: _____________________________
[ ] Subnet A network address: _____________________________
[ ] Check Point external IP address: _____________________________
    Note: This is the IP address that you will use where b.b.b.b appears in the examples in this document.
[ ] Check Point internal IP address: _____________________________
[ ] Subnet B network address: _____________________________
[ ] Pre-shared key (minimum of 16 characters): _____________________________
    Note: Use a long, randomly generated string, and use signed certificates to identify the Proventia Network MFS and the Check Point VPN gateway for better security.
Table 2: Checklist before configuring VPN tunnel
[ ] IKE Phase 1 (Main Mode) authentication: MD5 / SHA1
[ ] IKE Phase 1 encryption: 3DES / DES / AES
    Note: If you select AES, select an AES key length: 128 / 192 / 256
[ ] IKE Phase 1 key lifetime, seconds: _____________________________
[ ] IKE Phase 1 key lifetime, Kbytes: _____________________________
[ ] IKE Phase 1 Diffie-Hellman group: Group1 / Group2 / Group5
[ ] IKE Phase 2 (Quick Mode) authentication: MD5 / SHA1
[ ] IKE Phase 2 encryption: 3DES / DES / AES
    Note: If you select AES, select an AES key length: 128 / 192 / 256
[ ] IKE Phase 2 key lifetime, seconds: _____________________________
[ ] IKE Phase 2 key lifetime, Kbytes: _____________________________
[ ] IKE Phase 2 Diffie-Hellman group (Perfect Forward Secrecy): None / Group1 / Group2 / Group5
[ ] Access policies
    Note: Both peers must be configured with the same Phase 1 and Phase 2 choices; any difference in algorithm, group or lifetime units between the two sides causes the negotiation to fail.
Table 2: Checklist before configuring VPN tunnel (Continued)
Configuring the Proventia Network MFS Security Gateway
Introduction  You must configure the security gateway that represents the Check Point system. The security gateway contains the IKE and IPSEC communication settings. To configure the security gateway, create an Auto Key IPSEC Security Gateway with the settings shown below.
Security gateway IKE Configuration general settings  Define the security gateway name, and configure IKE settings on the IKE Configuration tab, as shown in the following table:

Item                      Setting
Name                      To_Check_Point
Enabled                   Selected
Comment                   IPSEC tunnel to Check Point system
Direction                 Both Directions
Exchange Type             Main Mode
Encryption Algorithm      3DES
AES Key Length            N/A
                          Note: This list is available only if you select the AES encryption algorithm; it lets you select the AES key length.
Authentication Algorithm  MD5
Authentication Mode       Pre Shared Key
Pre-Shared Key            A text string value of at least 16 alphanumeric characters
                          Example: 1234567890abcdef
                          Note: The example is a placeholder, not a usable key; generate a long random string. Use the same text string for the Check Point NG FP3 system.
Life Time Secs            7200
Life Time KBytes          0
DH Group                  Group2
Local IP Address          Static Address
                          Note: In the IP Address field, type the external interface IP address of the Proventia Network MFS.
                          Example: a.a.a.a
Remote IP Address         Static Address
                          Note: In the IP Address field, type the external interface IP address of the Check Point NG FP3 system.
                          Example: b.b.b.b
Local ID                  Static Address
                          Note: In the IP Address field, type the external interface IP address of the Proventia Network MFS.
                          Example: a.a.a.a
Remote ID                 Static Address
                          Note: In the IP Address field, type the external interface IP address of the Check Point NG FP3 system.
                          Example: b.b.b.b
Table 3: IKE Configuration settings for the Proventia Network MFS

IKE XAuth settings  In the XAuth area of the IKE Configuration tab, the Enabled checkbox is cleared by default. Make sure that this checkbox is cleared to disable the XAuth settings.

IPSEC Configuration general settings  Define the IPSEC Configuration general settings on the IPSEC Configuration tab, as shown in the following table:

Item                     Setting
Encapsulation Mode       Tunnel
Perfect Forward Secrecy  Group2
Advanced Settings        Disabled
Table 4: IPSEC Configuration general settings for the Proventia Network MFS

Adding a security proposal  In the Security Proposal area of the IPSEC Configuration tab, add a security proposal with the settings shown in the following table:

Item                Setting
Security Protocol   ESP with Auth
Auth Algorithm      SHA1
                    Note: The Data Integrity setting of the Check Point IPSEC (Phase 2) properties must match this value.
ESP Algorithm       AES
ESP AES Key Length  256
Life Time Secs      7200
Life Time KBytes    10000
Table 5: Security Proposal settings for the Proventia Network MFS

Advanced settings  In the Advanced Settings area of the IPSEC Configuration tab, the Enabled checkbox is cleared by default. Make sure that this checkbox is cleared to disable the advanced settings.
Configuring the Proventia Network MFS IPSEC Policy
Introduction  You must configure the IPSEC policy to define what is encrypted between the Proventia Network MFS and the Check Point system. The IPSEC policy is configured without network address translation (NAT).
Reference: See "Creating NAT Rules".
IPSEC policy general settings  Define the IPSEC policy general settings as shown in the following table:

Item              Setting
Name              To_Check_Point
Enabled           Selected
Comment           IPSEC tunnel to Check Point system
Security Process  Encrypt
Protocol          All
Table 6: IPSEC general policy settings for the Proventia Network MFS

IPSEC policy remaining settings  Define the remaining IPSEC policy settings as shown in the following table:

On this subtab...    Select this item...                   With this setting...
Security Gateway     Auto Key Security Gateway             To_Check_Point
Source Address       Network Address/#Network Bits (CIDR)  The network address and subnet mask for subnet A (example: 192.168.1.0/24)
Source Port          Any                                   N/A
Destination Address  Network Address/#Network Bits (CIDR)  The network address and subnet mask for subnet B (example: 10.1.0.0/16)
Destination Port     Any                                   N/A
Table 7: IPSEC policy remaining settings for the Proventia Network MFS
Creating an IPSEC Policy for Antivirus Protection with VPN Connection
Introduction  The antivirus software proxies traffic to the external interface of the Proventia Network MFS for the following protocols:
● HTTP
● FTP
● SMTP
● POP3
To ensure that traffic analyzed by the antivirus software is sent to and received from the remote VPN subnet B, you must create an additional IPSEC policy. Because the proxied traffic leaves the appliance with the external interface address a.a.a.a as its source, it does not match the subnet A selector of the To_Check_Point policy; the additional policy selects on the external interface address instead.
IPSEC policy general settings  Define the IPSEC policy general settings as shown in the following table:

Item              Setting
Name              AV_To_Check_Point
Enabled           Selected
Comment           IPSEC policy to protect AV traffic to Check Point
Security Process  Encrypt
Protocol          All
Table 8: IPSEC Configuration general settings for antivirus protection for VPN

IPSEC policy remaining settings  Define the remaining IPSEC policy settings as shown in the following table:

On this subtab...    Select this item...                   With this setting...
Security Gateway     Auto Key Security Gateway             To_Check_Point
Source Address       Single IP Address                     The external interface IP address of the Proventia Network MFS (example: a.a.a.a)
                                                           Note: This setting encapsulates traffic that originates from the Proventia Network MFS external interface, which is where the antivirus proxy sends it from.
Source Port          Any                                   N/A
Destination Address  Network Address/#Network Bits (CIDR)  The network address and subnet mask for subnet B (example: 10.1.0.0/16)
Destination Port     Any                                   N/A
Table 9: IPSEC policy remaining settings for antivirus protection for VPN
Creating Related Access Policies for the Proventia Network MFS
Introduction  You must create additional access policies on the Proventia Network MFS to do the following:
● enable Internet Security Association and Key Management Protocol (ISAKMP) traffic to the Proventia Network MFS external interface
  Reference: See "Creating an Access Policy to Enable ISAKMP Traffic to the Proventia Network MFS".
● enable traffic from subnet A to subnet B without NAT (Network Address Translation)
  Reference: See "Creating Access Policies to Enable Traffic from Subnet A to Subnet B".
Guideline  You are creating a VPN tunnel in which the original IP addresses are preserved inside the ESP payload, so you do not need NAT for the subnets. See "Creating NAT Rules".
Order of access policies  The appliance processes access policies in the order that they appear in the Access Policy list, so place these policies above any broader policy that would otherwise match the same traffic.
Creating an Access Policy to Enable ISAKMP Traffic to the Proventia Network MFS
Introduction  Although you have defined the VPN tunnel between the Check Point system and the Proventia Network MFS, you must still configure the firewall to accept the key-exchange traffic from the Check Point peer. To do this, enable ISAKMP (IKE, UDP port 500) traffic to the Proventia Network MFS external interface.
To enable ISAKMP traffic to the Proventia Network MFS, enable the access policy that allows VPN traffic. You can identify this policy by the Comment field that includes the following default text:
Enable this rule for VPN Connectivity
Note: This access policy is disabled by default. You must enable it to allow VPN traffic.
ISAKMP access policy general settings  Define the access policy general settings as defined in the following table:

Item         Setting
Enabled      Selected
Action       Allow
Log Enabled  Not selected (optional)
Comment      Enable this rule for VPN Connectivity
Table 10: ISAKMP access policy general settings

ISAKMP access policy remaining settings  Define the remaining access policy settings as shown in the following table:

On this subtab...    Select this item...      With this setting...
Protocol             Protocol Name list       UDP
Source Address       Single IP Address        The external interface IP address of the Check Point system (example: b.b.b.b)
Source Port          Any                      N/A
Destination Address  Self                     N/A
Destination Port     Specify Network Objects  ISAKMP_UDP
Table 11: ISAKMP access policy remaining settings
Creating Access Policies to Enable Traffic from Subnet A to Subnet B
Introduction  You must create two additional access policies on the Proventia Network MFS to allow all traffic from subnet A to subnet B:
● a policy to allow inbound traffic
● a policy to allow outbound traffic
The example allows any protocol and any port in both directions; for operational use, restrict Protocol and the port settings to the services that subnet A and subnet B actually need to exchange.
Inbound access policy general settings  Define the inbound access policy general settings as defined in the following table:

Item         Setting
Enabled      Selected
Action       Allow
Log Enabled  Not selected (optional)
Comment      Access policy to allow traffic from remote Check Point network
Table 12: Inbound access policy general settings

Inbound access policy remaining settings  Define the remaining inbound access policy settings as shown in the following table:

On this subtab...    Select this item...                   With this setting...
Protocol             Any                                   N/A
Source Address       Network Address/#Network Bits (CIDR)  The network address and subnet mask for subnet B (example: 10.1.0.0/16)
Source Port          Any                                   N/A
Destination Address  Network Address/#Network Bits (CIDR)  The network address and subnet mask for subnet A (example: 192.168.1.0/24)
Destination Port     Any                                   N/A
Table 13: Inbound access policy remaining settings

Outbound access policy general settings  Define the outbound access policy general settings as defined in the following table:

Item         Setting
Enabled      Selected
Action       Allow
Log Enabled  Not selected (optional)
Comment      Access policy to allow traffic out to remote Check Point network
Table 14: Outbound access policy general settings

Outbound access policy remaining settings  Define the remaining outbound access policy settings as shown in the following table:

On this subtab...    Select this item...                   With this setting...
Protocol             Any                                   N/A
Source Address       Network Address/#Network Bits (CIDR)  The network address and subnet mask for subnet A (example: 192.168.1.0/24)
Source Port          Any                                   N/A
Destination Address  Network Address/#Network Bits (CIDR)  The network address and subnet mask for subnet B (example: 10.1.0.0/16)
Destination Port     Any                                   N/A
Table 15: Outbound access policy remaining settings
Creating NAT Rules
Introduction  In firmware version 2.1 and later, you must add NAT (Network Address Translation) rules to bypass NAT and ensure that the appliance does not translate packets that travel between subnets. Without them, any general outbound NAT rule on the appliance would rewrite the source address of subnet A packets before they reach the tunnel, and the 192.168.1.0/24 to 10.1.0.0/16 selector of the IPSEC policy would no longer match them. The additional NAT rules are as follows:
● a Source NAT Rule
● a Destination NAT Rule
Source NAT Rule general settings  Create a Source NAT Rule with general settings as defined in the following table:

Item     Setting
Name     CheckPoint_BypassNAT_Src
Enabled  Selected
Comment  Source NAT Rule to bypass NAT
Table 16: Source NAT Rule general settings

Source NAT Rule remaining settings  Define the remaining Source NAT Rule settings as shown in the following table:
Note: Make sure that the Source NAT Rule is in the first position in the Source NAT Rules table.

On this subtab...    Select this item...                   With this setting...
Protocol             Any                                   N/A
Source Address       Network Address/#Network Bits (CIDR)  The network address and subnet mask for subnet A (example: 192.168.1.0/24)
Destination Address  Network Address/#Network Bits (CIDR)  The network address and subnet mask for subnet B (example: 10.1.0.0/16)
Destination Port     Any                                   N/A
Translated Address   Do Not Translate                      N/A
Table 17: Source NAT Rule remaining settings

Destination NAT Rule general settings  Create a Destination NAT Rule with general settings as defined in the following table:

Item     Setting
Name     CheckPoint_BypassNAT_Dst
Enabled  Selected
Comment  Destination NAT Rule to bypass NAT
Table 18: Destination NAT Rule general settings

Destination NAT Rule remaining settings  Define the remaining Destination NAT Rule settings as shown in the following table:
Note: Make sure that the Destination NAT Rule is in the first position in the Destination NAT Rules table.

On this subtab...    Select this item...                   With this setting...
Protocol             Any                                   N/A
Source Address       Network Address/#Network Bits (CIDR)  The network address and subnet mask for subnet B (example: 10.1.0.0/16)
Destination Address  Network Address/#Network Bits (CIDR)  The network address and subnet mask for subnet A (example: 192.168.1.0/24)
Destination Port     Any                                   N/A
Translated Address   Do Not Translate                      N/A
Translated Port      Do Not Translate                      N/A
Table 19: Destination NAT Rule remaining settings
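The following is an added example, not code from the IBM document or the Proventia product. It models the ordering rule that the "Order of access policies" guideline and the "first position" notes above rely on: rules are walked top-down and the first match wins, so the Do Not Translate rule for subnet A to subnet B must sit above any general outbound NAT rule. The catch-all masquerade rule, the sample packets and the address 203.0.113.10 (standing in for a.a.a.a) are constructed for the example, and the model assumes that source NAT is applied before the IPSEC policy selectors are matched, which is the reason the document requires the bypass rules at all.

```python
"""First-match evaluation of Source NAT rules ahead of IPSEC selector matching.

Added example, not part of the IBM document. Only the bypass rule and the
IPSEC selector are taken from the document's tables; everything else is
constructed to show what the rule order changes.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

EXTERNAL_IP = "203.0.113.10"  # stands in for a.a.a.a (documentation range, constructed)


@dataclass(frozen=True)
class SourceNatRule:
    name: str
    source: str                # CIDR, as on the "Source Address" subtab
    destination: str           # CIDR, as on the "Destination Address" subtab
    translated: Optional[str]  # None models "Do Not Translate"

    def matches(self, packet):
        return (ipaddress.ip_address(packet["src"]) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(packet["dst"]) in ipaddress.ip_network(self.destination))


# From Table 17 in this document.
BYPASS = SourceNatRule("CheckPoint_BypassNAT_Src", "192.168.1.0/24", "10.1.0.0/16", None)
# Constructed: the kind of catch-all outbound rule an Internet gateway usually carries.
MASQUERADE = SourceNatRule("Outbound_Masquerade", "192.168.1.0/24", "0.0.0.0/0", EXTERNAL_IP)

# Selector of the To_Check_Point IPSEC policy (Table 7).
TUNNEL_SRC = ipaddress.ip_network("192.168.1.0/24")
TUNNEL_DST = ipaddress.ip_network("10.1.0.0/16")


def apply_source_nat(rules, packet):
    """Return (packet after NAT, name of the matching rule or None). First match wins."""
    for rule in rules:
        if rule.matches(packet):
            if rule.translated is None:
                return dict(packet), rule.name       # Do Not Translate: leave the packet alone
            return {**packet, "src": rule.translated}, rule.name
    return dict(packet), None                        # no rule matched: untouched


def selected_for_tunnel(packet):
    """True if the packet, as it looks after NAT, matches the IPSEC policy selector."""
    return (ipaddress.ip_address(packet["src"]) in TUNNEL_SRC
            and ipaddress.ip_address(packet["dst"]) in TUNNEL_DST)


def forward(rules, packet):
    """What happens to one packet under a given Source NAT rule order."""
    natted, rule_name = apply_source_nat(rules, packet)
    return {"src_after_nat": natted["src"], "nat_rule": rule_name,
            "encrypted": selected_for_tunnel(natted)}


# Constructed sample packets: one bound for subnet B, one for the Internet.
TO_SUBNET_B = {"src": "192.168.1.50", "dst": "10.1.0.25"}
TO_INTERNET = {"src": "192.168.1.50", "dst": "198.51.100.7"}

if __name__ == "__main__":
    print("bypass first:    ", forward([BYPASS, MASQUERADE], TO_SUBNET_B))
    print("masquerade first:", forward([MASQUERADE, BYPASS], TO_SUBNET_B))
    print("internet traffic:", forward([BYPASS, MASQUERADE], TO_INTERNET))
```

With the bypass rule first, the subnet A packet keeps its 192.168.1.50 source and is selected for the tunnel; with the masquerade rule first, the same packet leaves as 203.0.113.10 and no longer matches the selector, so it would be sent in the clear to the Internet path instead of through the tunnel. Internet-bound traffic is unaffected by the order.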
Configuring Check Point Modes and Objects
Introduction  Configuring Check Point modes and objects includes the following tasks:
● verifying the Check Point VPN-1 Pro mode
● creating network objects
Notes:
● This document covers only Traditional mode. For help with setting up a VPN connection in Simplified mode, consult your Check Point documentation.
● If you change from Simplified mode to Traditional mode in the Global Properties window, then you must create a new policy so that the Encrypt action is available for firewall rules.
Verify Check Point VPN-1 Pro mode  To verify Check Point VPN-1 Pro mode:
1. Open the Management console and log in.
2. Select Policy > Global Properties.
3. Click VPN-1 Pro in the left window pane.
4. Verify that the VPN configuration method is Traditional mode.
Important: If the policy is not in Traditional mode, then select one of the Traditional Mode options, click OK, and then select File > New... to create a new policy.

Create network objects  To create network objects:
1. In the Management console, click the Network Objects icon to display the Network Objects tree.
2. Expand the Network Objects tree.
3. Right-click Networks, and then select New Network.
4. Provide the following information on the General tab:
   Item             Setting
   Name             Subnet_A
   Network Address  The network IP address for subnet A (example: 192.168.1.0)
   Netmask          The netmask for subnet A (example: 255.255.255.0)
5. Click OK to save the network.
6. Does a network object already exist for the internal network protected by the Check Point NG FP 3 firewall?
   ■ If yes, you have finished creating network objects. Go to the next topic.
   ■ If no, go to Step 7.
7. Right-click Networks, and then select New Network.
8. Provide the following information on the General tab:
   Item             Setting
   Name             Subnet_B
   Network Address  The network IP address for subnet B (example: 10.1.0.0)
   Netmask          The netmask for subnet B (example: 255.255.0.0)
9. Click OK to save the network.
Creating Interoperable Objects
Introduction  You must create an interoperable device object that represents the Proventia Network MFS, with its internal and external interfaces.

Procedure  To create interoperable objects:
1. In the Management console, click the Network Objects icon to display the Network Objects tree.
2. Expand the Network Objects tree.
3. Right-click Interoperable Devices, and then select New Interoperable Device.
4. Provide the following information for the Proventia Network MFS:
   Item        Setting
   Name        Proventia
   IP address  The external interface IP address of the Proventia Network MFS (example: a.a.a.a)
5. In the left pane, click Topology.
6. Click Add, and then provide the following information on the General tab:
   Item        Setting
   Name        Internal
   IP Address  The internal interface IP address of the Proventia Network MFS (example: 192.168.1.1)
   Netmask     The netmask for subnet A (example: 255.255.255.0)
7. Provide the following information on the Topology tab:
   Item                              Setting
   Topology                          Internal
   IP Addresses behind this interface  Specific; select Subnet_A from the drop-down list
8. Click OK to save.
9. Click Add, and then enter the following information on the General tab:
   Item        Setting
   Name        External
   IP Address  The external interface IP address of the Proventia Network MFS (example: a.a.a.a)
   Netmask     The external netmask of the Proventia Network MFS (example: 255.255.255.255)
10. On the Topology tab, select External for Topology.
11. Click OK, and then click OK again to save the Interoperable Device settings.
Configure IKE (Phase 1) for Default Check Point Object
Introduction  You must configure the IKE settings for Phase 1 (Main Mode) negotiation for the default Check Point object. The values must match the IKE Configuration of the Proventia Network MFS security gateway (Table 3).

Procedure  To configure IKE for the default Check Point object:
1. Right-click the default Check Point object, and then click Edit.
2. Verify that VPN-1 Pro is selected. If not, select it.
3. Click VPN in the left pane.
4. Click Traditional Mode Configuration, and then configure the following settings:
   Item                  Setting
   Encryption Algorithm  3DES
   Data Integrity        MD5
   Pre-Shared Secret     Enable
5. Click Advanced in the left pane, and then configure the following settings:
   Item                                     Setting
   Diffie-Hellman groups for IKE            Group2
   Renegotiate IKE Security Associations    120 minutes (the same 7200 seconds as Life Time Secs in Table 3)
   Renegotiate IPSEC Security Associations  7200 seconds
   Renegotiate IPSEC Security Associations  10000 Kbytes
   Support aggressive mode                  Disabled
6. Click OK, and then click OK again to save the encryption settings.
7. Select VPN Advanced in the left pane, and then enable Support key exchange for subnets.
8. Click OK to save your changes.
Configure IKE (Phase 1) Policy for Proventia Network MFS Object
Introduction  You must configure the IKE policy for Phase 1 (Main Mode) negotiation for the Proventia Network MFS object, using the same values as for the default Check Point object.

Procedure  To configure IKE for the Proventia Network MFS object:
1. Right-click the Proventia Network MFS interoperable object that you just created, and then click Edit.
2. Click VPN in the left pane.
3. Click Traditional Mode Configuration, and then configure the following settings:
   Item                  Setting
   Encryption Algorithm  3DES
   Data Integrity        MD5
   Pre-shared Secret     Enable
4. Click Edit Secrets.
5. Select the Check Point object, and then click Edit.
6. Type the same pre-shared key that you used for the Proventia Network MFS.
   Example: 1234567890abcdef
7. Click Set, and then click OK.
8. Click Advanced, and then configure the following settings:
   Item                                     Setting
   Diffie-Hellman groups for IKE            Group 2
   Renegotiate IKE Security Associations    120 minutes
   Renegotiate IPSEC Security Associations  7200 seconds
   Renegotiate IPSEC Security Associations  10000 Kbytes
   Support aggressive mode                  Disabled
9. Click OK, and then click OK again to save the encryption settings.
10. Select VPN Advanced in the left pane, and then enable Support key exchange for subnets.
11. Click OK to save your changes.
Creating Security Rules in the IPSEC Policy
Introduction  You must create security rules in the IPSEC policy: one rule that accepts the IKE and IPSEC traffic exchanged between the two gateways themselves, and one rule that encrypts traffic between subnet A and subnet B.

Procedure  To create rules:
1. In the right panel, select the Security tab.
2. Open the Rules menu, select Add Rule > Top, and then configure the following settings:
   Item         Setting
   Source       Default Check Point object, Proventia Network MFS
   Destination  Proventia Network MFS, Default Check Point object
   Service      IPSEC (includes IKE - UDP 500)
   Action       Accept
3. Add a rule after the IPSEC rule just created with the following settings:
   Item         Setting
   Source       Subnet A, Subnet B
   Destination  Subnet B, Subnet A
   Service      Any
   Action       Encrypt
4. Right-click Encrypt in the Action column of the rule you just added, and then select Edit properties.
5. Select IKE, and click Edit.
6. Configure the following settings:
   Item                         Setting
   Encryption Algorithm         AES-256
   Data Integrity               SHA1
                                Note: This must match the Auth Algorithm of the Proventia Network MFS security proposal (SHA1 in Table 5). If the two peers disagree on the Phase 2 integrity algorithm, Quick Mode negotiation fails and no IPSEC SA is established.
   Compression Method           None
   Allowed Peer Gateway         Any
                                Note: Any is used in the example; for operational use, restrict this to the Proventia interoperable object.
   Use Perfect Forward Secrecy  Enabled
   Use DH Group                 Group 2
   Perform IP Pool NAT          Enabled
7. Click OK to save the IKE settings.
8. Click OK to save the IPSEC policy.
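The following is an added example, not code from the IBM document or from either vendor. It cross-checks the Phase 1 settings of the Proventia security gateway (Table 3) and the Check Point Traditional Mode configuration, and the Phase 2 settings of the Proventia security proposal (Table 5) and the Check Point Encrypt properties above, the way a practitioner would before bringing the tunnel up. The two dictionaries are constructed from this document's tables; the Check Point IKE lifetime is recorded the way its dialog shows it ("120 minutes") and normalized to seconds before comparison, and the weak-setting checks reflect current practice rather than anything the document states.

```python
"""Cross-check the IKE Phase 1 and IPSEC Phase 2 settings of two VPN peers.

Added example, not part of the IBM document. The dictionaries below are
constructed from the tables in this document.
"""
import copy
import re

PROVENTIA_MFS = {
    "phase1": {"encryption": "3DES", "integrity": "MD5", "dh_group": 2,
               "lifetime": "7200 seconds", "aggressive_mode": False,
               "psk": "1234567890abcdef"},
    "phase2": {"encryption": "AES-256", "integrity": "SHA1", "pfs_group": 2,
               "lifetime": "7200 seconds", "lifetime_kb": 10000},
}

CHECK_POINT = {
    "phase1": {"encryption": "3DES", "integrity": "MD5", "dh_group": 2,
               "lifetime": "120 minutes", "aggressive_mode": False,
               "psk": "1234567890abcdef"},
    # Phase 2 as printed in the original document: MD5 here does not match
    # the SHA1 Auth Algorithm of the Proventia security proposal.
    "phase2": {"encryption": "AES-256", "integrity": "MD5", "pfs_group": 2,
               "lifetime": "7200 seconds", "lifetime_kb": 10000},
}

_UNIT_SECONDS = {"second": 1, "seconds": 1, "sec": 1, "secs": 1,
                 "minute": 60, "minutes": 60, "min": 60,
                 "hour": 3600, "hours": 3600}


def lifetime_seconds(value):
    """'120 minutes' -> 7200, '7200 seconds' -> 7200; bare ints are seconds."""
    if isinstance(value, int):
        return value
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]+)\s*", value)
    if not m or m.group(2).lower() not in _UNIT_SECONDS:
        raise ValueError(f"unrecognized lifetime: {value!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2).lower()]


def normalize(peer):
    """Copy of the peer settings with lifetimes in seconds and algorithm names uppercased."""
    out = {}
    for phase, settings in peer.items():
        s = dict(settings)
        s["lifetime"] = lifetime_seconds(s["lifetime"])
        s["encryption"] = s["encryption"].upper()
        s["integrity"] = s["integrity"].upper()
        out[phase] = s
    return out


def find_mismatches(peer_a, peer_b):
    """Every setting the peers disagree on, as 'phaseN.key: a != b' strings.

    Any difference makes Main Mode (phase1) or Quick Mode (phase2) fail, so
    an empty list is the goal. Key material is never written to the output.
    """
    a, b = normalize(peer_a), normalize(peer_b)
    problems = []
    for phase in ("phase1", "phase2"):
        for key in sorted(set(a[phase]) | set(b[phase])):
            av, bv = a[phase].get(key), b[phase].get(key)
            if av != bv:
                detail = "values differ" if key == "psk" else f"{av!r} != {bv!r}"
                problems.append(f"{phase}.{key}: {detail}")
    return problems


WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_INTEGRITY = {"MD5"}
WEAK_DH_GROUPS = {1, 2, 5}
DOCUMENT_EXAMPLE_PSK = "1234567890abcdef"


def weak_settings(peer):
    """Settings acceptable for an interoperability test but not for production."""
    s = normalize(peer)
    findings = []
    for phase, group_key in (("phase1", "dh_group"), ("phase2", "pfs_group")):
        if s[phase]["encryption"] in WEAK_ENCRYPTION:
            findings.append(f"{phase}: {s[phase]['encryption']} encryption")
        if s[phase]["integrity"] in WEAK_INTEGRITY:
            findings.append(f"{phase}: {s[phase]['integrity']} integrity")
        if s[phase].get(group_key) in WEAK_DH_GROUPS:
            findings.append(f"{phase}: Diffie-Hellman group {s[phase][group_key]}")
    psk = s["phase1"]["psk"]
    if len(psk) < 16:
        findings.append("phase1: pre-shared key shorter than 16 characters")
    elif psk == DOCUMENT_EXAMPLE_PSK or len(set(psk)) < 10:
        findings.append("phase1: pre-shared key is the documentation example or low-entropy")
    if s["phase1"]["aggressive_mode"]:
        findings.append("phase1: aggressive mode enabled")
    return findings


def corrected_check_point():
    """CHECK_POINT with Phase 2 Data Integrity aligned to the Proventia SHA1 proposal."""
    fixed = copy.deepcopy(CHECK_POINT)
    fixed["phase2"]["integrity"] = "SHA1"
    return fixed


if __name__ == "__main__":
    for line in find_mismatches(PROVENTIA_MFS, CHECK_POINT):
        print("mismatch:", line)
    for line in weak_settings(CHECK_POINT):
        print("weak:", line)
    print("after correction:", find_mismatches(PROVENTIA_MFS, corrected_check_point()))
```

Run as printed, the only mismatch reported is the Phase 2 integrity algorithm, which is exactly the value corrected in step 6 above; after the correction the two sides agree on every setting. The weak-setting report flags 3DES, MD5, Group 2 and the example pre-shared key on both peers, which is what the "Intended use" note at the start of this document asks you to replace before operational use.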
© Copyright IBM Corporation 2003, 2007. All Rights Reserved.
IBM and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. ADDME, Ahead of the threat, BlackICE, Internet Scanner, Proventia, RealSecure, SecurePartner, SecurityFusion, SiteProtector, System Scanner, Virtual Patch, X-Force and X-Press Update are trademarks or registered trademarks of Internet Security Systems, Inc. in the United States, other countries, or both. Internet Security Systems, Inc. is a wholly-owned subsidiary of International Business Machines Corporation.
Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation in the United States, other countries, or both.
Other company, product and service names may be trademarks or service marks of others.
References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.