
7/28/2019 VPN Check Point

http://slidepdf.com/reader/full/vpn-check-point 1/24


IBM Internet Security Systems

IBM Proventia® Network Multi-Function Security (MFS)

Configuring VPN from Proventia Network MFS to Check Point Systems

December 18, 2007

Overview

Introduction This document describes how to configure a VPN tunnel from a Proventia Network MFS running a Firmware 2.1 operating system or later, to Check Point NG FeaturePack 3 systems.

Intended use This document provides an example for configuring VPN from a Proventia Network MFS to a Check Point NG FeaturePack 3 system. The example is not designed for operational use without modification. A knowledgeable IPSEC network administrator or advanced user should design new, custom policies for operational use.

Scope This document does not provide specific procedures, but rather examples of settings. For specific instructions on how to configure these settings, refer to the documentation listed in the "Related documentation" section of this topic, below.

Related documentation

Refer to the Proventia Manager online Help and the IBM Proventia Network Multi-Function Security (MFS) Policy Configuration Guide for more information about the following:

● IKE settings

● IPSEC and IPSEC policies

● security gateways

● access policies

● NAT rules

For procedures for configuring the Check Point NG FP 3 system, refer to the documentation provided with your system.


Contents of document subject to change.

In this document This document contains the following topics:

Topic                                                                            Page
Before You Begin                                                                    3
Configuring the Proventia Network MFS Security Gateway                              5
Configuring the Proventia Network MFS IPSEC Policy                                  8
Creating an IPSEC Policy for Antivirus Protection with VPN Connection               9
Creating an Access Policy to Enable ISAKMP Traffic to the Proventia Network MFS    11
Creating Access Policies to Enable Traffic from Subnet A to Subnet B               12
Creating NAT Rules                                                                 14
Configuring Check Point Modes and Objects                                          16
Creating Interoperable Objects                                                     18
Configure IKE (Phase 1) for Default Check Point Object                             20
Configure IKE (Phase 1) Policy for Proventia Network MFS Object                    21
Creating Security Rules in the IPSEC Policy                                        22


Before You Begin

Introduction This topic includes a topology diagram and a checklist to help you gather the information you need to configure VPN for your Proventia Network MFS and Check Point NG FP 3 system.

Topology The following diagram illustrates the network topology of a Proventia Network MFS configured for VPN with a Check Point NG FP 3 system. The example used in this document is based on the topology depicted.

[Topology diagram]

  Subnet A          Proventia Network MFS                     Check Point              Subnet B
  192.168.1.0/24 -- 192.168.1.1 | a.a.a.a -- Internet -- b.b.b.b | 10.1.0.1 -- 10.1.0.0/16
                    (internal)    (external)              (external)  (internal)

Table 1: Topology for VPN tunnel from Proventia Network MFS to Check Point

Checklist The following checklist indicates the information that you need before configuring your VPN tunnel. Whichever algorithms, Diffie-Hellman groups and lifetimes you choose, the same values must be configured on both peers: a mismatch in any Phase 1 value prevents the IKE security association from forming, and a mismatch in any Phase 2 value prevents the IPSEC security association from forming even though Phase 1 succeeds.

[ ] Proventia Network MFS external IP address   _____________________________
    Note: This is the IP address that you will use where a.a.a.a appears in the examples in this document.
[ ] Proventia Network MFS internal IP address   _____________________________
[ ] Subnet A IP address                          _____________________________
[ ] Check Point external IP address              _____________________________
    Note: This is the IP address that you will use where b.b.b.b appears in the examples in this document.
[ ] Check Point internal IP address              _____________________________
[ ] Subnet B IP address                          _____________________________
[ ] Pre-shared key (minimum of 16 characters)    _____________________________
    Note: Use signed certificates to identify the Proventia Network MFS and the Check Point VPN server for better security. If you do use a pre-shared key, generate it randomly rather than using the example value shown later in this document.
[ ] IKE Phase 1 (Main Mode) authentication: MD5 / SHA1
[ ] IKE Phase 1 encryption: 3DES / DES / AES
    Note: If you select AES, select an AES key length: 128 / 192 / 256
[ ] IKE Phase 1 key lifetime, seconds            _____________________________
[ ] IKE Phase 1 key lifetime, Kbytes             _____________________________
[ ] IKE Phase 1 Diffie-Hellman group: Group1 / Group2 / Group5
[ ] IKE Phase 2 (Quick Mode) authentication: MD5 / SHA1
[ ] IKE Phase 2 encryption: 3DES / DES / AES
    Note: If you select AES, select an AES key length: 128 / 192 / 256
[ ] IKE Phase 2 key lifetime, seconds            _____________________________
[ ] IKE Phase 2 key lifetime, Kbytes             _____________________________
[ ] IKE Phase 2 Diffie-Hellman group: None / Group1 / Group2 / Group5
    Note: DES and MD5 are listed for compatibility with older peers; where both peers support them, prefer AES and SHA1, and prefer the largest Diffie-Hellman group that both peers offer.
[ ] Access policies

Table 2: Checklist before configuring VPN tunnel


Configuring the Proventia Network MFS Security Gateway 

Introduction You must configure the security gateway that represents the Check Point system. The security gateway contains the IKE and IPSEC communication settings. To configure the security gateway, create an Auto Key IPSEC Security Gateway with the settings shown below.

Security gateway IKE Configuration general settings

Define the security gateway name, and configure IKE settings on the IKE Configuration tab, as shown in the following table:

Item                      Setting
Name                      To_Check_Point
Enabled                   Selected
Comment                   IPSEC tunnel to Check Point system
Direction                 Both Directions
Exchange Type             Main Mode
Encryption Algorithm      3DES
AES Key Length            N/A
                          Note: This list is available only if you select the AES encryption algorithm; it lets you select the AES key length.
Authentication Algorithm  MD5
Authentication Mode       Pre Shared Key
Pre-Shared Key            A text string value of at least 16 alphanumeric characters
                          Example: 1234567890abcdef
                          Note: Use the same text string for the Check Point NG FP3 system. The example value is for illustration only; use a randomly generated string in a real deployment.
Life Time Secs            7200
Life Time KBytes          0
DH Group                  Group2
Local IP Address          Static Address
                          Note: In the IP Address field, type the external interface IP address of the Proventia Network MFS. Example: a.a.a.a
Remote IP Address         Static Address
                          Note: In the IP Address field, type the external interface IP address of the Check Point NG FP3 system. Example: b.b.b.b
Local ID                  Static Address
                          Note: In the IP Address field, type the external interface IP address of the Proventia Network MFS. Example: a.a.a.a
Remote ID                 Static Address
                          Note: In the IP Address field, type the external interface IP address of the Check Point system. Example: b.b.b.b

Table 3: IKE Configuration settings for the Proventia Network MFS

IKE XAuth settings In the XAuth area of the IKE Configuration tab, the Enabled checkbox is cleared by default. Make sure that this checkbox is cleared to disable the XAuth settings.

IPSEC Configuration general settings

Define the IPSEC Configuration general settings on the IPSEC Configuration tab, as shown in the following table:

Item                      Setting
Encapsulation Mode        Tunnel
Perfect Forward Secrecy   Group2
Advanced Settings         Disabled

Table 4: IPSEC Configuration general settings for the Proventia Network MFS

Adding a security proposal

In the Security Proposal area of the IPSEC Configuration tab, add a security proposal with the settings shown in the following table:

Item                      Setting
Security Protocol         ESP with Auth
Auth Algorithm            SHA1
ESP Algorithm             AES
ESP AES Key Length        256
Life Time Secs            7200
Life Time KBytes          10000

Table 5: Security Proposal settings for the Proventia Network MFS

Note: The Auth Algorithm in this proposal is the Phase 2 (Quick Mode) integrity algorithm. It must match the Data Integrity value of the Encrypt action on the Check Point side (see "Creating Security Rules in the IPSEC Policy" on page 22); if the two differ, Phase 1 completes but the IPSEC security association is never established. The 10000 Kbyte volume lifetime forces a Quick Mode rekey after roughly 10 MB of traffic, which is frequent on a busy link; raise it on both sides if rekey events become a problem.

Advanced settings In the Advanced Settings area of the IPSEC Configuration tab, the Enabled checkbox is cleared by default. Make sure that this checkbox is cleared to disable the advanced settings.


Configuring the Proventia Network MFS IPSEC Policy 

Introduction You must configure the IPSEC policy to define what is encrypted between the Proventia Network MFS and the Check Point system. The IPSEC policy is configured without network address translation (NAT), so the selectors below match the original, untranslated addresses of subnet A and subnet B.

Reference: See "Creating NAT Rules" on page 14.

IPSEC policy general settings

Define the IPSEC policy general settings as shown in the following table:

Item                Setting
Name                To_Check_Point
Enabled             Selected
Comment             IPSEC tunnel to Check Point system
Security Process    Encrypt
Protocol            All

Table 6: IPSEC general policy settings for the Proventia Network MFS

IPSEC policy remaining settings

Define the remaining IPSEC policy settings as shown in the following table:

On this subtab...     Select this item...                    With this setting...
Security Gateway      Auto Key Security Gateway              To_Check_Point
Source Address        Network Address/#Network Bits (CIDR)   The network address and subnet mask for subnet A. Example: 192.168.1.0/24
Source Port           Any                                    N/A
Destination Address   Network Address/#Network Bits (CIDR)   The network address and subnet mask for subnet B. Example: 10.1.0.0/16
Destination Port      Any                                    N/A

Table 7: IPSEC policy remaining settings for the Proventia Network MFS


Creating an IPSEC Policy for Antivirus Protection with VPN Connection

Introduction The antivirus software proxies traffic to the external interface of the Proventia Network MFS for the following protocols:

● HTTP

● FTP

● SMTP

● POP3

Because this proxied traffic leaves the appliance with the external interface address (a.a.a.a) as its source, it does not match the subnet A to subnet B selector of the To_Check_Point policy. To ensure that traffic analyzed by the antivirus software is still sent to and received from the remote VPN subnet B through the tunnel, you must create an additional IPSEC policy whose source is the external interface address. Check that the Check Point rule base also matches traffic whose source is a.a.a.a; the Encrypt rule described later in this document names only Subnet A and Subnet B.

IPSEC policy general settings

Define the IPSEC policy general settings as shown in the following table:

Item                Setting
Name                AV_To_Check_Point
Enabled             Selected
Comment             IPSEC policy to protect AV traffic to Check Point
Security Process    Encrypt
Protocol            All

Table 8: IPSEC policy general settings for antivirus protection for VPN

IPSEC policy remaining settings

Define the remaining IPSEC policy settings as shown in the following table:

On this subtab...     Select this item...                    With this setting...
Security Gateway      Auto Key Security Gateway              To_Check_Point
Source Address        Single IP Address                      The external interface IP address of the Proventia Network MFS. Example: a.a.a.a
                                                             Note: This setting encapsulates traffic from the Proventia Network MFS external interface.
Source Port           Any                                    N/A
Destination Address   Network Address/#Network Bits (CIDR)   The network address and subnet mask for subnet B. Example: 10.1.0.0/16
Destination Port      Any                                    N/A

Table 9: IPSEC policy remaining settings for antivirus protection for VPN


Creating Related Access Policies for the Proventia Network MFS

Introduction You must create additional access policies on the Proventia Network MFS to do the following:

● enable Internet Security Association and Key Management Protocol (ISAKMP) traffic to the Proventia Network MFS external interface

Reference: See "Creating an Access Policy to Enable ISAKMP Traffic to the Proventia Network MFS" on page 11.

● enable traffic from subnet A to subnet B without NAT (Network Address Translation)

Reference: See "Creating Access Policies to Enable Traffic from Subnet A to Subnet B" on page 12.

Guideline You are creating a tunnel-mode VPN in which the original IP packet, including its source and destination addresses, is carried intact inside the ESP payload, so you do not need NAT for the subnets. See "Creating NAT Rules" on page 14.

Order of access policies

The appliance processes access policies in the order that they appear in the Access Policy list, and the first policy that matches a packet decides what happens to it. Place the specific policies described here above any broader policy that would otherwise match the same traffic.


Creating an Access Policy to Enable ISAKMP Traffic to the Proventia Network MFS

Introduction Although you have defined the VPN tunnel between the Check Point system and the Proventia Network MFS, the firewall must still be told to accept the IKE negotiation traffic from the Check Point peer; otherwise the Proventia Network MFS drops the Main Mode packets before the tunnel can be established. To do this, enable ISAKMP traffic (UDP port 500) to the Proventia Network MFS external interface.

To enable ISAKMP traffic to the Proventia Network MFS, enable the access policy that allows VPN traffic. You can identify this policy by the Comment field that includes the following default text:

Enable this rule for VPN Connectivity

Note: This access policy is disabled by default. You must enable it to allow VPN traffic.

ISAKMP access policy general settings

Define the access policy general settings as defined in the following table:

Item          Setting
Enabled       Selected
Action        Allow
Log Enabled   Not selected (optional; enabling it records every IKE negotiation attempt, which helps when troubleshooting a tunnel that does not come up)
Comment       Enable this rule for VPN Connectivity

Table 10: ISAKMP access policy general settings

ISAKMP access policy remaining settings

Define the remaining access policy settings as shown in the following table:

On this subtab...     Select this item...        With this setting...
Protocol              Protocol Name list         UDP
Source Address        Single IP Address          The external interface IP address of the Check Point NG FP3 system. Example: b.b.b.b
Source Port           Any                        N/A
Destination Address   Self                       N/A
Destination Port      Specify Network Objects    ISAKMP_UDP

Table 11: ISAKMP access policy remaining settings

Note: Restricting the source to b.b.b.b means that only the Check Point peer can start an IKE negotiation with the appliance. If the peer's external address changes, update this policy as well, or the tunnel cannot be renegotiated.


Creating Access Policies to Enable Traffic from Subnet A to Subnet B

Introduction You must create two additional access policies on the Proventia Network MFS to allow all traffic from subnet A to subnet B:

● a policy to allow inbound traffic

● a policy to allow outbound traffic

Inbound access policy general settings

Define the inbound access policy general settings as defined in the following table:

Item          Setting
Enabled       Selected
Action        Allow
Log Enabled   Not selected (optional)
Comment       Access policy to allow traffic from remote Check Point network

Table 12: Inbound access policy general settings

Inbound access policy remaining settings

Define the remaining inbound access policy settings as shown in the following table:

On this subtab...     Select this item...                    With this setting...
Protocol              Any                                    N/A
Source Address        Network Address/#Network Bits (CIDR)   The network address and subnet mask for subnet B. Example: 10.1.0.0/16
Source Port           Any                                    N/A
Destination Address   Network Address/#Network Bits (CIDR)   The network address and subnet mask for subnet A. Example: 192.168.1.0/24
Destination Port      Any                                    N/A

Table 13: Inbound access policy remaining settings

Outbound access policy general settings

Define the outbound access policy general settings as defined in the following table:

Item          Setting
Enabled       Selected
Action        Allow
Log Enabled   Not selected (optional)
Comment       Access policy to allow traffic out to remote Check Point network

Table 14: Outbound access policy general settings

Outbound access policy remaining settings

Define the remaining outbound access policy settings as shown in the following table:

On this subtab...     Select this item...                    With this setting...
Protocol              Any                                    N/A
Source Address        Network Address/#Network Bits (CIDR)   The network address and subnet mask for subnet A. Example: 192.168.1.0/24
Source Port           Any                                    N/A
Destination Address   Network Address/#Network Bits (CIDR)   The network address and subnet mask for subnet B. Example: 10.1.0.0/16
Destination Port      Any                                    N/A

Table 15: Outbound access policy remaining settings

Note: These two policies allow every protocol and port between the subnets, which is what the example intends. For operational use, narrow Protocol and Destination Port to the services that each subnet actually needs to reach, as the "Intended use" section advises.


Creating NAT Rules

Introduction In firmware version 2.1 and later, you must add NAT (Network Address Translation) rules to bypass NAT and ensure that the appliance does not translate packets that travel between subnets. The additional NAT rules are as follows:

● a Source NAT Rule

● a Destination NAT Rule

Source NAT Rule general settings

Create a Source NAT Rule with general settings as defined in the following table:

Item       Setting
Name       CheckPoint_BypassNAT_Src
Enabled    Selected
Comment    Source NAT Rule to bypass NAT

Table 16: Source NAT Rule general settings

Source NAT Rule remaining settings

Define the remaining Source NAT Rule settings as shown in the following table:

On this subtab...     Select this item...                    With this setting...
Protocol              Any                                    N/A
Source Address        Network Address/#Network Bits (CIDR)   The network address and subnet mask for subnet A. Example: 192.168.1.0/24
Destination Address   Network Address/#Network Bits (CIDR)   The network address and subnet mask for subnet B. Example: 10.1.0.0/16
Destination Port      Any                                    N/A
Translated Address    Do Not Translate                       N/A

Table 17: Source NAT Rule remaining settings

Note: Make sure that the Source NAT Rule is in the first position in the Source NAT Rules table. NAT rules, like access policies, are matched top down: if a broader source NAT rule (for example, a rule that hides subnet A behind a.a.a.a for Internet access) sits above this one, subnet A traffic to subnet B is translated before the IPSEC policy sees it and no longer matches the To_Check_Point selector.

Destination NAT Rule general settings

Create a Destination NAT Rule with general settings as defined in the following table:

Item       Setting
Name       CheckPoint_BypassNAT_Dst
Enabled    Selected
Comment    Destination NAT Rule to bypass NAT

Table 18: Destination NAT Rule general settings

Destination NAT Rule remaining settings

Define the remaining Destination NAT Rule settings as shown in the following table:

On this subtab...     Select this item...                    With this setting...
Protocol              Any                                    N/A
Source Address        Network Address/#Network Bits (CIDR)   The network address and subnet mask for subnet B. Example: 10.1.0.0/16
Destination Address   Network Address/#Network Bits (CIDR)   The network address and subnet mask for subnet A. Example: 192.168.1.0/24
Destination Port      Any                                    N/A
Translated Address    Do Not Translate                       N/A
Translated Port       Do Not Translate                       N/A

Table 19: Destination NAT Rule remaining settings

Note: Make sure that the Destination NAT Rule is in the first position in the Destination NAT Rules table, for the same reason.
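The following Python script is an added example, not part of the IBM document or of the Proventia product: it models the Proventia-side tables created in the preceding topics (the ISAKMP and subnet access policies, the two NAT bypass rules and the two IPSEC policies) as ordered first-match lists, so you can check offline what happens to a given packet and why the bypass rule has to be first. The processing order it assumes (access policy, then source NAT, then IPSEC selector match), the implicit final deny, the hide-NAT rule for Internet access, the treatment of "Self" as the external address, and the two public addresses that stand in for a.a.a.a and b.b.b.b are all this example's own assumptions, not documented appliance behaviour.

```python
"""Added example (not from the IBM guide): first-match model of the
Proventia-side access, NAT and IPSEC policy tables.  The stage order,
the implicit deny, the hide-NAT rule and the public addresses used for
a.a.a.a / b.b.b.b are assumptions made for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed example topology (private ranges from the guide; public ones assumed).
SUBNET_A = ipaddress.ip_network("192.168.1.0/24")       # behind the Proventia MFS
SUBNET_B = ipaddress.ip_network("10.1.0.0/16")          # behind the Check Point
MFS_EXTERNAL = ipaddress.ip_network("203.0.113.10/32")  # stands in for a.a.a.a
CP_EXTERNAL = ipaddress.ip_network("198.51.100.20/32")  # stands in for b.b.b.b
ANY = ipaddress.ip_network("0.0.0.0/0")
ISAKMP_UDP = 500


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One row of a policy table.  ANY / None stand for 'Any' in the GUI."""
    name: str
    action: str                         # allow, deny, bypass, translate, encrypt
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    proto: Optional[str] = None
    dport: Optional[int] = None
    translate_to: Optional[str] = None  # new source address for 'translate'

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Top-down evaluation: the first matching row decides."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return None


# Access policies (Tables 10-15) plus an assumed implicit final deny.
# "Self" as a destination is modelled as the MFS external address.
ACCESS_POLICY = [
    Rule("Enable this rule for VPN Connectivity", "allow",
         src=CP_EXTERNAL, dst=MFS_EXTERNAL, proto="udp", dport=ISAKMP_UDP),
    Rule("Inbound B to A", "allow", src=SUBNET_B, dst=SUBNET_A),
    Rule("Outbound A to B", "allow", src=SUBNET_A, dst=SUBNET_B),
    Rule("Implicit deny", "deny"),
]

# Source NAT rules (Tables 16-17).  The hide-NAT row is an assumed rule for
# ordinary Internet access; it is here to show why the bypass row must be first.
SOURCE_NAT = [
    Rule("CheckPoint_BypassNAT_Src", "bypass", src=SUBNET_A, dst=SUBNET_B),
    Rule("Hide_NAT_to_Internet (assumed)", "translate", src=SUBNET_A,
         translate_to=str(MFS_EXTERNAL.network_address)),
]

# IPSEC policies (Tables 6-9).  The gateway is configured for Both Directions,
# so a selector also matches the reverse flow.
IPSEC_POLICY = [
    Rule("To_Check_Point", "encrypt", src=SUBNET_A, dst=SUBNET_B),
    Rule("AV_To_Check_Point", "encrypt", src=MFS_EXTERNAL, dst=SUBNET_B),
]


def process(pkt: Packet, source_nat: List[Rule] = SOURCE_NAT) -> dict:
    """Run one packet through the tables and report which rows applied."""
    if ipaddress.ip_address(pkt.src) in MFS_EXTERNAL:
        access = "self"   # appliance-originated (AV proxy) traffic; assumed to skip transit policy
    else:
        hit = first_match(ACCESS_POLICY, pkt)
        access = hit.name
        if hit.action == "deny":
            return {"access": access, "nat_src": pkt.src, "ipsec": None}
    nat = first_match(source_nat, pkt)
    nat_src = nat.translate_to if nat and nat.action == "translate" else pkt.src
    after_nat = Packet(nat_src, pkt.dst, pkt.proto, pkt.dport)
    reverse = Packet(pkt.dst, nat_src, pkt.proto, pkt.dport)
    sel = first_match(IPSEC_POLICY, after_nat) or first_match(IPSEC_POLICY, reverse)
    return {"access": access, "nat_src": nat_src, "ipsec": sel.name if sel else None}


if __name__ == "__main__":
    cases = [
        ("A -> B, bypass first", Packet("192.168.1.50", "10.1.5.5", "tcp", 445), SOURCE_NAT),
        ("A -> B, bypass second", Packet("192.168.1.50", "10.1.5.5", "tcp", 445), SOURCE_NAT[::-1]),
        ("AV proxy -> B", Packet("203.0.113.10", "10.1.5.5", "tcp", 80), SOURCE_NAT),
        ("IKE from peer", Packet("198.51.100.20", "203.0.113.10", "udp", 500), SOURCE_NAT),
        ("IKE from stranger", Packet("192.0.2.7", "203.0.113.10", "udp", 500), SOURCE_NAT),
    ]
    for label, pkt, nat in cases:
        print(f"{label:24s} {process(pkt, nat)}")
```

With the bypass rule in second position the tunnel still appears to work, because the translated source a.a.a.a happens to match the AV_To_Check_Point selector, but every connection then arrives on subnet B from a.a.a.a instead of from the real subnet A host, which is exactly what the Do Not Translate rule is meant to prevent. The "stranger" case shows the value of pinning the ISAKMP policy to b.b.b.b: an IKE packet from any other source falls through to the deny.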


Configuring Check Point Modes and Objects

Introduction Configuring Check Point modes and objects includes the following tasks:

● verifying the Check Point VPN-1 Pro mode

● creating network objects

Notes:

● This document covers only Traditional mode. For help with setting up a VPN connection in Simplified mode, consult your Check Point documentation.

● If you change from Simplified mode to Traditional mode in the Global Properties window, then you must create a new policy so that the Encrypt Action is available for firewall rules.

Verify Check Point VPN-1 Pro mode

To verify Check Point VPN-1 Pro mode:

1. Open the Management console and log in.

2. Select Policy > Global Properties.

3. Click VPN-1 Pro in the left window pane.

4. Verify that the VPN configuration method is Traditional mode.

Important: If the policy is not in Traditional mode, then select one of the Traditional Mode options, click OK, and then select File > New... to create a new policy.

Create network objects

To create network objects:

1. In the Management console, click the Network Objects icon to display the Network Objects tree.

2. Expand the Network Objects tree.

3. Right-click Networks, and then select New Network.

4. Provide the following information on the General tab:

Item              Setting
Name              Subnet_A
Network Address   The network IP address for subnet A. Example: 192.168.1.0
Netmask           The netmask for subnet A. Example: 255.255.255.0

5. Click OK to save the network.

6. Does a network object already exist for the internal network protected by the Check Point NG FP 3 firewall?

■ If yes, you have finished creating network objects. Go to the next topic.

■ If no, go to Step 7.

7. Right-click Networks, and then select New Network.

8. Provide the following information on the General tab:

Item              Setting
Name              Subnet_B
Network Address   The network IP address for subnet B. Example: 10.1.0.0
Netmask           The netmask for subnet B. Example: 255.255.0.0

9. Click OK to save the network.


Creating Interoperable Objects

Introduction You must create an interoperable device object that represents the Proventia Network MFS, because it is a third-party (non-Check Point) VPN peer.

Procedure To create interoperable objects:

1. In the Management console, click the Network Objects icon to display the Network Objects tree.

2. Expand the Network Objects tree.

3. Right-click Interoperable Devices, and then select New Interoperable Device.

4. Provide the following information for the Proventia Network MFS:

Item         Setting
Name         Proventia
IP address   The external interface IP address of the Proventia Network MFS. Example: a.a.a.a

5. In the left pane, click Topology.

6. Click Add, and then provide the following information on the General tab:

Item         Setting
Name         Internal
IP Address   The internal interface IP address of the Proventia Network MFS. Example: 192.168.1.1
Netmask      The netmask for subnet A. Example: 255.255.255.0

7. Provide the following information on the Topology tab:

Item                                 Setting
Topology                             Internal
IP Addresses behind this interface   Specific: select Subnet_A (the network object created in the previous topic) from the drop-down list

8. Click OK to save.

9. Click Add, and then enter the following information on the General tab:

Item         Setting
Name         External
IP Address   The external interface IP address of the Proventia Network MFS. Example: a.a.a.a
Netmask      The external netmask of the Proventia Network MFS. Example: 255.255.255.255

10. On the Topology tab, select External for Topology.

11. Click OK, and then click OK again to save the Interoperable Device settings.

Note: The Internal interface entry and its Subnet_A object are what tell the Check Point which addresses lie behind the Proventia Network MFS. If subnet A is entered incorrectly here, traffic between the two subnets is not matched to the tunnel even though Phase 1 succeeds.


Configure IKE (Phase 1) for Default Check Point Object

Introduction You must configure the IKE settings for Phase 1 (Main Mode) negotiation for the default Check Point object.

Procedure To configure IKE for the default Check Point object:

1. Right-click the default Check Point object, and then click Edit.

2. Verify that VPN-1 Pro is selected. If not, select it.

3. Click VPN in the left pane.

4. Click Traditional Mode Configuration, and then configure the following settings:

Item                   Setting
Encryption Algorithm   3DES
Data Integrity         MD5
Pre-Shared Secret      Enable

5. Click Advanced in the left pane, and then configure the following settings:

Item                                      Setting
Diffie-Hellman groups for IKE             Group2
Renegotiate IKE Security Associations     120 minutes
Renegotiate IPSEC Security Associations   7200 seconds
Renegotiate IPSEC Security Associations   10000 Kbytes
Support aggressive mode                   Disabled

6. Click OK, and then click OK again to save the encryption settings.

7. Select VPN Advanced in the left pane, and then enable Support key exchange for subnets.

8. Click OK to save your changes.

Note: These values mirror Table 3 on the Proventia Network MFS side: 3DES and MD5 are the Phase 1 algorithms, Group2 is the DH Group, and 120 minutes equals the 7200-second Life Time Secs. Leave Support aggressive mode disabled: with a pre-shared key, Aggressive Mode sends the identity hash unprotected, which lets an attacker who captures the exchange attack the key offline, and the Proventia Network MFS gateway is configured for Main Mode in any case.


Configure IKE (Phase 1) Policy for Proventia Network MFS Object

Introduction You must configure the IKE policy for Phase 1 (Main Mode) negotiation for the Proventia Network MFS object.

Procedure To configure IKE for the Proventia Network MFS object:

1. Right-click the Proventia Network MFS interoperable object that you just created, and then click Edit.

2. Click VPN in the left pane.

3. Click Traditional Mode Configuration, and then configure the following settings:

Item                   Setting
Encryption Algorithm   3DES
Data Integrity         MD5
Pre-shared Secret      Enable

4. Click Edit Secrets.

5. Select the Check Point object, and then click Edit.

6. Type the same pre-shared key that you used for the Proventia Network MFS.

Example: 1234567890abcdef

7. Click Set, and then click OK.

8. Click Advanced, and then configure the following settings:

Item                                      Setting
Diffie-Hellman groups for IKE             Group 2
Renegotiate IKE Security Associations     120 minutes
Renegotiate IPSEC Security Associations   7200 seconds
Renegotiate IPSEC Security Associations   10000 Kbytes
Support aggressive mode                   Disabled

9. Click OK, and then click OK again to save the encryption settings.

10. Select VPN Advanced in the left pane, and then enable Support key exchange for subnets.

11. Click OK to save your changes.


Creating Security Rules in the IPSEC Policy 

Introduction You must create security rules in the IPSEC policy: one rule that accepts the IKE and IPSEC traffic between the two gateways themselves, and one rule that encrypts the traffic between subnet A and subnet B.

Procedure To create rules:

1. In the right panel, select the Security tab.

2. Open the Rules menu, select Add Rule > Top, and then configure the following settings:

Item          Setting
Source        Default Check Point Object, Proventia Network MFS
Destination   Proventia Network MFS, Default Check Point Object
Service       IPSEC (includes IKE - UDP 500)
Action        Accept

3. Add a rule after the IPSEC rule just created with the following settings:

Item          Setting
Source        Subnet A, Subnet B
Destination   Subnet B, Subnet A
Service       Any
Action        Encrypt

4. Right-click Encrypt in the Action column of the rule above, and then select Edit properties.

5. Select IKE, and click Edit.

6. Configure the following settings:

Item                          Setting
Encryption Algorithm          AES-256
Data Integrity                MD5
Compression Method            None
Allowed Peer Gateway          Any
Use Perfect Forward Secrecy   Enabled
Use DH Group                  Group 2
Perform IP Pool NAT           Enabled

7. Click OK to save the IKE settings.

8. Click OK to save the IPSEC policy.

Notes:

● These are the Phase 2 (Quick Mode) parameters and must match the Proventia security proposal in Table 5: AES with a 256-bit key, PFS with Group2, 7200 seconds and 10000 Kbytes. Table 5 specifies SHA1 as the Auth Algorithm, whereas this table specifies MD5 for Data Integrity; the peers will not establish an IPSEC security association until the same algorithm is selected on both sides, so use SHA1 on both.

● Allowed Peer Gateway Any is what the example uses; if the only peer for this rule is the Proventia Network MFS, selecting the Proventia interoperable object instead confines the rule to that peer.
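The following Python script is an added example, not from the IBM document or from either vendor: it holds the Phase 1 and Phase 2 values from Tables 3 and 5 on the Proventia side and from the Check Point tables above as plain dictionaries, reports every parameter that differs between the peers, and flags the legacy choices in this 2007 example along with weak pre-shared keys. The dictionary layout, the strength thresholds and the pre-shared key policy are this example's own; the configuration values are transcribed from the tables, with Check Point's 120 minutes stored as 7200 seconds.

```python
"""Added example (not from the IBM guide): compares the IKE Phase 1 and
Phase 2 parameters of two IPSEC peers and flags mismatches, legacy
algorithms and weak pre-shared keys.  Dictionary layout and thresholds
are this example's own; the two configs below are transcribed from the
guide's tables (Check Point's 120 minutes is stored as 7200 seconds)."""
import secrets
import string
from typing import Dict, List

Config = Dict[str, Dict[str, object]]

PROVENTIA: Config = {                       # Tables 3, 4 and 5
    "phase1": {"exchange": "main", "encryption": "3DES", "integrity": "MD5",
               "dh_group": 2, "lifetime_s": 7200, "auth": "psk"},
    "phase2": {"encryption": "AES-256", "integrity": "SHA1", "pfs_group": 2,
               "lifetime_s": 7200, "lifetime_kb": 10000},
}
CHECK_POINT: Config = {                     # Traditional Mode, Advanced and Encrypt properties
    "phase1": {"exchange": "main", "encryption": "3DES", "integrity": "MD5",
               "dh_group": 2, "lifetime_s": 120 * 60, "auth": "psk"},
    "phase2": {"encryption": "AES-256", "integrity": "MD5", "pfs_group": 2,
               "lifetime_s": 7200, "lifetime_kb": 10000},
}

LEGACY_CIPHERS = {"DES": "56-bit key", "3DES": "64-bit block, birthday-bound"}
LEGACY_HASHES = {"MD5": "collision-broken", "SHA1": "deprecated for new designs"}
SMALL_MODP = {1: 768, 2: 1024, 5: 1536}     # bits; group 14 (2048) is the usual floor today
PSK_MIN_LEN = 16                            # the guide's stated minimum
EXAMPLE_PSK = "1234567890abcdef"            # the guide's illustrative value


def compare(local: Config, remote: Config) -> List[str]:
    """Parameters that differ; any entry here breaks Main Mode or Quick Mode."""
    problems = []
    for phase in ("phase1", "phase2"):
        for key in sorted(set(local[phase]) | set(remote[phase])):
            a, b = local[phase].get(key), remote[phase].get(key)
            if a != b:
                problems.append(f"{phase}.{key}: {a} != {b}")
    return problems


def weaknesses(cfg: Config) -> List[str]:
    """Settings that negotiate fine but would not pass a modern review."""
    findings = []
    for phase in ("phase1", "phase2"):
        p = cfg[phase]
        if p["encryption"] in LEGACY_CIPHERS:
            findings.append(f"{phase}.encryption {p['encryption']}: "
                            f"{LEGACY_CIPHERS[p['encryption']]}, use AES")
        if p["integrity"] in LEGACY_HASHES:
            findings.append(f"{phase}.integrity {p['integrity']}: {LEGACY_HASHES[p['integrity']]}")
        group = p.get("dh_group", p.get("pfs_group"))
        if group is None:
            findings.append(f"{phase}: no PFS group, so a recovered IKE key exposes all traffic")
        elif group in SMALL_MODP:
            findings.append(f"{phase} DH group {group}: {SMALL_MODP[group]}-bit MODP, "
                            f"use group 14 or larger")
    if cfg["phase1"].get("exchange") == "aggressive" and cfg["phase1"].get("auth") == "psk":
        findings.append("phase1: aggressive mode with PSK exposes the identity hash to offline cracking")
    if cfg["phase1"].get("auth") == "psk":
        findings.append("phase1.auth psk: the guide recommends signed certificates instead")
    return findings


def check_psk(psk: str) -> List[str]:
    """Apply the guide's 16-character rule plus basic entropy hygiene."""
    issues = []
    if len(psk) < PSK_MIN_LEN:
        issues.append(f"shorter than {PSK_MIN_LEN} characters")
    if psk == EXAMPLE_PSK:
        issues.append("documentation example value, never deploy it")
    classes = sum(any(c in cls for c in psk)
                  for cls in (string.ascii_lowercase, string.ascii_uppercase, string.digits))
    if classes < 3:
        issues.append("use upper case, lower case and digits")
    return issues


def generate_psk(length: int = 32) -> str:
    """Random alphanumeric PSK that passes check_psk (retries until it does)."""
    alphabet = string.ascii_letters + string.digits
    while True:
        psk = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_psk(psk):
            return psk


if __name__ == "__main__":
    for line in compare(PROVENTIA, CHECK_POINT):
        print("MISMATCH", line)
    for line in weaknesses(PROVENTIA):
        print("WEAK    ", line)
    print("issues with the guide's example PSK:", check_psk(EXAMPLE_PSK))
    print("fresh PSK:", generate_psk())
```

Run as written, compare() reports exactly one mismatch, the Phase 2 integrity algorithm (SHA1 on the Proventia, MD5 in the Check Point Encrypt properties), which is the condition under which Main Mode succeeds but no IPSEC security association is ever established. The weaknesses() output is the list of things to change when adapting this 2007 example for operational use, as the "Intended use" section requires.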


© Copyright IBM Corporation 2003, 2007. All Rights Reserved.

IBM and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. ADDME, Ahead of the threat, BlackICE, Internet Scanner, Proventia, RealSecure, SecurePartner, SecurityFusion, SiteProtector, System Scanner, Virtual Patch, X-Force and X-Press Update are trademarks or registered trademarks of Internet Security Systems, Inc. in the United States, other countries, or both. Internet Security Systems, Inc. is a wholly-owned subsidiary of International Business Machines Corporation.

Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation in the United States, other countries, or both.

Other company, product and service names may be trademarks or service marks of others.

References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.