Check Point VPN-1 NG
Gateway-to-Gateway
IPsec with BinTec routers using public/private keys

Note: only the switch to IKE authentication using public/private keys is described here. For the general setup, first take a look at the Example for a setup using pre-shared secrets in IKE authentication.
Create/manage certificates using an external CA
BinTec router
Import the external CA
- Go to IPSEC -> Certificate and Key Management -> Certificate Authority Certificate -> DOWNLOAD
X1200 Setup Tool BinTec Access Networks GmbH
[IPSEC][CERTMGMT][GETCERT]: IPsec Configuration - Get Certificate x1200
_______________________________________________________________________________
Import a Certificate/CRL using: TFTP
Type of certificate: Certificate Authority
Server: <IP of TFTP server>
Name: AE-TestCA-2003-A.crt auto
START EXIT
_______________________________________________________________________________
- Verify the CA certificate and import it
X1200 Setup Tool BinTec Access Networks GmbH
[IPSEC][CERTMGMT][GETCERT]: IPsec Configuration - Review Certificate x1200
_______________________________________________________________________________
Please Review retrieved Certificate: [AE-TestCA-2003-A.crt]
Certificate =
SerialNumber = 1
SubjectName = <MAILTO=ca@aerasec.de, OU=AERAsec Certificate Authority,
O=AERAsec Network Services and Security GmbH, ST=Bayern, L=Hohenbrunn,
C=DE, CN=AE-TestCA-2003-A>
IssuerName = <MAILTO=ca@aerasec.de, OU=AERAsec Certificate Authority,
O=AERAsec Network Services and Security GmbH, ST=Bayern, L=Hohenbrunn,
C=DE, CN=AE-TestCA-2003-A>
Certificate seems to be self-signed.
* Signature verification success.
Validity =
NotBefore = 2003 Oct 23rd, 14:24:07 GMT
NotAfter = 2004 Oct 22nd, 14:24:07 GMT
IMPORT CANCEL
_______________________________________________________________________________
- Confirm proper import by going to IPSEC -> Certificate and Key Management -> Certificate Authority Certificate
X1200 Setup Tool BinTec Access Networks GmbH
[IPSEC][CERTMGMT][CAS]: IPsec Configuration - Certificate Management x1200
_______________________________________________________________________________
Description Flags SerialNo Subject Names
ext-ca CA,T 1 , MAILTO=ca@aerasec.de, OU=AERAsec Certifi
DOWNLOAD DELETE EXIT
_______________________________________________________________________________
- Important: change the CRL usage flag if no CRL is used. Otherwise you get "Authentication failed" in IKE phase 1 and will not easily find the reason.
X1200 Setup Tool BinTec Access Networks GmbH
[IPSEC][CERTMGMT][CAS][EDIT]: IPsec Configuration - Certificate Management
_______________________________________________________________________________
Change Certificate Attributes
Description: AE-TestCA-2003-A.crt
Type of certificate: Certificate Authority
no CRLs
Certificate Contents:
Certificate =
SerialNumber = 1
SubjectName = <MAILTO=ca@aerasec.de, OU=AERAsec Certificate
Authority, O=AERAsec Network Services and Security GmbH,
ST=Bayern, L=Hohenbrunn, C=DE, CN=AE-TestCA-2003-A>
IssuerName = <MAILTO=ca@aerasec.de, OU=AERAsec Certificate
Authority, O=AERAsec Network Services and Security GmbH,
ST=Bayern, L=Hohenbrunn, C=DE, CN=AE-TestCA-2003-A>
Certificate seems to be self-signed.
SAVE EXIT
_______________________________________________________________________________
- Confirm proper settings a second time by going to IPSEC -> Certificate and Key Management -> Certificate Authority Certificate
X1200 Setup Tool BinTec Access Networks GmbH
[IPSEC][CERTMGMT][CAS]: IPsec Configuration - Certificate Management x1200
_______________________________________________________________________________
Description Flags SerialNo Subject Names
ext-ca CA,N,T 1 , MAILTO=ca@aerasec.de, OU=AERAsec Certifi
DOWNLOAD DELETE EXIT
_______________________________________________________________________________
Create a new private/public key pair (a key size of 2048 bits or above can take some time)
- Go to IPSEC -> Certificate and Key Management -> Key Management -> CREATE
- You can choose a different key size, but be patient: the larger the key, the more time the calculation needs (the 1024-bit key used in this 2003 example is below today's recommended minimum of 2048 bits).
X1200 Setup Tool BinTec Access Networks GmbH
[IPSEC][CERTMGMT][KEYS][CREATE]: IPsec Configuration - Create Keys x1200
_______________________________________________________________________________
Description: bintec-own-key
Algorithm: rsa
Key Size (Bits): 1024
RSA Public Exponent: 65537
Create Exit
_______________________________________________________________________________
- Alternatively, you can use the command line:
x1200:> key create -a rsa -s 1024 bintec-own-key
- Confirm the key was created by going to IPSEC -> Certificate and Key Management -> Key Management
X1200 Setup Tool BinTec Access Networks GmbH
[IPSEC][CERTMGMT][KEYS]: IPsec Configuration - Configure Keys x1200
_______________________________________________________________________________
Highlight an entry and type 'e' to generate a pkcs#10 certificate request
Description Algorithm Key Length
bintec-own-key rsa 001024
CREATE DELETE REQUEST CERT EXIT
_______________________________________________________________________________
Create a certificate request
- Go to IPSEC -> Certificate and Key Management -> Key Management -> REQUEST CERT
X1200 Setup Tool BinTec Access Networks GmbH
[IPSEC][CERTMGMT][ENROLL]: IPsec Configuration - Certificate Enrollment x1200
_______________________________________________________________________________
Key to enroll: 2 (bintec-own-key)
Method: Manual
Subject Name: CN=bintec,O=bintec.lab.aerasec.de
Subject Alternative Names (optional):
Type Value
IP
DNS
NONE
Signing algorithm to use: sha1WithRSAEncryption
Server: <IP of TFTP server>
Filename: bintec-own-request.pem base64
Start Exit
_______________________________________________________________________________
Sign the certificate request of the BinTec router with an external PKI tool
- Copy request from TFTP server directory to floppy disk
- Transfer request to the PKI tool
- Import the request in the PKI tool
- Sign the request
- Save signed certificate to floppy disk
- Copy the signed certificate to TFTP server directory
Import the signed certificate
- Go to IPSEC -> Certificate and Key Management -> Own Certificates -> DOWNLOAD
X1200 Setup Tool BinTec Access Networks GmbH
[IPSEC][CERTMGMT][GETCERT]: IPsec Configuration - Get Certificate x1200
_______________________________________________________________________________
Import a Certificate/CRL using: TFTP
Type of certificate: Own Certificate
Server: <IP of TFTP server>
Name: bintec.crt auto
START EXIT
_______________________________________________________________________________
- Review content of signed certificate and import it
X1200 Setup Tool BinTec Access Networks GmbH
[IPSEC][CERTMGMT][GETCERT]: IPsec Configuration - Review Certificate x1200
_______________________________________________________________________________
Please Review retrieved Certificate: [bintec.crt]
Certificate =
SerialNumber = 8
SubjectName = <CN=bintec, O=bintec.lab.aerasec.de>
IssuerName = <MAILTO=ca@aerasec.de, OU=AERAsec Certificate Authority,
O=AERAsec Network Services and Security GmbH, ST=Bayern, L=Hohenbrunn,
C=DE, CN=AE-TestCA-2003-A>
Validity =
NotBefore = 2003 Oct 29th, 11:14:48 GMT
NotAfter = 2003 Nov 28th, 11:14:48 GMT
PublicKeyInfo =
Algorithm name (X.509) : rsaEncryption
Modulus n (1024 bits) :
1539457218084629878963560670801157699985678099637576257888985635927
IMPORT CANCEL
_______________________________________________________________________________
- Confirm proper import by going to IPSEC -> Certificate and Key Management -> Own Certificates
X1200 Setup Tool BinTec Access Networks GmbH
[IPSEC][CERTMGMT][OWN]: IPsec Configuration - Certificate Management x1200
_______________________________________________________________________________
Description Flags SerialNo Subject Names
bintec.crt O 8 , CN=bintec, O=bintec.lab.aerasec.de, CN=b
DOWNLOAD DELETE EXIT
_______________________________________________________________________________
Check Point VPN-1
See here for more: Check Point VPN-1 configuration for usage of an external CA
Create/manage certificates using the internal_ca of a Check Point management
WARNING: this is currently still not working because of the following issue: a Check Point VPN-1 module sends the object's IPv4 address as its ID in IKE phase 1, but this ID is not contained in the module's certificate created by the internal CA.
This issue is already known (see also: Check Point and FreeS/WAN using certificates), but still not solved in a proper fashion. Playing tricks on FreeS/WAN doesn't help either:
left=172.16.1.2
leftcert=/root/checkpoint.crt
leftid=172.16.1.2
Oct 30 14:05:37 freeswan pluto[2143]: loaded host cert file '/root/checkpoint.crt' (1120 bytes)
Oct 30 14:05:37 freeswan pluto[2143]: no subjectAltName matches ID '172.16.1.2', replaced by subject DN
Oct 30 14:17:35 freeswan pluto[2143]: "net-checkpoint-net-freeswan-rsa" #21: we require peer to have ID
'O=checkpoint.lab.aerasec.de..abcdef, CN=checkpoint VPN Certificate', but peer declares '172.16.1.2'
So we believe that this issue is responsible for the same problem here with the BinTec IPsec implementation. In FreeS/WAN, this issue can be solved by specifying the public key directly, but this is impossible on a BinTec router.
Additional note: while playing around we found the following scenario working; we don't know whether it's 100% useful:
- The BinTec router uses a user certificate from Check Point's internal_ca for authentication against the Check Point VPN-1 module
- The Check Point VPN-1 module uses the (properly generated, i.e. subjectAltName contains the IP address of the module) certificate signed by an external CA for authentication against the BinTec router
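To make the ID-versus-certificate rule behind these log lines concrete, here is an added Python example (not code from the page, from FreeS/WAN or from either vendor). It checks whether a certificate can vouch for the identity a peer sends in IKE phase 1, with the certificate given as already-parsed fields rather than parsed from X.509. The internal_ca sample carries only the subject DN quoted in the FreeS/WAN log and no subjectAltName; the external-CA sample, its subject "CN=checkpoint, O=checkpoint.lab.aerasec.de" and its iPAddress subjectAltName are assumptions constructed for the example.

```python
"""Check whether a certificate can vouch for the identity a peer sends in
IKE phase 1. Added example, not code from the page, FreeS/WAN or either
vendor; certificates are given as already-parsed fields (constructed below),
no X.509 parsing is done."""
import ipaddress
from dataclasses import dataclass, field

# Identification types of the IPsec DOI (RFC 2407 section 4.6.2.1)
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_DER_ASN1_DN = 9


@dataclass
class CertIdentity:
    """The identity-bearing fields of an X.509 certificate."""
    subject: str                                   # DN, router or openssl syntax
    san_ip: list = field(default_factory=list)     # subjectAltName iPAddress
    san_dns: list = field(default_factory=list)    # subjectAltName dNSName
    san_email: list = field(default_factory=list)  # subjectAltName rfc822Name


def parse_dn(text):
    """Normalise a DN into [(TYPE, value), ...]. Accepts the comma form the
    router prints ("<CN=bintec-router, OU=users, O=...>") and the slash form
    openssl prints ("/O=.../OU=users/CN=bintec-router")."""
    text = text.strip().strip("<>").strip()
    if text.startswith("/"):
        parts = [p for p in text.split("/") if p]
    else:
        parts = [p.strip() for p in text.split(",") if p.strip()]
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip().lower()))
    return rdns


def same_dn(a, b):
    """A DN is ordered, but the two tools print it in opposite order
    (router: CN first, openssl: O first), so accept either direction."""
    ra, rb = parse_dn(a), parse_dn(b)
    return ra == rb or ra == list(reversed(rb))


def cert_binds_id(cert, id_type, id_value):
    """Return (ok, reason). An address, FQDN or e-mail ID must appear as a
    matching subjectAltName; a DN ID must equal the subject. There is no
    fallback from an address ID to the subject DN: that gap is exactly what
    ends in "No public key found" on this page."""
    if id_type == ID_IPV4_ADDR:
        wanted = ipaddress.ip_address(id_value)
        if any(ipaddress.ip_address(ip) == wanted for ip in cert.san_ip):
            return True, "subjectAltName iPAddress matches %s" % id_value
        return False, "no subjectAltName iPAddress matches ID '%s'" % id_value
    if id_type == ID_FQDN:
        if id_value.lower() in [d.lower() for d in cert.san_dns]:
            return True, "subjectAltName dNSName matches %s" % id_value
        return False, "no subjectAltName dNSName matches ID '%s'" % id_value
    if id_type == ID_USER_FQDN:
        if id_value.lower() in [e.lower() for e in cert.san_email]:
            return True, "subjectAltName rfc822Name matches %s" % id_value
        return False, "no subjectAltName rfc822Name matches ID '%s'" % id_value
    if id_type == ID_DER_ASN1_DN:
        if same_dn(cert.subject, id_value):
            return True, "subject DN matches ID"
        return False, "subject DN '%s' differs from ID '%s'" % (cert.subject, id_value)
    return False, "ID type %d not handled" % id_type


# Constructed samples. The module certificate from Check Point's internal_ca
# carries only the subject DN quoted in the FreeS/WAN log above, no SAN.
CP_INTERNAL_CA_CERT = CertIdentity(
    subject="O=checkpoint.lab.aerasec.de..abcdef, CN=checkpoint VPN Certificate")
# An external-CA certificate issued with the module's address as iPAddress
# subjectAltName, as the working scenario above requires (assumed subject).
CP_EXTERNAL_CA_CERT = CertIdentity(
    subject="CN=checkpoint, O=checkpoint.lab.aerasec.de", san_ip=["172.16.1.2"])


def demo():
    """The three cases behind the observations on this page."""
    return [
        cert_binds_id(CP_INTERNAL_CA_CERT, ID_IPV4_ADDR, "172.16.1.2"),
        cert_binds_id(CP_INTERNAL_CA_CERT, ID_DER_ASN1_DN,
                      "/O=checkpoint.lab.aerasec.de..abcdef/CN=checkpoint VPN Certificate"),
        cert_binds_id(CP_EXTERNAL_CA_CERT, ID_IPV4_ADDR, "172.16.1.2"),
    ]


if __name__ == "__main__":
    for ok, reason in demo():
        print("OK  " if ok else "FAIL", reason)
```

The first case reproduces the failure on this page: an ID_IPV4_ADDR identity and a certificate that only carries a subject DN never match, so the responder has no public key to verify the peer's signature with. The second case shows why a DN identity would match the same certificate, and the third is the external-CA scenario from the list above.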
Check Point VPN-1 using the management internal_ca
Generate a user certificate and create the requested files
- Create a user and generate a key/cert pair and save it as a PKCS#12 file (e.g. bintec-router.p12)
- With the use of OpenSSL, extract the private key of the PKCS#12 file and convert it into PKCS#8 format
$ openssl pkcs12 -in bintec-router.p12 -nocerts -out bintec-router-key.pem
$ openssl pkcs8 -in bintec-router-key.pem -topk8 -out bintec-router-key.p8
- Copy the PKCS#8 key to the TFTP server
- With the use of OpenSSL extract the public keys of the PKCS#12
$ openssl pkcs12 -in bintec-router.p12 -nokeys -clcerts -out bintec-router-certbag.pem
- Split this single bag file into two files, e.g. cp-internal_ca.pem and bintec-router-cert.pem (the bag information on top of each certificate tells which one it belongs to).
Important note: you have to remove the bag information as well, the BinTec router doesn't like it!
Bag Attributes
friendlyName: internal_ca
localKeyID: 2E 66 8A 80 FC B9 14 60 B3 49 35 D2 FA B2 80 A6
subject=/O=checkpoint.lab.aerasec.de..abcdef
issuer= /O=checkpoint.lab.aerasec.de..abcdef
-----BEGIN CERTIFICATE-----
MIIC...
...liA==
-----END CERTIFICATE-----
Bag Attributes
friendlyName: bintec-router
localKeyID: 0E BD A9 09 B4 2A 9D 73 30 37 17 87 F2 82 EE 14
subject=/O=checkpoint.lab.aerasec.de..abcdef/OU=users/CN=bintec-router
issuer= /O=checkpoint.lab.aerasec.de..abcdef
-----BEGIN CERTIFICATE-----
MIID...
...WtQ==
-----END CERTIFICATE-----
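The split and clean-up can be scripted. The following Python is an added example (not the page's own procedure and not an OpenSSL tool): it reads the bag file that openssl pkcs12 -nokeys -clcerts writes, keeps only the BEGIN/END block of each certificate, names the output after the friendlyName, and compares each bag's localKeyID with the certificate's fingerprint, which is the same value the router prints at cert get before asking whether to accept the certificate (on this page the localKeyID bytes equal the md5 fingerprint). The sample bag at the end is constructed with placeholder DER bodies, not real certificates.

```python
"""Split the certificate bag written by "openssl pkcs12 -nokeys -clcerts" into
one clean PEM block per certificate, dropping the "Bag Attributes" lines the
BinTec router rejects. Added example, not from the page; the sample bag at the
bottom is constructed (placeholder DER bodies, not real certificates)."""
import base64
import hashlib
import os
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def split_bag(text):
    """Return one dict per certificate: friendly_name, local_key_id (bytes or
    None), subject, and pem (only the BEGIN..END block, newline-terminated)."""
    entries, body = [], None
    attrs = {"friendly_name": None, "local_key_id": None, "subject": None}
    for line in text.splitlines():
        s = line.strip()
        if body is not None:                      # inside a certificate block
            body.append(s)
            if s == END:
                entries.append(dict(attrs, pem="\n".join(body) + "\n"))
                attrs = {"friendly_name": None, "local_key_id": None, "subject": None}
                body = None
        elif s == BEGIN:
            body = [s]
        elif s.startswith("friendlyName:"):
            attrs["friendly_name"] = s.split(":", 1)[1].strip()
        elif s.startswith("localKeyID:"):         # "2E 66 8A ..." -> bytes
            attrs["local_key_id"] = bytes.fromhex(s.split(":", 1)[1].replace(" ", ""))
        elif s.startswith("subject="):
            attrs["subject"] = s.split("=", 1)[1].strip()
        # "Bag Attributes", "issuer=" and blank lines are dropped
    if body is not None:
        raise ValueError("unterminated certificate block")
    return entries


def der_of(pem):
    """Base64-decode the body of one PEM block."""
    b64 = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(b64, validate=True)


def fingerprint(pem, algo="md5"):
    """Fingerprint in the colon form the router prints at "cert get"."""
    hexdigest = hashlib.new(algo, der_of(pem)).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def local_key_id_matches(entry):
    """True if the bag's localKeyID is the md5 or sha1 digest of the certificate.
    On this page it equals the md5 fingerprint the router shows; other PKCS#12
    producers use other digests, so both are tried."""
    kid = entry["local_key_id"]
    if kid is None:
        return False
    der = der_of(entry["pem"])
    return any(hashlib.new(a, der).digest() == kid for a in ("md5", "sha1"))


def write_files(entries, directory="."):
    """Write <friendlyName>.pem per entry (bare PEM only); return the paths."""
    paths = []
    for e in entries:
        name = re.sub(r"[^A-Za-z0-9._-]", "_", e["friendly_name"] or "cert")
        path = os.path.join(directory, name + ".pem")
        with open(path, "w") as fh:
            fh.write(e["pem"])
        paths.append(path)
    return paths


def _bag(name, der, subject):
    """Build one bag in the layout openssl prints; constructed sample data."""
    kid = " ".join("%02X" % b for b in hashlib.md5(der).digest())
    return ("Bag Attributes\n    friendlyName: %s\n    localKeyID: %s\n"
            "subject=%s\nissuer= /O=checkpoint.lab.aerasec.de..abcdef\n%s\n%s\n%s\n"
            % (name, kid, subject, BEGIN, base64.b64encode(der).decode(), END))


SAMPLE_BAG = (
    _bag("internal_ca", bytes.fromhex("3003020101"),
         "/O=checkpoint.lab.aerasec.de..abcdef")
    + _bag("bintec-router", bytes.fromhex("3003020102"),
           "/O=checkpoint.lab.aerasec.de..abcdef/OU=users/CN=bintec-router"))


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BAG
    for e in split_bag(text):
        print(e["friendly_name"], e["subject"], "md5", fingerprint(e["pem"]),
              "localKeyID ok" if local_key_id_matches(e) else "localKeyID MISMATCH")
    if len(sys.argv) > 1:
        print("written:", write_files(split_bag(text)))
```

Saved as, for example, split_bag.py and run with bintec-router-certbag.pem as argument, it writes internal_ca.pem and bintec-router.pem without bag attributes; the printed md5 fingerprint is the value to compare against the router's "Accept this Certificate?" prompt before answering y.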
BinTec router
Note: certificate import can also be done using the setup utility, but key import cannot. Therefore we describe command line usage only here.
Import internal_ca of Check Point VPN-1
- Import the internal_ca certificate (here we use the command line)
x1200:> cert get tftp://<server>/cp-internal_ca.crt cp-ca
cert:
Certificate =
SerialNumber = 1
SubjectName = <O=checkpoint.lab.aerasec.de..abcdef>
IssuerName = <O=checkpoint.lab.aerasec.de..abcdef>
Certificate seems to be self-signed.
* Signature verification success.
...
md5 Fingerprint: 2E:66:8A:80:FC:B9:14:60:B3:49:35:D2:FA:B2:80:A6
sha1 Fingerprint: 4E:0C:01:04:BD:0C:51:24:21:66:10:C9:5E:75:65:43:2D:AB:D2:34
Accept this Certificate? (y/n) > y
cert: CA certificate detected
- Confirm proper import by going to IPSEC -> Certificate and Key Management -> Certificate Authority Certificates
X1200 Setup Tool BinTec Access Networks GmbH
[IPSEC][CERTMGMT][CAS]: IPsec Configuration - Certificate Management x1200
_______________________________________________________________________________
Description Flags SerialNo Subject Names
cp-internal_ca. CA,T 1 , O=checkpoint.lab.aerasec.de..abcdef, O=c
DOWNLOAD DELETE EXIT
_______________________________________________________________________________
- Important: change the CRL usage flag if no CRL is used. Otherwise you get "Authentication failed" in IKE phase 1 and will not easily find the reason.
Change Certificate Attributes
Description: cp-ca
Type of certificate: Certificate Authority
no CRLs
Certificate Contents:
Certificate =
SerialNumber = 1
SubjectName = <O=checkpoint.lab.muc.aerasec.de..abcdef>
IssuerName = <O=checkpoint.lab.aerasec.de..abcdef>
Certificate seems to be self-signed.
* Signature verification success.
Validity =
NotBefore = 2003 Oct 28th, 13:55:14 GMT
NotAfter = 2023 Oct 23rd, 13:55:14 GMT
SAVE EXIT
_______________________________________________________________________________
- Confirm proper settings a second time by going to IPSEC -> Certificate and Key Management -> Certificate Authority Certificate
X1200 Setup Tool BinTec Access Networks GmbH
[IPSEC][CERTMGMT][CAS]: IPsec Configuration - Certificate Management x1200
_______________________________________________________________________________
Description Flags SerialNo Subject Names
cp-ca CA,N,T 1 , O=checkpoint.lab.aerasec.de..abcdef, O=c
DOWNLOAD DELETE EXIT
_______________________________________________________________________________
Import private key in PKCS#8 format
- Import the key (note: this can only be done in command line mode)
x1200:> key import tftp://<server>/bintec-router-key.p8 bintec-router <passphrase>
key: importing key 1 from tftp://<server>/bintec-router-key.p8
key: requesting file bintec-router-key.p8 from server <server> (<server>)
key: key bintec-router imported successfully from tftp://<server>/bintec-router-key.p8
- Confirm proper import by going to IPSEC -> Certificate and Key Management -> Key Management
X1200 Setup Tool BinTec Access Networks GmbH
[IPSEC][CERTMGMT][KEYS]: IPsec Configuration - Configure Keys x1200
_______________________________________________________________________________
Highlight an entry and type 'e' to generate a pkcs#10 certificate request
Description Algorithm Key Length
bintec-router rsa 001024
CREATE DELETE REQUEST CERT EXIT
_______________________________________________________________________________
Import public key (aka certificate)
x1200:> cert get tftp://<server>/bintec-router-cert.pem bintec-router
cert:
Certificate =
SerialNumber = 630
SubjectName = <CN=bintec-router, OU=users, O=checkpoint.lab.aerasec.de..abcdef>
IssuerName = <O=checkpoint.lab.aerasec.de..abcdef>
...
[End of Certificate]
md5 Fingerprint: 0E:BD:A9:09:B4:2A:9D:73:30:37:17:87:F2:82:EE:14
sha1 Fingerprint: EC:10:FB:9F:76:6F:3A:2B:3C:42:A5:32:40:F8:1E:78:40:C4:88:B5
Accept this Certificate? (y/n) > y
cert: user certificate detected
- Confirm proper import by going to IPSEC -> Certificate and Key Management -> Own Certificates
X1200 Setup Tool BinTec Access Networks GmbH
[IPSEC][CERTMGMT][OWN]: IPsec Configuration - Certificate Management x1200
_______________________________________________________________________________
Description Flags SerialNo Subject Names
bintec-router O 630 , CN=bintec-router, OU=users, O=checkpoint
DOWNLOAD DELETE EXIT
_______________________________________________________________________________
Result: this is not working, because the BinTec router can't correlate the ID sent in IKE phase 1 with the certificate sent (the same issue as found using FreeS/WAN); therefore no public key was found.
Check Point's logging tells:
30Oct2003 14:26:44 keyinst 172.16.1.2 >daemon src: 172.16.1.1; dst: 172.16.1.2; peer gateway: 172.16.1.1;
scheme: IKE; IKE: Phase1 Received Notification from Peer: authentication failed ;
CookieI: d4ed0fa7b61dab92; CookieR: 0ee769d4fb000001; product: VPN-1 & FireWall-1;
Debugging of Check Point's vpn daemon also tells more about the real reason:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
fwIsakmp_ProcessInfoExc peer: xxxxxxxx ~~ Thu Oct 30 14:26:44 2003
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
debugNotifyPayload: (Process)
NextPld: 00 (PA_NONE)
Reserved: 00
Length: 00 3b (59)
DOI: 00 00 00 01
ProtID: 01
SPISize: 10 (16)
NotifyType: 00 18 (authentication failed)
SPI: d4 ed 0f a7 b6 1d ab 92 0e e7 69 d4 fb 00 00 01
NotifData:
80 0c 00 01 00 06 00 13 4e 6f 20 70 75 62 6c 69 63 20 6b 65
79 20 66 6f 75 6e 64 80 08 00 00
NotifData as string:
~@ ^L ^@ ^A ^@ ^F ^@ ^S N o p u b l i c k e
y f o u n d ~@ ^H ^@ ^@
The BinTec router reports the same (if the log level is set to debug).
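The hex dump above is a complete ISAKMP Notification payload. The following Python is an added example (not from the page, from Check Point or from BinTec) that reconstructs those 59 bytes and decodes them by RFC 2408: the fixed header, the DOI, protocol ID and SPI size, the notify type 24 (AUTHENTICATION-FAILED), the 16-byte SPI that for protocol ID 1 is the cookie pair the Check Point log prints as CookieI/CookieR, and the notification data, which is a run of ISAKMP data attributes. The attribute type numbers are Check Point-private and not documented on the page, so the parser only splits them and surfaces printable strings; that is where "No public key found" comes from.

```python
"""Decode the ISAKMP Notification payload shown in the Check Point vpn daemon
debug dump above. Added example, not from the page or from Check Point; the
byte string is reconstructed from the hex values in that dump."""
import struct

# Notify message types from RFC 2408 section 3.14.1 (subset)
NOTIFY_TYPES = {
    14: "NO-PROPOSAL-CHOSEN",
    18: "INVALID-ID-INFORMATION",
    20: "INVALID-CERTIFICATE",
    24: "AUTHENTICATION-FAILED",
    25: "INVALID-SIGNATURE",
    28: "CERTIFICATE-UNAVAILABLE",
}
PROTO_ISAKMP = 1


def parse_attributes(data):
    """Split ISAKMP data attributes (RFC 2408 section 3.3): 2-byte type whose
    top bit selects TV (2-byte value) or TLV (2-byte length + value) format.
    Returns a list of (type, value_bytes)."""
    attrs, pos = [], 0
    while pos + 4 <= len(data):
        af_type, second = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if af_type & 0x8000:                      # TV: value is the 2 bytes
            attrs.append((af_type & 0x7fff, second.to_bytes(2, "big")))
        else:                                     # TLV: second is the length
            if pos + second > len(data):
                raise ValueError("attribute length runs past payload")
            attrs.append((af_type, data[pos:pos + second]))
            pos += second
    if pos != len(data):
        raise ValueError("%d trailing byte(s) after attributes" % (len(data) - pos))
    return attrs


def parse_notify_payload(buf):
    """Parse one Notification payload (RFC 2408 section 3.14) into a dict.
    Raises ValueError when the length fields do not fit the buffer."""
    if len(buf) < 12:
        raise ValueError("payload shorter than the 12-byte fixed part")
    next_payload, _reserved, length = struct.unpack("!BBH", buf[:4])
    if length != len(buf):
        raise ValueError("length field %d but %d bytes given" % (length, len(buf)))
    doi, = struct.unpack("!I", buf[4:8])
    proto_id, spi_size, notify_type = struct.unpack("!BBH", buf[8:12])
    if 12 + spi_size > length:
        raise ValueError("SPI runs past payload")
    spi = buf[12:12 + spi_size]
    attrs = parse_attributes(buf[12 + spi_size:])
    # Any TLV whose value is printable ASCII is exposed as text; that is where
    # the "No public key found" reason of the dump above lives. The attribute
    # type numbers themselves are Check Point-private and not decoded here.
    strings = [v.decode("ascii") for _, v in attrs
               if len(v) > 2 and all(32 <= b < 127 for b in v)]
    return {"next_payload": next_payload, "length": length, "doi": doi,
            "protocol_id": proto_id, "spi": spi.hex(),
            "notify_type": notify_type,
            "notify_name": NOTIFY_TYPES.get(notify_type, "unknown(%d)" % notify_type),
            "attributes": attrs, "strings": strings}


def cookies(parsed):
    """For protocol ID ISAKMP the 16-byte SPI is the initiator and responder
    cookie pair, which the Check Point log prints as CookieI/CookieR."""
    if parsed["protocol_id"] != PROTO_ISAKMP or len(parsed["spi"]) != 32:
        return None
    return parsed["spi"][:16], parsed["spi"][16:]


# Reconstructed from the debug dump above (NextPld .. NotifData, 59 bytes)
PAYLOAD = bytes.fromhex(
    "00 00 00 3b 00 00 00 01 01 10 00 18"
    "d4 ed 0f a7 b6 1d ab 92 0e e7 69 d4 fb 00 00 01"
    "80 0c 00 01 00 06 00 13 4e 6f 20 70 75 62 6c 69 63 20 6b 65"
    "79 20 66 6f 75 6e 64 80 08 00 00")

if __name__ == "__main__":
    p = parse_notify_payload(PAYLOAD)
    print("notify type %d (%s), DOI %d, protocol %d" % (
        p["notify_type"], p["notify_name"], p["doi"], p["protocol_id"]))
    print("cookies (I, R):", cookies(p))
    print("reason text:", p["strings"])
```

Decoded this way, the informational exchange already names the cause the router-side "Authentication failed" message hides: the responder could not find a public key for the ID it was given, which points straight at the ID/certificate mismatch discussed above rather than at a wrong signature or a bad CA.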
IPsec related configuration of a BinTec router
This is currently only working using an external CA!
Phase 1 (IKE-SA) settings of this peer:
Change the IKE authentication method from pre-shared secret to RSA Signatures, and select the proper local certificate.
X1200 Setup Tool BinTec Access Networks GmbH
[IPSEC][PEERS][EDIT][PHASE 1]: IPsec Configuration - Phase 1 (IKE) Settings
_______________________________________________________________________________
Proposal : Rijndael/SHA1 (def)
Lifetime : 900 Sec/0 Kb (def)
Group : 5 (1536 bit MODP)
Authentication Method : RSA Signatures
Mode : id_protect (def)
Local ID :
Local Certificate : 5 (bintec.crt)
View Proposals >
Edit Lifetimes >
SAVE CANCEL
_______________________________________________________________________________
IKE/IPsec Monitoring on a BinTec router
Using IPsec monitoring, IKE and IPsec SAs can be checked, e.g. whether they exist and which methods are currently in use.
IKE monitoring (public/private keys)
- Go to Monitoring
- Go to IKE Security Associations
- The example shows a 3DES/MD5 IKE-SA with RSA signatures (using certificates):
X1200 Setup Tool BinTec Access Networks GmbH
[IPSEC][MONITORING][IKE SAS]: IPsec Monitoring - IKE SAs x1200
_______________________________________________________________________________
T: xch.-Type: B=Base I=Id-prot. O=auth-Only A=Aggressive
A: Auth-Meth: P=P-S-Key D=DSA-sign. S=RSA-sign. E=RSA-encryption
R: Role : I=Initiator R=Responder
S: State : N=Negotiate E=Establ. D=Delete W=Waiting-for-remove
E: Enc.-Alg : d=DES D=3ES B=Blowfish C=Cast R=Rijndael T=Twofis
H: Hash-Alg : M=MD5 S=SHA1 T=Tiger R=Ripemd160
type 'h' to toggle this help
Remote ID Remote IP Local ID TARSEH
172.16.1.2 172.16.1.2 O=bintec.lab.ae ISREDM
DELETE EXIT
_______________________________________________________________________________
No warranty at all, your feedback is welcome!
© 2003-2010 AERAsec Network Services and Security GmbH, last update 2003-10-30 (PB)
Back to http://www.vpn-1.de/aerasec/