Check Point VPN-1 NG

Gateway-to-Gateway IPsec with BinTec routers using a pre-shared secret

IPsec related configuration of a BinTec router
IPsec related configuration of a Check Point VPN-1
IPsec Monitoring on a BinTec router

IPsec related configuration of a BinTec router

It's important to use the Wizard here at first time because some initial values are set during this run.

Used topology in this example:
192.168.1.0/24 --- [.1] CP NG [.2] --- 172.16.1.0/24 --- [.1] BinTec [.1] ---192.168.2.0/24

Requirements:

On both sides supported:

IKE encryption method
IKE integrity method
IKE-SA lifetime
IKE Diffie-Hellman Groups
ESP encryption method
ESP integrity method
IPsec-SA lifetime
Perfect Forward Secrecy Support
Preshared secret key

Reachable (normally external) IPv4 address of peer (Check Point NG VPN-1 Pro)
Topology

Local network(s) - BinTec router internal network(s)
Remote network(s) - Check Point NG VPN-1 internal network(s)

To do:

Login via serial console or telnet
Start setup tool
Goto IPSEC menu (if missing, current firmware doesn't support it, see above for more)
Change Enable IPSec to yes
Goto IKE (Phase 1) Defaults

Select a supported Proposal, e.g. Rijndael/SHA1
Select a supported Lifetime, e.g. 900 Sec/0 Kb
Select a supported Authentication Method, e.g. Pre Shared Keys
Select Save

Goto IPsec (Phase 2) Defaults

Select a supported Proposal, e.g. (ESP(Rijndael/Sha1) no Comp)
Select a supported Lifetime, e.g. 900 Sec/0 Kb
Select use of Perfect Forward Secrecy: Use PFS, e.g. yes

Goto Wizard

On What to do? select start wizard

Select IKE authentication method on Use which Default IPSEC Authentication Method ?, here: Pre Shared Keys
Start configuring peer by selecting Configure Peer ? start

Fill-in Description
Fill-in peer's (Check Point NG VPN-1's) Peer Address
Peer IDs can be left empty for now
On Pre Shared Key fill in the on both sides used one

Start configuring network topology by selecting Configure Peer Traffic ? start

Fill-in Description
Select a Protocol filter, if required, here for now: dont-verify
Add local part of topology, here e.g. Type: net Ip: 192.168.2.0 / 24
Add remote part of topology, here e.g. Type: net Ip: 192.168.1.0 / 24
Select Save

Now you can dump all during the wizard created messages to syslog by selecting: What to do? dump messages

Select Save

Result should look like following (some values are not overtaken from default so check setup and change it, if required).

Configured peers:

X1200 Setup Tool                                    BinTec Access Networks GmbH
[IPSEC][PEERS]: IPsec Configuration - Configure Peer List                 x1200
_______________________________________________________________________________
  Highlight an entry and type 'i' to insert new entry below,
  'u'/'d' to move up/down, 'a' to select as active peer list

  Description       PeerID            PeerAddr        IKEProp  TrafficList
  *Check Point NG                     172.16.1.2      default           2

     APPEND              DELETE              EXIT
______________________________________________________________________________

Configuration of peer "Check Point NG":

X1200 Setup Tool                                    BinTec Access Networks GmbH
[IPSEC][PEERS][EDIT]: IPsec Configuration - Configure Peer List           x1200
_______________________________________________________________________________

     Description:   Check Point NG
     Peer Address:  172.16.1.2
     Peer IDs:
     Pre Shared Key:*
     ISDN Callback: disabled

     Special Settings >

  Traffic List: Highlight an entry and type 'i' to insert new entry below,
                'u'/'d' to move up/down, 'a' to select as active traffic list

  Local Address    M/R    Port  Proto Remote Address  M/R    Port  A  Proposal
  *192.168.2.0     M24    -     all   192.168.1.0     M24    -     PR default

       APPEND              DELETE               SAVE               CANCEL
_______________________________________________________________________________

Special settings of this peer:

X1200 Setup Tool                                    BinTec Access Networks GmbH
[IPSEC][PEERS][EDIT][SPECIAL]: IPSec Peer Special Settings                x1200
_______________________________________________________________________________

     Options:

       Verify Padding:        yes
       Granularity:           default (coarse)
       Keep Alive:            no
       Heartbeats:            default

     Phase 1 >
     Phase 2 >

     Select Different Traffic List >

                          SAVE                          CANCEL
_______________________________________________________________________________

Phase 1 (IKE-SA) settings of this peer:

X1200 Setup Tool                                    BinTec Access Networks GmbH
[IPSEC][PEERS][EDIT][PHASE 1]: IPsec Configuration - Phase 1 (IKE) Settings
_______________________________________________________________________________

   Proposal              :  Rijndael/SHA1 (def)
   Lifetime              :  900 Sec/0 Kb (def)
   Group                 :  5 (1536 bit MODP)
   Authentication Method :  Pre Shared Keys (def)
   Mode                  :  id_protect (def)
   Local ID              :
   Local Certificate     :  none

   View Proposals >
   Edit Lifetimes >

                         SAVE                          CANCEL
_______________________________________________________________________________

Phase 2 (IPsec-SA) settings of this peer:

X1200 Setup Tool                                    BinTec Access Networks GmbH
[IPSEC][PEERS][EDIT][PHASE 2]: IPsec Configuration - Phase 2 Settings     x1200
_______________________________________________________________________________

       Proposal:               ESP(Rijndael/Sha1) (def)
       Lifetime:               900 Sec/0 Kb (def)
       Use PFS :               group 5 (1536 bit MODP)

   View Proposals >
   Edit Lifetimes >

                         SAVE                          CANCEL
_______________________________________________________________________________

Traffic entry (also known as topology definition):

X1200 Setup Tool                                    BinTec Access Networks GmbH
[IPSEC][PEERS][EDIT][TRAFFIC][EDIT]: Edit Traffic Entry                   x1200
_______________________________________________________________________________

     Description:   net-net

     Protocol:      dont-verify

     Local:
          Type: net   Ip: 192.168.2.0    / 24

     Remote:
          Type: net   Ip: 192.168.1.0    / 24

     Action:        protect

     Special Settings >

                    SAVE                               CANCEL
_______________________________________________________________________________

Special settings of this traffic entry:

X1200 Setup Tool                                    BinTec Access Networks GmbH
[IPSEC][PEERS][EDIT][TRAFFIC][SPECIAL]: Customize Traffic Settings        x1200
_______________________________________________________________________________

     Proposal:           ESP(Rijndael/Sha1) (def)
     Lifetime:           900 Sec/0 Kb (def)

     Keep Alive:         default
     Force Tunnel Mode:  false
     Granularity:        default (coarse)

     View Proposals >
     Edit Lifetimes >

                    SAVE                               CANCEL
_______________________________________________________________________________

IPsec related configuration of a Check Point VPN-1 NG AI

Following screen shots are showing the relating configuration to BinTec router configuration shown above.

Setup of the gateway with BinTec router

Create an interoperable device:

General Properties

Fill-in required and additional information:

Topology

Configure topology according to your VPN and external network setup. For more complex internal network setup, you probably have to switch to "Manually defined" VPN domain and select a previous created network group containing all internal networks behind this gateway.

Configure Check Point VPN-1 object

As shown above, take care of the topology and the VPN domain

General Properties

Enable VPN-1 Pro feature, if not done before. You will need the according license to use VPN-1 Pro.

Topology

Configure topology according to your VPN and external network setup. For more complex internal network setup, you probably have to switch to "Manually defined" VPN domain and select a previously created network group containing all internal networks behind this gateway.

Setup VPN community

Edit the MyIntranet community object. You might also create a new community, if necessary.

General

For an unfiltered communications between all community members, enable the field "Accept all encrypted traffic" in this community.
Note: not really recommended, so setup dedicated rules after successful testing and disable this switch afterwards.

Participating Gateways

You'll have to add at least the BinTec router and your Check Point VPN-1 NG.

VPN properties

Setup encryption and integrity methods for IKE and IPsec according to the same values configured on the BinTec router above.

Advanced properties

Setup the advanced properties for IKE and IPsec according to the same values configured on the BinTec router above.

Shared secret

After enabling use of shared secrets, specify the proper shared secret relating to the entry done at the BinTec router.

VPN manager (result)

Successful log entries

On success, following log entries should appear in Check Point's log:

30Oct2003 15:32:30 keyinst 172.16.1.2 >daemon src: 172.16.1.2; dst: 172.16.1.1; peer gateway: 172.16.1.1;
 scheme: IKE; IKE: Main Mode completion.; CookieI: 8eeaf9f3158074d4; CookieR: 176b8db753000000;
 methods: AES-256 + SHA1, Pre shared secrets; community: MyIntranet; product: VPN-1 & FireWall-1;

30Oct2003 15:32:32 keyinst 172.16.1.2 >daemon src: 172.16.1.2; dst: 172.16.1.1; srckeyid: 0xeb2c94a8;
 dstkeyid: 0x966e3019; peer gateway: 172.16.1.1; scheme: IKE; IKE: Quick Mode completion;
 CookieI: 8eeaf9f3158074d4; CookieR: 176b8db753000000; msgid: d9f20437;
 methods: ESP: AES-256 + SHA1 + PFS + DEFLATE;
 IKE IDs: subnet: 192.168.1.0 (mask= 255.255.255.0) and subnet: 192.168.2.0 (mask= 255.255.255.0);
 community: MyIntranet; product: VPN-1 & FireWall-1;

IKE/IPsec Monitoring on a BinTec router

Using IPsec monitoring, IKE and IPsec SAs can be monitored for e.g. existance or which methods are used now.

IKE monitoring (pre-shared secret)

Goto Monitoring
Goto IKE Security Associations

Example shows a AES/SHA IKE-SA with pre-shared secret:

X1200 Setup Tool                                    BinTec Access Networks GmbH
[IPSEC][MONITORING][IKE SAS]: IPsec Monitoring - IKE SAs                  x1200
_______________________________________________________________________________
  T: xch.-Type: B=Base      I=Id-prot.  O=auth-Only  A=Aggressive
  A: Auth-Meth: P=P-S-Key   D=DSA-sign. S=RSA-sign.  E=RSA-encryption
  R: Role     : I=Initiator R=Responder
  S: State    : N=Negotiate E=Establ.   D=Delete     W=Waiting-for-remove
  E: Enc.-Alg : d=DES       D=3ES       B=Blowfish   C=Cast  R=Rijndael T=Twofis
  H: Hash-Alg : M=MD5       S=SHA1      T=Tiger      R=Ripemd160
  type 'h' to toggle this help

  Remote ID                             Remote IP       Local ID        TARSEH
  172.16.1.2                            172.16.1.2      172.16.1.1      IPRERS

     DELETE              EXIT
_______________________________________________________________________________

IPsec monitoring

Goto Monitoring
Goto IPsec Security Associations

Example shows a AES/SHA IPsec-SA with IP compression method DEFLATE

X1200 Setup Tool                                    BinTec Access Networks GmbH
[IPSEC][MONITORING][IPSEC SAS]: IPsec Monitoring - IPsec SAs              x1200
_______________________________________________________________________________
    S: Sec. Proto :  E=ESP       A=AH        C=IPComP
    E: Enc. Alg.  :  D=3DES      B=Blowfish  C=Cast  d=DES T=Twofish R=Rijndael
    A: Auth. Alg. :  M=MD5       S=SHA1
    C: Comp-Alg   :  D=Deflate
    Direction     :  >=outbound  <=inbound
    Address-Syntax:  <host> or <first>+<num-following> or <netaddr>/<masklen>
   type 'h' to toggle this help

  Local                 LPort Pto  Remote                RPort SEAC Pkts  Bytes
  192.168.2.0/24        0     all <192.168.1.0/24        0     C--D     1    58
  192.168.2.0/24        0     all >192.168.1.0/24        0     C--D     1    58
  192.168.2.0/24        0     all <192.168.1.0/24        0     ERS-     1   104
  192.168.2.0/24        0     all >192.168.1.0/24        0     ERS-     1    58

     DELETE              EXIT
_______________________________________________________________________________

No warranty at all, your Feedback is welcome!
© 2003-2010 AERAsec Network Services and Security GmbH, last update 2003-11-01
back to http://www.vpn-1.de/aerasec/

Check Point VPN-1 NG

Gateway-to-Gateway IPsec with BinTec routers using a pre-shared secret

Contents

IPsec related configuration of a BinTec router

Configured peers:

Configuration of peer "Check Point NG":

Special settings of this peer:

Phase 1 (IKE-SA) settings of this peer:

Phase 2 (IPsec-SA) settings of this peer:

Traffic entry (also known as topology definition):

Special settings of this traffic entry:

IPsec related configuration of a Check Point VPN-1 NG AI

Setup of the gateway with BinTec router

General Properties

Topology

Configure Check Point VPN-1 object

General Properties

Topology

Setup VPN community

General

Participating Gateways

VPN properties

Advanced properties

Shared secret

VPN manager (result)

Successful log entries

IKE/IPsec Monitoring on a BinTec router

IKE monitoring (pre-shared secret)

IPsec monitoring