Check Point VPN-1 NG

Gateway-to-Gateway IPsec-VPN with BinTec routers


AERAsec Network Services and Security GmbH



Get IPsec license from BinTec

See their website (Service/Support - Online Services) for more.
Requirements:
After successful licensing you receive:

Install latest available IPsec firmware on a BinTec router

The latest firmware always contains more fixes (and sometimes more features, too) than earlier versions.
This test was done using:

Description                      Version          Filename
Bootmonitor                      6.2.8            bm6208.x1x
Logic                            6.0              lo0600.x1x
IPsec enabled system software    6.3.4 patch 4    s6304p04.x1x
How to upgrade the firmware is described in the manual.
Note: system software files starting with "b" are not IPsec enabled

Retrieve current version of running firmware

x1200:> swversion
biboAdmSWVersion( ro):  "V.6.3 Rev. 4 (Patch 8) IPSec V. 2.1.1 from 2003/10/02 00:00:00"
x1200:> show rev
Logik    :      V.2.1
Bootmon  :      V.6.1.2
Boss     :      V.6.3 Rev. 4 (Patch 8) IPSec V. 2.1.1 from 2003/10/02 00:00:00

Install and check IPsec license

Requirements:
To do:
  1. Log in via serial console or telnet
  2. Start the setup tool
  3. Go to the Licenses menu
  4. Select Add
  5. Fill in Serialnumber (included in the IPsec software package)
  6. Fill in Key (from the registration process above)
  7. Select Save
The result should look like the following.

X1200 Setup Tool                                    BinTec Access Networks GmbH
[LICENSE]: Licenses                                                       x1200
_______________________________________________________________________________

   Available Licenses:
     IP (builtin), IPSEC, CAPI


   Software License ID: X1B*******

   Serialnumber        Used for                  Description      State
   default             Software                  easy licensing   ok
   X1BIPS******        Software                  IPSEC            ok

     ADD                 DELETE              EXIT
_______________________________________________________________________________
Note 1: if State shows "not ok", then the filled-in Key wasn't the proper one.
Note 2: if State shows "unsupported", then the currently installed firmware doesn't support IPsec; see above how to solve this.

Non-IPsec related configuration of a BinTec router

This part is not within the scope of this document; you should already know how to set up the IP configuration on interfaces as well as a WAN partner (if required).

Support matrix of IKE/IPsec encryption and integrity methods between BinTec router and Check Point VPN-1.

IKE encryption methods

Method:                         DES      BLOWFISH  3DES     CAST       AES (Rijndael)  SERPENT  TWOFISH
Check Point VPN-1 NG AI         yes      no        yes      yes (128)  yes (256)       no       no
BinTec firmware 6.3.4 patch 4   yes      yes       yes      yes        yes (256)       no       yes
Result (AND'ed)                 working  no        working  working    working         no       no

IKE integrity methods

Method:                         MD5      SHA1     SHA2  Tiger192  RipeMD160
Check Point VPN-1 NG AI         yes      yes      no    no        no
BinTec firmware 6.3.4 patch 4   yes      yes      no    yes       yes
Result (AND'ed)                 working  working  no    no        no

IKE authentication methods

Method:                         Pre-Shared Secret  RSA Signatures  DSA Signatures  RSA Encryption
Check Point VPN-1 NG AI         yes                yes             no              no
BinTec firmware 6.3.4 patch 4   yes                yes             yes             yes
Result (AND'ed)                 working            working         no              no

IKE Diffie-Hellman Groups and Perfect Forward Secrecy

Diffie-Hellman Group:           768      1024     1536     2048  3072  4096  Perfect Forward Secrecy
Check Point VPN-1 NG AI         yes      yes      yes      no    no    no    yes
BinTec firmware 6.3.4 patch 4   yes      yes      yes      no    no    no    yes
Result (AND'ed)                 working  working  working  no    no    no    working

Payload encryption methods

Method:                         DES            BLOWFISH  3DES     CAST           AES (Rijndael)     SERPENT  TWOFISH  NULL
Check Point VPN-1 NG AI         yes (40,56)    no        yes      yes (40,128)   yes (128,256)      no       no       yes
BinTec firmware 6.3.4 patch 4   yes (56)       yes       yes      yes (128)      yes (128,256)      no       yes      yes
Result (AND'ed)                 working (128)  no        working  working (128)  working (128,256)  no       no       working

Payload integrity and compression methods

Method:                         MD5 (integrity)  SHA1 (integrity)  SHA2 (integrity)  DEFLATE (compression)
Check Point VPN-1 NG AI         yes              yes               no                yes
BinTec firmware 6.3.4 patch 4   yes              yes               no                yes
Result (AND'ed)                 working          working           no                working
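The "Result (AND'ed)" rows above can be derived mechanically from the two vendors' rows. The following Python is an added example, not code from this page, from BinTec or from Check Point: it transcribes the payload encryption and IKE integrity matrices, intersects them (deriving common key lengths by intersection, which yields 56 for DES), and picks a proposal using an assumed strongest-first preference order that is not on the page.

```python
# Added example (not code from the AERAsec page): builds the "Result (AND'ed)"
# rows of the support matrices above, including the common key lengths.
from typing import Dict, Optional, Set, Tuple

# A capability table maps a method to its listed key lengths. None means the
# method is supported at one fixed length (3DES, NULL, MD5, ...); a missing
# key means the peer does not support the method at all.
Caps = Dict[str, Optional[Set[int]]]

# Transcribed from the page's "Payload encryption methods" matrix.
CHECKPOINT_ESP: Caps = {"DES": {40, 56}, "3DES": None, "CAST": {40, 128},
                        "AES": {128, 256}, "NULL": None}
BINTEC_ESP: Caps = {"DES": {56}, "BLOWFISH": None, "3DES": None,
                    "CAST": {128}, "AES": {128, 256}, "TWOFISH": None,
                    "NULL": None}

# Transcribed from the page's "IKE integrity methods" matrix.
CHECKPOINT_IKE_HASH: Caps = {"MD5": None, "SHA1": None}
BINTEC_IKE_HASH: Caps = {"MD5": None, "SHA1": None, "Tiger192": None,
                         "RipeMD160": None}

# Assumed preference order, strongest first; this ordering is not on the page.
ESP_PREFERENCE = ("AES", "3DES", "CAST", "DES", "NULL")


def common_methods(a: Caps, b: Caps) -> Caps:
    """Return the methods both peers support. Where both sides list key
    lengths only the lengths present on both survive; a method whose
    lengths do not overlap is dropped even though both peers name it."""
    common: Caps = {}
    for method in sorted(a.keys() & b.keys()):
        if a[method] is None or b[method] is None:
            common[method] = a[method] if b[method] is None else b[method]
        else:
            lengths = a[method] & b[method]
            if lengths:
                common[method] = lengths
    return common


def strongest_common(common: Caps, preference: Tuple[str, ...] = ESP_PREFERENCE
                     ) -> Optional[Tuple[str, Optional[int]]]:
    """Pick the first preferred method both peers can use, together with
    its largest common key length (None for fixed-length methods)."""
    for method in preference:
        if method in common:
            lengths = common[method]
            return method, (max(lengths) if lengths else None)
    return None
```

Running common_methods on the two ESP tables reproduces the page's working/no pattern, and strongest_common picks AES with 256-bit keys for this pair.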

Debugging on a BinTec router

Packet sniffing

On the console you can use the trace command for packet sniffing.

Examples

Sniff all packets which a device (here: external Ethernet device en3-0) sees:
x1200:> trace -i en3-0
Sniff only traffic relating to this interface by using additional MAC address based filtering:
x1200:> trace -i -d 00:A0:F9:**:**:** -o -s 00:A0:F9:**:**:** en3-0

IKE

The BinTec router supports some IPsec related logging, but it has to be enabled first:
x1200:> ipsecglobals
...
ipsecGlobMaxSysLogLevel( rw):                  err
...
x1200:> ipsecGlobMaxSysLogLevel=debug
ipsecGlobMaxSysLogLevel( rw):        debug
x1200:> ipsecGlobContIkeLoggingLevel=6
00: ipsecGlobContIkeLoggingLevel( rw):        6

Debugging on a Check Point VPN-1 NG

Packet sniffing

Use tcpdump or fw monitor for packet sniffing.

IKE

IKE can be debugged as follows.
# vpn debug ikeon
# tail -f /opt/CPfw1-50-04/log/ike.elg

No warranty at all, your Feedback is welcome!
© 2003-2010 AERAsec Network Services and Security GmbH, last update 2003-11-06