Check Point Firewall-1 NG(X)

VPN between Check Point Firewall-1 NG(X) and (Linux) Openswan (former FreeS/WAN)

Mode: Gateway-to-Gateway

Example based on following versions:

• Gateway 1: Check Point VPN-1 NGX R61 installed on Secure Platform Build 202 FP-2 running Linux kernel 2.4.21-21cp
• Gateway 2: Fedora Core 5 running kernel 2.6.17-1.2157_FC5 with Openswan openswan-2.4.4-1.1.2.1
  

Former example(s) based on following versions:

• Gateway 1: Check Point VPN-1 NG FP-2 installed on Red Hat Linux 7.2 running kernel 2.4.9-31
  • also tested: CP VPN-1 NG FP-3 installed on RHL 7.3 running kernel 2.4.9-34
• Gateway 2  (in Pre-Shared Secret mode): Red Hat Linux 6.2 running kernel 2.2.19-6.2.15 extended with FreeS/WAN 1.96 and openwall patch
• Gateway 2  (in Public Key Signatures mode): Red Hat Linux 7.3 running kernel 2.4.18-5 extended with FreeS/WAN 1.98b (including X.509 patch 0.9.13 and algorithm patch 0.8.0) and grsecurity patch 1.9.5
  • also tested: RHL 7.3 running kernel 2.4.18-17.7.x with X.509 patch 0.9.15 and algorithm patch 0.8.0 and grsecurity patch 1.9.7d

Content

•  Check Point VPN-1 setup (mixed)
•  Openswan setup using pre-shared secrets
•  Openswan setup using X.509 certificates
•  Additional notes for Linux and FreeS/WAN

Topology

Prework

Pre-Shared Secret:

• Think about a good secret string

Public Key Signatures:

• Because it's not possible at the moment to generate certificates for external servers by Check Point Management station itself you have to create an additional Certifite Authority (CA).
• Requirements from CA:
• X.509 certificate of CA in PEM format, named ca-cert.pem
• CRL of CA in PEM format, named ca-crl.pem
• X.509 certificate of FreeS/WAN host in PEM format, named here freeswan-cert.pem
•  RSA key of FreeS/WAN host in PEM format, named here freeswan-key.pem

Setup of Check Point Firewall-1 NG(X)

Create/modify objects: Networks behind gateways

That's easy, no screenshots should be required

Create/modify objects: Firewall itself

Check whether VPN-1 (Pro) is enabled

Older versions of Check Point Firewall-1 require a dedicated license for VPN-1.

Define topology and VPN domain

Define IKE properties

Pre-Shared Secret:

Public Key Signatures:

Create/modify objects: Linux as VPN partner

Linux gateway has to be created as "Interoperable Device"

Define topology and VPN domain

Import external OPSEC CA certificate (only needed for Public Key Signatures)

Import a CA certificate as type OPSEC from external, is needed for validating the certificate of a remote FreeS/WAN gateway
Note: disable all CRL retrieving options for this CA, if not available - otherwise related error messages will prevent the use of this CA.

Define IKE properties

Pre-Shared Secret:

Public Key Signatures:

The DN string is not similar to the one which can be native extracted using OpenSSL, it needs to be reversed, which can be done (if no '/' is specified in an entry) by executing:
$ openssl x509 -subject -noout -in mycert.pem | sed 's/subject= \///g' | sed 's/\//,/g' | awk -F, '{ for (i = NF; i > 1; i--) printf $i ","; printf $1 "\n" }'

Create/modify policy:

Switch to traditional mode

And create a new policy afterwards

Gateway-to-gateway rulesets

Network-to-network  rulesets

Properties of encryption

Install ruleset

That's easy, no screenshots should be required - good luck!

Logging (shared secret)

Log viewer should display following, after on Linux FreeS/WAN IPSec was restarted (use "fw log -tfln" to get log output on console):

14:30:18 accept  >eth0 product VPN-1 & FireWall-1 src 1.2.3.5 s_port IKE dst 1.2.3.4 service IKE proto udp rule 0

14:30:18 keyinst >daemon src 1.2.3.5 dst 1.2.3.4 peer gateway 1.2.3.5 scheme: IKE IKE: Main Mode completion. CookieI cd4facedc444d81c
 CookieR 399e1a8b6543e4c2 methods: 3DES + MD5, Pre shared secrets

14:30:18 keyinst >daemon src 1.2.3.5 dst 1.2.3.4 srckeyid 0xdb3ca7ba dstkeyid 0xd0932dbe peer gateway 1.2.3.5 scheme: IKE
 IKE: Quick Mode Sent Notification: Responder Lifetime CookieI cd4facedc444d81c CookieR 399e1a8b6543e4c2 msgid 39d92aae

14:30:18 keyinst >daemon src 1.2.3.5 dst 1.2.3.4 srckeyid 0xdb3ca7ba dstkeyid 0xd0932dbe peer gateway 1.2.3.5 scheme: IKE
 IKE: Quick Mode completion CookieI cd4facedc444d81c CookieR 399e1a8b6543e4c2 msgid 39d92aae methods: ESP: 3DES + MD5 IKE
 IDs: subnet: 172.16.1.0 (mask= 255.255.255.0) and subnet: 172.16.2.0 (mask= 255.255.255.0)

14:30:18 keyinst >daemon src 1.2.3.5 dst 1.2.3.4 srckeyid 0xdb3ca7bb dstkeyid 0xd0932dbf peer gateway 1.2.3.5 scheme: IKE
 IKE: Quick Mode Sent Notification: Responder Lifetime CookieI cd4facedc444d81c CookieR 399e1a8b6543e4c2 msgid 881b521b

14:30:18 keyinst >daemon src 1.2.3.5 dst 1.2.3.4 srckeyid 0xdb3ca7bb dstkeyid 0xd0932dbf peer gateway 1.2.3.5 scheme: IKE
 IKE: Quick Mode completion CookieI cd4facedc444d81c CookieR 399e1a8b6543e4c2 msgid 881b521b methods: ESP: 3DES + MD5 IKE
 IDs: host: 1.2.3.4 and host: 1.2.3.5

Logging (public key signatures)

16Apr2002 16:43:56 keyinst >daemon src 1.2.3.5 dst 1.2.3.4 peer gateway 1.2.3.5 scheme: IKE IKE: Main Mode completion.
 CookieI d06d13f95066ba08 CookieR fce7a3180b16f5bd methods: 3DES + MD5, RSA signatures

16Apr2002 16:43:56 keyinst >daemon src 1.2.3.5 dst 1.2.3.4 srckeyid 0x6c916c22 dstkeyid 0x2764eed3 peer gateway 1.2.3.5 scheme: IKE
 IKE: Quick Mode Sent Notification: Responder Lifetime CookieI d06d13f95066ba08 CookieR fce7a3180b16f5bd msgid 3fe711b6

16Apr2002 16:43:56 keyinst >daemon src 1.2.3.5 dst 1.2.3.4 srckeyid 0x6c916c22 dstkeyid 0x2764eed3 peer gateway 1.2.3.5 scheme: IKE
 IKE: Quick Mode completion CookieI d06d13f95066ba08 CookieR fce7a3180b16f5bd msgid 3fe711b6 methods: ESP: 3DES + MD5 IKE 
 IDs: host: 1.2.3.4 and host: 1.2.3.5

Setup of Linux Openswan in pre-shared secret mode

Define topology

Edit /etc/ipsec.conf or store a dedicated configuration file in /etc/ipsec.d/

## Gateway-to-gateway: Check Point <-> FreeS/WAN
conn checkpoint-freeswan
        type=tunnel
        # Left side is Check Point
        left=1.2.3.4
        # leftnexthop=
        # Right side is FreeS/WAN
        right=1.2.3.5
        # rightnexthop=
        keyexchange=ike
        auth=esp
        auto=start
        authby=secret        
        # Optional specify encryption/hash methods for phase 1 & 2
        #ike=aes256-sha1-modp2048
        #esp=aes256-sha1
        # Disable Perfect Forward Secrecy, if not working proper
        #pfs=no
        # Optional enable compression (if working)
        #compress=yes

conn net-checkpoint-net-freeswan
        type=tunnel
        left=1.2.3.4
        # leftnexthop=
        leftsubnet=172.16.1.0/24
        right=1.2.3.5
        # rightnexthop=
        rightsubnet=172.16.2.0/24
        keyexchange=ike
        auth=esp
        auto=start
        authby=secret
        # Optional specify encryption/hash methods for phase 1 & 2
        #ike=aes256-sha1-modp2048
        #esp=aes256-sha1
        # Disable Perfect Forward Secrecy, if not working proper
        #pfs=no
        # Optional enable compression (if working)
        #compress=yes

Create secrets

Edit /etc/ipsec.secrets

1.2.3.4   1.2.3.5:   "verysecret"

(Re-)start ipsec

Good luck!

# service ipsec restart

Logging

Mar 25 15:44:58 linux ipsec__plutorun: Starting Pluto subsystem...
Mar 25 15:44:58 linux Pluto[3160]: Starting Pluto (FreeS/WAN Version 1.96)
Mar 25 15:44:59 linux Pluto[3160]: added connection description "net-checkpoint-net-freeswan"
Mar 25 15:44:59 linux Pluto[3160]: added connection description "checkpoint-freeswan"
Mar 25 15:44:59 linux Pluto[3160]: listening for IKE messages
Mar 25 15:44:59 linux Pluto[3160]: adding interface ipsec0/eth0 1.2.3.5
Mar 25 15:44:59 linux Pluto[3160]: loading secrets from "/etc/ipsec.secrets"
Mar 25 15:44:59 linux Pluto[3160]: "net-checkpoint-net-freeswan" #1: initiating Main Mode
Mar 25 15:44:59 linux Pluto[3160]: "net-checkpoint-net-freeswan" #1: ISAKMP SA established
Mar 25 15:44:59 linux Pluto[3160]: "net-checkpoint-net-freeswan" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK
Mar 25 15:44:59 linux Pluto[3160]: "net-checkpoint-net-freeswan" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Mar 25 15:44:59 linux Pluto[3160]: "net-checkpoint-net-freeswan" #2: sent QI2, IPsec SA established
Mar 25 15:44:59 linux Pluto[3160]: "checkpoint-freeswan" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK
Mar 25 15:44:59 linux Pluto[3160]: "checkpoint-freeswan" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Mar 25 15:44:59 linux Pluto[3160]: "checkpoint-freeswan" #3: sent QI2, IPsec SA established

Setup of Linux Openswan in public key signature mode

Extract, convert and store certificates

Check Point VPN-1

• Export certificates of firewall object on the management server in PKCS7 format (note: the command option is not documented, but working, e.g. also "printcert")
• Before Since NG-FP3

• NG-FP3 and later (also NGX):
  # fwm exportcert -obj checkpoint -cert defaultCert -pem -withroot -file checkpoint-cert.pkcs7
  Note:
  Don't care about strange error messages on a management-only server, the specified file will be created regardless such messages:
   Unable to open '/dev/fw0': No such file or directory
   Failed to get interface list: No such file or directory
   cp_fw_stat: cannot get interface list: No such file or directory
   cp_get_active_policy_name: Failed to get Security Policy information
  
• Transfer certificates to Openswan host (e.g.by using a floppy disk or USB storage: )

Openswan: Check Point VPN-1 related

• Convert certificate file of firewall from PKCS7 to X.509 (results in a file containing the CA and the firewall certificate)
• # openssl pkcs7 -in checkpoint-cert.pkcs7 -print_certs >temp.pem
• Split the singe file into different ones, results in e.g. checkpoint-internal-ca.pem (CA certificate is first one in file) and checkpoint-cert.pem (firewall certificate is normally the second one in the file)
  • The header of the CA certificate is like:
    subject=/O=checkpoint.intranet.example.com..p9bkhs
    issuer= /O=checkpoint.intranet.example.com..p9bkhs
  • The header of the firewall certificate is like:
    subject=/O=checkpoint.intranet.example.com..p9bkhs/CN=rhl7 VPN Certificate
    issuer= /O=checkpoint.intranet.example.com..p9bkhs
• Copy the internal CA certificate to related Openswan directory
• # cp checkpoint-internal-ca.pem /etc/ipsec.d/cacerts/
• Copy the certificate of the module to related Openswan directory
• # cp checkpoint-cert.pem /etc/ipsec.d/certs/
• Extract RSA signature key out of the certificate for use in config (only for old FreeS/WAN needed)
• # fswcert --cert --left checkpoint-cert.pem
• Retrieving DER-encoded CRL from CheckPoint
• # wget http://checkpoint:18264/ICA_CRL1.crl
• Converting DER-encoded CRL to PEM-encoded and store it in related directory
• # openssl crl -in ICA_CRL1.crl -inform der -outform pem -out /etc/ipsec.d/crls/checkpoint.crl

Openswan: Openswan related

• Copy created CA certificate to related Openswan directory
• # cp ca-cert.pem /etc/ipsec.d/cacerts/
• Copy created CRL to related Openswan directory
• # cp ca-crl.pem /etc/ipsec.d/crls/
• Copy X.509 certificate of Openswan host to related Openswan directory
• # cp freeswan-cert.pem /etc/ipsec.d/certs
• Copy RSA key of Openswan host to related Openswan directory
• # cp freeswan-key.pem /etc/ipsec.d/private/
• Convert X.509 certificate of Openswan host into DER format and store it on expected place with expected name (because of historical issues, currently no PEM format can be used) (only needed for old FreeS/WAN)
• # openssl x509 -in freeswan-cert.pem -outform DER -out /etc/x509cert.der
• Extract subject of X.509 certificate of FreeS/WAN host, used  in config (only for old FreeS/WAN needed)
• # openssl x509 -in freeswan-cert.pem -noout -subject

Define topology like shown above

Edit /etc/ipsec.conf or store a dedicated configuration file in /etc/ipsec.d/

## Gateway-to-gateway: Check Point <-> FreeS/WAN X.509
conn freeswan-checkpoint-x509
        type=tunnel
        # Left side is Check Point
        left=1.2.3.4
        leftcert=checkpoint-cert.pem
        leftrsasigkey=0x0103......
        # leftid=  # !do not use for Check Point!
        # Right side is FreeS/WAN
        right=1.2.3.5
        rightid="/C=DE/ST=Bavaria/L=Hohenbrunn/O=AERAsec/OU=Lab/CN=Linux/Email=*******"
        # As an alternative, the file itself can be specified
        #rightcert=freeswan-cert.pem
        rightrsasigkey=%cert
        # rightnexthop=
        keyexchange=ike
        auth=esp
        pfs=no
        auto=start
        authby=rsasig

Note: for full functional network to network encryption all permutations have to be configured as topology, too:

conn freeswan-checkpoint-x509-net
        type=tunnel
        # Left side is Check Point
        left=1.2.3.4
        leftsubnet=net-behind-Check-Point
        # Right side is FreeS/WAN
        right=1.2.3.5
        ...

conn net-freeswan-checkpoint-x509
        type=tunnel
        # Left side is Check Point
        left=1.2.3.4
        # Right side is FreeS/WAN
        right=1.2.3.5
        rightsubnet=net-behind-FreeS/WAN
        ...

conn net-freeswan-checkpoint-x509-net
        type=tunnel
        # Left side is Check Point
        left=1.2.3.4
        leftsubnet=net-behind-Check-Point
        # Right side is FreeS/WAN
        right=1.2.3.5
        rightsubnet=net-behind-FreeS/WAN
        ...

Create secrets

Edit /etc/ipsec.secrets

# Define RSA key
: RSA /etc/ipsec.d/private/freeswan-key.pem "optional key passphrase here"

(Re-)start ipsec

Good luck!

# service ipsec restart

Logging

Apr 16 17:15:47 linux Pluto[4269]: Starting Pluto (FreeS/WAN Version 1.96)
Apr 16 17:15:47 linux Pluto[4269]:   including X.509 patch (Version 0.9.9)
Apr 16 17:15:47 linux Pluto[4269]: Changing to directory '/etc/ipsec.d/cacerts'
Apr 16 17:15:47 linux Pluto[4269]:   loaded cacert file 'checkpoint-internal-ca.pem' (730 bytes)
Apr 16 17:15:47 linux Pluto[4269]:   loaded cacert file 'ca-cert.pem' (1968 bytes)
Apr 16 17:15:47 linux Pluto[4269]: Changing to directory '/etc/ipsec.d/crls'
Apr 16 17:15:47 linux Pluto[4269]:   loaded crl file 'checkpoint.crl' (556 bytes)
Apr 16 17:15:47 linux Pluto[4269]:   loaded crl file 'ca-crl.pem' (772 bytes)
Apr 16 17:15:47 linux Pluto[4269]:   loaded my X.509 cert file '/etc/x509cert.der' (1428 bytes)
Apr 16 17:15:47 linux Pluto[4269]: added connection description "freeswan-checkpoint-x509"
Apr 16 17:15:47 linux Pluto[4269]: listening for IKE messages
Apr 16 17:15:47 linux Pluto[4269]: adding interface ipsec0/eth0 1.2.3.5
Apr 16 17:15:47 linux Pluto[4269]: loading secrets from "/etc/ipsec.secrets"
Apr 16 17:15:47 linux Pluto[4269]:   loaded private key file '/etc/ipsec.d/private/freeswan-key.pem' (1803 bytes)
Apr 16 17:15:48 linux Pluto[4269]: "freeswan-checkpoint-x509" #1: initiating Main Mode
Apr 16 17:15:48 linux Pluto[4269]: "freeswan-checkpoint-x509" #1: Peer ID is ID_IPV4_ADDR: '1.2.3.4'
Apr 16 17:15:48 linux Pluto[4269]: "freeswan-checkpoint-x509" #1: CRL signature is invalid
Apr 16 17:15:48 linux Pluto[4269]: "freeswan-checkpoint-x509" #1: CRL signature is invalid
Apr 16 17:15:48 linux Pluto[4269]: "freeswan-checkpoint-x509" #1: ISAKMP SA established
Apr 16 17:15:48 linux Pluto[4269]: "freeswan-checkpoint-x509" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL
Apr 16 17:15:48 linux Pluto[4269]: "freeswan-checkpoint-x509" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Apr 16 17:15:48 linux Pluto[4269]: "freeswan-checkpoint-x509" #2: sent QI2, IPsec SA established

Additional notes for Linux FreeS/WAN

• Hints for network-to-network VPN
• Exclude destination network from masquerading on Linux gateway