Check Point Firewall-1 NG(X)

VPN between (Linux) Openswan (former FreeS/WAN) and Check Point Firewall-1 NG(X)

Mode: RoadWarrior-to-Gateway

Example based on following versions:

• Gateway: Check Point VPN-1 NGX R61 installed on Secure Platform Build 202 FP-2 running Linux kernel 2.4.21-21cp
• RoadWarrior: Fedora Core 5 running kernel 2.6.17-1.2157_FC5 with Openswan openswan-2.4.4-1.1.2.1
  

• Gateway: Check Point VPN-1 NG FP2 installed on Red Hat Linux 7.2 running kernel 2.4.9-34
• Also tested: VPN-1 NG FP3 installed on Hat Linux 7.3 running kernel 2.4.9-34
• RoadWarrior (in Public Key Signatures mode): Red Hat Linux 7.3 running kernel 2.4.18-10 extended with FreeS/WAN 1.98b (including X.509 patch 0.9.14 and algorithm patch 0.8.0) and grsecurity patch 1.9.5
• Also tested: kernel 2.4.18-18.7.x with FreeS/WAN 1.99 (including X.509 patch 0.9.15 and algo patch 0.8.1rc2) and Openwall patch

Content

•  Check Point VPN-1 NG(X) setup for Openswan RoadWarrior
•  Openswan RoadWarrior setup using X.509 certificates

Topology

Prework

Pre-Shared Secret:

• RoadWarrior configuration cannot work with preshared secret because it's currently unknown, how the id of Openswan must be configured to be accepted by VPN-1's user management (still under investigation).

Public Key Signatures:

• Can be created by using the internal CA of Check Point VPN-1 Management

RoadWarrior setup of Check Point VPN-1 NG(X)

Create/modify user

Create a new user, enable IKE and logging

Define authentication,  integrity and encryption methods

Generate certificate

You have to specify an export password for the PKCS#12 container (private and public key of user) which will be saved on floppy disk.

Create/modify objects: Networks behind gateways

That's easy, no screenshots should be required

Create/modify objects: Firewall itself

Check whether VPN-1 Pro is enabled

Older versions of Check Point Firewall-1 require a dedicated license for VPN-1.

Define topology and VPN domain

Define IKE properties

Create/modify objects: Linux as VPN partner

Create/modify policy:

Switch to traditional mode

And create a new policy afterwards

RoadWarrior-to-gateway rulesets

Properties of encryption

Properties of encryption are defined per user.

Install ruleset

That's easy, no screenshots should be required - good luck!

Logging

17:02:17 authcrypt 1.2.3.4 >daemon src: 1.2.3.5; user: CN=freeswan,OU=users,O=checkpoint.lab.aerasec.de..ab12cd; rule: 0;
 reason: Client Encryption: Authenticated by RSA Signature; scheme: IKE; methods: 3DES,IKE,MD5; product: VPN-1 & FireWall-1;

17:02:17 keyinst 1.2.3.4 >daemon src: 1.2.3.5; dst: 1.2.3.4; peer gateway: 1.2.3.5; scheme: IKE;
 IKE: Main Mode completion.; CookieI: ebc3ad7a4bc1ab2f; CookieR: 79893021bf296e4f; methods: 3DES + MD5, RSA signatures;
 user: CN=freeswan,OU=users,O=checkpoint.lab.aerasec.de..ab12cd;  product: VPN-1 & FireWall-1;

17:02:17 keyinst 1.2.3.4 >daemon src: 1.2.3.5; dst: 1.2.3.4; srckeyid: 0x26cbc41e; dstkeyid: 0x81f632fd;
 peer gateway: 1.2.3.5; scheme: IKE; IKE: Quick Mode Sent Notification: Responder Lifetime; CookieI: ebc3ad7a4bc1ab2f;
 CookieR: 79893021bf296e4f; msgid: df786c92; user: CN=checkpoint.lab.aerasec.de..ab12cd;  product: VPN-1 & FireWall-1;

17:02:17 keyinst 1.2.3.4 >daemon src: 1.2.3.5; dst: 1.2.3.4; srckeyid: 0x26cbc41e; dstkeyid: 0x81f632fd;
 peer gateway: 1.2.3.5; scheme: IKE; IKE: Quick Mode completion; CookieI: ebc3ad7a4bc1ab2f;
 CookieR: 79893021bf296e4f; msgid: df786c92; methods: ESP: 3DES + SHA1 + PFS; IKE IDs: host: 1.2.3.4 and host: 1.2.3.5;
 user: CN=freeswan,OU=users,O=checkpoint.lab.aerasec.de..ab12cd;  product: VPN-1 & FireWall-1;

17:02:17 keyinst 1.2.3.4 >daemon src: 1.2.3.5; dst: 1.2.3.4; srckeyid: 0x26cbc41f; dstkeyid: 0x81f632ff;
 peer gateway: 1.2.3.5; scheme: IKE; IKE: Quick Mode Sent Notification: Responder Lifetime; CookieI: ebc3ad7a4bc1ab2f;
 CookieR: 79893021bf296e4f; msgid: e5e7879f; user: CN=freeswan,OU=users,O=checkpoint.lab.aerasec.de..ab12cd;  product: VPN-1 & FireWall-1;

17:02:17 keyinst 1.2.3.4 >daemon src: 1.2.3.5; dst: 1.2.3.4; srckeyid: 0x26cbc41f; dstkeyid: 0x81f632ff;
 peer gateway: 1.2.3.5; scheme: IKE; IKE: Quick Mode completion; CookieI: ebc3ad7a4bc1ab2f;
 CookieR: 79893021bf296e4f; msgid: e5e7879f; methods: ESP: 3DES + SHA1 + PFS;
 IKE IDs: subnet: 172.16.1.0 (mask= 255.255.255.0) and host: 1.2.3.5; user: CN=freeswan,OU=users,O=checkpoint.lab.aerasec.de..ab12cd;
 product: VPN-1 & FireWall-1;

RoadWarrior setup of Linux Openswan (public key signature mode)

Extract, convert and store certificates

Check Point

• Export certificates of firewall object in PKCS#7 format (note: the command option is not documented, but working, also e.g. "printcert")
• # fwm exportcert -obj checkpoint -cert defaultCert -pem -withroot -file checkpoint-cert.pkcs7
• Transfer certificates to Openswan host (e.g.by using a floppy disk or USB storage)

Openswan: Check Point VPN-1 gateway related

• Convert certificates of firewall from PKCS#7 to X.509 (results in a file containing the CA and the firewall certificate)
• # openssl pkcs7 -in checkpoint-cert.pkcs7 -print_certs >temp.pem
• Split the singe file into different ones, results in e.g. checkpoint-internal-ca.pem (CA certificate is first one in file) and checkpoint-cert.pem (firewall certificate is normally the second one in the file)
• The header of the  CA certificate is like:
  subject=/O=checkpoint.intranet.example.com..p9bkhs
  issuer= /O=checkpoint.intranet.example.com..p9bkhs
• The header of the firewall certificate is like:
  subject=/O=checkpoint.intranet.example.com..p9bkhs/CN=rhl7 VPN Certificate
  issuer= /O=checkpoint.intranet.example.com..p9bkhs
• Copy the internal CA certificate to related Openswan directory
• # cp checkpoint-internal-ca.pem /etc/ipsec.d/cacerts/
• Extract RSA signature key out of the certificate for use in config (only for old FreeS/WAN needed)
• # fswcert --cert --left checkpoint-cert.pem
• Retrieving DER-encoded CRL from CheckPoint
• # wget http://checkpoint:18264/ICA_CRL1.crl
• Converting DER-encoded CRL to PEM-encoded and store it in related directory
• # openssl crl -in ICA_CRL1.crl -inform DER -outform PEM -out /etc/ipsec.d/crls/checkpoint.crl

Openswan: Check Point VPN-1 user related

• Extract private key of user PKCS#12, you have to specify first the import password (remember: given in GUI) and an export password
• # openssl pkcs12 -in freeswan.p12 -nocerts -out /etc/ipsec.d/private/freeswan-key.pem
• Extract certificates of user from PKCS#12 to X.509 (results in a file containing the CA and the user certificate)
• # openssl pkcs12 -in freeswan.p12 -nokeys -out temp2.pem
• Split singe file into different ones, results in e.g. checkpoint-internal-ca.pem (CA certificate is first one in file) and freeswan-cert.pem (user certificate is normally the second one in file)
• The header part of the CA certificate is like:
  subject=/O=checkpoint.intranet.example.com..p9bkhs
  issuer= /O=checkpoint.intranet.example.com..p9bkhs
  
• The header of the user certificate is like:
  subject=/O=checkpoint.intranet.example.com..p9bkhs/OU=users/CN=freeswan
  issuer=/O=checkpoint.intranet.example.com..p9bkhs
• Copy user X.509 certificate to related Openswan directory
• # cp freeswan-cert.pem /etc/ipsec.d/certs
• Convert X.509 certificate of FreeS/WAN host into DER format and store it on expected place with expected name (because of historical issues, currently no PEM format can be used) (only needed for old FreeS/WAN)
• # openssl x509 -in freeswan-cert.pem -outform DER -out /etc/x509cert.der
• Extract subject of X.509 certificate of FreeS/WAN host, used  in config
• # openssl x509 -in freeswan-cert.pem -noout -subject

Define topology like shown above

Edit /etc/ipsec.conf

## RoadWarrior to Gateway: FreeS/WAN X.509 <-> Check Point
conn freeswan-checkpoint-x509
        # Right side is FreeS/WAN RoadWarrior
        right=%defaultroute
        rightrsasigkey=%cert
        rightid="/O=checkpoint.lab.aerasec.de..ab12cd/OU=users/CN=freeswan"
        #rightcert=freeswan-cert.pem # As an alternative, the file itself can be specified
        # Left side is Check Point
        left=1.2.3.4
        leftcert=checkpoint-cert.pem
        leftrsasigkey=%cert
        #leftrsasigkey=0x0103......  # only needed for old FreeS/WAN
        leftid=1.2.3.4               # Check Point VPN-1 send IP address as ID
        #leftid=                     # leave unset for old FreeS/WAN
        # config
        type=tunnel
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        auth=esp
        keyexchange=ike
        auto=start

## RoadWarrior to Net behind Gateway: FreeS/WAN X.509 <-> Check Point - Net
conn freeswan-checkpoint-x509-net
        # Right side is FreeS/WAN RoadWarrior
        rightrsasigkey=%cert
        right=%defaultroute
        rightid="/O=checkpoint.lab.aerasec.de..ab12cd/OU=users/CN=freeswan"
        #rightcert=freeswan-cert.pem # As an alternative, the file itself can be specified
        # Left side is Check Point
        left=1.2.3.4
        leftsubnet=172.16.1.0/24
        leftcert=checkpoint-cert.pem
        leftrsasigkey=%cert
        #leftrsasigkey=0x0103......  # only needed for old FreeS/WAN
        leftid=1.2.3.4               # Check Point VPN-1 send IP address as ID
        #leftid=                     # leave unset for old FreeS/WAN
        # config
        type=tunnel
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        auth=esp
        keyexchange=ike
        auto=start

Create secrets

Edit /etc/ipsec.secrets

# Define RSA key
: RSA /etc/ipsec.d/private/freeswan-key.pem "key passphrase here"

(Re-)start ipsec

Good luck!

# service ipsec restart

Logging

Sep 10 16:53:45 linux pluto[3777]: Starting Pluto (FreeS/WAN Version 1.98b)
Sep 10 16:53:45 linux pluto[3777]:   including X.509 patch (Version 0.9.14)
Sep 10 16:53:45 linux pluto[3777]: ike_alg_register_enc: Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep 10 16:53:45 linux pluto[3777]: ike_alg_register_enc: Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Sep 10 16:53:46 linux pluto[3777]: ike_alg_register_enc: Activating OAKLEY_CAST_CBC: Ok (ret=0)
Sep 10 16:53:46 linux pluto[3777]: ike_alg_register_enc: Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Sep 10 16:53:46 linux pluto[3777]: ike_alg_register_hash: Activating OAKLEY_SHA2_256: Ok (ret=0)
Sep 10 16:53:46 linux pluto[3777]: ike_alg_register_hash: Activating OAKLEY_SHA2_512: Ok (ret=0)
Sep 10 16:53:46 linux pluto[3777]: ike_alg_register_enc: Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Sep 10 16:53:46 linux pluto[3777]: ike_alg_register_enc: Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
Sep 10 16:53:46 linux pluto[3777]: Changing to directory '/etc/ipsec.d/cacerts'
Sep 10 16:53:46 linux pluto[3777]:   loaded cacert file 'checkpoint-internal-ca.pem' (1149 bytes)
Sep 10 16:53:46 linux pluto[3777]: Changing to directory '/etc/ipsec.d/crls'
Sep 10 16:53:46 linux pluto[3777]:   loaded crl file 'checkpoint.crl' (556 bytes)
Sep 10 16:53:46 linux pluto[3777]:   loaded my default X.509 cert file '/etc/x509cert.der' (782 bytes)
Sep 10 16:53:46 linux pluto[3777]: listening for IKE messages
Sep 10 16:53:46 linux pluto[3777]: adding interface ipsec0/eth0 1.2.3.5
Sep 10 16:53:46 linux pluto[3777]: loading secrets from "/etc/ipsec.secrets"
Sep 10 16:53:46 linux pluto[3777]:   loaded private key file '/etc/ipsec.d/private/freeswan-key.pem' (1102 bytes)

Sep 10 16:55:24 linux pluto[3777]: | from whack: got --esp=3des
Sep 10 16:55:24 linux pluto[3777]: | from whack: got --ike=3des
Sep 10 16:55:24 linux pluto[3777]: added connection description "freeswan-checkpoint-x509"
Sep 10 16:55:28 linux pluto[3777]: | from whack: got --esp=3des
Sep 10 16:55:28 linux pluto[3777]: | from whack: got --ike=3des
Sep 10 16:55:28 linux pluto[3777]: added connection description "freeswan-checkpoint-x509-net"

Sep 10 16:56:07 linux pluto[3777]: "freeswan-checkpoint-x509" #3: initiating Main Mode
Sep 10 16:56:07 linux pluto[3777]: "freeswan-checkpoint-x509" #3: Peer ID is ID_IPV4_ADDR: '1.2.3.4'
Sep 10 16:56:07 linux pluto[3777]: "freeswan-checkpoint-x509" #3: Issuer CRL not found
Sep 10 16:56:07 linux pluto[3777]: "freeswan-checkpoint-x509" #3: Issuer CRL not found
Sep 10 16:56:07 linux pluto[3777]: "freeswan-checkpoint-x509" #3: ISAKMP SA established
Sep 10 16:56:07 linux pluto[3777]: "freeswan-checkpoint-x509" #4: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS
Sep 10 16:56:07 linux pluto[3777]: "freeswan-checkpoint-x509" #4: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Sep 10 16:56:07 linux pluto[3777]: "freeswan-checkpoint-x509" #4: sent QI2, IPsec SA established

Sep 10 16:57:01 linux pluto[3777]: "freeswan-checkpoint-x509-net" #5: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS
Sep 10 16:57:01 linux pluto[3777]: "freeswan-checkpoint-x509-net" #5: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Sep 10 16:57:01 linux pluto[3777]: "freeswan-checkpoint-x509-net" #5: sent QI2, IPsec SA established