Check Point Firewall-1 NG(X)

VPN between Check Point Firewall-1 NG(X) and Linux 2.6.x using IKE daemon racoon

Mode: Gateway-to-Gateway


AERAsec Network Services and Security GmbH



See introduction page for more.

Example based on the following versions:

Former example(s) based on the following versions:


Content


Topology


Prework

Pre-Shared Secret:


Setup of Check Point VPN-1 NG(X)

Note that some screenshots are still from NG, but the NGX ones are very similar.

Create/modify objects: Networks behind gateways

That's easy, no screenshots should be required

Create/modify objects: Firewall itself

Check for VPN is enabled

Of course VPN must be licensed ;-)

Define topology and VPN domain


Create/modify objects: Linux as VPN partner

The Linux gateway has to be created as an "Interoperable Device".


Define topology and VPN domain


Setup VPN community

Define partners for community


Define IKE and IPsec encryption and hash methods



Define IKE and IPsec renegotiation times and the Diffie-Hellman group for IKE

Optionally enable Perfect Forward Secrecy (select the proper Diffie-Hellman group) and compression. Whatever is selected here must be mirrored in the racoon configuration on the Linux side, otherwise phase 2 fails.

Define shared secret for the Linux gateway



Create/modify policy:

This example shows a policy in simplified mode, containing rules for gateway-to-gateway and network-to-network connectivity.

Install ruleset

That's easy, no screenshots should be required - good luck!

Logging (shared secret)

The log viewer should display the following after the policy on the Linux racoon side was installed, racoon was started and a ping to the VPN-1 external address was executed (use "fw log -tfln" to get the log output on the console; each record is one line, wrapped here only for readability):

18Mar2004 15:32:02 keyinst 1.2.3.4 >daemon src: 1.2.3.5; dst: 1.2.3.4; peer gateway: 1.2.3.5; scheme: IKE; IKE: Main Mode completion.; CookieI: 7db8aec56a6ad625; CookieR: c456acc87d064a9e; methods: 3DES + MD5, Pre shared secrets; community: MyIntranet; product: VPN-1 & FireWall-1;

18Mar2004 15:32:02 keyinst 1.2.3.4 >daemon src: 1.2.3.5; dst: 1.2.3.4; peer gateway: 1.2.3.5; scheme: IKE; IKE: Informational Exchange Received Notification from Peer: Initial Contact (phase1); msgid: b0d43bcb; community: MyIntranet; product: VPN-1 & FireWall-1;

18Mar2004 15:32:04 keyinst 1.2.3.4 >daemon src: 1.2.3.5; dst: 1.2.3.4; srckeyid: 0x085653eb; dstkeyid: 0x95651dfd; peer gateway: 1.2.3.5; scheme: IKE; IKE: Quick Mode completion; CookieI: 7db8aec56a6ad625; CookieR: c456acc87d064a9e; msgid: b334e506; methods: ESP: 3DES + MD5; IKE IDs: host: 1.2.3.4 and host: 1.2.3.5; community: MyIntranet; product: VPN-1 & FireWall-1;

18Mar2004 15:32:15 decrypt 1.2.3.4 >eth0 product: VPN-1 & FireWall-1; ICMP: Echo Request; src: 1.2.3.5; dst: 1.2.3.4; proto: icmp; ICMP Type: 8; ICMP Code: 0; rule: 1; scheme: IKE; srckeyid: 0x95651dfd; methods: ESP: 3DES + MD5 + PFS; peer gateway: 1.2.3.5; community: MyIntranet;


Setup of (Linux) racoon in pre-shared secret mode

IPsec on Linux kernel 2.6.x is split into two parts: the IPsec SA/SP database, maintained with setkey, and the IKE daemon racoon.
Unlike Openswan (formerly FreeS/WAN), the configuration files for racoon and for setkey currently have to be maintained separately, although they contain related information (the same networks and gateway addresses must appear in both, and a mismatch shows up only as a failed phase 2).
Note also that the current RPM package of ipsec-tools contains no init script for the IKE daemon racoon.

Define topology information for the IPsec SA/SP database

Current best practice is to create a dedicated script containing the security policy entries (one "out" and one "in" entry per selector pair, each referencing the tunnel endpoints):

Edit/create /etc/racoon/setkey.sh

#!/sbin/setkey -f
flush;
spdflush;

# Linux-racoon -> CP VPN-1
spdadd 172.16.2.0/24 172.16.1.0/24 any -P out ipsec esp/tunnel/1.2.3.5-1.2.3.4/require;
spdadd 1.2.3.5 1.2.3.4 any -P out ipsec esp/tunnel/1.2.3.5-1.2.3.4/require;

# CP VPN-1 > Linux-racoon
spdadd 172.16.1.0/24 172.16.2.0/24 any -P in ipsec esp/tunnel/1.2.3.4-1.2.3.5/require;
spdadd 1.2.3.4 1.2.3.5 any -P in ipsec esp/tunnel/1.2.3.4-1.2.3.5/require;

Usage of /etc/racoon/setkey.sh

Define parameters for racoon

Edit/create /etc/racoon/racoon.conf

# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

# CP VPN-1 (phase 1 / IKE): must match the IKE settings of the community
remote 1.2.3.4
{
	exchange_mode main;
	lifetime time 24 hour;

	proposal {
		encryption_algorithm 3des;
		hash_algorithm md5;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

# Phase 2 / IPsec: one sainfo block per direction and per SPD entry, matching
# the IPsec settings of the community. compression_algorithm deflate requires
# compression to be enabled in the community; if PFS is enabled there, add
# "pfs_group 2;" (the Diffie-Hellman group selected in the community) to each
# sainfo block.

# net-to-net
sainfo address 172.16.2.0/24 any address 172.16.1.0/24 any
{
	lifetime time 1 hour;
	encryption_algorithm 3des;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate;
}

sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any
{
	lifetime time 1 hour;
	encryption_algorithm 3des;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate;
}

# gateway-to-gateway
sainfo address 1.2.3.5 any address 1.2.3.4 any
{
	lifetime time 1 hour;
	encryption_algorithm 3des;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate;
}

sainfo address 1.2.3.4 any address 1.2.3.5 any
{
	lifetime time 1 hour;
	encryption_algorithm 3des;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate;
}
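Because the setkey script and racoon.conf carry the same addresses and must stay in sync, the following added example (not part of the original page, and not an AERAsec or ipsec-tools script) generates both files from a single set of variables and checks that every spdadd selector pair has a matching sainfo block. The addresses and algorithms are the page's example values; the function names, the PFS_GROUP switch and the "show" usage argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: generate /etc/racoon/setkey.sh and racoon.conf from ONE set
# of variables so the two files cannot drift apart. Values are the page's
# example topology; function names are this example's own.

LOCAL_GW="1.2.3.5"         # Linux racoon, external address
REMOTE_GW="1.2.3.4"        # Check Point VPN-1, external address
LOCAL_NET="172.16.2.0/24"  # network behind Linux
REMOTE_NET="172.16.1.0/24" # network behind Check Point

# Algorithms as on the page (3DES/MD5/DH group 2 are legacy choices today);
# they must match the community settings on the Check Point side.
P1_ENC="3des"; P1_HASH="md5"; P1_DH="2"; P1_LIFE="24 hour"
P2_ENC="3des"; P2_AUTH="hmac_md5"; P2_LIFE="1 hour"
PFS_GROUP=""               # set to "2" if PFS is enabled in the community

# One SPD entry: $1 -> $2 selectors, $3 is "out" or "in".
# "out" tunnels local->remote, "in" tunnels remote->local.
spd_entry() {
    if [ "$3" = out ]; then
        printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$1" "$2" "$LOCAL_GW" "$REMOTE_GW"
    else
        printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' "$1" "$2" "$REMOTE_GW" "$LOCAL_GW"
    fi
}

# Text of the setkey script (what /etc/racoon/setkey.sh should contain)
gen_setkey() {
    printf '#!/sbin/setkey -f\nflush;\nspdflush;\n\n'
    printf '# Linux-racoon -> CP VPN-1\n'
    spd_entry "$LOCAL_NET" "$REMOTE_NET" out
    spd_entry "$LOCAL_GW" "$REMOTE_GW" out
    printf '\n# CP VPN-1 -> Linux-racoon\n'
    spd_entry "$REMOTE_NET" "$LOCAL_NET" in
    spd_entry "$REMOTE_GW" "$LOCAL_GW" in
}

# One sainfo block for selectors $1 -> $2 (pfs_group only when PFS is on)
sainfo_block() {
    printf 'sainfo address %s any address %s any\n{\n' "$1" "$2"
    if [ -n "$PFS_GROUP" ]; then printf '\tpfs_group %s;\n' "$PFS_GROUP"; fi
    printf '\tlifetime time %s;\n\tencryption_algorithm %s;\n' "$P2_LIFE" "$P2_ENC"
    printf '\tauthentication_algorithm %s;\n\tcompression_algorithm deflate;\n}\n\n' "$P2_AUTH"
}

# Text of racoon.conf: phase 1 for the peer, then one sainfo per SPD entry
gen_racoon_conf() {
    printf 'path pre_shared_key "/etc/racoon/psk.txt";\n\n'
    printf 'remote %s\n{\n\texchange_mode main;\n\tlifetime time %s;\n\tproposal {\n' "$REMOTE_GW" "$P1_LIFE"
    printf '\t\tencryption_algorithm %s;\n\t\thash_algorithm %s;\n' "$P1_ENC" "$P1_HASH"
    printf '\t\tauthentication_method pre_shared_key;\n\t\tdh_group %s;\n\t}\n}\n\n' "$P1_DH"
    sainfo_block "$LOCAL_NET" "$REMOTE_NET"
    sainfo_block "$REMOTE_NET" "$LOCAL_NET"
    sainfo_block "$LOCAL_GW" "$REMOTE_GW"
    sainfo_block "$REMOTE_GW" "$LOCAL_GW"
}

# Consistency check: every spdadd src/dst pair needs a sainfo with the same
# selectors, otherwise racoon has no phase 2 parameters for that SPD entry.
check_consistency() {
    conf=$(gen_racoon_conf)
    missing=0
    for pair in $(gen_setkey | awk '/^spdadd/ { print $2 "," $3 }'); do
        src=${pair%,*}; dst=${pair#*,}
        printf '%s\n' "$conf" | grep -qF "sainfo address $src any address $dst any" \
            || missing=$((missing + 1))
    done
    [ "$missing" -eq 0 ]
}

# Usage: ./gen-ipsec.sh show   (prints both files; redirect to the real paths
# only after check_consistency succeeds)
case "${1:-}" in
    show) check_consistency && gen_setkey && echo '--- racoon.conf ---' && gen_racoon_conf ;;
esac
```

The generated text is identical to the two hand-written files above; the point is that a changed network or gateway address is edited once and both outputs follow, and check_consistency catches a selector pair present in the SPD but missing from racoon.conf.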

Configure the shared secret

Edit /etc/racoon/psk.txt (the key is looked up by the peer's IP address; the file must be owned by root and readable by root only, e.g. chmod 600, as racoon rejects a key file that is readable by group or others)

1.2.3.4		verysecret

Setup IPsec SA/SP database

Execute the created shell script:
# /etc/racoon/setkey.sh
No errors should be reported; otherwise fix them first. "setkey -DP" shows the installed policies, "setkey -D" the (still empty) SA database.

Start IKE daemon racoon

For the first run it is better to start the IKE daemon racoon in the foreground with debugging enabled:
# racoon -F -d

Logging

racoon logs with facility LOG_DAEMON to syslog (each record is one line; the wrapped lines below were rejoined):
Mar 18 17:31:03 rhel3es racoon: 2004-03-18 17:31:03: INFO: main.c:174:main(): @(#)racoon - IPsec-tools 0.2.3
Mar 18 17:31:03 rhel3es racoon: 2004-03-18 17:31:03: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
Mar 18 17:31:03 rhel3es racoon: 2004-03-18 17:31:03: INFO: isakmp.c:1375:isakmp_open(): 172.16.2.1[500] used as isakmp port (fd=6)
Mar 18 17:31:03 rhel3es racoon: 2004-03-18 17:31:03: INFO: isakmp.c:1375:isakmp_open(): 1.2.3.5[500] used as isakmp port (fd=7)
Mar 18 17:31:03 rhel3es racoon: 2004-03-18 17:31:03: INFO: isakmp.c:1375:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=8)
Mar 18 17:32:00 rhel3es racoon: 2004-03-18 17:32:00: INFO: isakmp.c:1701:isakmp_post_acquire(): IPsec-SA request for 1.2.3.4 queued due to no phase1 found.
Mar 18 17:32:00 rhel3es racoon: 2004-03-18 17:32:00: INFO: isakmp.c:795:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 1.2.3.5[500]<=>1.2.3.4[500]
Mar 18 17:32:00 rhel3es racoon: 2004-03-18 17:32:00: INFO: isakmp.c:800:isakmp_ph1begin_i(): begin Identity Protection mode.
Mar 18 17:32:00 rhel3es racoon: 2004-03-18 17:32:00: INFO: isakmp.c:2431:log_ph1established(): ISAKMP-SA established 1.2.3.5[500]-1.2.3.4[500] spi:fe9189432afcc908:36040bb93eb2b722
Mar 18 17:32:01 rhel3es racoon: 2004-03-18 17:32:01: INFO: isakmp.c:939:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 1.2.3.5[0]<=>1.2.3.4[0]
Mar 18 17:32:01 rhel3es racoon: 2004-03-18 17:32:01: INFO: pfkey.c:1127:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 1.2.3.5->1.2.3.4 spi=86571867(0x528fb5b)
Mar 18 17:32:01 rhel3es racoon: 2004-03-18 17:32:01: INFO: pfkey.c:1348:pk_recvadd(): IPsec-SA established: ESP/Tunnel 1.2.3.5->1.2.3.4 spi=874848334(0x3425204e)
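The two log excerpts on this page (the Check Point "fw log" records above and the racoon syslog lines just shown) are what a working tunnel looks like; the following added example (not part of the original page, not an AERAsec, Check Point or ipsec-tools tool) turns that into a check: it reads racoon's syslog lines and reports whether phase 1 and phase 2 came up for a given peer, lists the IPsec SPIs, and extracts the "methods:" field from the Check Point records, flagging DES/3DES/MD5 as legacy. The sample lines are the page's own, embedded here as constructed input so the script runs offline; the function names and the "status" usage argument are this example's assumptions.

```shell
#!/bin/sh
# Added example: tunnel-state and method checks over the page's log lines.
# Function names are this example's own; log samples are copied from the page.

# Constructed sample: racoon syslog lines from the page (wrapped lines rejoined)
RACOON_LOG='Mar 18 17:32:00 rhel3es racoon: 2004-03-18 17:32:00: INFO: isakmp.c:1701:isakmp_post_acquire(): IPsec-SA request for 1.2.3.4 queued due to no phase1 found.
Mar 18 17:32:00 rhel3es racoon: 2004-03-18 17:32:00: INFO: isakmp.c:2431:log_ph1established(): ISAKMP-SA established 1.2.3.5[500]-1.2.3.4[500] spi:fe9189432afcc908:36040bb93eb2b722
Mar 18 17:32:01 rhel3es racoon: 2004-03-18 17:32:01: INFO: pfkey.c:1127:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 1.2.3.5->1.2.3.4 spi=86571867(0x528fb5b)
Mar 18 17:32:01 rhel3es racoon: 2004-03-18 17:32:01: INFO: pfkey.c:1348:pk_recvadd(): IPsec-SA established: ESP/Tunnel 1.2.3.5->1.2.3.4 spi=874848334(0x3425204e)'

# Constructed sample: two "fw log -tfln" records from the page (one line each)
CP_LOG='18Mar2004 15:32:02 keyinst 1.2.3.4 >daemon src: 1.2.3.5; dst: 1.2.3.4; peer gateway: 1.2.3.5; scheme: IKE; IKE: Main Mode completion.; CookieI: 7db8aec56a6ad625; CookieR: c456acc87d064a9e; methods: 3DES + MD5, Pre shared secrets; community: MyIntranet; product: VPN-1 & FireWall-1;
18Mar2004 15:32:15 decrypt 1.2.3.4 >eth0 product: VPN-1 & FireWall-1; ICMP: Echo Request; src: 1.2.3.5; dst: 1.2.3.4; proto: icmp; ICMP Type: 8; ICMP Code: 0; rule: 1; scheme: IKE; srckeyid: 0x95651dfd; methods: ESP: 3DES + MD5 + PFS; peer gateway: 1.2.3.5; community: MyIntranet;'

# tunnel_state PEER  (racoon log on stdin)
# Prints "up" when an ISAKMP-SA with PEER and at least one IPsec-SA to or from
# PEER were established, "phase1-only" when only the ISAKMP-SA exists, else "down".
tunnel_state() {
    peer="$1"
    pe=$(printf '%s' "$peer" | sed 's/\./\\./g')   # escape dots for the regexes
    log=$(cat)
    if printf '%s\n' "$log" | grep -q "ISAKMP-SA established .*-$pe\[500\]"; then
        if printf '%s\n' "$log" | grep -Eq "IPsec-SA established: .*(->$pe |$pe->)"; then
            echo up
        else
            echo phase1-only
        fi
    else
        echo down
    fi
}

# ipsec_spis  (racoon log on stdin): one hex SPI per established IPsec-SA
ipsec_spis() {
    sed -n 's/.*IPsec-SA established: .*spi=[0-9]*(\(0x[0-9a-f]*\)).*/\1/p'
}

# cp_methods  (fw log records on stdin): the "methods:" field of each record
cp_methods() {
    sed -n 's/.*methods: \([^;]*\);.*/\1/p'
}

# legacy_methods  (fw log records on stdin): prints every methods field that
# negotiated DES, 3DES or MD5; returns 1 if any were found, 0 otherwise
legacy_methods() {
    found=$(cp_methods | grep -E '(^|[^3])DES|3DES|MD5' || true)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Usage: tail -200 /var/log/messages | ./ike-check.sh status 1.2.3.4
#        fw log -tfln | ./ike-check.sh methods
case "${1:-}" in
    status)  tunnel_state "$2"; ipsec_spis ;;
    methods) legacy_methods || echo 'legacy IKE/IPsec methods in use' ;;
esac
```

On the page's own logs the result is "up" with two SPIs, and the Check Point records are flagged because 3DES + MD5 was negotiated: that is what the 2004 configuration on this page asks for, so the flag is a reminder to raise the community and racoon proposals in step, not an error in the tunnel.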

Setup of (Linux) racoon using X.509 certificates

Coming next; for now, see the hints on Check Point FW-1 NG(X) - Linux racoon - RoadWarrior-to-Gateway.


No warranty at all, your Feedback is welcome!
© 2004-2010 AERAsec Network Services and Security GmbH, last change 2006-08-07
back to http://www.vpn-1.de/aerasec/