Check Point Firewall-1 NG(X)

VPN between Check Point Firewall-1 NG(X) and Linux 2.6.x using IKE daemon racoon

Mode: RoadWarrior-to-Gateway

Example based on following versions:

• Gateway 1: Check Point VPN-1 NGX R61 installed on Secure Platform Build 202 FP-2 running Linux kernel 2.4.21-21cp
• Gateway 2: Fedora Core 5 running kernel 2.6.17-1.2157_FC5 with racoon from ipsec-tools-0.6.4-1.1
  

Content

•  Check Point VPN-1 NG(X) setup
  
•  Setup of (Linux) racoon using X.509 certificates

Topology

Prework

Pre-Shared Secret:

• RoadWarrior configuration cannot work with preshared secret because it's currently unknown, how the ID in IKE phase 1 negotiation must be configured to be accepted by VPN-1's user management (still under investigation).

Public Key Signatures:

• Can be created by using the internal CA of Check Point VPN-1 Management

Setup of Check Point VPN-1 NG(X)

Setup of (Linux) racoon using X.509 certificates

Define parameters for racoon

Edit/create /etc/racoon/racoon.conf

# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

# CP VPN-1
remote 1.2.3.4
{
        exchange_mode main;
        lifetime time 24 hour;

        certificate_type x509 "/etc/ipsec.d/certs/freeswan-cert.pem" "/etc/ipsec.d/private/freeswan-key.pem";
        ca_type x509 "/etc/ipsec.d/cacerts/checkpoint-internal-ca.pem";

        peers_identifier address 1.2.3.4;
        peers_certfile x509 "/etc/ipsec.d/certs/checkpoint-cert.pem";
        verify_identifier on;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                dh_group 2;
                authentication_method rsasig;
        }
}