Check Point Firewall-1 NG(X)

VPN between Check Point Firewall-1 NG(X) and Linux 2.6.x using IKE daemon racoon

URLs:

Linux kernel www.kernel.org
Linux IPsec-Tools
Linux IPsec HowTo by Ralf Spenneberg
NetBSD Documentation: NetBSD IPsec
Integration of Check Point VPN-1®/Firewall-1® and FreeBSD IPsec by Jon Orbeton and Matt Hite
Fedora Core development FTP directory
IPsec related part in Linux Advanced Routing & Traffic Control HOWTO (LARTC.IPSEC.INTEROP.CHECKPOINT)
TinyCA (Perl based X11 application for CA operations)
XCA (X11 application for CA operations)
AERAsec FTP server (let's look what we are able to publish in the future...)

Preface:

How use the new IPsec code in Linux 2.6.x series

Content

Gateway-to-Gateway setup (dedicated page)
RoadWarrior-to-Gateway setup (dedicated page)
Support matrix
Specifying other algorithms in racoon
Specifying security policy in Linux kernel
Debugging and monitoring

Support matrix

Note: not all combinations are tested at the moment. Note that CAST is normally not supported by Linux kernel.

IKE encryption

Method:	DES	BLOWFISH	3DES	CAST	AES	SERPENT	TWOFISH
	IKE encryption

Check Point VPN-1 NG AI	yes	no	yes	yes (128)	yes (256)	no	no
Check Point VPN-1 NGX R61	yes	no	yes	yes (128)	yes (128,256)	no	no

Linux kernel 2.6.3 / racoon (ipsec-tools 0.2.3)	yes	yes	yes	no	no	no	no
Linux kernel 2.6.17 / racoon (ipsec-tools-0.6.4)	yes	yes	yes	yes (128)	yes (128,256)	no	no

kernel 2.6.3 / racoon (ipsec-tools 0.2.3) vs. Check Point VPN-1 NG AI	working	no	working	no	no	no	no
Linux kernel 2.6.17 / racoon (ipsec-tools-0.6.4) vs. Check Point VPN-1 NGX R61	working	no	working	working (128)	working (128,256)	no	no

IKE integrity and authentication

Method:	MD5	SHA1	SHA2	Pre-Shared Secret	Public Key Signatures
	IKE integrity			IKE authentication

Check Point VPN-1 NG AI R55 Check Point VPN-1 NGX R61	yes	yes	no	yes	yes

Linux kernel 2.6.3 / racoon (ipsec-tools 0.2.3)	yes	yes	no	yes	yes
Linux kernel 2.6.17 / racoon (ipsec-tools-0.6.4)	yes [md5]	yes [sha1]	yes (256,384,512) [sha*]	yes	yes

kernel 2.6.3 / racoon (ipsec-tools 0.2.3) vs. Check Point VPN-1 NG AI	working	working	no	working	not tested
Linux kernel 2.6.17 / racoon (ipsec-tools-0.6.4) vs. Check Point VPN-1 NGX R61	working	working	no	working	working

IKE Diffie-Hellman Groups and Perfect Forward Secrecy

	Diffie-Hellman Groups								Perfect Forward Secrecy
	768 #1	1024 #2	1536 #5	2048 #14	3072 #15	4096 #16	6144 #17	8192 #18	Perfect Forward Secrecy

Check Point VPN-1 NG AI R55	yes	yes	yes	no	no	no	no	no	yes
Check Point VPN-1 NGX R61	yes	yes	yes	yes	no	no	no	no	yes

Linux kernel 2.6.3 / racoon (ipsec-tools 0.2.3)	yes	yes	yes	yes	yes	yes	yes	yes	yes
Linux kernel 2.6.17 / racoon (ipsec-tools-0.6.4)	yes	yes	yes	yes	yes	yes	yes	yes

kernel 2.6.3 / racoon (ipsec-tools 0.2.3) vs. Check Point VPN-1 NG AI	working	working	working	no	no	no	no	no	working
Linux kernel 2.6.17 / racoon (ipsec-tools-0.6.4) vs. Check Point VPN-1 NGX R61	working	working	working	working	no	no	no	no	working

Payload encryption

Method:	DES	BLOWFISH	3DES	CAST	AES	SERPENT	TWOFISH	NULL
	Payload encryption

Check Point VPN-1 NG AI R55	yes (40,56)	no	yes	yes (40,128)	yes (128,256)	no	no	?
Check Point VPN-1 NGX R61	yes (40,56)	no	yes	yes (40,128)	yes (128,256)	no	no	yes

Linux kernel 2.6.3 / racoon (ipsec-tools 0.2.3)	yes (56)	no	yes	no	yes (128,192,256)	no	no	?
Linux kernel 2.6.17 / racoon (ipsec-tools-0.6.4)	yes (56)	yes	yes	yes (128)	yes (128,192,256)	no	yes	yes

kernel 2.6.3 / racoon (ipsec-tools 0.2.3) vs. Check Point VPN-1 NG AI	working (56)	no	working	no	working (128,256)	no	no	?
Linux kernel 2.6.17 / racoon (ipsec-tools-0.6.4) vs. Check Point VPN-1 NGX R61	working (56)	no	working	no^a)	working (128,256)	no	no	working

^a) While "cast128" is working for phase 1, racoon claims here during reading config about "algorithm CAST not supported by the kernel"

Payload integrity and compression

Method:	MD5	SHA1	SHA2	DEFLATE
	Payload integrity			Compression

Check Point VPN-1 NG AI Check Point VPN-1 NGX R61	yes	yes	no	yes

Linux kernel 2.6.3 / racoon (ipsec-tools 0.2.3)	yes	yes	no	yes
Linux kernel 2.6.17 / racoon (ipsec-tools-0.6.4)	yes	yes	yes (256,386,512)	yes

kernel 2.6.3 / racoon (ipsec-tools 0.2.3) vs. Check Point VPN-1 NG AI	working	working	no	problem*
Linux kernel 2.6.17 / racoon (ipsec-tools-0.6.4) vs. Check Point VPN-1 NGX R61	working	working	no	incompatible^a)

* looks like racoon has a SA problem
^a) Check Point VPN-1 claims about: "IKE: Quick Mode Failed to match proposal: Transform: DEFLATE Reason: Not configured to support: IPComp." (same happen using kernel 2.6.x and Openswan, reason is currently unknown)

Specifying encryption and hash methods in (Linux) racoon

The configuration file for racoon is normally /etc/racoon/racoon.conf

IKE (phase 1)

A known peer is defined like:

# CP VPN-1
remote 1.2.3.4
{
	exchange_mode main;
	lifetime time 24 hour;
        proposal {
		encryption_algorithm 3des;
		hash_algorithm md5;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

See man-page racoon.conf.5 for more information.

IPsec (phase 2)

Relating to the setup of a security policy (SP) with setkey, racoon has also to know about. A SA is defined like:

# net-to-net
sainfo address 172.16.2.0/24 any address 172.16.1.0/24 any
{
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
	pfs_group modp2048;
}

Note that hash methods specified for phase 2 have "hmac_" prepended.
See man-page racoon.conf.5 for more information.

Specifying security policy in Linux kernel

The security policy (SP) in Linux kernel will be modified with program setkey. Current best practice is to create shell script containing the commands for setkey. Example:

#!/sbin/setkey -f
flush;
spdflush;

# Linux-racoon -> CP VPN-1
spdadd 172.16.2.0/24 172.16.1.0/24 any -P out ipsec
	esp/tunnel/1.2.3.5-1.2.3.4/require;
spdadd 1.2.3.5       1.2.3.4       any -P out ipsec
	esp/tunnel/1.2.3.5-1.2.3.4/require;

# CP VPN-1 > Linux-racoon
spdadd 172.16.1.0/24 172.16.2.0/24 any -P in  ipsec
	esp/tunnel/1.2.3.4-1.2.3.5/require;
spdadd 1.2.3.4       1.2.3.5       any -P in  ipsec
	esp/tunnel/1.2.3.4-1.2.3.5/require;

Example to enable IPcompression for a tunnel (note: currently there is a problem with racoon).

#!/sbin/setkey -f
flush;
spdflush;

# Linux-racoon -> CP VPN-1
spdadd 172.16.2.0/24 172.16.1.0/24 any -P out ipsec
	ipcomp/transport//use
	esp/tunnel/1.2.3.5-1.2.3.4/require;
spdadd 1.2.3.5       1.2.3.4       any -P out ipsec
	ipcomp/transport//use
	esp/tunnel/1.2.3.5-1.2.3.4/require;

# CP VPN-1 > Linux-racoon
spdadd 172.16.1.0/24 172.16.2.0/24 any -P in  ipsec
	ipcomp/transport//use
	esp/tunnel/1.2.3.4-1.2.3.5/require;
spdadd 1.2.3.4       1.2.3.5       any -P in  ipsec
	ipcomp/transport//use
	esp/tunnel/1.2.3.4-1.2.3.5/require;

Debugging and monitoring

IKE daemon racoon

Starting IKE daemon racoon with option -F -d will result in foreground running, sending debug log to stdout

Security policy

Monitoring

Dump SPD (current policy) entries with:

# setkey -D -P

Dump SAD (current associations) entries with:

# setkey -D

No warranty at all, your Feedback is welcome!
© 2003-2010 AERAsec Network Services and Security GmbH, last change 2006-08-07
back to http://www.vpn-1.de/aerasec/