Check Point VPN-1 NG

Gateway-to-Gateway IPsec with BinTec routers using a pre-shared secret


AERAsec Network Services and Security GmbH



IPsec related configuration of a BinTec router

It is important to run the Wizard the first time, because some initial values are only set during that run.

Used topology in this example:
192.168.1.0/24 --- [.1] CP NG [.2] --- 172.16.1.0/24 --- [.1] BinTec [.1] ---192.168.2.0/24

Requirements:
To do:
  1. Log in via serial console or telnet
  2. Start the Setup Tool
  3. Go to the IPSEC menu (if it is missing, the current firmware does not support IPsec; see above for more)
  4. Change "Enable IPSec" to yes
  5. Go to "IKE (Phase 1) Defaults"
  6. Go to "IPsec (Phase 2) Defaults"
  7. Go to "Wizard"
  8. Select "Save"
The result should look like the following (some values are not taken over from the defaults, so check the setup and change them if required).

Configured peers:

X1200 Setup Tool                                    BinTec Access Networks GmbH
[IPSEC][PEERS]: IPsec Configuration - Configure Peer List                 x1200
_______________________________________________________________________________
  Highlight an entry and type 'i' to insert new entry below,
  'u'/'d' to move up/down, 'a' to select as active peer list

  Description       PeerID            PeerAddr        IKEProp  TrafficList
  *Check Point NG                     172.16.1.2      default           2

     APPEND              DELETE              EXIT
______________________________________________________________________________

Configuration of peer "Check Point NG":

X1200 Setup Tool                                    BinTec Access Networks GmbH
[IPSEC][PEERS][EDIT]: IPsec Configuration - Configure Peer List           x1200
_______________________________________________________________________________

     Description:   Check Point NG
     Peer Address:  172.16.1.2
     Peer IDs:
     Pre Shared Key:*
     ISDN Callback: disabled

     Special Settings >

  Traffic List: Highlight an entry and type 'i' to insert new entry below,
                'u'/'d' to move up/down, 'a' to select as active traffic list

  Local Address    M/R    Port  Proto Remote Address  M/R    Port  A  Proposal
  *192.168.2.0     M24    -     all   192.168.1.0     M24    -     PR default

       APPEND              DELETE               SAVE               CANCEL
_______________________________________________________________________________

Special settings of this peer:

X1200 Setup Tool                                    BinTec Access Networks GmbH
[IPSEC][PEERS][EDIT][SPECIAL]: IPSec Peer Special Settings                x1200
_______________________________________________________________________________

     Options:

       Verify Padding:        yes
       Granularity:           default (coarse)
       Keep Alive:            no
       Heartbeats:            default

     Phase 1 >
     Phase 2 >

     Select Different Traffic List >

                          SAVE                          CANCEL
_______________________________________________________________________________

Phase 1 (IKE-SA) settings of this peer:

X1200 Setup Tool                                    BinTec Access Networks GmbH
[IPSEC][PEERS][EDIT][PHASE 1]: IPsec Configuration - Phase 1 (IKE) Settings
_______________________________________________________________________________

   Proposal              :  Rijndael/SHA1 (def)
   Lifetime              :  900 Sec/0 Kb (def)
   Group                 :  5 (1536 bit MODP)
   Authentication Method :  Pre Shared Keys (def)
   Mode                  :  id_protect (def)
   Local ID              :
   Local Certificate     :  none

   View Proposals >
   Edit Lifetimes >

                         SAVE                          CANCEL
_______________________________________________________________________________

Phase 2 (IPsec-SA) settings of this peer:

X1200 Setup Tool                                    BinTec Access Networks GmbH
[IPSEC][PEERS][EDIT][PHASE 2]: IPsec Configuration - Phase 2 Settings     x1200
_______________________________________________________________________________

       Proposal:               ESP(Rijndael/Sha1) (def)
       Lifetime:               900 Sec/0 Kb (def)
       Use PFS :               group 5 (1536 bit MODP)

   View Proposals >
   Edit Lifetimes >

                         SAVE                          CANCEL
_______________________________________________________________________________

Traffic entry (also known as topology definition):

X1200 Setup Tool                                    BinTec Access Networks GmbH
[IPSEC][PEERS][EDIT][TRAFFIC][EDIT]: Edit Traffic Entry                   x1200
_______________________________________________________________________________

     Description:   net-net

     Protocol:      dont-verify

     Local:
          Type: net   Ip: 192.168.2.0    / 24

     Remote:
          Type: net   Ip: 192.168.1.0    / 24

     Action:        protect

     Special Settings >

                    SAVE                               CANCEL
_______________________________________________________________________________

Special settings of this traffic entry:

X1200 Setup Tool                                    BinTec Access Networks GmbH
[IPSEC][PEERS][EDIT][TRAFFIC][SPECIAL]: Customize Traffic Settings        x1200
_______________________________________________________________________________

     Proposal:           ESP(Rijndael/Sha1) (def)
     Lifetime:           900 Sec/0 Kb (def)

     Keep Alive:         default
     Force Tunnel Mode:  false
     Granularity:        default (coarse)

     View Proposals >
     Edit Lifetimes >

                    SAVE                               CANCEL
_______________________________________________________________________________

IPsec related configuration of a Check Point VPN-1 NG AI

The following screenshots show the Check Point configuration that corresponds to the BinTec router configuration shown above.

Setup of the gateway with BinTec router

Create an interoperable device:

General Properties

Fill-in required and additional information:

Topology

Configure the topology according to your VPN and external network setup. For a more complex internal network setup, you probably have to switch to a "Manually defined" VPN domain and select a previously created network group containing all internal networks behind this gateway.


Configure Check Point VPN-1 object

As shown above, take care of the topology and the VPN domain.

General Properties

Enable the VPN-1 Pro feature, if not done before. You will need the corresponding license to use VPN-1 Pro.


Topology

Configure the topology according to your VPN and external network setup. For a more complex internal network setup, you probably have to switch to a "Manually defined" VPN domain and select a previously created network group containing all internal networks behind this gateway.


Setup VPN community

Edit the MyIntranet community object. You might also create a new community, if necessary.


General

For unfiltered communication between all community members, enable the field "Accept all encrypted traffic" in this community.
Note: this is not really recommended, so set up dedicated rules after successful testing and disable this switch afterwards.


Participating Gateways

You'll have to add at least the BinTec router and your Check Point VPN-1 NG.


VPN properties

Set up the encryption and integrity methods for IKE and IPsec according to the values configured on the BinTec router above.

Advanced properties

Set up the advanced properties for IKE and IPsec according to the values configured on the BinTec router above.

Shared secret

After enabling the use of shared secrets, specify the shared secret matching the entry made on the BinTec router.

VPN manager (result)


Successful log entries

On success, the following log entries should appear in Check Point's log:
30Oct2003 15:32:30 keyinst 172.16.1.2 >daemon src: 172.16.1.2; dst: 172.16.1.1; peer gateway: 172.16.1.1;
 scheme: IKE; IKE: Main Mode completion.; CookieI: 8eeaf9f3158074d4; CookieR: 176b8db753000000;
 methods: AES-256 + SHA1, Pre shared secrets; community: MyIntranet; product: VPN-1 & FireWall-1;

30Oct2003 15:32:32 keyinst 172.16.1.2 >daemon src: 172.16.1.2; dst: 172.16.1.1; srckeyid: 0xeb2c94a8;
 dstkeyid: 0x966e3019; peer gateway: 172.16.1.1; scheme: IKE; IKE: Quick Mode completion;
 CookieI: 8eeaf9f3158074d4; CookieR: 176b8db753000000; msgid: d9f20437;
 methods: ESP: AES-256 + SHA1 + PFS + DEFLATE;
 IKE IDs: subnet: 192.168.1.0 (mask= 255.255.255.0) and subnet: 192.168.2.0 (mask= 255.255.255.0);
 community: MyIntranet; product: VPN-1 & FireWall-1;
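Added example (not from the original page or from Check Point): a small Python parser for keyinst entries like the two above that checks whether each completed IKE phase negotiated the methods this tunnel is configured for. The sample entries are the page's two log lines joined into one line each; the expected method sets are an assumption derived from the proposals configured above, and the field layout is assumed from those two lines only.

```python
import re
# Constructed sample: the two successful keyinst entries from the page, each joined onto one line.
SAMPLE_LOG = [
    "30Oct2003 15:32:30 keyinst 172.16.1.2 >daemon src: 172.16.1.2; dst: 172.16.1.1; "
    "peer gateway: 172.16.1.1; scheme: IKE; IKE: Main Mode completion.; "
    "CookieI: 8eeaf9f3158074d4; CookieR: 176b8db753000000; "
    "methods: AES-256 + SHA1, Pre shared secrets; community: MyIntranet; product: VPN-1 & FireWall-1;",
    "30Oct2003 15:32:32 keyinst 172.16.1.2 >daemon src: 172.16.1.2; dst: 172.16.1.1; "
    "srckeyid: 0xeb2c94a8; dstkeyid: 0x966e3019; peer gateway: 172.16.1.1; scheme: IKE; "
    "IKE: Quick Mode completion; CookieI: 8eeaf9f3158074d4; CookieR: 176b8db753000000; "
    "msgid: d9f20437; methods: ESP: AES-256 + SHA1 + PFS + DEFLATE; "
    "IKE IDs: subnet: 192.168.1.0 (mask= 255.255.255.0) and subnet: 192.168.2.0 (mask= 255.255.255.0); "
    "community: MyIntranet; product: VPN-1 & FireWall-1;",
]

# Assumed expectation for the tunnel above: Rijndael (AES-256)/SHA1 with a pre-shared secret in
# phase 1, ESP with the same algorithms plus PFS in phase 2. The DH group is not logged here.
EXPECTED = {
    "Main Mode completion.": {"AES-256", "SHA1", "Pre shared secrets"},
    "Quick Mode completion": {"ESP", "AES-256", "SHA1", "PFS"},
}

HEADER = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\S+) (?P<origin>\S+) "
                    r">(?P<facility>\S+) (?P<rest>.*)$")

def parse_entry(line):
    """Split one log entry into its header fields plus the 'key: value' pairs after '>daemon'."""
    m = HEADER.match(line)
    if not m:
        return None
    fields = m.groupdict()
    for part in fields.pop("rest").split("; "):
        part = part.strip().rstrip(";")
        if part:
            key, _, value = part.partition(": ")   # first ': ' only; values may contain ':'
            fields[key] = value
    return fields

def methods_of(entry):
    """'ESP: AES-256 + SHA1 + PFS + DEFLATE' -> {'ESP', 'AES-256', 'SHA1', 'PFS', 'DEFLATE'}."""
    return {t.strip() for t in re.split(r"[:+,]", entry.get("methods", "")) if t.strip()}

def check_tunnel(lines, peer_gateway):
    """For each completed IKE phase with the given peer, True if the expected methods were used."""
    result = {}
    for entry in filter(None, map(parse_entry, lines)):
        if entry.get("peer gateway") != peer_gateway or entry.get("scheme") != "IKE":
            continue
        phase = entry.get("IKE")
        if phase in EXPECTED:
            result[phase] = EXPECTED[phase] <= methods_of(entry)
    return result
```

A phase that shows up as False means the peers agreed on something other than the configured proposal and the gateway settings should be compared again.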

IKE/IPsec Monitoring on a BinTec router

Using IPsec monitoring, IKE and IPsec SAs can be checked, e.g. for their existence or for the methods currently in use.

IKE monitoring (pre-shared secret)

X1200 Setup Tool                                    BinTec Access Networks GmbH
[IPSEC][MONITORING][IKE SAS]: IPsec Monitoring - IKE SAs                  x1200
_______________________________________________________________________________
  T: xch.-Type: B=Base      I=Id-prot.  O=auth-Only  A=Aggressive
  A: Auth-Meth: P=P-S-Key   D=DSA-sign. S=RSA-sign.  E=RSA-encryption
  R: Role     : I=Initiator R=Responder
  S: State    : N=Negotiate E=Establ.   D=Delete     W=Waiting-for-remove
  E: Enc.-Alg : d=DES       D=3ES       B=Blowfish   C=Cast  R=Rijndael T=Twofis
  H: Hash-Alg : M=MD5       S=SHA1      T=Tiger      R=Ripemd160
  type 'h' to toggle this help

  Remote ID                             Remote IP       Local ID        TARSEH
  172.16.1.2                            172.16.1.2      172.16.1.1      IPRERS

     DELETE              EXIT
_______________________________________________________________________________

IPsec monitoring

X1200 Setup Tool                                    BinTec Access Networks GmbH
[IPSEC][MONITORING][IPSEC SAS]: IPsec Monitoring - IPsec SAs              x1200
_______________________________________________________________________________
    S: Sec. Proto :  E=ESP       A=AH        C=IPComP
    E: Enc. Alg.  :  D=3DES      B=Blowfish  C=Cast  d=DES T=Twofish R=Rijndael
    A: Auth. Alg. :  M=MD5       S=SHA1
    C: Comp-Alg   :  D=Deflate
    Direction     :  >=outbound  <=inbound
    Address-Syntax:  <host> or <first>+<num-following> or <netaddr>/<masklen>
   type 'h' to toggle this help

  Local                 LPort Pto  Remote                RPort SEAC Pkts  Bytes
  192.168.2.0/24        0     all <192.168.1.0/24        0     C--D     1    58
  192.168.2.0/24        0     all >192.168.1.0/24        0     C--D     1    58
  192.168.2.0/24        0     all <192.168.1.0/24        0     ERS-     1   104
  192.168.2.0/24        0     all >192.168.1.0/24        0     ERS-     1    58

     DELETE              EXIT
_______________________________________________________________________________
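Added example (not part of the original page or of BinTec's software): decoding the TARSEH and SEAC flag columns of the two monitoring screens above and checking that an established IKE SA with pre-shared-key authentication exists for the peer and that ESP SAs exist in both directions for the protected nets. The sample rows are the ones shown on the screens, the legends are copied from the screens' help text, and the whitespace-separated row layout is assumed from those rows.

```python
# Legends from the help text of the two monitoring screens (IKE SAs: column order TARSEH,
# IPsec SAs: column order SEAC); the truncated "3ES"/"Twofis" are written out in full here.
IKE_LEGEND = {
    "T": {"B": "Base", "I": "Id-prot.", "O": "auth-Only", "A": "Aggressive"},
    "A": {"P": "P-S-Key", "D": "DSA-sign.", "S": "RSA-sign.", "E": "RSA-encryption"},
    "R": {"I": "Initiator", "R": "Responder"},
    "S": {"N": "Negotiate", "E": "Establ.", "D": "Delete", "W": "Waiting-for-remove"},
    "E": {"d": "DES", "D": "3DES", "B": "Blowfish", "C": "Cast", "R": "Rijndael", "T": "Twofish"},
    "H": {"M": "MD5", "S": "SHA1", "T": "Tiger", "R": "Ripemd160"},
}
IPSEC_LEGEND = {
    "S": {"E": "ESP", "A": "AH", "C": "IPComP"},
    "E": {"D": "3DES", "B": "Blowfish", "C": "Cast", "d": "DES", "T": "Twofish", "R": "Rijndael"},
    "A": {"M": "MD5", "S": "SHA1"},
    "C": {"D": "Deflate"},
}
# Constructed samples: the data rows of the IKE SAs and IPsec SAs screens above.
IKE_ROWS = ["172.16.1.2                            172.16.1.2      172.16.1.1      IPRERS"]
IPSEC_ROWS = [
    "192.168.2.0/24        0     all <192.168.1.0/24        0     C--D     1    58",
    "192.168.2.0/24        0     all >192.168.1.0/24        0     C--D     1    58",
    "192.168.2.0/24        0     all <192.168.1.0/24        0     ERS-     1   104",
    "192.168.2.0/24        0     all >192.168.1.0/24        0     ERS-     1    58",
]

def decode_flags(flags, legend):
    """Map each flag character to its legend text; '-' means the column does not apply."""
    return {col: (None if ch == "-" else legend[col].get(ch, "?" + ch))
            for col, ch in zip(legend, flags)}

def parse_ike_sa(line):
    """One data row of the IKE SAs screen: 'Remote ID  Remote IP  Local ID  TARSEH'."""
    remote_id, remote_ip, local_id, flags = line.split()
    return {"remote_id": remote_id, "remote_ip": remote_ip, "local_id": local_id,
            **decode_flags(flags, IKE_LEGEND)}

def parse_ipsec_sa(line):
    """One data row of the IPsec SAs screen; '<' or '>' before Remote gives the direction."""
    local, _lport, proto, remote, _rport, flags, pkts, nbytes = line.split()
    return {"local": local, "remote": remote[1:], "proto": proto, "pkts": int(pkts),
            "bytes": int(nbytes), "direction": "inbound" if remote[0] == "<" else "outbound",
            **decode_flags(flags, IPSEC_LEGEND)}

def ike_established(ike_rows, peer_ip):
    """True if an established IKE SA with pre-shared-key authentication exists for the peer."""
    return any(r["remote_ip"] == peer_ip and r["S"] == "Establ." and r["A"] == "P-S-Key"
               for r in map(parse_ike_sa, ike_rows))

def esp_state(ipsec_rows, local, remote):
    """ESP SAs for one net pair: which directions exist and which algorithms they use."""
    sas = [s for s in map(parse_ipsec_sa, ipsec_rows)
           if s["S"] == "ESP" and s["local"] == local and s["remote"] == remote]
    return {"directions": {s["direction"] for s in sas}, "algorithms": {(s["E"], s["A"]) for s in sas}}
```

For the rows above the result is an established responder-side IKE SA with Rijndael/SHA1 and ESP SAs in both directions using Rijndael/SHA1, with the IPComp (Deflate) SAs reported separately.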

No warranty at all, your feedback is welcome!
© 2003-2011 AERAsec Network Services and Security GmbH, last update 2003-11-01