Check Point Firewall-1 NG(X)

VPN between Check Point Firewall-1 NG(X) and (Linux) Openswan (formerly FreeS/WAN)

Mode: Gateway-to-Gateway


AERAsec Network Services and Security GmbH



See introduction page for more.

Example based on the following versions:

Former example(s) based on the following versions:


Content


Topology


Prework

Pre-Shared Secret:

Public Key Signatures:


Setup of Check Point Firewall-1 NG(X)

Note that some screenshots are still from NG, but the ones from NGX are very similar.

Create/modify objects: Networks behind gateways

That's easy; no screenshots should be required.

Create/modify objects: Firewall itself

Check whether VPN-1 (Pro) is enabled

Older versions of Check Point Firewall-1 require a dedicated license for VPN-1.

Define topology and VPN domain

Define IKE properties

Pre-Shared Secret:

Public Key Signatures:

Create/modify objects: Linux as VPN partner

The Linux gateway has to be created as an "Interoperable Device".

Define topology and VPN domain

Import external OPSEC CA certificate (only needed for Public Key Signatures)

Importing the external CA certificate as type OPSEC is needed to validate the certificate of the remote FreeS/WAN gateway.
Note: disable all CRL retrieval options for this CA if no CRL is available; otherwise the related error messages will prevent the use of this CA. Be aware that with CRL retrieval disabled, a revoked Openswan certificate is still accepted by the firewall, so only do this where the CA really publishes no CRL.

Define IKE properties

Pre-Shared Secret:

Public Key Signatures:

The DN string Check Point expects is not the one OpenSSL prints natively: the order of the RDNs has to be reversed. If no entry contains a '/', this can be done (for OpenSSL versions that print the subject in the "/C=.../ST=..." form) by executing:
$ openssl x509 -subject -noout -in mycert.pem | sed 's/subject= \///g' | sed 's/\//,/g' | awk -F, '{ for (i = NF; i > 1; i--) printf "%s,", $i; print $1 }'
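The same reversal as a reusable shell function, added here as an example and not part of the original page. It accepts both the legacy "subject= /C=.../ST=..." output and the "subject=C = DE, ST = ..." output that OpenSSL 1.1.0 and later print by default, and it carries the same limitation as the one-liner: a '/' or ',' inside an attribute value is taken as a separator. The function name reverse_dn and the sample subject line are constructed for this example.

```shell
#!/bin/sh
# reverse_dn: read one OpenSSL "subject=" line on stdin and print the DN in
# the order Check Point expects (most specific RDN first, comma separated).
# Accepts the legacy "subject= /C=DE/ST=Bavaria/..." output as well as the
# "subject=C = DE, ST = Bavaria, ..." output of OpenSSL 1.1.0 and later.
# Limitation (same as the one-liner above): a '/' or ',' inside an attribute
# value is taken as a separator.
reverse_dn() {
    sed -e 's/^subject= *//' \
        -e 's/^\///' \
        -e 's/ *= */=/g' \
        -e 's/, */\//g' \
    | awk -F/ '{ for (i = NF; i > 1; i--) printf "%s,", $i; print $1 }'
}

# Stand-alone run on a constructed subject line (not from a real certificate);
# on the gateway use:  openssl x509 -subject -noout -in mycert.pem | reverse_dn
printf '%s\n' 'subject= /C=DE/ST=Bavaria/L=Hohenbrunn/O=AERAsec/OU=Lab/CN=Linux' | reverse_dn
```

With a recent OpenSSL, "openssl x509 -subject -noout -nameopt RFC2253 -in mycert.pem" already prints the attributes in this reversed, comma-separated order, so the function is mainly useful on older installations or when the subject line comes from somewhere else.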

Create/modify policy:

Currently, simplified mode has only limited support for this setup, so traditional mode works better.

Switch to traditional mode

And create a new policy afterwards

Gateway-to-gateway rulesets

Network-to-network rulesets

Properties of encryption

 

Install ruleset

That's easy; no screenshots should be required. Good luck!

Logging (shared secret)

After IPsec has been restarted on the Linux FreeS/WAN side, the log viewer should show the following (use "fw log -tfln" to get the log output on the console). Check the "methods:" and "IDs:" fields against what was configured: here 3DES + MD5 with a pre-shared secret, which were the defaults at the time; prefer AES and SHA on both sides where the versions support it.
14:30:18 accept  >eth0 product VPN-1 & FireWall-1 src 1.2.3.5 s_port IKE dst 1.2.3.4 service IKE proto udp rule 0
14:30:18 keyinst >daemon src 1.2.3.5 dst 1.2.3.4 peer gateway 1.2.3.5 scheme: IKE IKE: Main Mode completion. CookieI cd4facedc444d81c
 CookieR 399e1a8b6543e4c2 methods: 3DES + MD5, Pre shared secrets
14:30:18 keyinst >daemon src 1.2.3.5 dst 1.2.3.4 srckeyid 0xdb3ca7ba dstkeyid 0xd0932dbe peer gateway 1.2.3.5 scheme: IKE
 IKE: Quick Mode Sent Notification: Responder Lifetime CookieI cd4facedc444d81c CookieR 399e1a8b6543e4c2 msgid 39d92aae
14:30:18 keyinst >daemon src 1.2.3.5 dst 1.2.3.4 srckeyid 0xdb3ca7ba dstkeyid 0xd0932dbe peer gateway 1.2.3.5 scheme: IKE
 IKE: Quick Mode completion CookieI cd4facedc444d81c CookieR 399e1a8b6543e4c2 msgid 39d92aae methods: ESP: 3DES + MD5 IKE
 IDs: subnet: 172.16.1.0 (mask= 255.255.255.0) and subnet: 172.16.2.0 (mask= 255.255.255.0)
14:30:18 keyinst >daemon src 1.2.3.5 dst 1.2.3.4 srckeyid 0xdb3ca7bb dstkeyid 0xd0932dbf peer gateway 1.2.3.5 scheme: IKE
 IKE: Quick Mode Sent Notification: Responder Lifetime CookieI cd4facedc444d81c CookieR 399e1a8b6543e4c2 msgid 881b521b
14:30:18 keyinst >daemon src 1.2.3.5 dst 1.2.3.4 srckeyid 0xdb3ca7bb dstkeyid 0xd0932dbf peer gateway 1.2.3.5 scheme: IKE
 IKE: Quick Mode completion CookieI cd4facedc444d81c CookieR 399e1a8b6543e4c2 msgid 881b521b methods: ESP: 3DES + MD5 IKE
 IDs: host: 1.2.3.4 and host: 1.2.3.5

Logging (public key signatures)

16Apr2002 16:43:56 keyinst >daemon src 1.2.3.5 dst 1.2.3.4 peer gateway 1.2.3.5 scheme: IKE IKE: Main Mode completion.
 CookieI d06d13f95066ba08 CookieR fce7a3180b16f5bd methods: 3DES + MD5, RSA signatures
16Apr2002 16:43:56 keyinst >daemon src 1.2.3.5 dst 1.2.3.4 srckeyid 0x6c916c22 dstkeyid 0x2764eed3 peer gateway 1.2.3.5 scheme: IKE
 IKE: Quick Mode Sent Notification: Responder Lifetime CookieI d06d13f95066ba08 CookieR fce7a3180b16f5bd msgid 3fe711b6
16Apr2002 16:43:56 keyinst >daemon src 1.2.3.5 dst 1.2.3.4 srckeyid 0x6c916c22 dstkeyid 0x2764eed3 peer gateway 1.2.3.5 scheme: IKE
 IKE: Quick Mode completion CookieI d06d13f95066ba08 CookieR fce7a3180b16f5bd msgid 3fe711b6 methods: ESP: 3DES + MD5 IKE 
 IDs: host: 1.2.3.4 and host: 1.2.3.5
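The check described above, turned into a script: an added example, not part of the original page. check_keyinst (a name chosen here) reads "fw log -tfln" output, glues the wrapped continuation lines back together, prints the peer, negotiated methods and IDs of each completed phase from both the pre-shared secret and the RSA signature listings, and returns 1 when 3DES, DES or MD5 was negotiated. The sample input is copied from the pre-shared secret listing above.

```shell
#!/bin/sh
# Added example: verify what the Check Point side actually negotiated by
# parsing "fw log -tfln" output, rather than trusting the rulebase.
# check_keyinst reads keyinst lines on stdin (continuation lines start with a
# space, as in the listings above) and prints one summary per completed
# phase; it returns 1 if 3DES, DES or MD5 appears in the negotiated methods.
check_keyinst() {
    awk '
        # A line starting with a timestamp begins a new record; lines starting
        # with a space are continuations of the previous one.
        /^[^ ]/ { if (rec != "") flush(); rec = $0; next }
                { rec = rec $0 }
        END     { if (rec != "") flush(); exit (weak ? 1 : 0) }

        function flush(   mode, peer, methods, ids) {
            # Only "Main Mode completion" / "Quick Mode completion" records
            # carry the final methods; accept lines and Responder Lifetime
            # notifications are skipped.
            if (rec !~ /keyinst/ || rec !~ /completion/) { rec = ""; return }
            peer = rec; sub(/.*peer gateway /, "", peer); sub(/ .*/, "", peer)
            mode = (rec ~ /Main Mode/) ? "phase1" : "phase2"
            methods = rec; sub(/.*methods: /, "", methods); sub(/ IKE *IDs:.*/, "", methods)
            ids = ""
            if (rec ~ /IDs: /) { ids = rec; sub(/.*IDs: /, "", ids) }
            printf "%s peer=%s methods=%s%s\n", mode, peer, methods, (ids != "" ? (" ids=" ids) : "")
            if (methods ~ /(3DES|DES|MD5)/) weak = 1
            rec = ""
        }'
}

# Sample input copied from the pre-shared secret listing above (a "Sent
# Notification" record is included to show that it is skipped).
SAMPLE_LOG='14:30:18 accept  >eth0 product VPN-1 & FireWall-1 src 1.2.3.5 s_port IKE dst 1.2.3.4 service IKE proto udp rule 0
14:30:18 keyinst >daemon src 1.2.3.5 dst 1.2.3.4 peer gateway 1.2.3.5 scheme: IKE IKE: Main Mode completion. CookieI cd4facedc444d81c
 CookieR 399e1a8b6543e4c2 methods: 3DES + MD5, Pre shared secrets
14:30:18 keyinst >daemon src 1.2.3.5 dst 1.2.3.4 srckeyid 0xdb3ca7ba dstkeyid 0xd0932dbe peer gateway 1.2.3.5 scheme: IKE
 IKE: Quick Mode Sent Notification: Responder Lifetime CookieI cd4facedc444d81c CookieR 399e1a8b6543e4c2 msgid 39d92aae
14:30:18 keyinst >daemon src 1.2.3.5 dst 1.2.3.4 srckeyid 0xdb3ca7ba dstkeyid 0xd0932dbe peer gateway 1.2.3.5 scheme: IKE
 IKE: Quick Mode completion CookieI cd4facedc444d81c CookieR 399e1a8b6543e4c2 msgid 39d92aae methods: ESP: 3DES + MD5 IKE
 IDs: subnet: 172.16.1.0 (mask= 255.255.255.0) and subnet: 172.16.2.0 (mask= 255.255.255.0)'

# Stand-alone run; on the firewall:  fw log -tfln | check_keyinst
printf '%s\n' "$SAMPLE_LOG" | check_keyinst || echo "WARNING: legacy algorithms negotiated" >&2
```

The return code makes the function usable from a cron job or monitoring check: a tunnel that silently falls back to weaker proposals after a change on either side shows up as a non-zero exit instead of being noticed months later.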


Setup of Linux Openswan in pre-shared secret mode

Define topology

Edit /etc/ipsec.conf, or store a dedicated configuration file in /etc/ipsec.d/ (the latter only works if ipsec.conf includes that directory):

## Gateway-to-gateway: Check Point <-> FreeS/WAN
conn checkpoint-freeswan
        type=tunnel
        # Left side is Check Point
        left=1.2.3.4
        # leftnexthop=
        # Right side is FreeS/WAN
        right=1.2.3.5
        # rightnexthop=
        keyexchange=ike
        auth=esp
        auto=start
        authby=secret
# Optionally specify the encryption/hash methods for phase 1 & 2 (preferable to
# the 3DES + MD5 seen in the logs on this page, if both sides support them)
#ike=aes256-sha1-modp2048
#esp=aes256-sha1
# Disable Perfect Forward Secrecy only if the tunnel does not come up with it;
# without PFS a compromised phase 1 key exposes the phase 2 keys derived from it
        #pfs=no
# Optionally enable compression (if it works)
#compress=yes

conn net-checkpoint-net-freeswan
        type=tunnel
        left=1.2.3.4
        # leftnexthop=
        leftsubnet=172.16.1.0/24
        right=1.2.3.5
        # rightnexthop=
        rightsubnet=172.16.2.0/24
        keyexchange=ike
        auth=esp
        auto=start
        authby=secret
# Optionally specify the encryption/hash methods for phase 1 & 2 (see above)
#ike=aes256-sha1-modp2048
#esp=aes256-sha1
# Disable Perfect Forward Secrecy only if the tunnel does not come up with it
        #pfs=no
# Optionally enable compression (if it works)
#compress=yes

Create secrets

Edit /etc/ipsec.secrets. The value below is only a placeholder: use a long random string, keep the file readable by root only, and enter the same string on the Check Point side. Newer Openswan/Libreswan releases expect the secret type to be spelled out as PSK before the quoted string.

1.2.3.4   1.2.3.5:   "verysecret"

(Re-)start ipsec

Good luck!
# service ipsec restart
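The secrets step done with a random secret instead of a guessable one, as an added example that is not part of the original page: gen_psk, write_psk_entry, check_psk_entry and SECRETS_FILE are names chosen here. The script writes the entry in the form shown above (with the explicit PSK keyword), keeps the file root-only and checks the entry before the restart; SECRETS_FILE defaults to a scratch file, so point it at /etc/ipsec.secrets on the gateway.

```shell
#!/bin/sh
# Added example: generate a strong pre-shared secret and write the
# FreeS/WAN/Openswan ipsec.secrets entry for the two gateway addresses.
# SECRETS_FILE defaults to a scratch file so the script is safe to run
# anywhere; set SECRETS_FILE=/etc/ipsec.secrets on the real gateway.
SECRETS_FILE="${SECRETS_FILE:-${TMPDIR:-/tmp}/ipsec.secrets.example}"

# 32 random bytes as 64 hex characters (256 bits of entropy); uses only
# POSIX od so it also works on an old gateway without openssl or base64.
gen_psk() {
    head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# write_psk_entry LEFT RIGHT SECRET: append the entry in the form the page
# uses, with the explicit PSK keyword newer releases expect, and keep the
# file readable by root only (pluto reads it as root; anyone else who can
# read it can impersonate either gateway).
write_psk_entry() {
    left=$1; right=$2; secret=$3
    umask 077
    printf '%s %s: PSK "%s"\n' "$left" "$right" "$secret" >> "$SECRETS_FILE"
    chmod 600 "$SECRETS_FILE"
}

# check_psk_entry LEFT RIGHT: return 0 if an entry for the pair exists and
# its secret is at least 32 characters long, a cheap sanity check before
# "service ipsec restart". The PSK keyword is optional in the check so that
# entries in the older keyword-less form are accepted too.
check_psk_entry() {
    awk -v l="$1" -v r="$2" '
        $1 == l && $2 == (r ":") {
            s = $0; sub(/^[^"]*"/, "", s); sub(/".*$/, "", s)
            if (length(s) >= 32) ok = 1
        }
        END { exit (ok ? 0 : 1) }' "$SECRETS_FILE"
}

# Stand-alone run with the example addresses from this page.
psk=$(gen_psk)
write_psk_entry 1.2.3.4 1.2.3.5 "$psk"
check_psk_entry 1.2.3.4 1.2.3.5 && echo "entry written to $SECRETS_FILE"
```

The hex string is what has to be pasted into the pre-shared secret field of the Interoperable Device object on the Check Point side; both ends must hold exactly the same value.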

Logging

/var/log/secure normally contains the ipsec log; look for an "IPsec SA established" line for each connection:
Mar 25 15:44:58 linux ipsec__plutorun: Starting Pluto subsystem...
Mar 25 15:44:58 linux Pluto[3160]: Starting Pluto (FreeS/WAN Version 1.96)
Mar 25 15:44:59 linux Pluto[3160]: added connection description "net-checkpoint-net-freeswan"
Mar 25 15:44:59 linux Pluto[3160]: added connection description "checkpoint-freeswan"
Mar 25 15:44:59 linux Pluto[3160]: listening for IKE messages
Mar 25 15:44:59 linux Pluto[3160]: adding interface ipsec0/eth0 1.2.3.5
Mar 25 15:44:59 linux Pluto[3160]: loading secrets from "/etc/ipsec.secrets"
Mar 25 15:44:59 linux Pluto[3160]: "net-checkpoint-net-freeswan" #1: initiating Main Mode
Mar 25 15:44:59 linux Pluto[3160]: "net-checkpoint-net-freeswan" #1: ISAKMP SA established
Mar 25 15:44:59 linux Pluto[3160]: "net-checkpoint-net-freeswan" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK
Mar 25 15:44:59 linux Pluto[3160]: "net-checkpoint-net-freeswan" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Mar 25 15:44:59 linux Pluto[3160]: "net-checkpoint-net-freeswan" #2: sent QI2, IPsec SA established
Mar 25 15:44:59 linux Pluto[3160]: "checkpoint-freeswan" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK
Mar 25 15:44:59 linux Pluto[3160]: "checkpoint-freeswan" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Mar 25 15:44:59 linux Pluto[3160]: "checkpoint-freeswan" #3: sent QI2, IPsec SA established


Setup of Linux Openswan in public key signature mode

Extract, convert and store certificates

Check Point VPN-1

# fwm exportcert -obj checkpoint -cert defaultCert -pem -file checkpoint-cert.pkcs7

Openswan: Check Point VPN-1 related
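The conversion step for the Check Point side, as an added example that is not part of the original page. fwm exportcert with -pem writes a PEM-encoded PKCS#7 bundle (the gateway certificate together with its issuing CA certificate); pluto with the X.509 patch wants them as separate PEM files, CA certificates in /etc/ipsec.d/cacerts and the gateway certificate in /etc/ipsec.d/certs (the locations the log below shows). The names split_pkcs7, subject_of, issuer_of, is_self_signed, install_certs and IPSEC_D are chosen here; the script needs the openssl command line tool and defaults to a scratch directory.

```shell
#!/bin/sh
# Added example: split the PKCS#7 bundle written by "fwm exportcert ... -pem"
# into PEM certificates and put them where pluto with the X.509 patch looks:
# CA certificates in $IPSEC_D/cacerts, gateway certificates in $IPSEC_D/certs.
# IPSEC_D defaults to a scratch directory; use IPSEC_D=/etc/ipsec.d on the
# Linux gateway. Needs the openssl command line tool.
IPSEC_D="${IPSEC_D:-${TMPDIR:-/tmp}/ipsec.d.example}"

# split_pkcs7 BUNDLE OUTDIR: write every certificate in BUNDLE to
# OUTDIR/cert-N.pem. "openssl pkcs7 -print_certs" emits subject/issuer
# lines followed by each PEM block; awk cuts on the BEGIN/END markers.
split_pkcs7() {
    mkdir -p "$2"
    openssl pkcs7 -in "$1" -print_certs |
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }'
}

# subject_of CERT / issuer_of CERT in RFC 2253 form, so the strings compare
# reliably whatever the OpenSSL version's default layout is.
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }

# is_self_signed CERT: the CA certificate in the bundle is self-issued
# (subject equals issuer); everything else is treated as a gateway cert.
is_self_signed() { [ "$(subject_of "$1")" = "$(issuer_of "$1")" ]; }

# install_certs BUNDLE: sort the certificates into cacerts/ and certs/, named
# by subject hash, then verify that each gateway certificate chains to an
# installed CA. Returns 1 if any certificate fails to verify, so a wrong or
# missing CA is noticed here rather than as an IKE failure later.
install_certs() {
    tmp=$(mktemp -d)
    split_pkcs7 "$1" "$tmp"
    mkdir -p "$IPSEC_D/cacerts" "$IPSEC_D/certs"
    for c in "$tmp"/cert-*.pem; do
        [ -f "$c" ] || continue
        name="$(openssl x509 -in "$c" -noout -hash).pem"
        if is_self_signed "$c"; then
            cp "$c" "$IPSEC_D/cacerts/$name"
        else
            cp "$c" "$IPSEC_D/certs/$name"
        fi
    done
    : > "$tmp/ca-bundle.pem"
    for ca in "$IPSEC_D"/cacerts/*.pem; do
        [ -f "$ca" ] && cat "$ca" >> "$tmp/ca-bundle.pem"
    done
    status=0
    for c in "$IPSEC_D"/certs/*.pem; do
        [ -f "$c" ] || continue
        # Match the "OK" text rather than relying on the exit code, which
        # older OpenSSL releases did not set on verification failure.
        if openssl verify -CAfile "$tmp/ca-bundle.pem" "$c" 2>&1 | grep -q ': OK$'; then
            echo "verified $(subject_of "$c")"
        else
            echo "FAILED   $(subject_of "$c")" >&2
            status=1
        fi
    done
    rm -rf "$tmp"
    return $status
}

# Stand-alone use:  IPSEC_D=/etc/ipsec.d sh this-script.sh checkpoint-cert.pkcs7
[ $# -ge 1 ] && install_certs "$1"
```

The file placed in certs/ is what leftcert= in the connection below refers to (a relative leftcert path is resolved against /etc/ipsec.d/certs); the verify step catches the case where the bundle was exported from a different CA than the one the gateway certificate was actually issued by, which otherwise only shows up as a failed Main Mode.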

Openswan: Openswan related

Define the topology as shown above

Edit /etc/ipsec.conf, or store a dedicated configuration file in /etc/ipsec.d/ (the latter only works if ipsec.conf includes that directory):

## Gateway-to-gateway: Check Point <-> FreeS/WAN X.509
conn freeswan-checkpoint-x509
        type=tunnel
        # Left side is Check Point
        left=1.2.3.4
        leftcert=checkpoint-cert.pem
        leftrsasigkey=0x0103......
        # leftid=  # !do not use for Check Point!
        # Right side is FreeS/WAN
        right=1.2.3.5
        rightid="/C=DE/ST=Bavaria/L=Hohenbrunn/O=AERAsec/OU=Lab/CN=Linux/Email=*******"
# As an alternative, the file itself can be specified
#rightcert=freeswan-cert.pem
        rightrsasigkey=%cert
        # rightnexthop=
        keyexchange=ike
        auth=esp
        pfs=no
        auto=start
        authby=rsasig

Note: for fully functional network-to-network encryption, all permutations (gateway-to-network, network-to-gateway and network-to-network) have to be configured as connections as well:
conn freeswan-checkpoint-x509-net
        type=tunnel
        # Left side is Check Point
        left=1.2.3.4
        leftsubnet=net-behind-Check-Point
        # Right side is FreeS/WAN
        right=1.2.3.5
        ...
conn net-freeswan-checkpoint-x509
        type=tunnel
        # Left side is Check Point
        left=1.2.3.4
        # Right side is FreeS/WAN
        right=1.2.3.5
        rightsubnet=net-behind-FreeS/WAN
        ...
conn net-freeswan-checkpoint-x509-net
        type=tunnel
        # Left side is Check Point
        left=1.2.3.4
        leftsubnet=net-behind-Check-Point
        # Right side is FreeS/WAN
        right=1.2.3.5
        rightsubnet=net-behind-FreeS/WAN
        ...

Create secrets

Edit /etc/ipsec.secrets

# Define RSA key
: RSA /etc/ipsec.d/private/freeswan-key.pem "optional key passphrase here"

(Re-)start ipsec

Good luck!
# service ipsec restart

Logging

/var/log/secure normally contains the ipsec log. Note the two "CRL signature is invalid" lines below: the CRL from the Check Point side could not be verified, so revocation was not actually checked for this negotiation, and the SA still came up because the failure was not treated as fatal. Make sure the CRL was exported from the CA that really issued the gateway certificate before relying on it:
Apr 16 17:15:47 linux Pluto[4269]: Starting Pluto (FreeS/WAN Version 1.96)
Apr 16 17:15:47 linux Pluto[4269]:   including X.509 patch (Version 0.9.9)
Apr 16 17:15:47 linux Pluto[4269]: Changing to directory '/etc/ipsec.d/cacerts'
Apr 16 17:15:47 linux Pluto[4269]:   loaded cacert file 'checkpoint-internal-ca.pem' (730 bytes)
Apr 16 17:15:47 linux Pluto[4269]:   loaded cacert file 'ca-cert.pem' (1968 bytes)
Apr 16 17:15:47 linux Pluto[4269]: Changing to directory '/etc/ipsec.d/crls'
Apr 16 17:15:47 linux Pluto[4269]:   loaded crl file 'checkpoint.crl' (556 bytes)
Apr 16 17:15:47 linux Pluto[4269]:   loaded crl file 'ca-crl.pem' (772 bytes)
Apr 16 17:15:47 linux Pluto[4269]:   loaded my X.509 cert file '/etc/x509cert.der' (1428 bytes)
Apr 16 17:15:47 linux Pluto[4269]: added connection description "freeswan-checkpoint-x509"
Apr 16 17:15:47 linux Pluto[4269]: listening for IKE messages
Apr 16 17:15:47 linux Pluto[4269]: adding interface ipsec0/eth0 1.2.3.5
Apr 16 17:15:47 linux Pluto[4269]: loading secrets from "/etc/ipsec.secrets"
Apr 16 17:15:47 linux Pluto[4269]:   loaded private key file '/etc/ipsec.d/private/freeswan-key.pem' (1803 bytes)
Apr 16 17:15:48 linux Pluto[4269]: "freeswan-checkpoint-x509" #1: initiating Main Mode
Apr 16 17:15:48 linux Pluto[4269]: "freeswan-checkpoint-x509" #1: Peer ID is ID_IPV4_ADDR: '1.2.3.4'
Apr 16 17:15:48 linux Pluto[4269]: "freeswan-checkpoint-x509" #1: CRL signature is invalid
Apr 16 17:15:48 linux Pluto[4269]: "freeswan-checkpoint-x509" #1: CRL signature is invalid
Apr 16 17:15:48 linux Pluto[4269]: "freeswan-checkpoint-x509" #1: ISAKMP SA established
Apr 16 17:15:48 linux Pluto[4269]: "freeswan-checkpoint-x509" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL
Apr 16 17:15:48 linux Pluto[4269]: "freeswan-checkpoint-x509" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Apr 16 17:15:48 linux Pluto[4269]: "freeswan-checkpoint-x509" #2: sent QI2, IPsec SA established


Additional notes for Linux FreeS/WAN



No warranty at all, your Feedback is welcome!
© 2002-2011 AERAsec Network Services and Security GmbH, last change 2006-08-07
back to http://www.vpn-1.de/aerasec/