Check Point Firewall-1 NG(X)

VPN between (Linux) Openswan (formerly FreeS/WAN) and Check Point Firewall-1 NG(X)

Mode: RoadWarrior-to-Gateway


AERAsec Network Services and Security GmbH



See introduction page for more.

Example based on the following versions:

Former example(s) based on the following versions:

Content


Topology


Prework

Pre-Shared Secret:

Public Key Signatures:


RoadWarrior setup of Check Point VPN-1 NG(X)

Note that some screenshots are still from NG, but the ones from NGX are very similar.

Create/modify user

Create a new user, enable IKE and logging

Define authentication, integrity and encryption methods

Generate certificate

You have to specify an export password for the PKCS#12 container (private and public key of user) which will be saved on floppy disk.

Create/modify objects: Networks behind gateways

That's easy, no screenshots should be required

Create/modify objects: Firewall itself

Check whether VPN-1 Pro is enabled

Older versions of Check Point Firewall-1 require a dedicated license for VPN-1.

Define topology and VPN domain

Define IKE properties


Public Key Signatures:

Create/modify objects: Linux as VPN partner

Not needed in RoadWarrior setup

Create/modify policy:

Currently, simple mode has only limited support, so traditional mode is the better choice

Switch to traditional mode

And create a new policy afterwards

RoadWarrior-to-gateway rulesets

Properties of encryption

Properties of encryption are defined per user.

Install ruleset

That's easy, no screenshots should be required - good luck!

Logging

17:02:17 authcrypt 1.2.3.4 >daemon src: 1.2.3.5; user: CN=freeswan,OU=users,O=checkpoint.lab.aerasec.de..ab12cd; rule: 0;
 reason: Client Encryption: Authenticated by RSA Signature; scheme: IKE; methods: 3DES,IKE,MD5; product: VPN-1 & FireWall-1;

17:02:17 keyinst 1.2.3.4 >daemon src: 1.2.3.5; dst: 1.2.3.4; peer gateway: 1.2.3.5; scheme: IKE;
 IKE: Main Mode completion.; CookieI: ebc3ad7a4bc1ab2f; CookieR: 79893021bf296e4f; methods: 3DES + MD5, RSA signatures;
 user: CN=freeswan,OU=users,O=checkpoint.lab.aerasec.de..ab12cd;  product: VPN-1 & FireWall-1;

17:02:17 keyinst 1.2.3.4 >daemon src: 1.2.3.5; dst: 1.2.3.4; srckeyid: 0x26cbc41e; dstkeyid: 0x81f632fd;
 peer gateway: 1.2.3.5; scheme: IKE; IKE: Quick Mode Sent Notification: Responder Lifetime; CookieI: ebc3ad7a4bc1ab2f;
 CookieR: 79893021bf296e4f; msgid: df786c92; user: CN=checkpoint.lab.aerasec.de..ab12cd;  product: VPN-1 & FireWall-1;

17:02:17 keyinst 1.2.3.4 >daemon src: 1.2.3.5; dst: 1.2.3.4; srckeyid: 0x26cbc41e; dstkeyid: 0x81f632fd;
 peer gateway: 1.2.3.5; scheme: IKE; IKE: Quick Mode completion; CookieI: ebc3ad7a4bc1ab2f;
 CookieR: 79893021bf296e4f; msgid: df786c92; methods: ESP: 3DES + SHA1 + PFS; IKE IDs: host: 1.2.3.4 and host: 1.2.3.5;
 user: CN=freeswan,OU=users,O=checkpoint.lab.aerasec.de..ab12cd;  product: VPN-1 & FireWall-1;

17:02:17 keyinst 1.2.3.4 >daemon src: 1.2.3.5; dst: 1.2.3.4; srckeyid: 0x26cbc41f; dstkeyid: 0x81f632ff;
 peer gateway: 1.2.3.5; scheme: IKE; IKE: Quick Mode Sent Notification: Responder Lifetime; CookieI: ebc3ad7a4bc1ab2f;
 CookieR: 79893021bf296e4f; msgid: e5e7879f; user: CN=freeswan,OU=users,O=checkpoint.lab.aerasec.de..ab12cd;  product: VPN-1 & FireWall-1;

17:02:17 keyinst 1.2.3.4 >daemon src: 1.2.3.5; dst: 1.2.3.4; srckeyid: 0x26cbc41f; dstkeyid: 0x81f632ff;
 peer gateway: 1.2.3.5; scheme: IKE; IKE: Quick Mode completion; CookieI: ebc3ad7a4bc1ab2f;
 CookieR: 79893021bf296e4f; msgid: e5e7879f; methods: ESP: 3DES + SHA1 + PFS;
 IKE IDs: subnet: 172.16.1.0 (mask= 255.255.255.0) and host: 1.2.3.5; user: CN=freeswan,OU=users,O=checkpoint.lab.aerasec.de..ab12cd;
 product: VPN-1 & FireWall-1;
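As an added example (not part of the original page): the "keyinst" completion entries above are the place to verify that the gateway really negotiated what the user's encryption properties prescribe. The script below pulls the "methods:" and "user:" fields out of such lines and compares them with expected values; those expected values, the re-joined sample lines (the page shows them wrapped) and the "weak" negative case are assumptions constructed for the demo, not output of a real gateway.

```sh
#!/bin/sh
# Added example, not part of the original page: check the Check Point
# "keyinst" completion entries against the parameters the RoadWarrior policy
# is supposed to negotiate. The expected values are assumptions taken from the
# page's example (3DES + MD5 with RSA signatures in Main Mode, ESP 3DES + SHA1
# + PFS in Quick Mode, the Openswan user's DN); adjust them to the encryption
# properties defined for the user.
set -e

EXPECT_P1="3DES + MD5, RSA signatures"
EXPECT_P2="ESP: 3DES + SHA1 + PFS"
EXPECT_USER="CN=freeswan,OU=users,O=checkpoint.lab.aerasec.de..ab12cd"

# field LINE NAME: value of the "NAME: value;" pair in a Check Point log line
# (empty if the field is absent)
field() {
    printf '%s\n' "$1" | sed -n "s/.*[; ]$2: \([^;]*\);.*/\1/p"
}

# check_completion LINE: 0 if a Main/Quick Mode completion line reports the
# expected methods for its phase and the expected user, 1 otherwise
check_completion() {
    case "$1" in
        *"Main Mode completion"*)  want="$EXPECT_P1" ;;
        *"Quick Mode completion"*) want="$EXPECT_P2" ;;
        *) return 1 ;;
    esac
    [ "$(field "$1" methods)" = "$want" ] || return 1
    [ "$(field "$1" user)" = "$EXPECT_USER" ]
}

# audit_log: reads log lines on stdin, reports every completion entry and
# returns 0 only if all of them match. Notification entries (Responder
# Lifetime) and authcrypt entries carry no negotiated methods and are skipped.
audit_log() {
    bad=0
    while IFS= read -r line; do
        case "$line" in *keyinst*"Mode completion"*) ;; *) continue ;; esac
        if check_completion "$line"; then
            echo "ok:       $(field "$line" IKE) [$(field "$line" methods)]"
        else
            echo "MISMATCH: $(field "$line" IKE) [$(field "$line" methods)]"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# --- sample input: the entries from the log above, re-joined into one line
# each (the page shows them wrapped) ---
SAMPLE_CP_LOG=$(cat <<'EOF'
17:02:17 authcrypt 1.2.3.4 >daemon src: 1.2.3.5; user: CN=freeswan,OU=users,O=checkpoint.lab.aerasec.de..ab12cd; rule: 0; reason: Client Encryption: Authenticated by RSA Signature; scheme: IKE; methods: 3DES,IKE,MD5; product: VPN-1 & FireWall-1;
17:02:17 keyinst 1.2.3.4 >daemon src: 1.2.3.5; dst: 1.2.3.4; peer gateway: 1.2.3.5; scheme: IKE; IKE: Main Mode completion.; CookieI: ebc3ad7a4bc1ab2f; CookieR: 79893021bf296e4f; methods: 3DES + MD5, RSA signatures; user: CN=freeswan,OU=users,O=checkpoint.lab.aerasec.de..ab12cd;  product: VPN-1 & FireWall-1;
17:02:17 keyinst 1.2.3.4 >daemon src: 1.2.3.5; dst: 1.2.3.4; srckeyid: 0x26cbc41e; dstkeyid: 0x81f632fd; peer gateway: 1.2.3.5; scheme: IKE; IKE: Quick Mode Sent Notification: Responder Lifetime; CookieI: ebc3ad7a4bc1ab2f; CookieR: 79893021bf296e4f; msgid: df786c92; user: CN=checkpoint.lab.aerasec.de..ab12cd;  product: VPN-1 & FireWall-1;
17:02:17 keyinst 1.2.3.4 >daemon src: 1.2.3.5; dst: 1.2.3.4; srckeyid: 0x26cbc41e; dstkeyid: 0x81f632fd; peer gateway: 1.2.3.5; scheme: IKE; IKE: Quick Mode completion; CookieI: ebc3ad7a4bc1ab2f; CookieR: 79893021bf296e4f; msgid: df786c92; methods: ESP: 3DES + SHA1 + PFS; IKE IDs: host: 1.2.3.4 and host: 1.2.3.5; user: CN=freeswan,OU=users,O=checkpoint.lab.aerasec.de..ab12cd;  product: VPN-1 & FireWall-1;
17:02:17 keyinst 1.2.3.4 >daemon src: 1.2.3.5; dst: 1.2.3.4; srckeyid: 0x26cbc41f; dstkeyid: 0x81f632ff; peer gateway: 1.2.3.5; scheme: IKE; IKE: Quick Mode completion; CookieI: ebc3ad7a4bc1ab2f; CookieR: 79893021bf296e4f; msgid: e5e7879f; methods: ESP: 3DES + SHA1 + PFS; IKE IDs: subnet: 172.16.1.0 (mask= 255.255.255.0) and host: 1.2.3.5; user: CN=freeswan,OU=users,O=checkpoint.lab.aerasec.de..ab12cd;  product: VPN-1 & FireWall-1;
EOF
)

# Constructed negative case (not from a real gateway): the same kind of Quick
# Mode entry with a proposal the policy does not allow; audit_log must flag it.
WEAK_LINE='17:02:17 keyinst 1.2.3.4 >daemon src: 1.2.3.5; dst: 1.2.3.4; scheme: IKE; IKE: Quick Mode completion; methods: ESP: DES + MD5; IKE IDs: host: 1.2.3.4 and host: 1.2.3.5; user: CN=freeswan,OU=users,O=checkpoint.lab.aerasec.de..ab12cd;  product: VPN-1 & FireWall-1;'

printf '%s\n' "$SAMPLE_CP_LOG" | audit_log && echo "all completions match policy"
printf '%s\n' "$WEAK_LINE" | audit_log || echo "weak proposal detected"
```

Run it against an export of the gateway log (one entry per line); a MISMATCH on a Quick Mode entry means the user's encryption properties or the Openswan proposal differ from what you expect, and the "IKE IDs:" field tells you which of the two connections (host-to-host or the 172.16.1.0/24 subnet) was affected.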


RoadWarrior setup of Linux Openswan (public key signature mode)

Extract, convert and store certificates

Check Point

Openswan: Check Point VPN-1 gateway related

Openswan: Check Point VPN-1 user related

Convert user certificate generated by Check Point Management from PKCS#12 to X.509
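The conversion step itself, as an added example that is not part of the original page: the PKCS#12 container exported by Check Point management holds the user certificate and private key under the export password; Openswan needs them as separate PEM files, the certificate for the "rightcert"/"rightid" side of the connection and the key for the ": RSA" line in /etc/ipsec.secrets. File names (user.p12, freeswan-cert.pem, freeswan-key.pem), the demo password and the throw-away self-signed container built at the end are assumptions made so that the script runs stand-alone; on a real system you feed it the floppy's container instead.

```sh
#!/bin/sh
# Added example, not part of the original page: split the PKCS#12 container
# that Check Point management exports for a user into the PEM files Openswan
# expects. File names and the export password are assumptions, as is the
# demo at the bottom, which builds a throw-away self-signed container.
set -e

# split_pkcs12 CONTAINER PASSWORD BASENAME
# Writes BASENAME-cert.pem (user certificate, for /etc/ipsec.d/certs/) and
# BASENAME-key.pem (private key, for /etc/ipsec.d/private/, referenced from
# ipsec.secrets). The key is re-encrypted with the same passphrase, so the
# ': RSA ... "passphrase"' line stays valid.
# If an old Check Point container fails on OpenSSL 3.x with an "unsupported"
# algorithm error (RC2-40/3DES), add "-legacy" to both "openssl pkcs12" calls.
split_pkcs12() {
    p12="$1"; pw="$2"; base="$3"
    umask 077                       # key material must not be world-readable
    openssl pkcs12 -in "$p12" -passin "pass:$pw" -clcerts -nokeys \
        -out "$base-cert.pem"
    # Export the key unencrypted through a pipe (never to disk) and re-encrypt
    # it as an RSA PEM, the form old FreeS/WAN/Openswan versions read.
    openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes \
        | openssl rsa -des3 -passout "pass:$pw" -out "$base-key.pem"
}

# cert_subject CERT.pem: subject DN in the slash form used for rightid=
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt compat \
        | sed 's/^subject= *//'
}

# keys_match CERT.pem KEY.pem PASSWORD: 0 if the key belongs to the certificate
keys_match() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey)
    kpub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout)
    [ "$cpub" = "$kpub" ]
}

# --- constructed demo: build a throw-away container and convert it ---
DEMO_DIR=$(mktemp -d)
DEMO_PW="export-password"           # stands in for the Check Point export password
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=example.test/OU=users/CN=freeswan" \
    -keyout "$DEMO_DIR/k.pem" -out "$DEMO_DIR/c.pem" 2>/dev/null
openssl pkcs12 -export -inkey "$DEMO_DIR/k.pem" -in "$DEMO_DIR/c.pem" \
    -passout "pass:$DEMO_PW" -out "$DEMO_DIR/user.p12"
split_pkcs12 "$DEMO_DIR/user.p12" "$DEMO_PW" "$DEMO_DIR/freeswan"
echo "rightid=\"$(cert_subject "$DEMO_DIR/freeswan-cert.pem")\""
keys_match "$DEMO_DIR/freeswan-cert.pem" "$DEMO_DIR/freeswan-key.pem" "$DEMO_PW" \
    && echo "certificate and key match"
```

The printed subject is exactly what goes into rightid= (compare the value used in ipsec.conf below), and keys_match is the check to run before restarting ipsec so that a wrong container or password shows up here rather than as a failed Main Mode. The CA certificate of the Check Point internal CA and its CRL go to /etc/ipsec.d/cacerts/ and /etc/ipsec.d/crls/ respectively; if Pluto later logs "Issuer CRL not found", no CRL for the peer's issuer was available and, with the default strictcrlpolicy=no, the connection is accepted without a revocation check.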

Define topology like shown above

Edit /etc/ipsec.conf

## RoadWarrior to Gateway: FreeS/WAN X.509 <-> Check Point
conn freeswan-checkpoint-x509
        # Right side is FreeS/WAN RoadWarrior
        right=%defaultroute
        rightrsasigkey=%cert
        rightid="/O=checkpoint.lab.aerasec.de..ab12cd/OU=users/CN=freeswan"
        #rightcert=freeswan-cert.pem # As an alternative, the file itself can be specified
        # Left side is Check Point
        left=1.2.3.4
        leftcert=checkpoint-cert.pem
        leftrsasigkey=%cert
        #leftrsasigkey=0x0103...... # only needed for old FreeS/WAN
        leftid=1.2.3.4 # Check Point VPN-1 sends its IP address as ID
        #leftid= # leave unset for old FreeS/WAN
        # config
        type=tunnel
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        auth=esp
        keyexchange=ike
        auto=start
## RoadWarrior to Net behind Gateway: FreeS/WAN X.509 <-> Check Point - Net
conn freeswan-checkpoint-x509-net
        # Right side is FreeS/WAN RoadWarrior
        right=%defaultroute
        rightrsasigkey=%cert
        rightid="/O=checkpoint.lab.aerasec.de..ab12cd/OU=users/CN=freeswan"
        #rightcert=freeswan-cert.pem # As an alternative, the file itself can be specified
        # Left side is Check Point
        left=1.2.3.4
        leftsubnet=172.16.1.0/24
        leftcert=checkpoint-cert.pem
        leftrsasigkey=%cert
        #leftrsasigkey=0x0103...... # only needed for old FreeS/WAN
        leftid=1.2.3.4 # Check Point VPN-1 sends its IP address as ID
        #leftid= # leave unset for old FreeS/WAN
        # config
        type=tunnel
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        auth=esp
        keyexchange=ike
        auto=start

Create secrets

Edit /etc/ipsec.secrets

# Define RSA key
: RSA /etc/ipsec.d/private/freeswan-key.pem "key passphrase here"

(Re-)start ipsec

Good luck!
# service ipsec restart

Logging

/var/log/secure normally contains the log messages of ipsec (Pluto):
Sep 10 16:53:45 linux pluto[3777]: Starting Pluto (FreeS/WAN Version 1.98b)
Sep 10 16:53:45 linux pluto[3777]:   including X.509 patch (Version 0.9.14)
Sep 10 16:53:45 linux pluto[3777]: ike_alg_register_enc: Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep 10 16:53:45 linux pluto[3777]: ike_alg_register_enc: Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Sep 10 16:53:46 linux pluto[3777]: ike_alg_register_enc: Activating OAKLEY_CAST_CBC: Ok (ret=0)
Sep 10 16:53:46 linux pluto[3777]: ike_alg_register_enc: Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Sep 10 16:53:46 linux pluto[3777]: ike_alg_register_hash: Activating OAKLEY_SHA2_256: Ok (ret=0)
Sep 10 16:53:46 linux pluto[3777]: ike_alg_register_hash: Activating OAKLEY_SHA2_512: Ok (ret=0)
Sep 10 16:53:46 linux pluto[3777]: ike_alg_register_enc: Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Sep 10 16:53:46 linux pluto[3777]: ike_alg_register_enc: Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
Sep 10 16:53:46 linux pluto[3777]: Changing to directory '/etc/ipsec.d/cacerts'
Sep 10 16:53:46 linux pluto[3777]:   loaded cacert file 'checkpoint-internal-ca.pem' (1149 bytes)
Sep 10 16:53:46 linux pluto[3777]: Changing to directory '/etc/ipsec.d/crls'
Sep 10 16:53:46 linux pluto[3777]:   loaded crl file 'checkpoint.crl' (556 bytes)
Sep 10 16:53:46 linux pluto[3777]:   loaded my default X.509 cert file '/etc/x509cert.der' (782 bytes)
Sep 10 16:53:46 linux pluto[3777]: listening for IKE messages
Sep 10 16:53:46 linux pluto[3777]: adding interface ipsec0/eth0 1.2.3.5
Sep 10 16:53:46 linux pluto[3777]: loading secrets from "/etc/ipsec.secrets"
Sep 10 16:53:46 linux pluto[3777]:   loaded private key file '/etc/ipsec.d/private/freeswan-key.pem' (1102 bytes)
Sep 10 16:55:24 linux pluto[3777]: | from whack: got --esp=3des
Sep 10 16:55:24 linux pluto[3777]: | from whack: got --ike=3des
Sep 10 16:55:24 linux pluto[3777]: added connection description "freeswan-checkpoint-x509"
Sep 10 16:55:28 linux pluto[3777]: | from whack: got --esp=3des
Sep 10 16:55:28 linux pluto[3777]: | from whack: got --ike=3des
Sep 10 16:55:28 linux pluto[3777]: added connection description "freeswan-checkpoint-x509-net"
Sep 10 16:56:07 linux pluto[3777]: "freeswan-checkpoint-x509" #3: initiating Main Mode
Sep 10 16:56:07 linux pluto[3777]: "freeswan-checkpoint-x509" #3: Peer ID is ID_IPV4_ADDR: '1.2.3.4'
Sep 10 16:56:07 linux pluto[3777]: "freeswan-checkpoint-x509" #3: Issuer CRL not found
Sep 10 16:56:07 linux pluto[3777]: "freeswan-checkpoint-x509" #3: Issuer CRL not found
Sep 10 16:56:07 linux pluto[3777]: "freeswan-checkpoint-x509" #3: ISAKMP SA established
Sep 10 16:56:07 linux pluto[3777]: "freeswan-checkpoint-x509" #4: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS
Sep 10 16:56:07 linux pluto[3777]: "freeswan-checkpoint-x509" #4: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Sep 10 16:56:07 linux pluto[3777]: "freeswan-checkpoint-x509" #4: sent QI2, IPsec SA established

Sep 10 16:57:01 linux pluto[3777]: "freeswan-checkpoint-x509-net" #5: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS
Sep 10 16:57:01 linux pluto[3777]: "freeswan-checkpoint-x509-net" #5: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Sep 10 16:57:01 linux pluto[3777]: "freeswan-checkpoint-x509-net" #5: sent QI2, IPsec SA established


No warranty at all, your Feedback is welcome!
© 2002-2011 AERAsec Network Services and Security GmbH, last change 2006-08-07
back to http://www.vpn-1.de/aerasec/