Check Point Firewall-1 NG(X)

VPN between Check Point Firewall-1 NG(X) and Linux 2.6.x using IKE daemon racoon


AERAsec Network Services and Security GmbH


Support matrix

Note: not all combinations have been tested yet. Note also that CAST is normally not supported by the Linux kernel.

IKE encryption

Method                                                                         | DES     | BLOWFISH | 3DES    | CAST          | AES               | SERPENT | TWOFISH
-------------------------------------------------------------------------------+---------+----------+---------+---------------+-------------------+---------+--------
Check Point VPN-1 NG AI                                                        | yes     | no       | yes     | yes (128)     | yes (256)         | no      | no
Check Point VPN-1 NGX R61                                                      | yes     | no       | yes     | yes (128)     | yes (128,256)     | no      | no
Linux kernel 2.6.3 / racoon (ipsec-tools 0.2.3)                                | yes     | yes      | yes     | no            | no                | no      | no
Linux kernel 2.6.17 / racoon (ipsec-tools 0.6.4)                               | yes     | yes      | yes     | yes (128)     | yes (128,256)     | no      | no
-------------------------------------------------------------------------------+---------+----------+---------+---------------+-------------------+---------+--------
kernel 2.6.3 / racoon (ipsec-tools 0.2.3) vs. Check Point VPN-1 NG AI          | working | no       | working | no            | no                | no      | no
Linux kernel 2.6.17 / racoon (ipsec-tools 0.6.4) vs. Check Point VPN-1 NGX R61 | working | no       | working | working (128) | working (128,256) | no      | no

IKE integrity and authentication

MD5, SHA1 and SHA2 are the IKE integrity methods; Pre-Shared Secret and Public Key Signatures are the IKE authentication methods. Values in [brackets] are the racoon hash_algorithm names.

Method                                                                         | MD5       | SHA1       | SHA2                     | Pre-Shared Secret | Public Key Signatures
-------------------------------------------------------------------------------+-----------+------------+--------------------------+-------------------+----------------------
Check Point VPN-1 NG AI R55                                                    | yes       | yes        | no                       | yes               | yes
Check Point VPN-1 NGX R61                                                      | yes       | yes        | no                       | yes               | yes
Linux kernel 2.6.3 / racoon (ipsec-tools 0.2.3)                                | yes       | yes        | no                       | yes               | yes
Linux kernel 2.6.17 / racoon (ipsec-tools 0.6.4)                               | yes [md5] | yes [sha1] | yes (256,384,512) [sha*] | yes               | yes
-------------------------------------------------------------------------------+-----------+------------+--------------------------+-------------------+----------------------
kernel 2.6.3 / racoon (ipsec-tools 0.2.3) vs. Check Point VPN-1 NG AI          | working   | working    | no                       | working           | not tested
Linux kernel 2.6.17 / racoon (ipsec-tools 0.6.4) vs. Check Point VPN-1 NGX R61 | working   | working    | no                       | working           | working

IKE Diffie-Hellman Groups and Perfect Forward Secrecy

Diffie-Hellman groups are given as modulus size in bits (group number); the last column is Perfect Forward Secrecy (PFS).

Method                                                                         | 768 (#1) | 1024 (#2) | 1536 (#5) | 2048 (#14) | 3072 (#15) | 4096 (#16) | 6144 (#17) | 8192 (#18) | PFS
-------------------------------------------------------------------------------+----------+-----------+-----------+------------+------------+------------+------------+------------+--------
Check Point VPN-1 NG AI R55                                                    | yes      | yes       | yes       | no         | no         | no         | no         | no         | yes
Check Point VPN-1 NGX R61                                                      | yes      | yes       | yes       | yes        | no         | no         | no         | no         | yes
Linux kernel 2.6.3 / racoon (ipsec-tools 0.2.3)                                | yes      | yes       | yes       | yes        | yes        | yes        | yes        | yes        | yes
Linux kernel 2.6.17 / racoon (ipsec-tools 0.6.4)                               | yes      | yes       | yes       | yes        | yes        | yes        | yes        | ?          | yes
-------------------------------------------------------------------------------+----------+-----------+-----------+------------+------------+------------+------------+------------+--------
kernel 2.6.3 / racoon (ipsec-tools 0.2.3) vs. Check Point VPN-1 NG AI          | working  | working   | working   | no         | no         | no         | no         | no         | working
Linux kernel 2.6.17 / racoon (ipsec-tools 0.6.4) vs. Check Point VPN-1 NGX R61 | working  | working   | working   | working    | no         | no         | no         | no         | working

Payload encryption

Method                                                                         | DES          | BLOWFISH | 3DES    | CAST         | AES               | SERPENT | TWOFISH | NULL
-------------------------------------------------------------------------------+--------------+----------+---------+--------------+-------------------+---------+---------+--------
Check Point VPN-1 NG AI R55                                                    | yes (40,56)  | no       | yes     | yes (40,128) | yes (128,256)     | no      | no      | ?
Check Point VPN-1 NGX R61                                                      | yes (40,56)  | no       | yes     | yes (40,128) | yes (128,256)     | no      | no      | yes
Linux kernel 2.6.3 / racoon (ipsec-tools 0.2.3)                                | yes (56)     | no       | yes     | no           | yes (128,192,256) | no      | no      | ?
Linux kernel 2.6.17 / racoon (ipsec-tools 0.6.4)                               | yes (56)     | yes      | yes     | yes (128)    | yes (128,192,256) | no      | yes     | yes
-------------------------------------------------------------------------------+--------------+----------+---------+--------------+-------------------+---------+---------+--------
kernel 2.6.3 / racoon (ipsec-tools 0.2.3) vs. Check Point VPN-1 NG AI          | working (56) | no       | working | no           | working (128,256) | no      | no      | ?
Linux kernel 2.6.17 / racoon (ipsec-tools 0.6.4) vs. Check Point VPN-1 NGX R61 | working (56) | no       | working | no a)        | working (128,256) | no      | no      | working

a) While "cast128" works for phase 1, racoon complains while reading the configuration for phase 2: "algorithm CAST not supported by the kernel".

Payload integrity and compression

MD5, SHA1 and SHA2 are the payload integrity methods; DEFLATE is the compression method.

Method                                                                         | MD5     | SHA1    | SHA2              | DEFLATE
-------------------------------------------------------------------------------+---------+---------+-------------------+----------------
Check Point VPN-1 NG AI                                                        | yes     | yes     | no                | yes
Check Point VPN-1 NGX R61                                                      | yes     | yes     | no                | yes
Linux kernel 2.6.3 / racoon (ipsec-tools 0.2.3)                                | yes     | yes     | no                | yes
Linux kernel 2.6.17 / racoon (ipsec-tools 0.6.4)                               | yes     | yes     | yes (256,384,512) | yes
-------------------------------------------------------------------------------+---------+---------+-------------------+----------------
kernel 2.6.3 / racoon (ipsec-tools 0.2.3) vs. Check Point VPN-1 NG AI          | working | working | no                | problem *
Linux kernel 2.6.17 / racoon (ipsec-tools 0.6.4) vs. Check Point VPN-1 NGX R61 | working | working | no                | incompatible a)

* It looks like racoon has an SA problem.
a) Check Point VPN-1 reports: "IKE: Quick Mode Failed to match proposal: Transform: DEFLATE Reason: Not configured to support: IPComp." (The same happens with kernel 2.6.x and Openswan; the reason is currently unknown.)

Specifying encryption and hash methods in (Linux) racoon

The configuration file for racoon is normally /etc/racoon/racoon.conf.

IKE (phase 1)

A known peer is defined like:

# CP VPN-1
remote 1.2.3.4
{
    exchange_mode main;
    lifetime time 24 hour;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

See man-page racoon.conf.5 for more information.

IPsec (phase 2)

In addition to the security policy (SP) set up with setkey, racoon also has to know about the traffic it negotiates keys for. An SA is defined like:

# net-to-net
sainfo address 172.16.2.0/24 any address 172.16.1.0/24 any
{
    lifetime time 1 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
    pfs_group modp2048;
}

Note that hash methods specified for phase 2 have "hmac_" prepended (hmac_md5, hmac_sha1), while phase 1 uses the bare names (md5, sha1).
See man-page racoon.conf.5 for more information.
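As an added example (not part of the original page or of racoon), a small Python checker that reads a racoon.conf fragment written in the style above and flags phase 1 and phase 2 settings which the support matrix above reports as not working between Linux 2.6.17 / racoon 0.6.4 and Check Point VPN-1 NGX R61, including a phase 2 hash without the "hmac_" prefix. The allowed sets, the brace parser and the sample configuration are assumptions of this example.

```python
import re
# Settings that worked between Linux 2.6.17 / racoon 0.6.4 and Check Point NGX R61
# according to the support matrix above (assumed complete for this example).
ALLOWED = {
    ("remote", "encryption_algorithm"): {"des", "3des", "cast128", "aes"},  # no blowfish
    ("remote", "hash_algorithm"): {"md5", "sha1"},                           # no sha2
    ("remote", "dh_group"): {"1", "2", "5", "14"},                           # modp768..2048
    ("sainfo", "encryption_algorithm"): {"des", "3des", "aes", "null"},     # cast128: note a)
    ("sainfo", "authentication_algorithm"): {"hmac_md5", "hmac_sha1"},      # needs "hmac_"
    ("sainfo", "pfs_group"): {"modp768", "modp1024", "modp1536", "modp2048"},
    ("sainfo", "compression_algorithm"): set(),                             # deflate: note a)
}
# Constructed racoon.conf fragment with deliberate mistakes in both phases.
SAMPLE = """
remote 1.2.3.4 {
    proposal {
        encryption_algorithm blowfish;
        dh_group 2;
    }
}
sainfo address 172.16.2.0/24 any address 172.16.1.0/24 any {
    encryption_algorithm cast128;
    authentication_algorithm sha1;
    compression_algorithm deflate;
    pfs_group modp3072;
}
"""

def blocks(text, keyword):
    """Body of every top-level 'keyword ... { ... }' block, nested braces kept."""
    out = []
    for m in re.finditer(rf"^\s*{keyword}\b[^{{]*\{{", text, re.M):
        depth, start = 1, m.end()
        for i in range(start, len(text)):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            if depth == 0:
                out.append(text[start:i])
                break
    return out

def setting(body, key):
    """Value of the 'key value;' statement in a block body, or None if absent."""
    return m.group(1) if (m := re.search(rf"\b{key}\s+(\S+?)\s*;", body)) else None

def check_racoon_conf(text):
    """Return one message per setting the matrix says will not work."""
    issues = []
    for (keyword, key), allowed in ALLOWED.items():
        for body in blocks(text, keyword):
            if (value := setting(body, key)) is not None and value not in allowed:
                issues.append(f"{keyword}: {key} {value} will not work")
    return issues
```

Running check_racoon_conf(SAMPLE) reports five problems: blowfish in phase 1, cast128, the unprefixed sha1, deflate and modp3072 in phase 2.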

Specifying security policy in Linux kernel

The security policy (SP) in the Linux kernel is modified with the program setkey. Current best practice is to create a shell script containing the commands for setkey. Example:

#!/sbin/setkey -f
flush;
spdflush;

# Linux-racoon -> CP VPN-1
spdadd 172.16.2.0/24 172.16.1.0/24 any -P out ipsec
    esp/tunnel/1.2.3.5-1.2.3.4/require;
spdadd 1.2.3.5 1.2.3.4 any -P out ipsec
    esp/tunnel/1.2.3.5-1.2.3.4/require;

# CP VPN-1 -> Linux-racoon
spdadd 172.16.1.0/24 172.16.2.0/24 any -P in ipsec
    esp/tunnel/1.2.3.4-1.2.3.5/require;
spdadd 1.2.3.4 1.2.3.5 any -P in ipsec
    esp/tunnel/1.2.3.4-1.2.3.5/require;

Example to enable IP compression (IPComp) for a tunnel (note: currently there is a problem with racoon, see the compression column of the support matrix):

#!/sbin/setkey -f
flush;
spdflush;

# Linux-racoon -> CP VPN-1
spdadd 172.16.2.0/24 172.16.1.0/24 any -P out ipsec
    ipcomp/transport//use
    esp/tunnel/1.2.3.5-1.2.3.4/require;
spdadd 1.2.3.5 1.2.3.4 any -P out ipsec
    ipcomp/transport//use
    esp/tunnel/1.2.3.5-1.2.3.4/require;

# CP VPN-1 -> Linux-racoon
spdadd 172.16.1.0/24 172.16.2.0/24 any -P in ipsec
    ipcomp/transport//use
    esp/tunnel/1.2.3.4-1.2.3.5/require;
spdadd 1.2.3.4 1.2.3.5 any -P in ipsec
    ipcomp/transport//use
    esp/tunnel/1.2.3.4-1.2.3.5/require;

Debugging and monitoring

IKE daemon racoon

Starting the IKE daemon racoon with the options -F -d keeps it running in the foreground and sends the debug log to stdout.

Security policy

Monitoring


No warranty at all; your feedback is welcome!
© 2003-2011 AERAsec Network Services and Security GmbH, last change 2006-08-07
back to http://www.vpn-1.de/aerasec/