Configuring a site-to-site VPN with a VPN-1 Gateway using the VPN-1 Edge VPN Wizard

Transcription

1 Configuring a site-to-site VPN with a VPN-1 Gateway using the VPN-1 Edge VPN Wizard VPN-1/FireWall-1 NG with Application Intelligence R55 HFA 13 Windows 2000 Server VPN-1 Edge X Series Firmware x The following setup will be utilized for sample configuration procedures:

2 Network objects to create: 1) Check Point Gateway network object to represent the VPN-1 Gateway/SmartCenter Server: Name: jupiter IP Address: Version: NG with Application Intelligence Type: Check Point Enterprise/Pro Check Point Products: Firewall, VPN, Primary Management Station, SVN Foundation, Log Server 2) Network object to represent the VPN domain of the VPN-1 Gateway: Name: net_ Network Address: Net Mask: Overview of required configuration steps for a site-to-site VPN between the VPN-1 Gateway and VPN-1 Edge endpoint: Create the Security Gateway, SmartDashboard, VPN-1 Edge, SmartPortal, and VPN domain objects h Create the Security Gateway VPN Community for the Site to Site VPN h Create the VPN Community rules in the Security Rule Base h Create the topology download user h Export the VPN-1 Edge VPN Certificate Step-by-step Site-to-site VPN-1 Edge Configuration Specify the VPN domain for the VPN-1 Gateway 1) Select Manage > Network Objects. 2) In the Network Objects dialog box, select the VPN-1 Gateway network object (ie. jupiter) from the network objects list. 3) Click Edit. 4) In the Check Point Gateway dialog box, select the Topology branch in the left pane. 5) In the Topology page, select the Manually defined option in the VPN Domain section. 6) Select the network object representing the VPN domain (net_ ) from Manually defined drop down list. 7) Click OK in the Check Point Gateway dialog box. 8) Click Close in the Network Objects dialog box.

3 Create the network object respresenting the VPN domain of the VPN-1 Edge 1) Select Manage > Network Objects. 2) In the Network Objects dialog box, select New > Network. 3) In the Network Properties dialog box, select the General tab. 4) Configure the General tab per the following: Name: net_ Network Address: Net Mask: ) Click OK in the Network Properties dialog box. 6) Click Close in the Network Objects dialog box. Create the VPN-1 Edge Gateway network object 1) Select Manage > Network Objects. 2) In the Network Objects dialog box, select New > Check Point > VPN-1 Edge Gateway. 3) In VPN-1 Edge/Embedded Gateway dialog box, select General Properties branch in the left pane. 4) Configure the General Properties page per the following: Name: edge_box VPN Enabled: checked VPN connection method: Site To Site IP Address: Dynamic Address: unchecked Type: VPN-1 Edge X Series Externally Managed Gateway: checked 5) Click the Edit Registration Key button. 6) In the Edit Registration Key dialog box, enter the VPN-1 Edge registration key (ie. abc123) in the blank field. 7) Click Set in the Edit Registration Key dialog box. 8) In the VPN-1 Edge/Embedded Gateway dialog box, select the Topology branch in the left pane. 9) In the Topology page, select the Manually defined option in the VPN Domain section. 10) Select the network object representing the VPN domain of the VPN-1 Edge (ie. net_ ) from the Manually defined drop down list.

4 11) Click OK in the VPN-1 Edge/Embedded Gateway dialog box. System dialog box displays message: Check Point SmartDashboard This node is defined as VPN-1 installed, an internal CA certificate will be created now 12) Click OK. System dialog box displays message: Check Point SmartDashboard Certificate operation succeeded 13) Click OK. 14) Click Close in the Network Objects dialog box. Create the VPN Community for the Site to Site VPN 1) Select Manage > VPN Communities. 2) In the VPN Communities dialog box, select New > Site To Site > Star. 3) In the Star Community Properties dialog box, select the General branch in the left pane. 4) Configure the General page per the following: Name: star_community Enable VPN routing for satellites: To center only Accept all encrypted traffic: unchecked 5) In the Star Community Properties dialog box, select the Central Gateways branch in the left pane. 6) In the Central Gateways page, click Add. 7) In the Add Central Gateways dialog box, select the VPN-1 Gateway network object (ie. jupiter) from the central gateways list. 8) Click OK in the Add Central Gateways dialog box. 9) Uncheck the Mesh center gateways check box. 10) In the Star Community Properties dialog box, select the Satellite Gateways branch in the left pane. 11) In the Satellite Gateways page, click Add. 12) In the Add Satellite Gateways dialog box, select the VPN-1 Edge network object (ie. edge_box) from the satellite gateways list. 13) Click OK in the Add Satellite Gateways dialog box.

5 14) In the Star Community Properties dialog box, select the VPN Properties branch in the left pane. 15) In the VPN Properties page, configure the IKE (Phase 1) Properties section per the following: Perform key exchange encryption with: AES-256 Perform data integrity with: MD5 16) Configure the IPsec (Phase 2) Properties section per the following: Perform IPsec data encryption with: AES-128 Perform data integrity with: MD5 17) In the Star Community Properties dialog box, select Advanced Properties branch in the left pane. 18) In the Advanced Properties page, configure the IKE (Phase 1) section per the following: Use Diffie-Hellman group: Group 2 (1024 bit) Renegotiate IKE security associations every 1440 minutes Use aggressive mode: unchecked 19) Configure the IPsec (Phase 2) section per the following: Use Perfect Forward Secrecy: unchecked Renegotiate IPsec security associations every 3600 seconds Support Site to Site IP compression: unchecked 20) Configure the NAT section per the following: Disable NAT inside the VPN community: checked 21) In the Star Community Properties dialog box, select the Shared Secret branch in the left pane. 22) In the Shared Secret page, uncheck the Use only Shared Secret for all External members check box. 23) Click OK in the Star Community Properties dialog box. 24) Click Close in the VPN Communities dialog box. Create the VPN Community rules 1) Select the Security tab.

6 2) In the Security tab, create the following two rules at the top of the Rule Base: NO: 1 SOURCE: net_ DESTINATION: net_ VPN: star_community SERVICE: Any ACTION: Accept TRACK: Log INSTALL ON: jupiter NO: 2 SOURCE: net_ DESTINATION: net_ VPN: star_community SERVICE: Any ACTION: Accept TRACK: Log INSTALL ON: jupiter To specify the star_community VPN community in the VPN column of a rule, proceed with the following: 1) Right click on Any Traffic in the VPN column of the appropriate rule and select Edit Cell. 2) In the VPN Match Conditions dialog box, select the Only connections encrypted in specific VPN Communities option. 3) Click Add. 4) In the Add Community to rule dialog box, select the VPN community (ie. star_community) in the community list. 5) Click OK in the Add Community to rule dialog box. 6) Click OK in the VPN Match Conditions dialog box. Create the topology download user 1) Select Manage > Users and Administrators. 2) In the Users and Administrators dialog box, select New > User by Template > Default. 3) In the User Properties dialog box, select the General tab. 4) In the General tab, enter the topology download user name (ie. topo_user) in the Login Name field. 5) In the User Properties dialog box, select the Personal tab. 6) In the Personal tab, enter the expiration date of the topology download user (ie. 31-dec-2008) in the Expiration Date field. 7) In the User Properties field, select the Authentication tab. 8) In the Authentication tab, select Undefined from the Authentication Scheme drop down list. 9) In the User Properties dialog box, select the Encrytpion dialog box.

7 10) In the Encryption dialog box, check the IKE check box in the Client Encryption Methods section. 11) Click Edit. 12) In the IKE Phase 2 Properties dialog box, select the Authentication tab. 13) In the Authentication tab, check the Password (Pre-shared secret) check box. 14) Enter the topology download user password (ie. ghi789) in the Password (Pre-shared secret) field. 15) Enter the topology download user password (ie. ghi789) again in the Confirm Password field. 16) Uncheck the Public Key check box. 17) Click OK in the IKE Phase 2 Properties dialog box. 18) Click OK in the User Properties dialog box. 19) Click Close in the Users and Administrators dialog box. Export the VPN-1 Edge VPN Certificate 1) Select Manage > Network Objects. 2) In the Network Objects dialgo box, select the VPN-1 Edge network object (ie. edge_box) in the network objects list. 3) Click Edit. 4) In the VPN-1 Edge/Embedded Gateway dialog box, select the VPN branch in the left pane. 5) In the VPN page, select the defaultcert certificate in the Certificate List window. 6) Click Edit. 7) In the Certificate Properties dialog box, click on Save As in the Certificate Creation section. 8) In the Enter Password dialog box, enter the VPN certificate password (ie. def456) in the Password field. 9) Enter the VPN certificate password (ie. def456) in the Confirm Password field. 10) Click OK in the Enter Password dialog box. 11) Insert a blank floppy disk in the SmartDashboard machine floppy disk drive. 12) In the Save Certificate As dialog box, set the parameters per the following: Save in: 3 1/2 Floppy (A:) File name: edge_box.p12 Save as type: Certificate Files (*.p12) 13) Click Save. 14) Click OK in the Certificate Properties dialog box. 15) Click OK in the VPN-1 Edge/Embedded Gateway dialog box. 16) Click Close in the Network Objects dialog box. 17) Install Security Policy on the VPN-1 Gateway (jupiter).

8 Configure the VPN-1 Edge side Delete the default VPN certificate on the VPN-1 Edge In the VPN-1 Edge Portal 1) Select VPN from the left pane. 2) Select the Certificate tab. 3) In the Certificate tab, click on Uninstall Certificate. System dialog box display following message: Microsoft Internet Explorer This will uninstall the certificate. Are you sure? 4) Click OK. 5) Click OK in the Certificate tab. Import the VPN-1 Edge VPN Certificate In the VPN-1 Edge SmartPortal 1) Select VPN from the left pane. 2) Select the Certificate tab. 3) In the Certificate tab, click on Install Certificate to initiate the VPN-1 Edge Certificate Wizard. 4) In the Welcome to the Certificate Wizard dialog box, select the Import a security certificate in PKCS#12 format option. 5) Click Next. 6) Insert the floppy disk containing the edge_box.p12 file in the VPN-1 Edge SmartPortal machine floppy disk drive. 7) In the Import Certificate dialog box, click on the Browse button 8) In the Open dialog box, set the parameters per the following: Look in: 3 1/2 Floppy (A:) File name: edge_box.p12 Files of type: All Documents (*.*) 9) Click Open. 10) In the Import Certificate dialog box, verify the filename is seen in the certificate file name field: A:\edge_box.p12 11) Click Next. 12) In the Import Certificate > Passphrase dialog box, enter the VPN certificate password (ie. def456) in the passphrase field. 13) Click Next. 14) In the Done dialog box, click Finish.

9 Establish the Site-to-Site VPN with the VPN Wizard In the VPN-1 Edge SmartPortal 1) Select VPN from the left pane. 2) Select the VPN Sites tab. 3) In the VPN Sites tab, click New Site to initiate the VPN-1 Edge VPN Site Wizard. 4) In the Welcome to the VPN Site Wizard dialog box, select the Site-To-Site option. 5) Click Next. 6) In the VPN Gateway Address dialog box, enter the VPN-1 gateway IP address (ie ) in the VPN Gateway field. 7) Check the Bypass NAT check box. 8) Check the Bypass the firewall check box. 9) Click Next. 10) In the VPN Network Configuration dialog box, select the Specify Configuration option. 11) Click Next. 12) In the VPN Network Configuration dialog box, enter the network address of the VPN-1 Gateway VPN domain (ie ) in the top Destination network 1. field. 13) Set the subnet mask of the VPN-1 Gateway VPN domain network in the Subnet mask 1. drop down list to [/24]. 14) Click Next. 15) In the Authentication Method dialog box, select the Certificate option. 16) Click Next. 17) In the Connect dialog box, check the Try to Connect to the VPN Gateway check box. 18) Click Next. 19) In the Contacting VPN Site dialog box, click on Next. 20) In the Site Name dialog box, enter the name of the VPN site (ie. edge_site) in the Site Name field. 21) Uncheck the Keep this site alive check box. 22) Click on Next. 23) In the VPN Site Created dialog box, click Finish.