Version 2.0 HOW-TO GUIDELINES. Setting up a Clustered VPN between StoneGate and Check Point NG TECHN11SG2.1-3/4/03

Transcription

1 Version 2.0 HOW-TO GUIDELINES Setting up a Clustered VPN between StoneGate and Check Point NG TECHN11SG2.1-3/4/03

2 Introduction This document outlines the steps necessary to set up a clustered site-to-site VPN between StoneGate v2.0.6 and Check Point Next Generation (NG) Feature Pack 3 (FP3). Ensure that StoneBeat FullCluster, Check Point NG and StoneGate have already been installed. Network Environment The example network setting depicted in Figure 1.1 illustrates the network environment you are going to configure. FIGURE 1.1 Network Environment There are two different firewalls: StoneGate firewall cluster v2.0.6 that connects the following networks: the external IP address ( ) the internal network (encryption domain internal-sg-lan.) ( / 24) HOW-TO GUIDELINES 2

3 the Control and Heartbeat LAN ( /24). Check Point NG FP3 (build 53225) running on SUN Solaris 2.8 (64-bit) with recommended patches clustered with StoneBeat FullCluster 3.0 SP 2-1 (build 3041). It connects the following networks: the external IP address ( ) the internal network (encryption domain intra.) ( /24) the Control and Heartbeat LAN ( /24). Getting Started In order to configure the VPN parameters in Check Point NG with FullCluster, you need to have completed the following steps as they are essential: 1. Delete the routes through the alias interfaces (cluster IP address). 2. In case you are using a Cisco router, you must statically add router ARP entry in the cluster nodes and corresponding cluster multicast MAC addresses on the Cisco router. 3. Define the correct load balancing filter settings ($SBFCHOME/etc/filter.conf) for the VPN. (In this example, we will use the following IP addresses for the tunnel , and netmask ). In order to configure the VPN parameters in StoneGate firewall cluster v2.0.6, make sure that you have completed the following steps before configuring the StoneGate VPN: 1. In case you are using a Cisco router, you must statically add router ARP entry in the cluster nodes and corresponding cluster multicast MAC addresses on the Cisco router. 2. Create all the required network elements. In Check Point NG the gateway cluster object must be used for the VPN. HOW-TO GUIDELINES 3

4 Configuring the VPN VPN Parameters First, you will configure the VPN settings in Check Point NG. Then, you will configure the VPN settings in StoneGate. The following IPSec parameters will be used to create the VPN tunnel between StoneGate and Check Point NG: IKE Phase 1: Authentication method: Pre-shared secret Diffie-Hellman Group 2 IKE Negotiation mode: Main 3DES + SHA1 IKE Phase 2: ESP 3DES + SHA1 VPN settings in Check Point NG To configure the VPN settings in Check Point NG follow the instructions: 1. Open the Check Point NG - Smart Dashboard. 2. Open the Global Properties window from the menu: Policy Global Properties. HOW-TO GUIDELINES 4

5 ILLUSTRATION 1.1 Choosing the VPN Configuration Method 3. The Global Properties window will appear on the screen. Select VPN-1 Pro from the tree on the left side of the window. Mark the checkbox labelled Simplified mode to all new Security Policies as in Illustration 1.1 on page 5. Click OK. 4. Right-click on the Check Point gateway cluster object from the tree on the left side of the screen by clicking on the plus ( + ). Select Properties. HOW-TO GUIDELINES 5

6 ILLUSTRATION 1.2 Gateway Cluster Properties window 5. The Gateway Cluster Properties window will appear on screen. Select Topology from the tree on the left side of the window. 6. Check the radio button Manually defined. Then, select the defined VPN domain to be your internal LAN (in our example, we will select intra). 7. Select VPN in the tree on the left side of the Gateway Cluster Properties window. Then, click on Traditional mode configuration. 8. Click OK. HOW-TO GUIDELINES 6

7 ILLUSTRATION 1.3 Traditional Mode IKE Properties 9. The Traditional mode IKE Properties window will appear on screen: scroll down the list under the Support key exchange encryption with panel and select 3DES, DES by clicking on the checkboxes on the left side select MD-5 and SHA-1 under the Support data integrity with panel mark the Pre-Shared Secret click on Advanced HOW-TO GUIDELINES 7

8 ILLUSTRATION 1.4 Advanced IKE Properties the traditional mode advanced IKE properties window will appear on the screen. Select the Group 2 (1024 bit) checkbox under Support Diffie-Hellman groups for IKE (phase 1) Security associations and click OK. Click OK to apply the traditional mode IKE properties for the gateway cluster object. HOW-TO GUIDELINES 8

9 ILLUSTRATION 1.5 Interoperable Device - StoneGate window 10. Right-click on Interoperable Devices from the tree on the left side of the screen and select New Interoperable Device. 11. In the General Properties section, name the object and write its IP address (In our example, we will name it StoneGate and use the IP Address ) HOW-TO GUIDELINES 9

10 ILLUSTRATION 1.6 Interoperable Device - StoneGate 12. Click on Topology from the tree on the left side: Click the radio button under the VPN Domain panel to indicate Manually defined. Then, select your remote encryption domain (in our example, we will select sginternal-lan). 13. Now, you will configure the IKE phase-1 settings for StoneGate. Click on VPN from the tree on the left side. Then, click on Translation mode configuration. The traditional mode IKE properties window will appear on screen. HOW-TO GUIDELINES 10

11 ILLUSTRATION 1.7 Traditional Mode IKE Properties window Select 3DES, DES under Support key exchange encryption with; MD5 and SHA-1 checkboxes under Support data integrity with; then, check Pre-Shared Secret under Support authentication methods and click on Edit Secrets button. ILLUSTRATION 1.8 Shared Secret dialog box HOW-TO GUIDELINES 11

12 The Shared Secret dialog box will appear on the screen. Click on the cluster for which you want to define the shared secret (in our example, clusteri). Then, click on Edit and write the shared secret. Finally, click OK. Click on Advanced. The traditional mode advanced IKE properties window will appear on the screen. Select the Group 2 (1024 bit) checkbox under Support Diffie- Hellman groups for IKE (phase 1) Security associations and click OK. Illustration 1.4 on page 8 shows a completed example. 14. Open the VPN manager and select Meshed topology (MyIntranet). ILLUSTRATION 1.9 Meshed Community Properties - My Intranet 15. The Meshed Community Properties window will appear on the screen. Click on Participating Gateways from the tree on the left side of the window. 16. Then, click on Add and add the participating security gateways. (In our example, we will add clusteri and StoneGate.) 17. Edit the VPN properties by clicking on VPN Properties from the tree on the left side of the window. HOW-TO GUIDELINES 12

13 ILLUSTRATION 1.10 VPN Properties 18. Use the scroll list to select the following properties: Perform key exchange encryption with: 3DES Perform data integrity with: SHA1 Perform IPsec data encryption with: 3DES Perform data integrity with: SHA1 19. Next, click on Advanced Properties from the tree on the left side of the window. HOW-TO GUIDELINES 13

14 ILLUSTRATION 1.11 Advanced VPN Properties 20. The Advanced Properties options will appear on the right side of the window. Select Group 2 (1024 bit) as Diffie-Hellman group for IKE phase Click on Shared Secret from the tree. ILLUSTRATION 1.12 Shared Secret Configuration HOW-TO GUIDELINES 14

15 22. Select Use only Shared Secret for all External members. Then, define a shared secret for StoneGate by clicking on Edit. (In our example, the shared secret is abc123 as in Illustration 1.12 on page 14.) ILLUSTRATION After you have configured the VPN between the two gateways, you can create access rules to test how VPN traffic is handled by Check Point NG. Open the SmartDashboard to design the rules as in Illustration VPN settings in StoneGate To configure the VPN settings in StoneGate follow the instructions: 1. In the StoneGate Control Panel, open the VPN Manager by clicking on its icon. HOW-TO GUIDELINES 15

16 ILLUSTRATION 1.14 Internal Security Gateway 2. Create a new Internal Security Gateway element by selecting its icon on the toolbar. In the General tab, name the gateway (e.g. Finland) and select your local firewall from the options provide. The default SGW Settings in the other tab needn t be changed. 3. The VPN Client NAT Pool will be left blank. See Illustration HOW-TO GUIDELINES 16

17 ILLUSTRATION 1.15 End-Points Tab 4. Switch to the End-points Tab and then name the end points. Select your firewall s external IP address, and click Add to insert the name and IP address of the end-point in the text box. (In our example, ) 5. Click OK. 6. You need to define the other end of the VPN next. Therefore, you must create also your partner s security gateway as an element. In the VPN Manager, click the External Security Gateway icon to open the External Security Gateway Properties dialog box. HOW-TO GUIDELINES 17

18 ILLUSTRATION 1.16 External Security Gateway Properties 7. In the General tab, name the external gateway (e.g. NG). Select Check Point NG as the Gateway Type. HOW-TO GUIDELINES 18

19 ILLUSTRATION 1.17 External End-Points Tab 8. Switch to the End-points tab, click the radio button Static IP. 9. Give the end-point a name (NG FP3) and select its external IP address ( ). 10. Click the Add button to insert the name and IP address of the end-point in the text box. 11. Click OK. HOW-TO GUIDELINES 19

20 ILLUSTRATION 1.18 Capabilities 12. Define the capabilities as in Illustration Configuring the Encryption Domains You need to assign sites to both defined security gateways. 1. In the VPN Manager, select the Gateways and Sites tab. Ensure that you have the Repository View on the left panel. HOW-TO GUIDELINES 20

21 ILLUSTRATION 1.19 New VPN site behind the security gateway 2. Drag and drop your internal network from the left onto your internal security gateway on the right panel. Now, you will repeat the previous step for the external security gateway: 1. Drag and drop your partner s internal network from the left onto the external security gateway on the right panel. 2. When finished, your Security Gateway View should resemble Illustration Creating a VPN Element After defining the security gateways functioning as end-points of the VPN, you can create the actual VPN element. 1. In the VPN Manager, click the VPN icon. 2. In the displayed dialog box, specify the name of the VPN (NG to SG). Click OK. HOW-TO GUIDELINES 21

22 ILLUSTRATION 1.20 VPN view 3. Switch to the VPNs tab to see the newly created VPN element. 4. In the VPNs window, drag and drop both gateway elements from the left panel onto the VPN element you created on the right panel. See Illustration Set the properties of the VPN by selecting the VPN you just created. Right-click on it and select Properties from the contextual menu. The VPN Editor window will open. ILLUSTRATION 1.21 VPN Editor HOW-TO GUIDELINES 22

23 6. In the VPN Editor window, click on the IKE proposal button located in the Logical Tunnels panel on the left. ILLUSTRATION 1.22 IKE Phase I HOW-TO GUIDELINES 23

24 7. The IKE Phase 1 window will open. Select the IKE Phase 1 tab. Select 3DES, SHA-1, Pre-shared key and set the Diffie-Hellman Group for IKE to the value 2. Then, select Main as the IKE Negotiation Mode. 8. Switch to the Pre-Shared Key tab. ILLUSTRATION 1.23 Pre-Shared Key tab 9. Type in the same pre-shared key used previously with NG VPN configuration. (In our example, abc123). The Certificate Authorities tab needn t be changed. 10. Click OK to return to the VPN Properties dialog box. 11. Click on Encryption Policy from the VPN Editor. HOW-TO GUIDELINES 24

25 ILLUSTRATION 1.24 Connection Encryption Policy window 12. Select Override VPN Policy Settings For this Connection. Check the radio buttons Net under Security Association Granularity and Use IKE under IPsec Mode. See Illustration Click on IPsec Proposals to define the IKE phase-2 settings. HOW-TO GUIDELINES 25

26 ILLUSTRATION 1.25 IPsec Proposals 14. Select ESP (SHA-1 + 3DES) 60min / KB under the Ipsec Proposals panel. Click OK to return to the Connection Encryption Policy window. 15. Click OK. 16. Now your tunnel mode is set to Normal. Create a VPN Rule Base After you have configured the VPN between the two gateways, you can create access rules to test how VPN traffic is handled by StoneGate. Open the Security Policy Manager to design the rules. 1. Create a new policy by clicking the New icon on the tool bar. 2. In the opened dialog box, set the type as Normal, name the rule base as SG-NG VPN, and select Template as default. HOW-TO GUIDELINES 26

27 3. Once your new rule base opens, click on the green line saying Access rule: insert point, and click Add Rule. 4. For the new rule, fill in the cells as follows: Source: drag and drop the StoneGate internal network here. Destination: drag and drop the Check Point NG internal network here. Service: ANY. Action: select Enforce VPN NG to SG VPN. Options: set the Log Level as Essential. 5. Create a new rule under the one you just created by right-clicking on its row and selecting Add Rule After. 6. Fill in the cells as follows: Source: drag and drop the Check Point internal network here. Destination: drag and drop The StoneGate internal network here. Service: ANY. Action: select Enforce VPN NG to SG VPN. Options: set the Log Level as Essential. 7. Save and install the policy by clicking the Save and Install icon. ILLUSTRATION 1.26 VPN rules HOW-TO GUIDELINES 27

28 Trademarks and Patents Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-link technology, multi-link VPN, and the StoneGate clustering technology - as well as other technologies included in StoneGate-are protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are property of their respective owners. Copyright and Disclaimer Copyright Stonesoft Corporation. All rights reserved. These materials, Stonesoft products and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means without written authorization of Stonesoft Corporation. The Stonesoft Secure Application Partnership Program is a validation service offered by Stonesoft to allow end users to make an informed decision when choosing hardware for their StoneGate High Availability Firewall and VPN solutions. Under Stonesoft s Secure Application Partnership Program, certification is granted based on tests performed under specific operating conditions in a controlled environment. The details of these tests are available from Stonesoft upon request. Stonesoft does not guarantee the accuracy, adequacy or completeness of its certification testing of third party hardware products and shall not be liable if the testing results and/or determinations are incaccurate, inadequate or incomplete. End users are solely responsible for determining on their own whether a given third party hardware configuration is suitable for their needs. BY CERTIFYING THIRD PARTY HARDWARE PRODUCTS, STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO TESTING RESULTS, INFORMATION CONTAINED IN THESE MATERIALS, OR ANY INFORMATION OR DATA PROVIDED IN RELATION TO THE SECURE APPLICATION PARTNERSHIP PROGRAM. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT INFORMATION CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES. INCLUDING, BUT NO LIMITED TO. LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES. Revision: HWTO11SG20-3/4/03 International Headquarters Stonesoft Corp. Itälahdenkatu 22a FIN Helsinki, Finland tel fax. info.emea@stonesoft.com Business ID: VAT number: FI Americas Headquarters Stonesoft Inc. 115 Perimeter Center Place South Terraces, Suite 1000 Atlanta, GA tel fax. info.americas@stonesoft.com Asia Pacific Headquarters Stonesoft Corp. 90 Cecil Street # Singapore tel fax. info.asiapacific@stonesoft.com