VPN Tracker for Mac OS X How-to: Interoperability with Check Point VPN-1 GateWay Rev. 1.1 Copyright 2003 equinux USA Inc. All rights reserved.
1. Introduction 1. Introduction This document describes how VPN Tracker can be used to establish a connection between a Macintosh running Mac OS X and a Check Point VPN-1 GateWay. equinux has tested the Check Point VPN-1 GateWay with FP3 and FP4. The Check Point VPN-1 GateWay is configured as a router, connecting a company LAN to the Internet. The example demonstrates a connection scenario, with a dial-in Mac connecting to a Check Point VPN-1 GateWay. This paper is only a supplement to, not a replacement for, the instructions that have been included with your Check Point VPN-1 GateWay. Please be sure to read and understand those instructions before beginning. All trademarks, product names, company names, logos, screenshots displayed, cited or otherwise indicated on the How-to are the property of their respective owners. EQUINUX SHALL HAVE ABSOLUTELY NO LIABILITY FOR ANY DIRECT OR INDIRECT, SPECIAL OR OTHER CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE USE OF THE HOW-TO OR ANY CHANGE TO THE ROUTER GENERALLY, INCLUDING WITHOUT LIMITATION, ANY LOST PROFITS, BUSINESS, OR DATA, EVEN IF EQUINUX HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 2
2. Prerequisites 2. Prerequisites Firstly, you should use a recent software version. For this document, VPN-1 FP3 and FP4 has been used. The type of the VPN Tracker license needed (personal or professional edition) depends on the connection scenario you are using: If you connect a dial-in Mac without it s own subnet to the Check Point VPN-1 GateWay you need a Personal License. If you want to establish a LAN-to-LAN connection from your Mac to the Check Point VPN-1 GateWay, you need a VPN Tracker Professional License. If you connect a dial-in Mac without it s own subnet to multiple Networks on CheckPoint side you also need the Professional License. VPN Tracker is compatible with Mac OS X 10.2 or higher. Be sure to use VPN Tracker 2.0.3 or higher. 1 For this document VPN Tracker version 2.0.3 has been used. 1 All VPN Tracker versions prior to 2.0.3 did not include a correct connection type for CheckPoint VPN-1. 3
3. Connecting to a Check Point VPN-1 GateWay using pre-shared secrets In this example, the Mac running VPN Tracker is directly connected to the internet via a dialup or PPP connection. 2 The Check Point VPN-1 GateWay is configured in NAT mode and has the static WAN IP address 169.1.2.3 with gateway 169.1.2.1 and the private LAN IP address 192.168.1.1. The stations in the LAN behind the Check Point VPN-1 GateWay use 192.168.1.1 as their default gateway and should have a working Internet connection. The firewall rules are already defined and the VPN connection between the windows clients and the Check Point VPN-1 GateWay works. VPN Tracker Mac (dynamic IP) cpmodule WAN 169.1.2.3 LAN 192.168.1.1 192.168.1.10 192.168.1.20 192.168.1.30 LAN 192.168.1.0/24 Figure 1: VPN Tracker - Check Point VPN-1 GateWay connection diagram (host to network) 2 Please note that the connection via a router, which uses Network Address Translation (NAT), only works if the NAT router supports IPsec passthrough. Please contact your router s manufacturer for details. 4
3.1 Check P oint VPN-1 GateW ay configuration The pre-defined VPN Tracker connection type has been created using the default settings on Check Point VPN-1 GateWay. If you change any of the settings on the Check Point VPN-1 GateWay, you will subsequently have to adjust the connection type in VPN Tracker. Step 1 VPN - Basic Setup: Please enable the Pre-Shared Secret Feature in the Global Properties, witch is disabled by default. Figure 2: Global Properties 5
Step 2 VPN Advanced Setup: Please check all the settings. The VPN Tracker connection type uses these settings. Figure 3: Global Properties - Advanced 6
Step 3 User properties: Please enter a Login Name in the form user@domain. If you use a VPN Tracker version prior to 2.0.5, the username must contain the "@" sign. With VPN Tracker 2.0.5 you can also use a Login Name in the form: vpntracker. Figure 4: User Properties - General Please check the other user settings. Please use no authentication scheme and don t generate a certificate for the pre-shared key based connection. 7
Figure 5: User Properties - Authentication Figure 6: User Properties - Certificates 8
Enable the IKE Encryption Method and the Log. Figure 7: User Properties - Encryption Edit the IKE encryption method and enter your Password (Pre-shared secret). Please be sure that Public Key isn t enabled. Figure 8: IKE Phase 2 Properties 9
Step 4 Add user in a RemoteAccess Group. The screenshots are only a example of adding the previously created user in a group called RemoteAccessUsers. You may already have existing Access Groups. We used the following. Figure 9: Group Properties - RemoteAccessusers Figure 10: Main Screen - cpmodule 10
Step 4 Tradition mode configuration. Please be sure that the previously created group is in the VPN community. Click on the Tradition mode configuration button. Figure 11: Check Point Gateway - cpmodule Please enable Pre-Shared Secret and click on the Advanced... button. Figure 12: Traditional mode IKE Properties 11
Enable in the Traditional mode advanced IKE properties the Support for aggressive mode. This is very import for the pre-shared key based communication. If you want to use certificates with VPN Tracker you ll always use the main mode. Figure 13: Traditional mode advanced IKE properties > Multiple VPN Tracker Hosts Just create another user with the same settings. 12
3.2 VPN T racker configuration Step 1 Add a new connection with the following options: Choose Check Point (Pre-shared key) as the Connection Type, Host to Network as Topology, then type in the remote endpoint (169.1.2.3) and the remote network (192.168.1.0/24). Figure 14: VPN Tracker main dialog (with PSK) Step 2 Click select Pre-shared key and click Edit.... Type in the same pre-shared secret that you typed-in in the Check Point VPN-1 GateWay configuration (Figure 2). Use the login name as local identifier. If you have typed in a correct username, the word "email" should be visible beside the input field. With VPN Tracker version 2.0.5 you can use a username in the form vpntracker but you have to type in @vpntracker as local identifier. An identifier of the form "@user" will be interpreted as "user" with a type of "email" (User-FQDN). This is to help all Check Point users who have usernames without an "@" in them, as Check Point always expects an User-FQDN identifier. 13
Figure 15: Pre-shared key dialog Step 3 Save the connection and Click Start IPsec in the VPN Tracker main window. You re done. After 10-20 seconds the red status indicator for the connection should change to green, which means you re securely connected to the Check Point VPN-1 GateWay. After IPsec has been started, you may quit VPN Tracker. The IPsec service will keep running. Now to test your connection simply ping a host in the Check Point VPN-1 GateWay network from the dialed-in Mac in the Terminal utility: ping 192.168.1.10 > Debugging If the status indicator does not change to green please have a look at the log file on both sides. You can define the amount of information available in the log file in the VPN Tracker preferences. 14
4. Connecting to a Check Point VPN-1 GateWay using RSA X.509 cerificates 4. Connecting to a Check Point VPN-1 GateWay using RSA X.509 cerificates 4.1 Check P oint VPN-1 GateW ay configuration Step 1 Step 2 The setup of enabling IPsec works the same way as described in section 4. User Properties: Please enter a Login Name in the form certificateuser or certificateuser@domain Figure 16: User Properties - General 15
4. Connecting to a Check Point VPN-1 GateWay using RSA X.509 cerificates Figure 17: User Properties - Groups Generate and save the certificate. The PKCS#12 file contains the certificate, your private key and the CA. Figure 18: user Properties - Certificates 16
4. Connecting to a Check Point VPN-1 GateWay using RSA X.509 cerificates Please be sure that you enable the Public Key Authentication in the IKE Phase 2 Properties. Figure 19: IKE Phase 2 Properties Step 4 Tradition mode IKE properties: Please enable the Public key Signatures. You can leave the Pre-Shared Secrets enabled. Figure 20: Traditional mode IKE properties 17
4. Connecting to a Check Point VPN-1 GateWay using RSA X.509 cerificates 4.2 VPN T racker configuration Step 1 Open the Certificate manager (File -> Show certificates) of VPN Tracker and import the PKCS#12 file you previously exported from your Check Point VPN-1 GateWay. Figure 21: VPN Tracker - Certificate Import Step 2 Add a new connection with the following options: Choose CheckPoint (Certificates) as the Connection Type, Host to Network as Topology, then type in the remote endpoint (169.1.2.3) and the remote network (192.168.1.0/24). Figure 22: VPN Tracker main dialog (with certificates) 18
4. Connecting to a Check Point VPN-1 GateWay using RSA X.509 cerificates Step 3 Choose as own certificate the certificate you imported in step 1 and verify the remote certificate with CAs. Choose own certificate as local identifier and IP address as remote identifier. Do not Verify the remote certificate. Figure 23: Certificate dialog 19