Note: This document assumes the reader is familiar with the basic network installation of a Check Point Embedded NG appliance and a Cisco VPN 3000 Series Concentrator.
Overview
This document explains how to create a Site-to-Site IPSEC VPN connection between a Check Point Embedded NG security appliance and a Cisco VPN 3000 Series Concentrator. In particular, it describes the configuration of the following sample network:
Figure 1: Site-to-Site VPN with Check Point Embedded NG Appliance and Cisco VPN 3000 Series Concentrator
This sample network uses the parameters shown in the table below; however, you can change any of these parameters as desired, so long as they are the same on both appliances.
Note: The Embedded NG appliance must be installed with firmware 5.0 or a subsequent version.
1. Configure the encryption domain. The encryption domain represents the networks to and from which you want to encrypt. These are the networks behind the VPN gateways. Do the following:
   a. Create a Network List for the VPN 3000 Series Concentrator's internal network. See Creating a Network List for the VPN 3000 Series Concentrator's Internal Network, page 3.
   b. Create a Network List for the Embedded NG gateway's internal network. See Creating a Network List for the Embedded NG VPN Gateway's Internal Network, page 3.
2. Configure an IKE proposal. See Configuring IKE Proposals, page 4.
3. Configure a LAN-to-LAN connection. See Configuring LAN-to-LAN Connection, page 5.
1. In the VPN 3000 Series Concentrator Manager tree, select Configuration > Policy Management > Traffic Management > Network Lists. The Network Lists page appears.
2. Click Add. The Add a Network List page appears.
3. In the List Name field, type a name for the VPN 3000 Series Concentrator's internal network Network List. For example: Cisco_Internal.
4. In the Network List text box, type the VPN 3000 Series Concentrator's internal network address and wildcard mask on a single line. A wildcard mask uses 1s in bit positions that should be ignored, and 0s in bit positions that should be matched. For example: 192.168.1.0/0.0.0.255.
5. Click Apply. The Network Lists page reappears.
6. Click Save.
Creating a Network List for the Embedded NG VPN Gateway's Internal Network
To create a Network List for the Embedded NG VPN gateway's internal network
1. In the VPN 3000 Series Concentrator Manager tree, select Configuration > Policy Management > Traffic Management > Network Lists. The Network Lists page appears.
2. Click Add. The Add a Network List page appears.
3. In the List Name field, type a name for the Embedded NG VPN gateway's internal network object. For example: CP_Internal.
4. In the Network List text box, type the Check Point Embedded NG VPN gateway's internal network address and wildcard mask on a single line. A wildcard mask uses 1s in bit positions that should be ignored, and 0s in bit positions that should be matched. For example: 192.168.0.0/0.0.0.255.
5. Click Apply. The Network Lists page reappears.
6. Click Save.
1. In the VPN 3000 Series Concentrator Manager tree, select Configuration > System > Tunneling Protocols > IPSec > IKE Proposals. The IKE Proposals page appears.
2. Click Add. The Add an IKE Proposal page appears.
3. Fill in the fields as described in the table below.
4. Click Add. The IKE Proposals page reappears.
5. In the Inactive Proposals list, select the proposal you created.
6. Click Activate. The proposal appears in the Active Proposals list.
Table 2: IKE Proposal Fields
Proposal Name
  Do this: Type a name for this IKE proposal.
  In the sample network: CheckPoint
Authentication Mode
  Do this: Select the authentication mode to use.
  In the sample network: Preshared Keys
Authentication Algorithm
  Do this: Select the packet authentication algorithm to use.
  In the sample network: SHA/HMAC-160
Encryption Algorithm
  Do this: Select the encryption algorithm to use.
  In the sample network: AES-256 or 3DES-168
Diffie-Hellman Group
  Do this: Select the Diffie-Hellman group to use.
  In the sample network: Group 2 (1024-bits)
Data Lifetime
  Do this: Type the data lifetime in kilobytes (KB).
Time Lifetime
  Do this: Type the time lifetime in seconds.
1. In the VPN 3000 Series Concentrator Manager tree, select Configuration > System > Tunneling Protocols > IPSec > LAN-to-LAN. The LAN-to-LAN page appears.
2. Click Add. The Add an IPSec LAN-to-LAN Connection page appears.
3. Fill in the fields as described in the table below.
4. Click Apply. The LAN-to-LAN page reappears.
5. Click Save Needed to save the configuration.
Table 3: LAN-to-LAN Connection Fields
Enable
  Do this: Select this option to enable this LAN-to-LAN connection.
  In the sample network: Select this option.
Name
  Do this: Type a name for this LAN-to-LAN connection.
  In the sample network: To_CheckPoint
Interface
  Do this: Select the interface for this LAN-to-LAN connection.
  In the sample network: Choose the public interface configured on the VPN 3000 Series Concentrator.
Connection Type
  Do this: Select the type of LAN-to-LAN connection.
  In the sample network: Bi-directional
Peers
  Do this: Type remote IP addresses for this LAN-to-LAN connection.
  In the sample network: Type the Embedded NG VPN gateway's WAN IP address.
Digital Certificate
  In the sample network: None (The authentication method is Preshared Key, so no certificate is needed.)
Certificate Transmission
  Do this: Choose how to send the certificate to the IKE peers specified in the Peers field.
Preshared Key
  In the sample network: Use the same pre-shared key as configured on the Embedded NG VPN gateway.
Authentication
  In the sample network: ESP/MD5/HMAC-128 or ESP/SHA/HMAC-160
Encryption
IKE Proposal
Filter
  Do this: Choose the filter to apply to the traffic that is tunneled through this LAN-to-LAN connection.
  In the sample network: None
IPSEC NAT-T
  Do this: Select this option to let NAT-T compatible IPSEC peers establish this LAN-to-LAN connection through a NAT device.
Bandwidth Policy
  In the sample network: None
Routing
  Do this: Select the routing mechanism to use.
  In the sample network: None
Local Network
  Do this: Select the local network address list or the IP address and wildcard mask for this LAN-to-LAN connection.
  In the sample network: Choose the Network List you created in Creating a Network List for the VPN 3000 Series Concentrator's Internal Network, page 3.
Remote Network
  Do this: Select the remote network address list or the IP address and wildcard mask for this LAN-to-LAN connection.
  In the sample network: Choose the Network List you created in Creating a Network List for the Embedded NG VPN Gateway's Internal Network, page 3.
1. Add the VPN 3000 Series Concentrator as a Site-to-Site gateway. See Adding the VPN 3000 Series Concentrator as a Site-to-Site VPN Gateway, page 8.
2. Configure IPSEC parameters to match those you configured on the VPN 3000 Series Concentrator. Do the following:
   a. Modify IKE Phase-1 encryption parameters. See Modifying IKE Phase-1 Encryption Parameters, page 13.
   b. Modify IKE Phase-2 encryption parameters. See Modifying IKE Phase-2 Encryption Parameters, page 13.
   c. Modify the IKE Phase-1 key lifetime. See Modifying the IKE Phase-1 Key Lifetime, page 14.
   d. Modify the IKE Phase-2 key lifetime. See Modifying the IKE Phase-2 Key Lifetime, page 14.
1. Click VPN in the main menu, and click the VPN Sites tab. The VPN Sites page appears.
2. Click New Site. The VPN Site Wizard opens, with the Welcome to the VPN Site Wizard dialog box displayed.
5. In the VPN Gateway field, type the IP address of the VPN 3000 Series Concentrator VPN gateway.
6. Select Bypass NAT. This setting enables the VPN 3000 Series Concentrator VPN gateway to bypass NAT when connecting to the Embedded NG VPN gateway's internal network.
7. Select Bypass the firewall. This setting enables the VPN 3000 Series Concentrator VPN gateway to bypass the firewall and access the Embedded NG VPN gateway's internal network without restriction, over the VPN tunnel only.
8. Click Next. The VPN Network Configuration dialog box appears.
10. Click Next. A second VPN Network Configuration dialog box appears.
11. In the Destination network fields, type up to three destination network addresses at the VPN 3000 Series Concentrator VPN gateway.
12. In the Subnet mask fields, select the subnet masks for the destination network addresses.
13. Click Next. The Authentication Method dialog box appears.
16. In the Use Shared Secret field, type the shared secret to use for secure communications with the VPN 3000 Series Concentrator VPN gateway. This should be the pre-shared key you configured on the VPN 3000 Series Concentrator VPN gateway in Configuring LAN-to-LAN Connection, page 5.
17. Click Next. The Connect dialog box appears.
18. If you configured the VPN 3000 Series Concentrator as described in Configuring the VPN 3000 Series Concentrator, page 2, select the Try to Connect to the VPN Gateway check box to try to connect to it. This allows you to test the VPN connection.
Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated.
19. Click Next. If you selected Try to Connect to the VPN Gateway, the Connecting screen appears, and then the Contacting VPN Site screen appears. The Site Name dialog box appears.
20. Type a name for the VPN site. You may choose any name. For example: Cisco.
22. Click Finish. The VPN Sites page reappears. The new site appears in the VPN Sites list.
Use the following command syntax:
set vpn sites number phase1ikealgs [automatic | des/md5 | des/sha1 | 3des/md5 | 3des/sha1 | aes128/md5 | aes128/sha1 | aes256/md5 | aes256/sha1]
where number is the number of the VPN 3000 Series Concentrator VPN gateway's row in the VPN Sites table in the Embedded NG Portal.
For example, if the VPN 3000 Series Concentrator VPN gateway appears in row 2 in the VPN Sites table, and you want to set the Embedded NG appliance to use 3DES/SHA1 encryption for Phase-1 IKE negotiations with this gateway, then run the command:
set vpn sites 2 phase1ikealgs 3des/sha1
Use the following command syntax:
set vpn sites number phase2ikealgs [automatic | des/md5 | des/sha1 | 3des/md5 | 3des/sha1 | aes128/md5 | aes128/sha1 | aes256/md5 | aes256/sha1]
where number is the number of the VPN 3000 Series Concentrator VPN gateway's row in the VPN Sites table in the Embedded NG Portal.
For example, if the VPN 3000 Series Concentrator VPN gateway appears in row 2 in the VPN Sites table, and you want to set the Embedded NG appliance to use 3DES/SHA1 encryption for Phase-2 IKE negotiations with this gateway, then run the command:
set vpn sites 2 phase2ikealgs 3des/sha1
Use the following command syntax:
set vpn sites number phase1exptime seconds
where:
number is the number of the VPN 3000 Series Concentrator VPN gateway's row in the VPN Sites table in the Embedded NG Portal.
seconds is the length of the IKE Phase-1 key lifetime in seconds.
For example, if the VPN 3000 Series Concentrator VPN gateway appears in row 2 in the VPN Sites table, and you want to set the Embedded NG appliance to use a Phase-1 key lifetime of 24 hours (86400 seconds) with this gateway, then run the command:
set vpn sites 2 phase1exptime 86400
Use the following command syntax:
set vpn sites number phase2exptime seconds
where:
number is the number of the VPN 3000 Series Concentrator VPN gateway's row in the VPN Sites table in the Embedded NG Portal.
seconds is the length of the IKE Phase-2 key lifetime in seconds.
For example, if the VPN 3000 Series Concentrator VPN gateway appears in row 2 in the VPN Sites table, and you want to set the Embedded NG appliance to use a Phase-2 key lifetime of 1 hour (3600 seconds) with this gateway, then run the command:
set vpn sites 2 phase2exptime 3600
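The tunnel only comes up when both peers agree on the encryption domains, algorithms and lifetimes described above. The following Python script is an added example, not Check Point's or Cisco's code: it converts the Concentrator's wildcard-mask Network Lists into the subnet masks the Embedded NG wizard asks for, maps the Concentrator's algorithm labels to the tokens the set vpn sites commands accept, emits those commands for a given VPN Sites row, and flags mismatches between the two sides. The sample values and the dictionary keys are constructed for this example; the pre-shared key is a placeholder.

```python
import ipaddress

# Algorithm labels as shown in the VPN 3000 Manager, mapped to the tokens accepted by
# 'set vpn sites <n> phase1ikealgs' / 'phase2ikealgs' on the Embedded NG CLI.
CISCO_TO_CP = {"DES-56": "des", "3DES-168": "3des", "AES-128": "aes128",
               "AES-256": "aes256", "MD5/HMAC-128": "md5", "SHA/HMAC-160": "sha1"}

def wildcard_to_network(entry: str) -> ipaddress.IPv4Network:
    """Cisco Network List entry '192.168.1.0/0.0.0.255' -> 192.168.1.0/24.
    Wildcard 1 bits are ignored bits, so the subnet mask is the bitwise complement.
    Raises ValueError for a non-contiguous wildcard, which no subnet mask can express."""
    addr, wildcard = entry.split("/")
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}")

def cp_algs(encryption: str, authentication: str) -> str:
    """'3DES-168' + 'ESP/SHA/HMAC-160' -> '3des/sha1' (Cisco prefixes Phase-2 labels with ESP/)."""
    auth = authentication.removeprefix("ESP/")
    return f"{CISCO_TO_CP[encryption]}/{CISCO_TO_CP[auth]}"

def embedded_ng_commands(site_row: int, cisco: dict) -> list:
    """The four CLI lines that make the Embedded NG site entry match the Concentrator."""
    return [f"set vpn sites {site_row} phase1ikealgs {cp_algs(cisco['ike_encryption'], cisco['ike_auth'])}",
            f"set vpn sites {site_row} phase2ikealgs {cp_algs(cisco['esp_encryption'], cisco['esp_auth'])}",
            f"set vpn sites {site_row} phase1exptime {cisco['ike_time_lifetime']}",
            f"set vpn sites {site_row} phase2exptime {cisco['esp_time_lifetime']}"]

def mismatches(cisco: dict, checkpoint: dict) -> list:
    """Encryption domains must be mirrored and the secret identical; return what differs."""
    problems = []
    if wildcard_to_network(cisco["local_network"]) != checkpoint["destination_network"]:
        problems.append("Cisco Local Network != Embedded NG destination network")
    if wildcard_to_network(cisco["remote_network"]) != checkpoint["internal_network"]:
        problems.append("Cisco Remote Network != Embedded NG internal network")
    if cisco["preshared_key"] != checkpoint["shared_secret"]:
        problems.append("pre-shared key differs")
    return problems

# Constructed sample values following the guide's sample network; the key is a placeholder.
SAMPLE_CISCO = {"local_network": "192.168.1.0/0.0.0.255", "remote_network": "192.168.0.0/0.0.0.255",
                "ike_encryption": "3DES-168", "ike_auth": "SHA/HMAC-160", "ike_time_lifetime": 86400,
                "esp_encryption": "3DES-168", "esp_auth": "ESP/SHA/HMAC-160", "esp_time_lifetime": 3600,
                "preshared_key": "PLACEHOLDER-PSK"}
SAMPLE_CP = {"internal_network": ipaddress.IPv4Network("192.168.0.0/24"),
             "destination_network": ipaddress.IPv4Network("192.168.1.0/24"),
             "shared_secret": "PLACEHOLDER-PSK"}

if __name__ == "__main__":
    print("\n".join(embedded_ng_commands(2, SAMPLE_CISCO)))
    print("mismatches:", mismatches(SAMPLE_CISCO, SAMPLE_CP) or "none")
```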