
Configuring a Site-to-Site IPSEC VPN with a Check Point Security Appliance and a Cisco VPN 3000 Series Concentrator

Note: This document assumes the reader is familiar with the basic network installation of a Check Point Embedded NG appliance and a Cisco VPN 3000 Series Concentrator.

Overview
This document explains how to create a Site-to-Site IPSEC VPN connection between a Check Point Embedded NG security appliance and a Cisco VPN 3000 Series Concentrator. In particular, it describes the configuration of the following sample network:

Figure 1: Site-to-Site VPN with Check Point Embedded NG Appliance and Cisco VPN 3000 Series Concentrator

This sample network uses the parameters shown in the table below. You can change any of these parameters as desired, provided the values are identical on both gateways: a mismatch in any Phase-1 or Phase-2 parameter causes the IKE negotiation to fail and the tunnel will not come up.

Table 1: Site-to-Site VPN Configuration Parameters


Parameter                      Value
Encryption                     AES-256 or 3DES
Integrity                      SHA/HMAC-160 or MD5/HMAC-128
Authentication                 Pre-shared Key (Shared Secret)
Diffie-Hellman (DH)            Group 2
Perfect Forward Secrecy (PFS)  Disabled
Phase-1 key lifetime           24 hours (86400 seconds)
Phase-2 key lifetime           1 hour (3600 seconds)

Where both peers support it, prefer AES-256 with SHA/HMAC-160 over 3DES or MD5/HMAC-128.

Note: The Embedded NG appliance must be installed with firmware 5.0 or a subsequent version.

Configuring the VPN 3000 Series Concentrator


To configure the VPN 3000 Series Concentrator for Site-to-Site VPN

1. Configure the encryption domain. The encryption domain represents the networks to and from which you want to encrypt. These are the networks behind the VPN gateways. Do the following:
   a. Create a Network List for the VPN 3000 Series Concentrator's internal network. See Creating a Network List for the VPN 3000 Series Concentrator's Internal Network, page 3.
   b. Create a Network List for the Embedded NG gateway's internal network. See Creating a Network List for the Embedded NG VPN Gateway's Internal Network, page 3.
2. Configure an IKE proposal. See Configuring IKE Proposals, page 4.
3. Configure a LAN-to-LAN connection. See Configuring LAN-to-LAN Connection, page 5.

Configuring the Encryption Domain


Creating a Network List for the VPN 3000 Series Concentrator's Internal Network
To create a Network List for the VPN 3000 Series Concentrator's internal network

1. In the VPN 3000 Series Concentrator Manager tree, select Configuration > Policy Management > Traffic Management > Network Lists. The Network Lists page appears.
2. Click Add. The Add a Network List page appears.
3. In the List Name field, type a name for the VPN 3000 Series Concentrator internal network's Network List. For example: Cisco_Internal.
4. In the Network List text box, type the VPN 3000 Series Concentrator's internal network address and wildcard mask on a single line. A wildcard mask is the bitwise inverse of the subnet mask: it uses 1s in bit positions that should be ignored, and 0s in bit positions that should be matched. For example, for the /24 network 192.168.1.0 with subnet mask 255.255.255.0: 192.168.1.0/0.0.0.255.
5. Click Apply. The Network Lists page reappears.
6. Click Save.

Creating a Network List for the Embedded NG VPN Gateway's Internal Network
To create a Network List for the Embedded NG VPN gateway's internal network

1. In the VPN 3000 Series Concentrator Manager tree, select Configuration > Policy Management > Traffic Management > Network Lists. The Network Lists page appears.
2. Click Add. The Add a Network List page appears.
3. In the List Name field, type a name for the Embedded NG VPN gateway internal network object. For example: CP_Internal.
4. In the Network List text box, type the Check Point Embedded NG VPN gateway's internal network address and wildcard mask on a single line. As above, the wildcard mask uses 1s in bit positions that should be ignored, and 0s in bit positions that should be matched. For example: 192.168.0.0/0.0.0.255.
5. Click Apply. The Network Lists page reappears.
6. Click Save.

The two Network Lists are the two halves of the encryption domain; they must not overlap, or the gateways cannot decide which traffic belongs in the tunnel.
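The following script is an added example and is not part of the original tech note. It takes each internal network in CIDR notation and derives both forms the two products ask for: the address/wildcard line the VPN 3000 Series Concentrator's Network List text box expects, and the network address plus conventional subnet mask the Embedded NG VPN Site Wizard expects. It also rejects overlapping encryption domains before anything is typed into either device. The function names and the list names are assumptions chosen for illustration; the sample addresses are those of the note's sample network.

```python
"""Build VPN 3000 Network List entries and Embedded NG destination-network values
from one CIDR definition of each encryption domain.

Added example, not part of the original tech note. Function names are
assumptions; only the standard library is used.
"""
import ipaddress

# Constructed sample: the two internal networks of the tech note's sample network.
CISCO_INTERNAL = "192.168.1.0/24"       # behind the VPN 3000 Series Concentrator
CHECKPOINT_INTERNAL = "192.168.0.0/24"  # behind the Embedded NG appliance


def wildcard_entry(cidr: str) -> str:
    """Return the 'address/wildcard' line for the VPN 3000 Network List text box.

    The concentrator wants a wildcard mask (1 bits = ignore, 0 bits = match),
    which is the bitwise inverse of the subnet mask; ipaddress exposes it as
    .hostmask. strict=True rejects host bits set in the prefix (for example
    192.168.1.1/24) instead of silently masking them away.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address}/{net.hostmask}"


def embedded_ng_destination(cidr: str) -> tuple[str, str]:
    """Return (destination network, subnet mask) for the Embedded NG VPN Site
    Wizard, which takes a conventional subnet mask, not a wildcard mask."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.netmask)


def check_encryption_domains(local_cidr: str, remote_cidr: str) -> list[str]:
    """Return a list of problems with the pair of encryption domains (empty if none).

    Overlapping domains leave both gateways unable to decide whether a packet
    belongs in the tunnel, so this is checked before either side is configured.
    """
    local = ipaddress.ip_network(local_cidr, strict=True)
    remote = ipaddress.ip_network(remote_cidr, strict=True)
    problems = []
    if local.overlaps(remote):
        problems.append(f"encryption domains overlap: {local} and {remote}")
    return problems


def build_network_lists(cisco_cidr: str, checkpoint_cidr: str) -> dict[str, str]:
    """Return the two Network List entries keyed by the list names used in the note."""
    problems = check_encryption_domains(cisco_cidr, checkpoint_cidr)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "Cisco_Internal": wildcard_entry(cisco_cidr),
        "CP_Internal": wildcard_entry(checkpoint_cidr),
    }


if __name__ == "__main__":
    for name, entry in build_network_lists(CISCO_INTERNAL, CHECKPOINT_INTERNAL).items():
        print(f"{name}: {entry}")
    # The same Cisco-side network, as the Embedded NG wizard wants it (steps 11-12 later in the note).
    print("Embedded NG destination network, subnet mask:", embedded_ng_destination(CISCO_INTERNAL))
```

Running the script prints the two lines to paste into the Network List text boxes (Cisco_Internal: 192.168.1.0/0.0.0.255, CP_Internal: 192.168.0.0/0.0.0.255) and the 192.168.1.0 / 255.255.255.0 pair for the Embedded NG wizard.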

Configuring IKE Proposals


To configure an IKE proposal

1. In the VPN 3000 Series Concentrator Manager tree, select Configuration > System > Tunneling Protocols > IPSec > IKE Proposals. The IKE Proposals page appears.
2. Click Add. The Add an IKE Proposal page appears.
3. Fill in the fields as described in the table below.
4. Click Add. The IKE Proposals page reappears.
5. In the Inactive Proposals list, select the proposal you created.
6. Click Activate. The proposal appears in the Active Proposals list.

Table 2: IKE Proposal Fields

Proposal Name
  Do this: Type a name for this IKE proposal.
  In the sample network: CheckPoint

Authentication Mode
  Do this: Select the authentication mode to use.
  In the sample network: Preshared Keys

Authentication Algorithm
  Do this: Select the packet authentication algorithm to use.
  In the sample network: SHA/HMAC-160

Encryption Algorithm
  Do this: Select the encryption algorithm to use.
  In the sample network: AES-256 or 3DES-168

Diffie-Hellman Group
  Do this: Select the Diffie-Hellman group to use.
  In the sample network: Group 2 (1024-bits)

Lifetime Measurement
  Do this: Select the lifetime measurement of the IKE keys.
  In the sample network: Time

Data Lifetime
  Do this: Type the data lifetime in kilobytes (KB).
  In the sample network: Default is 10000. Do not change.

Time Lifetime
  Do this: Type the time lifetime in seconds.
  In the sample network: 86400

These are the IKE Phase-1 settings; they must match the Phase-1 algorithms and key lifetime you later set on the Embedded NG appliance.

Configuring LAN-to-LAN Connection


To configure a LAN-to-LAN connection

1. In the VPN 3000 Series Concentrator Manager tree, select Configuration > System > Tunneling Protocols > IPSec > LAN-to-LAN. The LAN-to-LAN page appears.
2. Click Add. The Add an IPSec LAN-to-LAN Connection page appears.
3. Fill in the fields as described in the table below.
4. Click Apply. The LAN-to-LAN page reappears.
5. Click Save Needed to save the configuration.

Table 3: LAN-to-LAN Connection Fields

Enable
  Do this: Select this option to enable this LAN-to-LAN connection.
  In the sample network: Select this option.

Name
  Do this: Type a name for this LAN-to-LAN connection.
  In the sample network: To_CheckPoint

Interface
  Do this: Select the interface for this LAN-to-LAN connection.
  In the sample network: Choose the public interface configured on the VPN 3000 Series Concentrator.

Connection Type
  Do this: Select the type of LAN-to-LAN connection.
  In the sample network: Bi-directional

Peers
  Do this: Type the remote IP addresses for this LAN-to-LAN connection.
  In the sample network: Type the Embedded NG VPN gateway's WAN IP address.

Digital Certificate
  Do this: Select the digital certificate to use.
  In the sample network: None (the authentication method is Preshared Key, so no certificate is needed).

Certificate Transmission
  Do this: Choose how to send the certificate to the IKE peers specified in the Peers field.
  In the sample network: Use the default setting.

Preshared Key
  Do this: Type the pre-shared key for this LAN-to-LAN connection.
  In the sample network: Use the same pre-shared key as configured on the Embedded NG VPN gateway. Choose a long, random secret; it is the only credential that authenticates the peer.

Authentication
  Do this: Specify the packet authentication mechanism to use.
  In the sample network: Choose one of the following: ESP/SHA/HMAC-160 or ESP/MD5/HMAC-128.

Encryption
  Do this: Specify the encryption mechanism to use.
  In the sample network: Choose one of the following: AES-256, AES-128 or 3DES-168.

IKE Proposal
  Do this: Select the IKE proposal to use for the LAN-to-LAN connection.
  In the sample network: Choose the proposal you configured in Configuring IKE Proposals, page 4.

Filter
  Do this: Choose the filter to apply to the traffic that is tunneled through this LAN-to-LAN connection.
  In the sample network: None

IPSEC NAT-T
  Do this: Select this option to let NAT-T compatible IPSEC peers establish this LAN-to-LAN connection through a NAT device.
  In the sample network: Select this option.

Bandwidth Policy
  Do this: Select the bandwidth policy to apply to this LAN-to-LAN connection.
  In the sample network: None

Routing
  Do this: Select the routing mechanism to use.
  In the sample network: None

Local Network > Network List
  Do this: Select the local network address list or the IP address and wildcard mask for this LAN-to-LAN connection.
  In the sample network: Choose the Network List you created in Creating a Network List for the VPN 3000 Series Concentrator's Internal Network, page 3.

Remote Network > Network List
  Do this: Select the remote network address list or the IP address and wildcard mask for this LAN-to-LAN connection.
  In the sample network: Choose the Network List you created in Creating a Network List for the Embedded NG VPN Gateway's Internal Network, page 3.

The Authentication and Encryption fields on this page are the IKE Phase-2 (IPSec) algorithms; they must match the Phase-2 algorithms you later set on the Embedded NG appliance.

Configuring the Embedded NG Security Appliance


To configure the Embedded NG security appliance for Site-to-Site VPN

1. Add the VPN 3000 Series Concentrator as a Site-to-Site gateway. See Adding the VPN 3000 Series Concentrator as a Site-to-Site VPN Gateway, page 8.
2. Configure IPSEC parameters to match those you configured on the VPN 3000 Series Concentrator. Do the following:
   a. Modify IKE Phase-1 encryption parameters. See Modifying IKE Phase-1 Encryption Parameters, page 13.
   b. Modify IKE Phase-2 encryption parameters. See Modifying IKE Phase-2 Encryption Parameters, page 13.
   c. Modify the IKE Phase-1 key lifetime. See Modifying the IKE Phase-1 Key Lifetime, page 14.
   d. Modify the IKE Phase-2 key lifetime. See Modifying the IKE Phase-2 Key Lifetime, page 14.

Adding the VPN 3000 Series Concentrator as a Site-to-Site VPN Gateway


To add the VPN 3000 Series Concentrator as a Site-to-Site VPN gateway

1. Click VPN in the main menu, and click the VPN Sites tab. The VPN Sites page appears.

2. Click New Site. The VPN Site Wizard opens, with the Welcome to the VPN Site Wizard dialog box displayed.

3. Select Site-to-Site VPN.

4. Click Next. The VPN Gateway Address dialog box appears.

5. In the VPN Gateway field, type the IP address of the VPN 3000 Series Concentrator VPN gateway.

6. Select Bypass NAT. This setting enables the VPN 3000 Series Concentrator VPN gateway to bypass NAT when connecting to the Embedded NG VPN gateway's internal network.

7. Select Bypass the firewall. This setting enables the VPN 3000 Series Concentrator VPN gateway to bypass the firewall and access the Embedded NG VPN gateway's internal network without restriction, over the VPN tunnel only. Everything reachable from the Concentrator's internal network is then reachable through the tunnel, so only select it if that is intended.

8. Click Next. The VPN Network Configuration dialog box appears.

9. Select Specify Configuration.

10. Click Next. A second VPN Network Configuration dialog box appears.

11. In the Destination network fields, type up to three destination network addresses at the VPN 3000 Series Concentrator VPN gateway.

12. In the Subnet mask fields, select the subnet masks for the destination network addresses.

13. Click Next. The Authentication Method dialog box appears.

14. Select Shared Secret.


15. Click Next. The Authentication dialog box appears.

16. In the Use Shared Secret field, type the shared secret to use for secure communications with the VPN 3000 Series Concentrator VPN gateway. This should be the pre-shared key you configured on the VPN 3000 Series Concentrator VPN gateway in Configuring LAN-to-LAN Connection, page 5.

17. Click Next. The Connect dialog box appears.

18. If you configured the VPN 3000 Series Concentrator as described in Configuring the VPN 3000 Series Concentrator, page 2, select the Try to Connect to the VPN Gateway check box to try to connect to it. This allows you to test the VPN connection.

Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated.


19. Click Next. If you selected Try to Connect to the VPN Gateway, the Connecting screen appears, followed by the Contacting VPN Site screen. The Site Name dialog box then appears.

20. Type a name for the VPN site. You may choose any name. For example: Cisco.

Note: Do not select Keep this site alive.

21. Click Next. The VPN Site Created screen appears.

22. Click Finish. The VPN Sites page reappears. The new site appears in the VPN Sites list.


Configuring IPSEC Parameters


Configuring the IPSEC parameters on the Embedded NG security appliance is done through the appliance's command line interface (CLI). For information on accessing the CLI, refer to the User Guide. For information on CLI syntax, refer to the Check Point Embedded NG CLI Reference Guide.

Modifying IKE Phase-1 Encryption Parameters


To modify IKE Phase-1 encryption parameters

Use the following command syntax:

set vpn sites number phase1ikealgs [automatic | des/md5 | des/sha1 | 3des/md5 | 3des/sha1 | aes128/md5 | aes128/sha1 | aes256/md5 | aes256/sha1]

where number is the number of the VPN 3000 Series Concentrator VPN gateway's row in the VPN Sites table in the Embedded NG Portal.

For example, if the VPN 3000 Series Concentrator VPN gateway appears in row 2 in the VPN Sites table, and you want to set the Embedded NG appliance to use 3DES/SHA1 for Phase-1 IKE negotiations with this gateway, run the command:

set vpn sites 2 phase1ikealgs 3des/sha1

Modifying IKE Phase-2 Encryption Parameters


To modify IKE Phase-2 encryption parameters

Use the following command syntax:

set vpn sites number phase2ikealgs [automatic | des/md5 | des/sha1 | 3des/md5 | 3des/sha1 | aes128/md5 | aes128/sha1 | aes256/md5 | aes256/sha1]

where number is the number of the VPN 3000 Series Concentrator VPN gateway's row in the VPN Sites table in the Embedded NG Portal.

For example, if the VPN 3000 Series Concentrator VPN gateway appears in row 2 in the VPN Sites table, and you want to set the Embedded NG appliance to use 3DES/SHA1 for Phase-2 IKE negotiations with this gateway, run the command:

set vpn sites 2 phase2ikealgs 3des/sha1


Modifying the IKE Phase-1 Key Lifetime


To modify the IKE Phase-1 key lifetime

Use the following command syntax:

set vpn sites number phase1exptime seconds

where:
number is the number of the VPN 3000 Series Concentrator VPN gateway's row in the VPN Sites table in the Embedded NG Portal.
seconds is the length of the IKE Phase-1 key lifetime in seconds.

For example, if the VPN 3000 Series Concentrator VPN gateway appears in row 2 in the VPN Sites table, and you want to set the Embedded NG appliance to use a Phase-1 key lifetime of 24 hours (86400 seconds) with this gateway, run the command:

set vpn sites 2 phase1exptime 86400

Modifying the IKE Phase-2 Key Lifetime


To modify IKE Phase-2 key lifetime

Use the following command syntax:

set vpn sites number phase2exptime seconds

where:
number is the number of the VPN 3000 Series Concentrator VPN gateway's row in the VPN Sites table in the Embedded NG Portal.
seconds is the length of the IKE Phase-2 key lifetime in seconds.

For example, if the VPN 3000 Series Concentrator VPN gateway appears in row 2 in the VPN Sites table, and you want to set the Embedded NG appliance to use a Phase-2 key lifetime of 1 hour (3600 seconds) with this gateway, run the command:

set vpn sites 2 phase2exptime 3600
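The four CLI commands above exist only to make the Embedded NG side agree with what was entered on the VPN 3000 Series Concentrator (Table 1 and the IKE proposal and LAN-to-LAN pages). The following script is an added example, not part of the original tech note or of either product: it derives the Embedded NG commands from the values shown on the Concentrator's pages, so the two ends cannot drift apart, rejects any combination the phase1ikealgs/phase2ikealgs option list does not offer, and flags the weaker menu choices. The dictionaries, function names and the Cisco display-name to CLI-token mapping are assumptions for illustration; the Phase-2 lifetime is passed in separately because the note does not show where it is set on the Concentrator.

```python
"""Derive the Embedded NG 'set vpn sites' commands from the VPN 3000 settings.

Added example, not from the original tech note. The dictionaries and function
names are assumptions; the CLI syntax and option tokens are those documented
in the note.
"""

# Cisco display names (IKE Proposal / LAN-to-LAN pages) -> Embedded NG CLI tokens.
# Assumed mapping based on the names used in the note's tables and CLI syntax.
_ENC_TOKENS = {"AES-256": "aes256", "AES-128": "aes128", "3DES-168": "3des"}
_AUTH_TOKENS = {"SHA/HMAC-160": "sha1", "MD5/HMAC-128": "md5"}
# The full option list accepted by phase1ikealgs / phase2ikealgs, per the note.
_VALID_ALGS = {f"{e}/{a}" for e in ("des", "3des", "aes128", "aes256")
               for a in ("md5", "sha1")}

# Constructed sample: the values the note enters on the Concentrator.
CISCO_IKE_PROPOSAL = {
    "Authentication Algorithm": "SHA/HMAC-160",
    "Encryption Algorithm": "AES-256",
    "Diffie-Hellman Group": "Group 2 (1024-bits)",
    "Lifetime Measurement": "Time",
    "Time Lifetime": 86400,
}
CISCO_LAN_TO_LAN = {
    "Authentication": "ESP/SHA/HMAC-160",
    "Encryption": "AES-256",
}


def ike_alg_token(encryption: str, authentication: str) -> str:
    """Map a Cisco encryption/authentication pair to one Embedded NG 'enc/hash' token."""
    # The LAN-to-LAN page prefixes the hash with "ESP/"; strip it before the lookup.
    auth = authentication[4:] if authentication.startswith("ESP/") else authentication
    token = f"{_ENC_TOKENS[encryption]}/{_AUTH_TOKENS[auth]}"
    if token not in _VALID_ALGS:
        raise ValueError(f"{token} is not a phase1ikealgs/phase2ikealgs option")
    return token


def embedded_ng_commands(site_row: int, ike_proposal: dict, lan_to_lan: dict,
                         phase2_lifetime: int = 3600) -> list[str]:
    """Return the four 'set vpn sites' commands for the site in row `site_row`.

    Phase-1 algorithms and lifetime come from the IKE proposal, Phase-2 algorithms
    from the LAN-to-LAN page; the Phase-2 lifetime defaults to Table 1's 3600 s.
    """
    if ike_proposal["Lifetime Measurement"] != "Time":
        raise ValueError("phase1exptime takes seconds; set the Cisco lifetime measurement to Time")
    p1 = ike_alg_token(ike_proposal["Encryption Algorithm"],
                       ike_proposal["Authentication Algorithm"])
    p2 = ike_alg_token(lan_to_lan["Encryption"], lan_to_lan["Authentication"])
    return [
        f"set vpn sites {site_row} phase1ikealgs {p1}",
        f"set vpn sites {site_row} phase2ikealgs {p2}",
        f"set vpn sites {site_row} phase1exptime {ike_proposal['Time Lifetime']}",
        f"set vpn sites {site_row} phase2exptime {phase2_lifetime}",
    ]


def weak_choices(ike_proposal: dict, lan_to_lan: dict) -> list[str]:
    """Flag menu choices a reviewer would want replaced when both peers support
    the stronger option (AES-256 over 3DES, SHA/HMAC-160 over MD5/HMAC-128)."""
    checks = [
        ("Phase-1 encryption", ike_proposal["Encryption Algorithm"]),
        ("Phase-2 encryption", lan_to_lan["Encryption"]),
        ("Phase-1 integrity", ike_proposal["Authentication Algorithm"]),
        ("Phase-2 integrity", lan_to_lan["Authentication"]),
    ]
    warnings = []
    for label, value in checks:
        if value.startswith("3DES"):
            warnings.append(f"{label} {value}: prefer AES-256")
        elif "MD5" in value:
            warnings.append(f"{label} {value}: prefer SHA/HMAC-160")
    return warnings


if __name__ == "__main__":
    # Row 2 is where the note's example places the Concentrator in the VPN Sites table.
    for cmd in embedded_ng_commands(2, CISCO_IKE_PROPOSAL, CISCO_LAN_TO_LAN):
        print(cmd)
    for warning in weak_choices(CISCO_IKE_PROPOSAL, CISCO_LAN_TO_LAN):
        print("warning:", warning)
```

For the note's sample values the script prints the four commands with aes256/sha1, 86400 and 3600, and no warnings; entering 3DES-168 or an MD5 variant on the Concentrator side produces the matching 3des/md5-style token plus a warning, and a lifetime measured in data rather than time is rejected because phase1exptime only takes seconds.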

