Configuring an IPSec Tunnel between a Firebox & a Cisco PIX 520

Transcription

1 Configuring an IPSec Tunnel between a Firebox & a Cisco PIX 520 This document describes how to configure an IPSec tunnel with a WatchGuard Firebox II or Firebox III (software version 4.5 or later) at one end and the Cisco PIX 520 (software version 5.2.1) at the other. The following diagram illustrates the machines and addresses involved in the connection. The examples used in this document are taken from this set-up.

2 Configuring Firebox II for an IPSec Tunnel to a Cisco PIX 520 This procedure describes how to configure a WatchGuard Firebox II, II Plus or II Fast VPN to create an IPSec Virtual Private Network (VPN) with a Cisco PIX 520 device at the other end of the tunnel. NOTE In the following documentation, Firebox is used to refer to the Firebox II or Firebox III family of WatchGuard firewalls. To configure the Firebox for an IPSec tunnel, use the WatchGuard Policy Manager to configure the IPSec gateway, tunnel, routing information, and enable the associated policy. For more information about configuring a Firebox for an IPSec VPN tunnel, consult the WatchGuard LiveSecurity System User Guide. Setting Up the Gateway You must first define the remote gateway of the Cisco PIX 520. From the WatchGuard Policy Manager: 1 Select Network => Branch Office VPN => IPSec. The IPSEC Configuration dialog box appears. 2 Click Gateways. Click Add. The IPSec Gateway dialog box appears 3 Enter the gateway information as described below: Name The name used to identify this gateway. 2 WatchGuard SOHO with VPN Manager 2.1

3 Configuring Firebox II for an IPSec Tunnel to a Cisco PIX 520 Key Negotiation Type Select isakmp (dynamic). Remote Gateway IP The external IP address of the remote device that the Firebox will negotiate with when creating the IPSec tunnel. In this case, the PIX 520. Shared Key Similar to a password, this is used to authenticate both ends of the tunnel to each other; the shared key must be identical on both sites. 4 When you finish adding gateways, click OK. The Configure Gateways dialog box appears displaying the new gateway. 5 Click Tunnels to continue with Setting up the Tunnel (see below). Setting up the Tunnel A tunnel encapsulates packets between two gateways. It specifies encryption type, authentication method, or both. A tunnel also specifies endpoints these are the public, external addresses of the two devices. The following describes how to configure a tunnel using a gateway with the isakmp (dynamic) key negotiation type, which is required for creating a tunnel between a Firebox and a Cisco PIX 520. From the IPSec Configuration dialog box: 1 Click Tunnels. The Configure Tunnels dialog box appears. IPSec Tunnel Configuration 3

4 2 To add a new tunnel, click Add. The Select Gateway dialog box appears. 3 Click the gateway that you created in Setting Up the Gateway on page 2. Click OK. The Configure Tunnel dialog box appears. 4 Enter a tunnel name. The Policy Manager uses the tunnel name as an identifier. 5 Click the Dynamic Security tab. The Configure Tunnel dialog box appears. 6 Enter the following information: 4 WatchGuard SOHO with VPN Manager 2.1

5 Configuring Firebox II for an IPSec Tunnel to a Cisco PIX 520 Type Select ESP (Encapsulated Security Payload). This must match the Security Association Proposal type on the PIX device. Authentication Select SHA1-HMAC (a 160-bit algorithm). This must match the authentication type on the PIX device. Encryption Select 3DES-CBC (168-bit). This must match the encryption level on the PIX device. 7 To have a new key generated periodically, check the box labelled Force Key Expiration. With this option, transparent to the user, the isakmp controller generates and negotiates a new key for each session. For no key expiration, enter 0 (zero) here. If you enable the Force key expiration box, set the number of kilobytes transferred or hours passed in the session before a new key is generated for continuation of the VPN session. 8 Click OK. The Configure Tunnels dialog box appears displaying the newly created tunnel. 9 After you add all tunnels for this gateway, click OK. The Configure Gateways dialog box appears. Creating an IPSec Policy Policies are sets of rules, much like static routes, for defining how IPSec traffic is routed through the tunnel. Policies are defined by their endpoints. These are not the same as tunnel or gateway endpoints they are the specific hosts, networks, or both behind the two IPSec devices (for our purposes, the Firebox and the Check Point FireWall-1), which communicate through the tunnel. NOTE You can configure an IPSec VPN tunnel to securely allow two computers to talk to each other (if you specify by host), or you can configure an IPSec VPN tunnel to securely allow two networks to talk to each other (if you specify by network). From the IPSec Configuration dialog box: 1 Click Add. The Edit Routing Policy dialog box appears. 2 Enter the following information: Local Host or Network. You can create a policy for a single host or an entire network behind the local device. Following our example, select Network and enter the network address of the private, internal network behind the Firebox, /24. IPSec Tunnel Configuration 5

6 Remote Host or Network. You can create a policy for a single host or an entire network behind the remote device. Following our example, select Network and enter the network address of the private, internal network behind the PIX, /24. Disposition This determines how the Firebox will handle traffic travelling between the tunnel endpoints. Select secure. Tunnel You can choose the tunnel you want to use between these networks. Following our example, select cisco_pix. 3 Click OK. The IPSec Configuration dialog box appears listing the newly created policy. Policies are initially listed in the order in which they were created. 4 Click OK again to close the IPSec Configuration dialog box. Creating Services The last step defines what services are going to be allowed through this tunnel. Users behind the Cisco PIX 520 are outside the trusted Firebox network; you must therefore configure the Firebox specifically to allow traffic through the VPN connection. A quick method is to create a host alias that corresponds to the remote VPN hosts, networks, or both. Either use this alias or individually enter the IP addresses when configuring the properties for the service or services you wish to allow. For more information on creating an alias, consult the WatchGuard LiveSecurity System User Guide. You can modify your Firebox security policy to allow the VPN traffic on a service-byservice basis. However, the easiest method is to create an Any service which allows all traffic over any port. From the Policy Manager: 1 Select Edit =>Add Service. 6 WatchGuard SOHO with VPN Manager 2.1

7 Configuring Firebox II for an IPSec Tunnel to a Cisco PIX Expand Packet Filters. 3 Select the Any service. Click Add. The Add Service dialog box appears. 4 Click OK. The service s Properties dialog box appears. 5 At the Incoming tab, select Enabled and Allowed from the drop list. 6 Under From, click Add. 7 Click Add Other. The Add Member dialog box appears. 8 At the Choose Type drop list, select Network IP Address and enter the IP address of the private, internal network behind the PIX. Following our example, /24. 9 Click OK. 10 Click OK. The service s Properties dialog box reappears. It should display the IP Address you entered in the From portion of the dialog box. 11 Under To, click Add. 12 Click Add Other. The Add Member dialog box appears. 13 At the Choose Type drop list, select Network IP Address and enter the IP address of the private, internal network behind the Firebox. Following our example, / Click OK. 15 Click OK. The service s Properties dialog box reappears. It should display the IP Address you entered in the To portion of the dialog box as well as the IP address of the From portion you entered earlier. IPSec Tunnel Configuration 7

8 16 Click the Outgoing tab. Select Enabled and Allowed from the drop list. 17 Under From, click Add. 18 Click Add Other. The Add Member dialog box appears. 19 At the Choose Type drop list, select Network IP Address and enter the IP address of the private, internal network behind the Firebox. Following our example, / Click OK. 21 Click OK. The service s Properties dialog box reappears. It should display the IP Address you entered in the From portion of the dialog box. 22 Under To, click Add. 23 Click Add Other. The Add Member dialog box appears. 24 At the Choose Type drop list, select Network IP Address and enter the IP address of the private, internal network behind the PIX. Following our example, / Click OK. 26 Click OK. The service s Properties dialog box reappears. It should display the IP Address you entered in the To portion of the dialog box as well as the IP address of the From portion you entered earlier. 27 Click OK to close the Any Properties dialog box. Click Close to close the Add Service dialog box. 8 WatchGuard SOHO with VPN Manager 2.1

9 Configuring the Cisco PIX 520 for an IPSec Tunnel with a Firebox Saving the Configuration to the Firebox Finally, save the changes made to the configuration file to the Firebox. 1 Select File => Save => To Firebox. 2 Use the Firebox drop list to select the Firebox. 3 Enter the configuration (read/write) pass phrase. Click OK. The configuration file is saved first to the local hard drive and then to the primary area of the Firebox flash disk. You are prompted to reboot the Firebox. The new Firebox configuration will not be enabled until the Firebox is rebooted. Configuring the Cisco PIX 520 for an IPSec Tunnel with a Firebox This section describes how to configure the Cisco PIX 520 for a tunnel that has a WatchGuard Firebox at the other end. To create an IPSec tunnel between the Firebox and the Cisco PIX 520, you will need to add the following: Access Lists These are similar to the IPSec Routing Policies used by WatchGuard Products. They define on the PIX device which networks will communicate. Specifically, you will define a rule that allows traffic between the private, internal network behind the Firebox and the private, internal network behind the PIX device. Crypto Information This defines the parameters of both Phase 1 and Phase 2 of the IPSec negotiation, including what kind of encryption to use, the pre-shared key and tunnel expiration parameters. Traffic permissions You will need to instruct the PIX device to permit traffic from the IPSec tunnel through to the internal, local networks. If your PIX is also running NAT this will need to be disabled to permit traffic to pass through the tunnel to the remote network behind the Firebox. Defining Access Lists Add the following to your Cisco PIX configuration file: access-list 101 permit IP [IP address behind Pix][netmask] [IP address behind Firebox][netmask] access-list 101 permit IP [IP address behind Firebox][netmask] [IP address behind Pix][netmask] These lines instruct the PIX device to allow traffic between the two private, internal networks, protected by both the Firebox and the PIX. NOTE The numeric identifier in the example above, 101, is arbitrary and merely defines a unique rule for the PIX. Defining Crypto Information There are two sections to configure for actual data encryption, Phase 1 and Phase 2. IPSec Tunnel Configuration 9

10 NOTE The default settings on the Firebox for Phase 1 negotiations are DES, SHA1, and Diffie Helman group 1. These settings cannot be changed. Therefore, it is absolutely critical that the PIX 520 is configured to use DES, SHA1, and Diffie Helman group 1 for this Phase of the negotiation. Add the following to your Cisco PIX configuration file for Phase 1 negotiation: isakmp enable [interface name] isakmp key [pre-shared key] address [remote IP address] netmask [netmask] isakmp identity address isakmp policy 20 authentication pre-share isakmp policy 20 encryption des isakmp policy 20 hash sha isakmp policy 20 group 1 isakmp policy 20 lifetime NOTE The numeric identifier in the example above, 20, is arbitrary and merely defines a unique rule for the PIX. 1 The first line enables ISAKMP on an interface of the PIX device. In our example, outside. 2 The second line sets the pre-shared key and associates it with the peer, that is the remote host--the external, public IP of the Firebox. (The characters entered as the pre-shared key will be replaced with * when later queried.) 3 The third line specifies that IP addresses will be used for negotiations between peers. 4 The fourth line specifies that pre-shared keys will be used for authentication in Phase 1. 5 The fifth line sets encryption for Phase 1. This must match the settings on the Firebox for Phase 1 negotiation therefore it must be, des. 6 The sixth line sets the hash for Phase 1. This must match the settings on the Firebox for Phase 1 negotiation, therefore it must be sha. 7 The seventh line determines which Diffie Helman group will be used. This must match the settings on the Firebox, therefore it must be, group 1. 8 The eighth line sets the number of seconds after which the tunnel will be renegotiated. This is the default value of the Firebox. Add the following to your Cisco PIX configuration file for Phase 2 negotiation: crypto ipsec transform-set [transform name] [encryption] [hash] crypto map testmap 10 ipsec-[sa] crypto map testmap 10 match address [access list] crypto map testmap 10 set peer [peer IP address] crypto map testmap 10 set transform-set [transform name] crypto map testmap 10 set security-association lifetime seconds 360 kilobytes 8192 crypto map testmap interface [interface name] 10 WatchGuard SOHO with VPN Manager 2.1

11 The following is an example of the PIX configuration file with the Firebox IPSec tunnel additions: NOTE The identifier in the example above, testmap, is arbitrary and merely defines a unique rule for the PIX. 1 The first line defines a name, encryption, and hash type that will be used in the transform during Phase 2 negotiation. This must match the settings on the Firebox for Phase 2 negotiation. For example, crypto ipsec transform-set pixtransform esp-3des esp-sha-hmac. 2 The second line defines how the Security Association (SA) will be created. For example, ISAKAMP. 3 The third line defines what traffic will be passed via the tunnel. For example, the traffic associated with access list 101 created earlier, crypto map testmap 10 match address The fourth line directs the PIX to the peer to use when negotiating this tunnel. This should be the External interface of the Firebox. For example, crypto map testmap 10 set peer The fifth line defines which Phase 2 transform to use. For example, the one we defined earlier, pixtransform. 6 The sixth line instructs the PIX to renegotiate the keys every hour and every 8 MB. These are the default values of the Firebox. 7 The seventh line associates all the above crypto information to an interface on the PIX device, for example, outside. All traffic on the outside interface will then be matched against the IPSec tunnel information you have defined. Any traffic matching these parameters will be encrypted and passed via the IPSec tunnel. 8 Save these additions to your PIX configuration. Permitting traffic through the IPSec tunnel Add the following to your Cisco PIX configuration file in order to permit traffic from the IPSec tunnel through the PIX and into your local network: sysopt connection permit-ipsec If you are using NAT on your PIX, then you MUST create a rule which disables NAT on traffic using the IPSec tunnel. Add the following to your Cisco PIX configuration file: nat 0 access-list 101 The following is an example of the PIX configuration file with the Firebox IPSec tunnel additions: PIX Version 5.2(1) nameif eithernet0 outside security0 nameif ethernet1 inside security100 enable password 8Ry2YjIyt7RRXU24 passwd 2KFQnbNIdI.2KYOU encrypted hostname pixfirewall IPSec Tunnel Configuration 11

12 fixup protocol ftp 21 fixup protocol http 80 fixup protocol h fixup protocol rsh 514 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol sip 5060 names access-list 101 permit ip access-list 101 permit ip access-list 102 permit ip pager lines 24 logging on logging timestamp no logging standby no logging console no logging monitor logging buffered debugging logging trap debugging no logging history logging facility 20 logging queue 512 logging host inside /1468 interface ethernet0 auto interface ehternet1 auto mtu outside 1500 mtu inside 1500 ip address outside ip address inside ip audit info action alarm ip audit attack action alarm no failover failover timeout 0:00:00 failover poll 15 failover ip address outside failover ip address inside arp timeout nat (inside) access-group 102 in interface outside route outside timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius no snmp-server location no snmp-server contact snmp-server community public floodguard enable no sysopt route dnat crypto ipsec transform-set pixtransform esp-3des esp-sha-hmac crypto map testmap 10 ipsec-isakmp crypto map testmap 10 match address 101 crypto map testmap 10 set peer crypto map testmap 10 set transform-set pixtransform crypto map testmap interface outside isakmp enable outside 12 WatchGuard SOHO with VPN Manager 2.1

13 The following is an example of the PIX configuration file with the Firebox IPSec tunnel additions: isakmp key ******** address netmask isakmp identity address isakmp policy 20 authentication pre-share isakmp policy 20 encryption des isakmp policy 20 hash sha isakmp policy 20 group 1 isakmp policy 20 lifetime telnet inside telnet timeout 15 ssh timeout 5 terminal width 80 Copyright and Patent Information Copyright WatchGuard Technologies, Inc. All rights reserved. WatchGuard, Firebox, and LiveSecurity are either a trademark or registered trademark of WatchGuard Technologies, Inc. in the United States and other countries. This product is covered by one or more pending patent applications. DocVer B-4.6 Firebox to Cisco PIX-1 IPSec Tunnel Configuration 13