2.0 HOW-TO GUIDELINES


Version 2.0
HOW-TO GUIDELINES
Setting up a VPN between a StoneGate cluster and a Cisco PIX firewall
TECHN10-6/3/03

Introduction

This document highlights a tested method to configure a VPN tunnel between a Cisco PIX firewall (PIX) and a StoneGate High Availability Firewall and VPN. To proceed with the configuration guidelines, you need to have a running StoneGate Management application with configured StoneGate firewall engines.

This document is not a tutorial on either StoneGate or PIX firewall implementation. Only those elements pertaining to the actual encryption of a VPN tunnel between the two firewalls are addressed. For example, configuring NAT statements and access lists on the PIX firewall is not explained in detail even though they are necessary parts of the VPN tunnel. It is assumed that the reader has sufficient prior knowledge of PIX firewalls to create those elements.

This document includes a full working configuration taken directly from a PIX firewall that includes all the elements required to build a VPN tunnel between StoneGate and PIX. The reader could simply change a few parameters (IP addresses, passwords, etc.), and copy and paste the configuration into a PIX firewall to get a working configuration.

The VPN parameters used in this example configuration are not the only ones that can work. It is important to remember that changes at one end of the VPN tunnel also need to be matched by changes at the other end.

Network Environment

The example network setting depicted in Figure 1.1 illustrates the network environment you are going to configure.

FIGURE 1.1 Network Environment

There are two different firewalls:

- StoneGate firewall cluster. The engine is a Compaq Deskpro EN with D-Link 570 quad card. The engine version is build 902. The management version is build
  The StoneGate firewall cluster connects the following networks:
  - the external network /24; external IP address
  - the internal network /24; internal IP address
- Cisco PIX firewall running on Cisco PIX 515 firewall HW and PIX 6.2(1) SW. The PDM is version 2.1(1).
  The Cisco PIX firewall connects the following networks:
  - the external network /24; external IP address
  - the internal network ; internal IP address

Getting Started

Before creating the VPN it is assumed that both PIX and StoneGate are operating so that traffic can be carried over them (routing, interfaces, etc.). No other steps need to be done beforehand.

Configuring the VPN

VPN Parameters

First, you will configure the VPN settings in StoneGate. Then, you will configure the VPN settings in Cisco PIX. Cisco PIX can be configured using the command line interface or a GUI wizard. Both methods are shown in this document, but only one method should be used.

The following IPsec parameters will be used to create the VPN tunnel between StoneGate and Cisco PIX:

IKE Phase 1:
- DES for Cipher Algorithm for Key Exchange
- MD5 for Message Digest Algorithm for Key Exchange
- Pre-Shared Key for Authentication method
- 1 for Diffie-Hellman Group for IKE
- 1440 for IKE SA Lifetime in Minutes (listed as seconds in PIX)

IKE Phase 2:
- ESP for IPsec Type
- DES for Cipher Algorithm
- MD5 for Message Digest Algorithm
- 60 minutes or KB for IPsec Tunnel Lifetime

VPN settings at the StoneGate end

When configuring the VPN settings at the StoneGate end, the following steps need to be performed:

1. Configure Internal Security Gateway
2. Configure External Security Gateway
3. Configure the Encryption Domains
4. Create a VPN Element
5. Create a VPN Rule Base

Below you will find each of these steps explained in more detail.

To configure the VPN settings in StoneGate follow these instructions:

Create an Internal Security Gateway

1. In the StoneGate Control Panel, open the VPN Manager by clicking on its icon.

Internal Security Gateway - General Tab

2. Create a new Internal Security Gateway element by selecting its icon on the toolbar. In the General tab, name the gateway (e.g. SG) and select your local firewall from the options provided. The VPN Client NAT Pool will be left blank. The default SGW Settings in the other tab needn't be changed.

ILLUSTRATION 1.1 Internal Security Gateway - End-Points Tab

3. Switch to the End-Points Tab and then name the end points. Select your firewall's external IP address, and click Add to insert the name and IP address of the end point in the text box. (In our example, )
4. Click OK.

Create an External Security Gateway

1. You need to define the other end of the VPN next. Therefore, you must also create your partner's security gateway as an element. In the VPN Manager, click the External Security Gateway icon to open the External Security Gateway Properties dialog box.

ILLUSTRATION 1.2 External Security Gateway - General Tab

2. In the General tab, name the external gateway (e.g., PIX). Select Cisco PIX as the Gateway Type.

ILLUSTRATION 1.3 External Security Gateway - End-Points Tab

3. Switch to the End-Points tab and click the radio button Static IP.
4. In the End-Point Data section give the end point a name (e.g., PIXoutside) and its external IP address ( ).
5. Click the Add button to insert the name and IP address of the end-point in the text box.
6. Click OK.

Configuring the Encryption Domains

You need to assign sites to both defined security gateways.

ILLUSTRATION 1.4 VPN Manager - Gateway and Sites Tab

1. In the VPN Manager, select the Gateways and Sites tab. Ensure that you have the Repository View on the left panel.
2. Drag and drop your internal network ( /24) from the left onto your internal security gateway on the right panel.

Now, you will repeat the previous step for the external security gateway:

1. Drag and drop your partner's internal network ( /24) from the left onto the external security gateway on the right panel.
2. When finished, your VPN Manager should resemble Illustration 1.4.

Creating a VPN Element

After defining the security gateways functioning as end-points of the VPN, you can create the actual VPN element.

ILLUSTRATION 1.5 VPN Manager - VPNs Tab

1. In the VPN Manager, click the VPN icon.
2. In the displayed dialog box, specify the name of the VPN (e.g., NG to SG). Click OK.
3. Switch to the VPNs tab to see the newly created VPN element.
4. In the VPNs window, drag and drop both gateway elements from the left panel onto the VPN element you created on the right panel.
5. Set the properties of the VPN by selecting the VPN you just created. Right-click on it and select Properties from the contextual menu. The VPN Editor window will open.
6. In the VPN Editor window, click on the IKE Proposal button located in the Logical Tunnels panel on the left.

ILLUSTRATION 1.6 IKE Phase 1 - IKE Phase 1 Tab

7. The IKE Phase 1 window will open. Select the IKE Phase 1 tab.

   Select the DES radio button for Cipher Algorithm for Key Exchange. Click the MD5 radio button for Message Digest Algorithm for Key Exchange. Select the Pre-shared Key radio button for Authentication Method. Set the Diffie-Hellman Group for IKE to the value of 1. Enter 1440 for the IKE SA Lifetime in Minutes. Then select Main as the IKE Negotiation Mode.
8. Switch to the Pre-Shared Key tab.

ILLUSTRATION 1.7 IKE - Pre-Share Key Tab

9. Type in the same pre-shared key used previously with the PIX VPN configuration. (In our example, abc123.) The Certificate Authorities tab needn't be changed.
10. Click OK to return to the VPN Editor dialog box.
11. Click on the Policy box in the Connections Between Site End-Points panel. The Connection Encryption Policy dialog box appears.

ILLUSTRATION 1.8 Connection Encryption Policy

12. Select Override VPN Policy Settings For this Connection. Then select the radio button Net under Security Association Granularity. Click the Use IKE radio button under IPsec Mode. Ensure that the Don't Verify ESP Padding, Keep IPsec Tunnels Alive, and Use PFS check boxes are unselected.
13. Click on IPsec Proposals to define the IKE phase-2 settings.

ILLUSTRATION 1.9 IPsec Proposals

14. Select the ESP radio button under IPsec Type. Select the DES radio button under Cipher Algorithm. Click the MD5 radio button under the Message Digest Algorithm. Enter 60 min., and KB under IPsec Tunnel Lifetime text boxes.
15. Click on the Add button to add this IPsec proposal. In the IPsec Proposals view, make sure that the proposal you just added is the first one in the IPsec Proposals list.
16. Click OK twice, closing the IPsec Proposals box and the Connections Between Site End-Points box. You are now back in the VPN Editor.

ILLUSTRATION 1.10 VPN Editor

17. On the right side of the VPN Editor you will see the Mode heading in the Connections Between Site End-Points panel. The entry should be a greyed-out Disabled icon. Click on the entry and select the blue Normal icon. Close the VPN Editor and the VPN Manager.

Create a VPN Rule Base

After you have configured the VPN between the two gateways, you need to create access rules to allow VPN traffic to be handled by StoneGate. From the Control Panel open the Security Policy Manager to design the rules.

ILLUSTRATION 1.11 Security Policy Manager

1. Create a new policy by clicking the New icon on the tool bar.
2. In the opened dialog box, set the type as Normal, name the rule base as VPN_SG_PIX, and select default as the new template.

3. Once your new rule base opens, click on the green line saying Access rule: insert point, and right-click Add Rule.
4. You will now allow for VPN traffic from StoneGate to PIX. For the new rule, fill in the cells as follows:
   - Source: drag and drop the StoneGate internal network ( /24) here.
   - Destination: drag and drop the PIX internal network ( /24) here.
   - Service: ANY.
   - Action: select Enforce VPN and then SG-PIX.
   - Options: if wanted, set the Log Level under the Logging tab as Transient or whichever log setting you desire.

ILLUSTRATION 1.12 Log Level

5. This time you will be allowing VPN traffic from PIX to StoneGate. Create a new rule under the one you just created by right-clicking on its row and selecting Add Rule After. Essentially, you will be recreating the previous rule, but reversing the Source and Destination fields.
6. Fill in the cells as follows:
   - Source: drag and drop the PIX internal network ( /24) here.
   - Destination: drag and drop the StoneGate internal network ( /24) here.
   - Service: ANY.
   - Action: select Enforce VPN and then SG-PIX.
   - Options: if wanted, set the Log Level under the Logging tab as Transient or whichever log setting you desire.
7. Save and install the policy by clicking the Save and Install icon.

VPN settings at the CISCO PIX end using the command line

The Command Line Interface (CLI) is the original configuration method for PIX devices and is included here for reference. This can be accessed through several methods, including Telnet, Secure Shell (SSH), or through a console port session.

To configure the VPN tunnel in Cisco PIX end using the command line

1. Define the access list and NAT statements. This line creates/modifies an access list called VPN that runs between the two networks listed and expressly permits traffic between them.
    pix(config)# access-list vpn permit ip
2. Deny all other traffic from network to any other point.
    pix(config)# access-list vpn deny ip any
3. Specify that NAT is not to be performed for traffic covered in the VPN access list.
    pix(config)# nat (inside) 0 access-list vpn
4. Use the following command to define StoneGate's end of the tunnel.
    pix(config)# crypto map PIX_SG 10 set peer
5. Enable IKE on the outside interface.
    pix(config)# isakmp enable outside
6. Set the pre-shared key (in this case, abc123) for communications with the peer (StoneGate).
    pix(config)# isakmp key abc123 address netmask
7. Set the security association granularity on PIX.
    pix(config)# isakmp identity address
8. The pre-shared key will be used in authentication.
    pix(config)# isakmp policy 10 authentication pre-share
9. Define the IKE settings for Phase 1 to be the same as defined in the StoneGate end.
    pix(config)# isakmp policy 10 encryption des
    pix(config)# isakmp policy 10 hash md5
    pix(config)# isakmp policy 10 group 1
    pix(config)# isakmp policy 10 lifetime

10. Configure the IPsec Proposal settings for Phase 2 to activate the settings from the previous three steps for the VPN defined in step 4. Set both the Cipher Algorithm and the Message Digest Algorithm for ESP.
    pix(config)# crypto ipsec transform-set myset esp-des esp-md5-hmac
11. The following line will activate the IKE settings defined above in step 9.
    pix(config)# crypto map PIX_SG 10 ipsec-isakmp
12. The encryption domains of the firewalls are set to be the ones defined in the VPN access list from step 1.
    pix(config)# crypto map PIX_SG 10 match address vpn
13. The IKE Phase 2 settings from step 8 are activated for this tunnel.
    pix(config)# crypto map PIX_SG 10 set transform-set myset
14. Set both the minutes and kilobyte value for the IPsec Tunnel Lifetime on PIX.
    pix(config)# crypto map PIX_SG 10 set security-association lifetime seconds 3600 kilobytes
15. Activate the tunnel on the external interface.
    pix(config)# crypto map PIX_SG interface outside
16. Implicitly allow any packet that comes from the IPsec tunnel.
    pix(config)# sysopt connection permit-ipsec

VPN settings at the CISCO PIX end using PDM

In PIX, instead of using the command line interface, the VPN tunnel between StoneGate and PIX can also be configured by using the PIX Device Manager (PDM) graphical user interface. PDM software can be installed on PIX, after which the firewall can be accessed using HTTPS. In PDM the VPNs can be set up in the VPN section or by using the VPN Wizard.

To configure the VPN tunnel in Cisco PIX end using PDM

ILLUSTRATION 1.13 Cisco PIX Device Manager (PDM)

1. From the Cisco PIX Device Manager go to the Wizards menu and open the VPN Wizard.

ILLUSTRATION 1.14 VPN Wizard

2. From the first window of the VPN Wizard select the Site to Site VPN radio button. Enable the VPN on the outside interface that leads to StoneGate.

ILLUSTRATION 1.15 VPN Wizard - Remote Site Peer

3. Specify the remote peer (the StoneGate firewall) by entering its IP address and defining the authentication method. Enter the same Pre-shared key as used when configuring the StoneGate end. (In our example, abc123.)

ILLUSTRATION 1.16 VPN Wizard - IKE Policy

4. For IKE negotiation, select the encryption (DES) and authentication (MD5) algorithms and the Diffie-Hellman group (1) to be used. The values should be the same as those used when configuring the StoneGate end.

ILLUSTRATION 1.17 VPN Wizard - Transform Set

5. For IPsec, select the encryption (DES) and authentication (MD5) algorithms to be used. The values should be the same as those used to configure the StoneGate end.

ILLUSTRATION 1.18 VPN Wizard - IPsec Traffic Selector

6. Define the local network (e.g., inside) protected by PIX. Use PIX's local network IP Address ( ) and mask ( ). To move this information to the Selected box press the right-hand arrow pointing to the box.

ILLUSTRATION 1.19 VPN Wizard - IPsec Traffic Selector (Continue)

7. Define the remote site's internal network (outside) protected by StoneGate. Use StoneGate's local network IP Address ( ) and mask ( ). Press the right-hand arrow to move this information to the Selected box.
8. To complete the VPN Wizard and apply the configuration to PIX select the Finish button.

ILLUSTRATION 1.20 VPN System Options

9. From the Cisco PIX Device Manager select the VPN tab, then select VPN System Options from the left-hand panel. In the right-hand panel select Bypass access check for IPSec and L2TP traffic. This will permit IPsec inbound sessions without interference.

PIX configuration used

Below is a full Cisco PIX configuration taken with the show running configuration command (which can be shortened to sh run) while traffic was flowing through the VPN tunnel. This configuration was generated with the command line interface. This can be accessed through several methods, including Telnet, Secure Shell (SSH), or through a console port session.

    pix(config)# sh run
    : Saved
    :
    PIX Version 6.2(1)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password NuLKvvWGg.x9HEKO encrypted
    passwd NuLKvvWGg.x9HEKO encrypted
    hostname pix
    domain-name stonesoft.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h
    fixup protocol h323 ras
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    access-list vpn permit ip
    access-list vpn deny ip any
    pager lines 24
    logging on
    logging console debugging
    logging monitor debugging
    logging buffered debugging
    logging trap debugging
    interface ethernet0 auto
    interface ethernet1 auto
    mtu outside 1500
    mtu inside 1500
    ip address outside
    ip address inside
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    failover ip address outside
    failover ip address inside
    pdm history enable
    arp timeout
    global (outside)
    global (outside)
    nat (inside) 0 access-list vpn
    nat (inside)
    route outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    no floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto map PIX_SG 10 ipsec-isakmp
    crypto map PIX_SG 10 match address vpn
    crypto map PIX_SG 10 set peer
    crypto map PIX_SG 10 set transform-set myset
    crypto map PIX_SG 10 set security-association lifetime seconds 3600 kilobytes
    crypto map PIX_SG interface outside
    isakmp enable outside
    isakmp key ******** address netmask
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime
    telnet inside
    telnet timeout 5
    ssh timeout 5
    terminal width 80
    Cryptochecksum:b91242fd64b5e52eecbf30371a9a5329
    : end

Crypto map and transform set on PIX

The following shows the active crypto map and transform set details on PIX while traffic was flowing through the VPN tunnel:

    pix(config)# show crypto map interface outside
    Crypto Map: "PIX_SG" interfaces: { outside }
    Crypto Map "PIX_SG" 10 ipsec-isakmp
        Peer =
        access-list vpn; 2 elements
        access-list vpn permit ip (hitcnt=311)
        access-list vpn deny ip any (hitcnt=0)
        Current peer:
        Security association lifetime: kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ myset, }

    pix(config)# show crypto ipsec transform-set
    Transform set myset: { esp-des esp-md5-hmac }
        will negotiate = { Tunnel, },
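
Added example (not part of the original Stonesoft document, and not vendor code): a Python check that the PIX side matches the StoneGate parameters listed under VPN Parameters, converting the PIX lifetimes from seconds to minutes, and that also lists which of the negotiated values are legacy algorithms. The sample configuration is constructed from the commands shown on this page with addresses and the kilobyte limit left out; 86400 is the page's 1440 minutes expressed in seconds, and the function names are hypothetical.

```python
import re

# StoneGate-side values, taken from the "VPN Parameters" list on this page.
STONEGATE = {
    "ike_cipher": "des",
    "ike_hash": "md5",
    "ike_auth": "pre-share",
    "ike_dh_group": 1,
    "ike_lifetime_min": 1440,
    "esp_cipher": "des",
    "esp_hash": "md5",
    "ipsec_lifetime_min": 60,
    "pfs": False,
}

# Constructed sample: the crypto/isakmp lines from this page, addresses omitted.
# 86400 s is 1440 min; the page's own lifetime value did not survive extraction.
SAMPLE_PIX = """\
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map PIX_SG 10 ipsec-isakmp
crypto map PIX_SG 10 match address vpn
crypto map PIX_SG 10 set transform-set myset
crypto map PIX_SG 10 set security-association lifetime seconds 3600
crypto map PIX_SG interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
"""

# DES (56-bit key), MD5 and Diffie-Hellman group 1 (768-bit modulus) are the
# values this guide uses; all three are long deprecated for new tunnels.
LEGACY = {
    "ike_cipher": {"des"}, "esp_cipher": {"des"},
    "ike_hash": {"md5"}, "esp_hash": {"md5"},
    "ike_dh_group": {1},
}


def parse_pix(config, crypto_map="PIX_SG", seq=10, policy=10):
    """Extract tunnel parameters from PIX 6.x config text, normalised to the
    StoneGate field names and units (lifetimes in minutes)."""
    out = dict.fromkeys(STONEGATE)      # every field None until a line sets it
    out["pfs"] = False                  # PFS is off unless 'set pfs' is present
    transform_sets, chosen_set = {}, None
    pol = rf"isakmp policy {policy} "
    cmap = rf"crypto map {re.escape(crypto_map)} {seq} set "
    names = {"encryption": "ike_cipher", "hash": "ike_hash",
             "authentication": "ike_auth"}
    for raw in config.splitlines():
        # Accept lines pasted with the 'pix(config)# ' prompt still attached.
        line = re.sub(r"^\S*\(config\)#\s*", "", raw.strip())
        if m := re.fullmatch(pol + r"(encryption|hash|authentication) (\S+)", line):
            out[names[m[1]]] = m[2]
        elif m := re.fullmatch(pol + r"group (\d+)", line):
            out["ike_dh_group"] = int(m[1])
        elif m := re.fullmatch(pol + r"lifetime (\d+)", line):
            out["ike_lifetime_min"] = int(m[1]) / 60      # PIX stores seconds
        elif m := re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", line):
            transform_sets[m[1]] = m[2].split()
        elif m := re.fullmatch(cmap + r"transform-set (\S+)", line):
            chosen_set = m[1]
        elif m := re.fullmatch(
                cmap + r"security-association lifetime seconds (\d+)"
                       r"(?: kilobytes \d+)?", line):
            out["ipsec_lifetime_min"] = int(m[1]) / 60
        elif re.fullmatch(cmap + r"pfs(?: \S+)?", line):
            out["pfs"] = True
    # Resolve the transform set the crypto map entry actually references.
    for transform in transform_sets.get(chosen_set, []):
        if not transform.startswith("esp-"):
            continue
        name = transform[4:]
        if name.endswith("-hmac"):
            out["esp_hash"] = name[:-5]
        else:
            out["esp_cipher"] = name
    return out


def compare(stonegate, pix):
    """Return (field, StoneGate value, PIX value) for every field that differs."""
    return [(k, stonegate[k], pix.get(k))
            for k in sorted(stonegate) if stonegate[k] != pix.get(k)]


def legacy(params):
    """Return the fields whose negotiated value is a legacy algorithm."""
    return sorted(k for k, bad in LEGACY.items() if params.get(k) in bad)


if __name__ == "__main__":
    pix = parse_pix(SAMPLE_PIX)
    print("mismatches:", compare(STONEGATE, pix))
    print("legacy values:", legacy(pix))
```

Entering the StoneGate figure of 1440 directly as the PIX lifetime shows up as a mismatch of 24 minutes against 1440, which is the unit difference the parameter list warns about.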

Trademarks and Patents

Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-link technology, multi-link VPN, and the StoneGate clustering technology - as well as other technologies included in StoneGate - are protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are property of their respective owners.

Copyright and Disclaimer

Copyright Stonesoft Corporation. All rights reserved. These materials, Stonesoft products and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means without written authorization of Stonesoft Corporation.

The Stonesoft Secure Application Partnership Program is a validation service offered by Stonesoft to allow end users to make an informed decision when choosing hardware for their StoneGate High Availability Firewall and VPN solutions. Under Stonesoft's Secure Application Partnership Program, certification is granted based on tests performed under specific operating conditions in a controlled environment. The details of these tests are available from Stonesoft upon request. Stonesoft does not guarantee the accuracy, adequacy or completeness of its certification testing of third party hardware products and shall not be liable if the testing results and/or determinations are inaccurate, inadequate or incomplete. End users are solely responsible for determining on their own whether a given third party hardware configuration is suitable for their needs.

BY CERTIFYING THIRD PARTY HARDWARE PRODUCTS, STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO TESTING RESULTS, INFORMATION CONTAINED IN THESE MATERIALS, OR ANY INFORMATION OR DATA PROVIDED IN RELATION TO THE SECURE APPLICATION PARTNERSHIP PROGRAM. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT INFORMATION CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES. INCLUDING, BUT NO LIMITED TO. LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM

International Headquarters
Stonesoft Corp.
Itälahdenkatu 22a
FIN Helsinki, Finland
tel fax.
info.emea@stonesoft.com
Business ID: VAT number: FI

Americas Headquarters
Stonesoft Inc.
115 Perimeter Center Place
South Terraces, Suite 1000
Atlanta, GA
tel fax.
info.americas@stonesoft.com

Asia Pacific Headquarters
Stonesoft Corp.
90 Cecil Street #
Singapore
tel fax.
info.asiapacific@stonesoft.com


StoneGate SSL VPN Technical Note 2076. Setting Up Sygate On-Demand

StoneGate SSL VPN Technical Note 2076. Setting Up Sygate On-Demand StoneGate SSL VPN Technical Note 2076 Setting Up Sygate On-Demand Table of Contents Introduction................................... page 3 Overview..................................... page 3 Sygate On-Demand

More information

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM Objective Scenario Topology In this lab, the students will complete the following tasks: Prepare to configure Virtual Private Network (VPN)

More information

Lab 6.2.12a Configure Remote Access Using Cisco Easy VPN

Lab 6.2.12a Configure Remote Access Using Cisco Easy VPN Lab 6.2.12a Configure Remote Access Using Cisco Easy VPN Objective Scenario Topology In this lab, the students will complete the following tasks: Enable policy lookup via authentication, authorization,

More information

Creating a Gateway to Client VPN between Sidewinder G2 and a Mac OS X Client

Creating a Gateway to Client VPN between Sidewinder G2 and a Mac OS X Client A P P L I C A T I O N N O T E Creating a Gateway to Client VPN between Sidewinder G2 and a Mac OS X Client This application note describes how to set up a VPN connection between a Mac client and a Sidewinder

More information

Lab 6.5.9b Configure a Secure VPN Using IPSec between a PIX and a VPN Client using CLI

Lab 6.5.9b Configure a Secure VPN Using IPSec between a PIX and a VPN Client using CLI Lab 6.5.9b Configure a Secure VPN Using IPSec between a PIX and a VPN Client using CLI Objective Scenario Topology In this lab exercise, the students will complete the following tasks: Configure and Verify

More information

Configuring Check Point VPN-1/FireWall-1 and SecuRemote Client with Avaya IP Softphone via NAT - Issue 1.0

Configuring Check Point VPN-1/FireWall-1 and SecuRemote Client with Avaya IP Softphone via NAT - Issue 1.0 Configuring Check Point VPN-1/FireWall-1 and SecuRemote Client with Avaya IP Softphone via NAT - Issue 1.0 Abstract Avaya IP Softphone R3 V2.1 now supports H.323 VoIP applications running over different

More information

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example Document ID: 113337 Contents Introduction Prerequisites Requirements Components Used Conventions Configuration

More information

GNAT Box VPN and VPN Client

GNAT Box VPN and VPN Client Technical Document TD VPN-GB-WG-02 with SoftRemoteLT from SafeNet, Inc. GTA Firewall WatchGuard Firebox Configuring an IPSec VPN with IKE GNAT Box System Software version 3.3.2 Firebox 1000 Strong Encryption

More information

ASA 8.3 and Later: Mail (SMTP) Server Access on Inside Network Configuration Example

ASA 8.3 and Later: Mail (SMTP) Server Access on Inside Network Configuration Example ASA 8.3 and Later: Mail (SMTP) Server Access on Inside Network Configuration Example Document ID: 113336 Contents Introduction Prerequisites Requirements Components Used Conventions Configure Network Diagram

More information

BONUS TUTORIAL CISCO ASA 5505 CONFIGURATION WRITTEN BY: HARRIS ANDREA ALL YOU NEED TO KNOW TO CONFIGURE AND IMPLEMENT THE BEST FIREWALL IN THE MARKET

BONUS TUTORIAL CISCO ASA 5505 CONFIGURATION WRITTEN BY: HARRIS ANDREA ALL YOU NEED TO KNOW TO CONFIGURE AND IMPLEMENT THE BEST FIREWALL IN THE MARKET BONUS TUTORIAL CISCO ASA 5505 CONFIGURATION ALL YOU NEED TO KNOW TO CONFIGURE AND IMPLEMENT THE BEST FIREWALL IN THE MARKET WRITTEN BY: HARRIS ANDREA MSC ELECTRICAL ENGINEERING AND COMPUTER SCIENCE CISCO

More information

StoneGate Firewall/VPN How-To Evaluating StoneGate FW/VPN in VMware Workstation

StoneGate Firewall/VPN How-To Evaluating StoneGate FW/VPN in VMware Workstation StoneGate Firewall/VPN How-To Evaluating StoneGate FW/VPN in VMware Workstation Created: February 14, 2008 Table of Contents Introduction to Evaluating StoneGate FW/VPN in VMware Workstation... 1 Prerequisites...

More information

StoneGate IPsec VPN Client Release Notes for Version 4.3.0

StoneGate IPsec VPN Client Release Notes for Version 4.3.0 StoneGate IPsec VPN Client Release Notes for Version 4.3.0 Created: August 11, 2008 Table of Contents What s New... 3 System Requirements... 4 Build Version... 4 Product Binary Checksums... 4 Compatibility...

More information

Scenario: IPsec Remote-Access VPN Configuration

Scenario: IPsec Remote-Access VPN Configuration CHAPTER 3 Scenario: IPsec Remote-Access VPN Configuration This chapter describes how to use the security appliance to accept remote-access IPsec VPN connections. A remote-access VPN enables you to create

More information

1.6 HOW-TO GUIDELINES

1.6 HOW-TO GUIDELINES Version 1.6 HOW-TO GUIDELINES Setting Up a RADIUS Server Stonesoft Corp. Itälahdenkatu 22A, FIN-00210 Helsinki Finland Tel. +358 (9) 4767 11 Fax. +358 (9) 4767 1234 email: info@stonesoft.com Copyright

More information

VPN SECURITY POLICIES

VPN SECURITY POLICIES TECHNICAL SUPPORT NOTE Introduction to the VPN Menu in the Web GUI Featuring ADTRAN OS and the Web GUI Introduction This Technical Support Note shows the different options available in the VPN menu of

More information

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Fortinet Firewall. Overview

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Fortinet Firewall. Overview Configuration Guide How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Fortinet Firewall Overview This document describes how to implement IPSec with pre-shared secrets establishing

More information

StoneGate SSL VPN Technical Note 2071. Setting Up BankID

StoneGate SSL VPN Technical Note 2071. Setting Up BankID StoneGate SSL VPN Technical Note 2071 Setting Up BankID Table of Contents Introduction................................... page 3 Overview..................................... page 3 StoneGate BankID Authentication

More information

RouteFinder. IPSec VPN Client. Setup Examples. Reference Guide. Internet Security Appliance

RouteFinder. IPSec VPN Client. Setup Examples. Reference Guide. Internet Security Appliance RouteFinder Internet Security Appliance IPSec VPN Client Setup Examples Reference Guide RouteFinder IPSec VPN Client Setup Examples PN S000397A Revision A This publication may not be reproduced, in whole

More information

REMOTE ACCESS VPN NETWORK DIAGRAM

REMOTE ACCESS VPN NETWORK DIAGRAM REMOTE ACCESS VPN NETWORK DIAGRAM HQ ASA Firewall As Remote Access VPN Server Workgroup Switch HQ-ASA Fa0/1 111.111.111.111 Fa0/0 172.16.50.1 172.16.50.10 IPSEC Tunnel Unsecured Network ADSL Router Dynamic

More information

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300 Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300 This example explains how to configure pre-shared key based simple IPSec tunnel between NetScreen Remote Client and RN300 VPN Gateway.

More information

How To Industrial Networking

How To Industrial Networking How To Industrial Networking Prepared by: Matt Crites Product: Date: April 2014 Any RAM or SN 6xxx series router Legacy firmware 3.14/4.14 or lower Subject: This document provides a step by step procedure

More information

Configuring IPsec VPN with a FortiGate and a Cisco ASA

Configuring IPsec VPN with a FortiGate and a Cisco ASA Configuring IPsec VPN with a FortiGate and a Cisco ASA The following recipe describes how to configure a site-to-site IPsec VPN tunnel. In this example, one site is behind a FortiGate and another site

More information

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall. Overview

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall. Overview Configuration Guide How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall Overview This document describes how to implement IPSec with pre-shared secrets establishing

More information

Table of Contents. Cisco Configuring the PPPoE Client on a Cisco Secure PIX Firewall

Table of Contents. Cisco Configuring the PPPoE Client on a Cisco Secure PIX Firewall Table of Contents Configuring the PPPoE Client on a Cisco Secure PIX Firewall...1 Document ID: 22855...1 Introduction...1 Prerequisites...1 Requirements...1 Components Used...1 Conventions...2 Configure...2

More information

IPsec VPN Application Guide REV: 1.0.0 1910010876

IPsec VPN Application Guide REV: 1.0.0 1910010876 IPsec VPN Application Guide REV: 1.0.0 1910010876 CONTENTS Chapter 1. Overview... 1 Chapter 2. Before Configuration... 2 Chapter 3. Configuration... 5 3.1 Configure IPsec VPN on TL-WR842ND (Router A)...

More information

Astaro Security Gateway V8. Remote Access via SSL Configuring ASG and Client

Astaro Security Gateway V8. Remote Access via SSL Configuring ASG and Client Astaro Security Gateway V8 Remote Access via SSL Configuring ASG and Client 1. Introduction This guide contains complementary information on the Administration Guide and the Online Help. If you are not

More information

Expert Reference Series of White Papers. Integrating Active Directory Users with Remote VPN Clients on a Cisco ASA

Expert Reference Series of White Papers. Integrating Active Directory Users with Remote VPN Clients on a Cisco ASA Expert Reference Series of White Papers Integrating Active Directory Users with Remote VPN Clients on a Cisco ASA 1-800-COURSES www.globalknowledge.com Integrating Active Directory Users with Remote VPN

More information

Configuring GTA Firewalls for Remote Access

Configuring GTA Firewalls for Remote Access GB-OS Version 5.4 Configuring GTA Firewalls for Remote Access IPSec Mobile Client, PPTP and L2TP RA201010-01 Global Technology Associates 3505 Lake Lynda Drive Suite 109 Orlando, FL 32817 Tel: +1.407.380.0220

More information

CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC

CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC 1 Introduction Release date: 11/12/2003 This application note details the steps for creating an IKE IPSec VPN tunnel

More information

SSL... 2 2.1. 3 2.2. 2.2.1. 2.2.2. SSL VPN

SSL... 2 2.1. 3 2.2. 2.2.1. 2.2.2. SSL VPN 1. Introduction... 2 2. Remote Access via SSL... 2 2.1. Configuration of the Astaro Security Gateway... 3 2.2. Configuration of the Remote Client...10 2.2.1. Astaro User Portal: Getting Software and Certificates...10

More information

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Sonicwall Firewall.

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Sonicwall Firewall. Configuration Guide How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Sonicwall Firewall Overview This document describes how to implement IPSec with pre-shared secrets

More information

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway Fireware How To VPN How do I set up a manual branch office VPN tunnel? Introduction You use Branch Office VPN (BOVPN) with manual IPSec to make encrypted tunnels between a Firebox and a second IPSec-compliant

More information

StoneGate SSL VPN Technical Note 2081. Setting Up SSO with Citrix Presentation Server

StoneGate SSL VPN Technical Note 2081. Setting Up SSO with Citrix Presentation Server StoneGate SSL VPN Technical Note 2081 Setting Up SSO with Citrix Presentation Server Table of Contents Introduction................................... page 3 Overview.....................................

More information

Lab assignment #2 IPSec and VPN Tunnels (Document version 1.1)

Lab assignment #2 IPSec and VPN Tunnels (Document version 1.1) University of Pittsburgh School of Information Science IS2820/TEL2813 - Security Management Lab assignment #2 IPSec and VPN Tunnels (Document version 1.1) Lab GSA: Carlos Caicedo Page I. Lab resources

More information

How To Set Up A Vpn Tunnel Between Winxp And Zwall On A Pc 2 And Winxp On A Windows Xp 2 On A Microsoft Gbk2 (Windows) On A Macbook 2 (Windows 2) On An Ip

How To Set Up A Vpn Tunnel Between Winxp And Zwall On A Pc 2 And Winxp On A Windows Xp 2 On A Microsoft Gbk2 (Windows) On A Macbook 2 (Windows 2) On An Ip WINXP VPN to ZyWALL Tunneling 1. Setup WINXP VPN 2. Setup ZyWALL VPN This page guides us to setup a VPN connection between the WINXP VPN software and ZyWALL router. There will be several devices we need

More information

VPNC Interoperability Profile

VPNC Interoperability Profile VPNC Interoperability Profile Valid for Barracuda NG Firewall 5.0 Revision 1.1 Barracuda Networks Inc. 3175 S. Winchester Blvd Campbell, CA 95008 http://www.barracuda.com Copyright Notice Copyright 2004-2010,

More information

Vodafone MachineLink 3G. IPSec VPN Configuration Guide

Vodafone MachineLink 3G. IPSec VPN Configuration Guide Vodafone MachineLink 3G IPSec VPN Configuration Guide Copyright Copyright 2013 NetComm Wireless Limited. All rights reserved. Copyright 2013 Vodafone Group Plc. All rights reserved. The information contained

More information

7. Configuring IPSec VPNs

7. Configuring IPSec VPNs 7. This guide describes how to use the Unified Threat Management appliance (UTM) IPSec VPN Wizard to configure the IP security (IPSec) virtual private networking (VPN) feature. This feature provides secure,

More information

Sophos UTM. Remote Access via PPTP. Configuring UTM and Client

Sophos UTM. Remote Access via PPTP. Configuring UTM and Client Sophos UTM Remote Access via PPTP Configuring UTM and Client Product version: 9.000 Document date: Friday, January 11, 2013 The specifications and information in this document are subject to change without

More information

Sophos UTM. Remote Access via SSL. Configuring UTM and Client

Sophos UTM. Remote Access via SSL. Configuring UTM and Client Sophos UTM Remote Access via SSL Configuring UTM and Client Product version: 9.000 Document date: Friday, January 11, 2013 The specifications and information in this document are subject to change without

More information

Katana Client to Linksys VPN Gateway

Katana Client to Linksys VPN Gateway Katana Client to Linksys VPN Gateway Goal Configure a VPN tunnel between a Katana client and a Linksys VPN gateway. Method The Katana client and the Linksys VPN gateway must have exactly the same IKE/IPsec

More information

http://www.cisco.com/c/en/us/support/docs/cloud-systems-management/configuration-prof...

http://www.cisco.com/c/en/us/support/docs/cloud-systems-management/configuration-prof... Page 1 of 16 Configuration Professional: Site-to-Site IPsec VPN Between ASA/PIX and an IOS Router Configuration Example Document ID: 112153 Updated: Sep 22, 2014 Contents Introduction Prerequisites Requirements

More information

Windows XP VPN Client Example

Windows XP VPN Client Example Windows XP VPN Client Example Technote LCTN0007 Proxicast, LLC 312 Sunnyfield Drive Suite 200 Glenshaw, PA 15116 1-877-77PROXI 1-877-777-7694 1-412-213-2477 Fax: 1-412-492-9386 E-Mail: support@proxicast.com

More information

Establishing a VPN tunnel to CNet CWR-854 VPN router using WinXP IPSec client

Establishing a VPN tunnel to CNet CWR-854 VPN router using WinXP IPSec client Establishing a VPN tunnel to CNet CWR-854 VPN router using WinXP IPSec client Generally speaking, remote users need to use a VPN client software for establishing a VPN connection to their home/work router

More information

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W Article ID: 5037 Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W Objective IPSec VPN (Virtual Private Network) enables you to securely obtain remote resources by establishing

More information

Astaro Security Gateway V8. Remote Access via L2TP over IPSec Configuring ASG and Client

Astaro Security Gateway V8. Remote Access via L2TP over IPSec Configuring ASG and Client Astaro Security Gateway V8 Remote Access via L2TP over IPSec Configuring ASG and Client 1. Introduction This guide contains complementary information on the Administration Guide and the Online Help. If

More information

Cisco 1841 MyDigitalShield BYOG Integration Guide

Cisco 1841 MyDigitalShield BYOG Integration Guide Cisco 1841 MyDigitalShield BYOG Integration Guide CONTENTS Introduction 3 Assumptions 3 What You Will Need 4 Verify IP Address 5 Configure the IPSEC Tunnel 6 Configure Access List for Local Interface 6

More information

Scenario: Remote-Access VPN Configuration

Scenario: Remote-Access VPN Configuration CHAPTER 7 Scenario: Remote-Access VPN Configuration A remote-access Virtual Private Network (VPN) enables you to provide secure access to off-site users. ASDM enables you to configure the adaptive security

More information

INTEGRATION GUIDE. DIGIPASS Authentication for Cisco ASA 5505

INTEGRATION GUIDE. DIGIPASS Authentication for Cisco ASA 5505 INTEGRATION GUIDE DIGIPASS Authentication for Cisco ASA 5505 Disclaimer DIGIPASS Authentication for Cisco ASA5505 Disclaimer of Warranties and Limitation of Liabilities All information contained in this

More information

External Authentication with Cisco Router with VPN and Cisco EZVpn client Authenticating Users Using SecurAccess Server by SecurEnvoy

External Authentication with Cisco Router with VPN and Cisco EZVpn client Authenticating Users Using SecurAccess Server by SecurEnvoy External Authentication with Cisco Router with VPN and Cisco EZVpn client Authenticating Users Using SecurAccess Server by SecurEnvoy Contact information SecurEnvoy www.securenvoy.com 0845 2600010 1210

More information

SDM: Site to Site IPsec VPN Between ASA/PIX and an IOS Router Configuration Example

SDM: Site to Site IPsec VPN Between ASA/PIX and an IOS Router Configuration Example SDM: Site to Site IPsec VPN Between ASA/PIX and an IOS Router Configuration Example Document ID: 110198 Contents Introduction Prerequisites Requirements Components Used Related Products Conventions Configuration

More information

Release Notes for Version 1.5.207

Release Notes for Version 1.5.207 Release Notes for Version 1.5.207 Created: March 9, 2015 Table of Contents What s New... 3 Fixes... 3 System Requirements... 3 Stonesoft Appliances... 3 Build Version... 4 Product Binary Checksums... 4

More information

Lab 12.1.7 Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance

Lab 12.1.7 Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance Lab 12.1.7 Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance Objective Scenario Estimated Time: 20 minutes Number of Team Members: Two teams with four students per team

More information

Lab 7.3.6 Configure Remote Access Using Cisco Easy VPN

Lab 7.3.6 Configure Remote Access Using Cisco Easy VPN Lab 7.3.6 Configure Remote Access Using Cisco Easy VPN Objective Scenario Estimated Time: 20 minutes Number of Team Members: Two teams with four students per team In this lab, the student will learn the

More information

Deploying IPSec VPN in the Enterprise

Deploying IPSec VPN in the Enterprise VPN5 6/9/03 6:14 PM Page 137 Chapter 5 Deploying IPSec VPN in the Enterprise 5.1 Chapter Overview In Chapters 3 and 4, the focus was on implementing a single site-to-site IPSec VPN and the different IKE

More information

Industrial Classed H685 H820 Cellular Router User Manual for VPN setting

Industrial Classed H685 H820 Cellular Router User Manual for VPN setting H685/H820 VPN User Manual Industrial Classed H685 H820 Cellular Router User Manual for VPN setting E-Lins Technology Co., Limited PHONE: +86-755-29230581 83700465 Email: sales@e-lins.com sales@szelins.com

More information

2.2.1. Astaro User Portal: Getting Software and Certificates...13. 2.2.2. Astaro IPsec Client: Configuring the Client...14

2.2.1. Astaro User Portal: Getting Software and Certificates...13. 2.2.2. Astaro IPsec Client: Configuring the Client...14 1. Introduction... 2 2. Remote Access via IPSec... 2 2.1. Configuration of the Astaro Security Gateway... 2 2.2. Configuration of the Remote Client...13 2.2.1. Astaro User Portal: Getting Software and

More information

version 1.0 Installation Guide

version 1.0 Installation Guide version 1.0 Installation Guide Copyright 2001 2004 Stonesoft Corp. Stonesoft Corp. All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or

More information

642 523 Securing Networks with PIX and ASA

642 523 Securing Networks with PIX and ASA 642 523 Securing Networks with PIX and ASA Course Number: 642 523 Length: 1 Day(s) Course Overview This course is part of the training for the Cisco Certified Security Professional and the Cisco Firewall

More information

How To Set Up Checkpoint Vpn For A Home Office Worker

How To Set Up Checkpoint Vpn For A Home Office Worker SofaWare VPN Configuration Guide Part No.: 700411 Oct 2002 For Safe@ gateway version 3 COPYRIGHT & TRADEMARKS Copyright 2002 SofaWare, All Rights Reserved. SofaWare, SofaWare S-box, Safe@Home and Safe@Office

More information

Network/VPN Overlap How-To with SonicOS 2.0 Enhanced Updated 9/26/03 SonicWALL,Inc.

Network/VPN Overlap How-To with SonicOS 2.0 Enhanced Updated 9/26/03 SonicWALL,Inc. Network/VPN Overlap How-To with SonicOS 2.0 Enhanced Updated 9/26/03 SonicWALL,Inc. Introduction In this whitepaper, we will configure a VPN tunnel between two SonicWALLs running SonicOS 2.0 Enhanced that

More information

Configuring Remote Access IPSec VPNs

Configuring Remote Access IPSec VPNs CHAPTER 34 Remote access VPNs let single users connect to a central site through a secure connection over a TCP/IP network such as the Internet. This chapter describes how to build a remote access VPN

More information

Integrating Cisco Secure PIX Firewall and IP/VC Videoconferencing Networks

Integrating Cisco Secure PIX Firewall and IP/VC Videoconferencing Networks Integrating Cisco Secure PIX Firewall and IP/VC Videoconferencing Networks An IP/VC Application Note Jonathan Roberts Network Consultant Engineer Enterprise Voice, Video Business Unit September 24, 2001

More information

StoneGate Installation Guide

StoneGate Installation Guide SMC FW IPS SSL VPN VPN StoneGate Installation Guide SOHO Firewalls Updated for StoneGate Management Center 5.0.0 Legal Information End-User License Agreement The use of the products described in these

More information

How To Establish IPSec VPN connection between Cyberoam and Mikrotik router

How To Establish IPSec VPN connection between Cyberoam and Mikrotik router How To Establish IPSec VPN connection between Cyberoam and Mikrotik router Applicable Version: 10.00 onwards Scenario Establish IPSec VPN connection between Cyberoam and Mikrotik router using Preshared

More information

SSL VPN. Virtual Appliance Installation Guide. Virtual Private Networks

SSL VPN. Virtual Appliance Installation Guide. Virtual Private Networks SSL VPN Virtual Appliance Installation Guide Virtual Private Networks C ONTENTS Introduction... 2 Installing the Virtual Appliance... 2 Configuring Appliance Operating System Settings... 3 Setting up the

More information

Configuring PDM. Starting PDM with Internet Explorer CHAPTER

Configuring PDM. Starting PDM with Internet Explorer CHAPTER CHAPTER 4 This section describes how to configure your PDM. It includes the following topics: Starting PDM with Internet Explorer, page 4-1 Starting PDM with Netscape Navigator, page 4-2 Using the PDM

More information

Fireware How To Network Configuration

Fireware How To Network Configuration Fireware How To Network Configuration How do I configure the external interface of my Firebox? Introduction Most users configure the Firebox interfaces when they use the Quick Setup Wizard to create a

More information