Overview. Route Based VPN Deployment with Cisco VPN Devices. In This Document:

Transcription

1 Route Based VPN Deployment with Cisco VPN Devices December 24, 2006 In This Document: Overview Overview page 1 System and Installation Requirements page 2 Configuring VPN Tunnel page 2 Configuring VPN on a Cisco Router page 5 Testing a VPN tunnel establishment page 6 Configuring VPN Tunnel Interface (VTI) on VPN-1 module page 6 Configuring Tunnel Interface on Cisco router page 7 GRE over IPsec Configuration page 8 Testing VPN Connectivity Using VTIs page 9 Configuring Route Based VPN - Using Static Routes page 9 Configuring Route Based VPN - Using Dynamic Routing Protocols (OSPF) page 10 Configuration Verification and Connectivity Test page 12 Check that OSPF Adjacency is Established page 13 Final Connectivity Test page 13 This document describes a proper way of how to configure Route Based VPN between VPN-1 modules and interoperable Cisco devices that support IPsec, GRE and OSPF protocols. The document provides a step by step configuration flow, based on an example scenario of Check Point VPN-1 module and Cisco router (IOS 12.X - C2800 series). The main aspects covered in this example are: Establishing VPN (IPsec) tunnel between a VPN-1 module and an interoperable Cisco device (supporting GRE over IPsec) using a Simplified Policy. Creating a VPN Tunnel interface on a VPN-1 module (VTI). Copyright 2005 Check Point Software Technologies, Ltd. All rights reserved 1

2 System and Installation Requirements Creating tunnel interfaces on Cisco devices. Allow and configure GRE over IPsec support on VPN-1 and Cisco devices. Configure OSPF and establishing adjacency for VPN-1 and Cisco devices. Define Route Based VPN and provide connectivity. System and Installation Requirements The following components should be installed and configured: SPLAT Pro installed machines with a proper license. Check Point VPN-1 installed with internal and external interfaces defined. Cisco router. Clear text connectivity should be allowed and tested. Figure 1 Configuring VPN Tunnel 1. Enable VPN-1 module on all gateway objects. 2. In SmartDashboard, create an empty group. 3. In the Topology page of each gateway, define the VPN Domain as the empty encryption domain created in step 2. Route Based VPN Deployment with Cisco VPN Devices December 24,

3 Configuring VPN Tunnel Figure 2 4. Create an Interoperable device and configure it according to the Cisco router information (i.e., name IP addresses, etc.): Figure 3 5. On the Topology page of the Cisco device, click Add and enter the tunnel IP address information. This IP address is used in the Rule Base for security purposes and not related to connectivity. Route Based VPN Deployment with Cisco VPN Devices December 24,

4 Configuring VPN Tunnel Figure 4 6. Create a meshed community. In the Participating Gateways page, add the VPN-1 module(s) and Cisco object. Configure the required encryption methods and IKE authentication for the community. Note - In this example, define IKE authentication based on pre-shared secrets, however VPN-1 has full support of IKE PKI based on RSA digital signatures (certificates) with Interoperable devices. Route Based VPN Deployment with Cisco VPN Devices December 24,

5 Configuring VPN on a Cisco Router Figure 5 Figure 6 7. Create a rule in the security Rule Base which allows ICMP and OSPF services. Keep in mind that the VPN column should remain as Any Traffic. Additionally, there is no need to define Source and Destination. In this example, the focus is on the VPN dynamic routing, and not on creating a proper security Rule Base. Table 1 Sample Rule Source Destination VPN Service Action Track Any Any Any Traffic icmp accept Log ospf Note - VPN access control (VPN column), in Route Based VPN configurations, must be defined by "Directional VPN" only. Regular settings won't function and drop corresponding traffic. (For more information refer to the Directional VPN Enforcement chapter in the VPN User Guide). 8. Install the policy on the VPN-1 module. Configuring VPN on a Cisco Router Table 2 details the configuration for the Cisco device to establish basic VPN connectivity with the VPN-1 module: Route Based VPN Deployment with Cisco VPN Devices December 24,

6 Testing a VPN tunnel establishment Table 2 crypto isakmp policy 20 encr 3des authentication pre-share group 2 crypto isakmp key address crypto isakmp peer address crypto ipsec security-association lifetime seconds 120 crypto ipsec transform-set testset esp-3des esp-sha-hmac crypto map testmap 73 ipsec-isakmp set peer set transform-set testset match address 141 interface FastEthernet0/0 ip address speed 100 full-duplex crypto map testmap access-list 141 permit ip host host access-list 141 permit ip host host Testing a VPN tunnel establishment Check that a basic VPN tunnel is successfully established between the VPN-1 module and the Cisco device by performing an ICMP (ping) connectivity test. Using the SPLAT Pro command prompt on the VPN-1 module, ping an external interface of the Cisco device. The same should be done in the other direction. Ping an external interface of the VPN-1 module from the Cisco device. In SmartView Tracker, check that IKE key exchanges were completed without errors and failures and the ICMP traffic is encrypted and decrypted by the VPN-1 module. Check that proper logs are received by SmartTracker. Configuring VPN Tunnel Interface (VTI) on VPN-1 module For the detailed description of how to configure VTI using VPN SHELL command line interface, refer to the Route Based VPN chapter and VPN Shell appendix in the VPN User Guide. Using the VPN Shell, create a VTI attached to a Cisco interoperable device object, with local IP and remote IP : Route Based VPN Deployment with Cisco VPN Devices December 24,

7 Configuring Tunnel Interface on Cisco router Table 3 vpn shell i a n cisco Interface 'vt-cisco' was added successfully to the system [admin@gw_a ~]$ vpn shell i s d vt-cisco vt-cisco Type:numbered MTU:1500 inet addr: P-t-P: Mask: Peer:cisco Peer ID: Status:attached Confirm that the VTI was fetched and properly configured in the Topology page of the VPN-1 module. When this is confirmed, install the policy. Figure 7 Configuring Tunnel Interface on Cisco router Table 4 Create and configure a tunnel interface on the Cisco device with the settings in Table 4: interface Tunnel0 ip address ip ospf network point-to-point ip ospf mtu-ignore tunnel source FastEthernet0/0 tunnel destination Route Based VPN Deployment with Cisco VPN Devices December 24,

8 GRE over IPsec Configuration GRE over IPsec Configuration In SmartDashboard, 1. Navigate to the VPN > VPN Advanced page of the interoperable object (Cisco device). Figure 8 Table 5 Table 6 2. Select Custom settings > One VPN tunnel per Gateway pair. 3. In the drop down menu, select GRE on IPsec. 4. Install policy. 5. On the Cisco device, GRE encapsulation should be enabled by default. To confirm this, see Table 5. Cisco# show interfaces tunnel 0 Tunnel0 is up, line protocol is up Hardware is Tunnel Internet address is /24 MTU 1514 bytes, BW 9 Kbit, DLY usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation TUNNEL, loopback not set Keepalive not set Tunnel source (FastEthernet0/0), destination Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled 6. Edit a current access-list on the Cisco device, which allows GRE traffic between two IPsec endpoints as shown in Table 6. access-list 141 permit gre host host access-list 141 permit gre host host Route Based VPN Deployment with Cisco VPN Devices December 24,

9 Testing VPN Connectivity Using VTIs Testing VPN Connectivity Using VTIs To confirm connectivity between the VPN-1 module and the Cisco device, proceed as follows: 1. On the VPN-1 module, ping the IP address of the Cisco device ( ) from the command line. 2. On the Cisco device, ping the address of the VPN-1 module ( ). Before proceeding to the next step: Check that pinging was successful when initiated from both sides. Check that proper logs of IKE successful negotiation and Encrypt/Decrypt are received within ICMP connection. See Encrypt/Decrypt log information and check that GRE is used. Configuring Route Based VPN - Using Static Routes To provide Route based VPN connectivity between the VPN-1 module and Cisco device, define static routes in the operating system, where a dedicated interface device should be a chosen VTI. Create a following static routes: On the VPN-1 module: route add -net netmask dev vt-cisco On the Cisco device: ip route tunnel 0 Confirm that the static routes are defined in the operating system routing tables on the VPN-1 module: [admin@gw_a ~]$ route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface * UHD lo * UH vt-cisco localhost.local UGH lo localhost.local UGH lo localhost.local * UH lo * U vt-cisco * U eth * U eth !D default UG eth0 Route Based VPN Deployment with Cisco VPN Devices December 24,

10 Configuring Route Based VPN - Using Dynamic Routing Protocols (OSPF) Confirm that the static routes are defined in the operating system routing tables on the Cisco device: show ip route Gateway of last resort is to network /24 is subnetted, 1 subnets C is directly connected, Tunnel /8 is variably subnetted, 4 subnets, 2 masks C /24 is directly connected, FastEthernet0/0 S /24 is directly connected, Tunnel /24 is subnetted, 1 subnets C is directly connected, FastEthernet0/1 S* /0 [1/0] via Perform cross "ping" from one of the hosts allocated in internal networks behind the VPN-1 module and the Cisco device. For example, if the host IP address behind VPN-1 is , and host's IP behind Cisco is then establish a ping session from both hosts: VPN-1-host: ping ; Cisco-host: ping ICMP traffic to and from the VPN-1 gateways should be encrypted and decrypted properly and the correct logs should be received by SmartView Tracker. Configuring Route Based VPN - Using Dynamic Routing Protocols (OSPF) If static routes have been configured, which represent internal networks of both VPN peers, these routes are removed before beginning OSPF configuration. 1. On the VPN-1 module, verify that the operating system is equipped with SPLAT Pro license, which supports Advanced routing suite (dynamic routing daemon). 2. From the SPLAT Pro command prompt run one of the following commands to enter into the GateD CLI shell: router or cligated Follow the commands in Table 7 to configure OSPF on the VPN-1 module. Route Based VPN Deployment with Cisco VPN Devices December 24,

11 Configuring Route Based VPN - Using Dynamic Routing Protocols (OSPF) Table 7 [admin@gw_a ~]$ router localhost.localdomain>ena localhost.localdomain#conf t localhost.localdomain(config)#router ospf 1 localhost.localdomain(config-router-ospf)#router-id localhost.localdomain(config-router-ospf)#network area localhost.localdomain(config-router-ospf)#redistribute kernel localhost.localdomain(config-router-ospf)#end Review the settings: localhost.localdomain#show running-config Building configuration... router ospf 1 router-id network area redistribute kernel exit Check that VTI is OSPF related interface: localhost.localdomain#show ip route ospf Codes: C - connected, S - static, R - RIP, B - BGP, O - OSPF D - DVMRP, 3 - OSPF3, I - IS-IS, K - Kernel A - Aggregate localhost.localdomain#show ip ospf interface vt-cisco is up Internet Address , Area Network Type Point-To-Point, Cost: 10 Transmit Delay is 1 sec, State Pt2Pt, Priority 1 No Designated Router on this network No Backup Designated Router on this network Timer intervals configured, Hello 10, Dead 40, Retransmit 5 Neighbor Count is 0 localhost.localdomain# Note - We have chosen redistribution policy - "kernel", to advertise kernel routes allocated in SPLAT Pro OS routing table. There are different policies supported by GateD dynamic routing daemon (for example, bgp, direct, ospf, rip, and static). Refer to additional documents, describing how to use all redistribute policy options. 3. Create a kernel (static) route in SPLAT Pro OS routing table which is considered as a VPN encryption domain and advertised via VTI towards the Cisco device. Table 8 illustrates how to redistribute specific range located behind a VPN-1 gateway: Route Based VPN Deployment with Cisco VPN Devices December 24,

12 Configuration Verification and Connectivity Test Table 8 [admin@gw_a ~]$ route add -net netmask gw [admin@gw_a ~]$ route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface * UHD lo * UH vt-cisco localhost.local UGH lo * UHD lo * UHD lo localhost.local UGH lo localhost.local * UH lo UG eth * U eth * U eth !D default UG eth0 In this example, the internal interface is and has 24-bit, we created a route which has the same network , but with netmask of 25-bit. 4. On Cisco device, define the following settings: router ospf 1 router-id log-adjacency-changes redistribute static subnets network area Create static routes, that point to a host located behind the Cisco device: ip route FastEthernet0/1 Configuration Verification and Connectivity Test On the VPN-1 module, enter into the GateD CLI shell and check the OSPF settings: localhost.localdomain#show running-config Building configuration... router ospf 1 router-id network area redistribute kernel exit localhost.localdomain# Route Based VPN Deployment with Cisco VPN Devices December 24,

13 Check that OSPF Adjacency is Established Check that OSPF Adjacency is Established On the Cisco device, confirm adjacency as follows: localhost.localdomain#show ip ospf neighbor Routing Process "ospf 1": Neighbor , interface address In area interface vt-cisco Neighbor priority is 1, state is Full 6 state changes DR is BDR is Options is 18 Dead timer is due in 36 seconds Cisco routes are shown on the VPN-1 module. Check that proper routes from the Cisco device are learned by the VPN-1 module and appear in the OS routing table via Cisco's VTI: localhost.localdomain#show ip route ospf Codes: C - connected, S - static, R - RIP, B - BGP, O - OSPF D - DVMRP, 3 - OSPF3, I - IS-IS, K - Kernel A - Aggregate /24 [11121/10] via , 00:12:41, vt-cisco /32 [10/150] via , 00:04:46, vt-cisco localhost.localdomain# On the Cisco device, check that adjacency and route injection have the same configuration: router ospf 1 router-id log-adjacency-changes redistribute static subnets network area Final Connectivity Test Confirm that both the VPN-1 module and the Cisco device contain redistributed routes which function as additional encryption domains. VPN-1 module: O /32 10/150] via , 00:04:46, vt-cisco Cisco device: O E /25 [110/1] via , 00:07:59, Tunnel0 Cisco#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface FULL/ - 00:00: Tunnel0 Check routing table: Cisco#show ip route ospf /8 is variably subnetted, 4 subnets, 3 masks E /25 [110/1] via , 00:07:59, Tunnel0 Route Based VPN Deployment with Cisco VPN Devices December 24,

14 Final Connectivity Test Perform ping tests between hosts located behind VPN-1 and Cisco devices. Connection should be successfully established within encryption and decryption of all traffic. Check that proper logs are received in SmartView Tracker. Route Based VPN Deployment with Cisco VPN Devices December 24,