How To Set Up Checkpoint Vpn For A Home Office Worker

Transcription

1 SofaWare VPN Configuration Guide Part No.: Oct 2002 For gateway version 3

2 COPYRIGHT & TRADEMARKS Copyright 2002 SofaWare, All Rights Reserved. SofaWare, SofaWare S-box, and are trademarks, service marks, or registered trademarks of SofaWare Technologies Ltd. Check Point, the Check Point logo, FireWall-1, FireWall-1 SecureServer, FireWall-1 SmallOffice, FloodGate-1, INSPECT, IQ Engine, Meta IP, MultiGate, Open Security Extension, OPSEC, Provider-1, SecureKnowledge, SecureUpdate, SiteManager-1, SVN, UAM, User-to-Address Mapping, UserAuthority, Visual Policy Editor, VPN-1, VPN-1 Accelerator Card, VPN-1 Gateway, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 SmallOffice, and ConnectControl are trademarks, service marks, or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668 and 5,835,726 and may be protected by other U.S. Patents, foreign patents, or pending applications. 2 SofaWare VPN Configuration Guide

3 Contents Contents...3 Introduction...5 SofaWare 6 SofaWare Pro... 6 SofaWare Safe@Office... 6 SofaWare Safe@Office Plus... 6 About This Guide... 6 Typological Conventions... 7 Contacting Technical Support... 7 VPN Connectivity Solution Models...9 Safe@Office to Safe@Office (Site-to-Site VPN) Safe@Office to VPN-1 (Site-to-Site VPN) VPN RAS Client to VPN-1 VPN RAS Server VPN RAS Client to Safe@Office VPN RAS Server Using Safe@Home Pro as a VPN RAS Client Configuring VPN-1 NG FP1 and FP2 for Site-to-Site VPN...15 Configuring VPN-1 NG FP1/FP2 for Site-to-Site VPN Configuring VPN for Site-to-Site VPN...37 Configuring VPN for Site-to-Site VPN SofaWare VPN Configuration Guide 3

4 Contents Configuring VPN-1 for RAS VPN...53 Configuring VPN-1 NG for RAS VPN Configuring VPN for RAS VPN Configuring VPN-1 NG FP Configuring gateway to NG FP3 In Client to Site Mode Configuring gateway to NG FP3 in Site To Site mode SofaWare VPN Configuration Guide

5 Chapter 1 Introduction The SofaWare S-box is available with the following software configurations: SofaWare Safe@Home, SofaWare Safe@Home Pro, SofaWare Safe@Office and SofaWare Safe@Office Plus. All four provide a web-based management interface, which enables you to manage and configure the S-box operation and options. Table1 summarizes the differences between the available Safe@ software configurations. Table 1: Safe@ Product Summary Safe@Home Safe@Home Pro Safe@Office and Safe@Office Plus Solution Home user firewall Telecommuter and home office Small branch offices Nodes /25 Standalone firewall Yes Yes Yes VPN functionality No Remote Access Client Remote Access Client/Server Your S-box can be upgraded to a more advanced product level, without replacing the hardware. For more information, contact your reseller or order@checkpoint.com. SofaWare VPN Configuration Guide 5

6 Introduction SofaWare protects your home network from hostile Internet activity. It is intended for home users and can be used by up to five computers and users. SofaWare Pro In addition to all the benefits of SofaWare SofaWare Pro provides Virtual Private Networking (VPN) functionality. SofaWare Pro contains a remote access VPN client, which enables employees working from home to securely connect to the corporate network. SofaWare Safe@Home Pro is intended for home users who are part of an extended enterprise network. It can be used by up to five computers and users. SofaWare Safe@Office SofaWare Safe@Office provides all the benefits of SofaWare Safe@Home Pro, along with expanded VPN functionality. It acts not only as a remote access VPN client, but as a remote access VPN server which is installed office-side to protect the company s VPN and make it available to telecommuting employees. SofaWare Safe@Office can also be configured as a VPN gateway, which allows permanent Site-to-Site VPN connections between two gateways, such as two company offices. SofaWare Safe@Office is intended both for companies with extended enterprise networks and for their employees working from home. It can be used by up to ten computers and users. SofaWare Safe@Office Plus SofaWare Safe@Office Plus extends SofaWare Safe@Office to support up to 25 computers and users. About This Guide This guide describes supported VPN solutions and provides instructions for implementing them. You should be familiar with the following before using this guide:! Basic FW-1/VPN-1 use. For information, refer to the Check Point VPN-1/FireWall-1 Administration Guide.! S-box use for your software configuration. For information, refer to the SofaWare S-box Getting Started Guide. 6 SofaWare VPN Configuration Guide

7 Introduction Typological Conventions To make finding information in this manual easier, some types of information are marked with special symbols or formatting. Boldface type is used for command and button names. Note: Notes are denoted by indented text and preceded by the Note icon. Important: Important notes are denoted by indented text and preceded by the Important icon. Contacting Technical Support To contact technical support, send an to: SofaWare VPN Configuration Guide 7

8

9 Chapter 2 VPN Connectivity Solution Models A virtual private network (VPN) consists of at least one VPN remote access (RAS) server or VPN gateway, and several VPN RAS clients. A VPN RAS server makes the corporate network remotely available to authorized users, such as employees working from home, who connect to the VPN RAS server using VPN RAS clients. A VPN gateway can be connected to another VPN gateway in a permanent, bi-directional relationship (Site-to-Site VPN). The two connected networks function as a single network. A connection between two VPN sites is called a VPN tunnel. VPN tunnels encrypt and authenticate all traffic passing through them. Through these tunnels, employees can safely use their company s network resources when working at home. For example, they can securely read , use the company s intranet, or access the company s database from home. SofaWare Safe@Home Pro and SofaWare Safe@Office provide VPN functionality. SofaWare Safe@Home Pro contains a VPN RAS client. SofaWare Safe@Office can act as a VPN RAS client, a VPN RAS server, or a Siteto-Site VPN gateway. Both SofaWare Safe@Office and Safe@Home Pro enable an exciting number of solutions to support your VPN connectivity needs. This chapter describes the following four basic solutions:! Safe@Office to Safe@Office (Site-to-Site VPN), page 10! Safe@Office to VPN-1 (Site-to-Site VPN), page 11! VPN RAS Client to VPN-1 VPN RAS Server, page 12! VPN RAS Client to Safe@Office VPN RAS Server, page 13 SofaWare VPN Configuration Guide 9

10 VPN Connectivity Solution Models to (Site-to-Site VPN) This solution enables you to establish Site-to-Site VPN connections between Site-to-Site VPN gateways. Note: In this solution model, both Site-to-Site VPN gateways must have a static IP address. Figure 1 shows a sample implementation of the Safe@Office to Safe@Office solution with three Safe@Office appliances (sbox1, sbox2, and sbox3). Each S-box acts as a Site-to-Site VPN gateway for a fully secure network. The networks communicate via VPN connections. Figure 1: Safe@Office to Safe@Office (Site-to-Site VPN) For information on configuring Safe@Office for Site-to-Site VPN, refer to the SofaWare S-box Getting Started Guide. 10 SofaWare VPN Configuration Guide

11 VPN Connectivity Solution Models to VPN-1 (Site-to-Site VPN) This solution enables you to establish Site-to-Site VPN connections between a Safe@Office Site-to-Site VPN gateway and a VPN-1 Site-to-Site VPN gateway. Note: In this solution model, both the VPN-1 and Safe@Office Site-to-Site VPN gateways must have a static IP address. Dynamic IP in Site-to-Site VPN is supported using a certificate. For more information refer to or contact support@sofaware.com. Figure 2 shows a sample implementation of the Safe@Office to VPN-1 solution, in which two Safe@Office appliances (sbox1 and sbox2) are connected to a VPN-1 Site-to-Site VPN gateway. Figure 2: Safe@Office to VPN-1 (Site-to-Site VPN) For information on configuring VPN-1 NG for Site-to-Site VPN, see Configuring VPN-1 NG FP3, page 73. For information on configuring VPN for Site-to-Site VPN, see Configuring VPN for Site-to-Site VPN, page 37. SofaWare VPN Configuration Guide 11

12 VPN Connectivity Solution Models VPN RAS Client to VPN-1 VPN RAS Server This solution enables Check Point SecureClient, and Check Point SecuRemote VPN RAS clients to connect to a VPN-1 VPN RAS server. Note: In this solution model, the VPN-1 VPN RAS server must have a static IP address. Figure 3 shows a sample implementation of the VPN RAS Client to VPN-1 VPN RAS Server solution, in which two Safe@ appliances (sbox1 and sbox2), a Check Point SecuRemote, and a Check Point SecureClient act as VPN RAS clients that download topology information from a VPN-1 VPN RAS gateway. Figure 3: VPN RAS Client to VPN-1 VPN RAS Server For information on configuring a VPN-1 NG or VPN as a VPN RAS Server, see Configuring VPN for Safe@ RAS VPN, page SofaWare VPN Configuration Guide

13 VPN Connectivity Solution Models VPN RAS Client to VPN RAS Server This solution enables Pro, Check Point SecureClient, and Check Point SecuRemote VPN RAS clients to connect to a Safe@Office VPN RAS server. Note: In this solution model, the Safe@Office VPN RAS server must have a static IP address. Figure 4 shows a sample implementation of the VPN RAS Client to Safe@Office VPN RAS Server solution, in which two Safe@ appliances (sbox1 and sbox2), a Check Point SecuRemote, and a Check Point SecureClient act as VPN RAS clients that download topology information from the Safe@Office VPN RAS server (sbox3). Figure 4: VPN RAS Client to Safe@Office VPN RAS Server For information on configuring Safe@Home Pro, Safe@Office, Check Point SecuRemote, or Check Point SecureClient as a VPN RAS client to a Safe@Office VPN RAS server, refer to the SofaWare S-box Getting Started Guide. SofaWare VPN Configuration Guide 13

14 VPN Connectivity Solution Models Using Pro as a VPN RAS Client Safe@Home Pro functions in VPN RAS client mode, in which connection is initiated only by the VPN RAS client. Safe@Home Pro uses only Manual mode VPN connection, in which the end-user surfs to and selects the VPN RAS server to which they want to establish a VPN connection. Figure 5 shows Safe@Home Pro acting as a VPN RAS client to VPN-1 and Safe@Office VPN RAS servers. Figure 5: Safe@Home Pro VPN RAS Client 14 SofaWare VPN Configuration Guide

15 Chapter 3 Configuring VPN-1 NG FP1 and FP2 for Site-to-Site VPN This chapter explains how to configure Check Point VPN-1 NG FP1/FP2 for the Safe@Office to VPN-1 (Site-to- Site VPN) solution described in Safe@Office to VPN-1 (Site-to-Site VPN), page 11. Note: To configure NG FP3, refer to chapter 6 Configure VPN-1 NG FP3 page 75 This chapter contains the following sections:! Configuring VPN-1 NG FP1/FP2 for Site-to-Site VPN, page 16 VPN-1 NG FP2 must be configured to work in Traditional Mode. Note: The screens shown in this chapter appear in both VPN-1 NG FP1 and FP2. Where FP1 and FP2 screens differ, both are shown. Note: You must configure the VPN-1 object to use a pre-shared secret before you configure VPN-1 NG FP1/FP2 for Site-to-Site. Note: Working with Dynamic IP s and certificates is supported. For more information, please refer to or contact support@sofaware.com. SofaWare VPN Configuration Guide 15

16 Configuring VPN-1 NG FP1 and FP2 for Site-to-Site VPN Configuring VPN-1 NG FP1/FP2 for Site-to-Site VPN To configure VPN-1 NG FP1/FP2 for Site-to-Site VPN 1. Open the Check Point Policy Editor. 2. Create an S-box object by doing the following: a. In the Manage menu, click Network Objects. The Network Objects dialog box appears. b. If you are using FP1, click New and then click Workstation. The Workstation Properties dialog box appears with the General tab displayed. Do the following: 16 SofaWare VPN Configuration Guide

17 Configuring VPN-1 NG FP1 and FP2 for Site-to-Site VPN 1) In the Name field, type the object s name. 2) In the IP Address field, type the S-box s hiding address. 3) In the Type area, select Gateway. 4) Select Check Point products installed. 5) In the Version list, select ) In the Check Point Products list, select Firewall-1 and VPN-1. 7) In the Object Management area, select Managed by another Management Server [External]. c. If you are using FP2, click New, Check Point, and then Externally Managed Gateway. The Externally Managed Check Point Gateway dialog box opens with General Properties tab displayed. Do the following: SofaWare VPN Configuration Guide 17

18 Configuring VPN-1 NG FP1 and FP2 for Site-to-Site VPN 1) In the Name field, type the object s name. 2) In the Version list, select ) In the IP Address field, type the S-box s hiding address. 4) In the Check Point Products list, select Firewall-1 and VPN-1 Pro. d. Click Topology. The Topology tab is displayed. By default, no interfaces are defined. e. Add both an internal and external S-box interface. Do the following for each interface: 1) Click Add. The Interface Properties dialog box appears with the General tab displayed. 2) Type the interface s name, IP address, and subnet mask in the appropriate fields. 3) Click on the Topology tab. The Topology tab is displayed. 18 SofaWare VPN Configuration Guide

19 Configuring VPN-1 NG FP1 and FP2 for Site-to-Site VPN 4) If you are configuring the external interface, select External (leads out to the Internet) in the Topology area. Do not change the other settings. 5) If you are configuring the internal interface, select Internal (leads to the local network) in the Topology area, and select Network defined by the interface IP in the IP address Behind this interface area. Do not change the other settings. SofaWare VPN Configuration Guide 19

20 Configuring VPN-1 NG FP1 and FP2 for Site-to-Site VPN 6) Select All IP Address behind Gateway based on Topology 7) Click OK. f. In the menu, click VPN. The VPN tab is displayed. 20 SofaWare VPN Configuration Guide

21 Configuring VPN-1 NG FP1 and FP2 for Site-to-Site VPN g. Click Edit. Note: In FP1, FWZ appears in the Encryption Schemes list. Do not select FWZ. The IKE Properties dialog box appears. SofaWare VPN Configuration Guide 21

22 Configuring VPN-1 NG FP1 and FP2 for Site-to-Site VPN h. In the Support authentication methods area, select Pre-shared Secret, and click Edit Secrets... The Shared Secret dialog box appears. Do the following: 1) In the Peer Name column, click on the S-box s peer name. 22 SofaWare VPN Configuration Guide

23 Configuring VPN-1 NG FP1 and FP2 for Site-to-Site VPN Note: If the VPN-1 object was not configured to use a pre-shared secret, the peer name will not be listed. 2) In the Enter Secrets field, type the unique password that should be used by the S-box and VPN-1 when establishing VPN connections to each other. 3) Click Set. 4) Click OK. The IKE Properties dialog box reappears. i. Click Advanced. The Advanced IKE properties dialog box appears. j. Optional - Select the Support aggressive mode check box. SofaWare VPN Configuration Guide 23

24 Configuring VPN-1 NG FP1 and FP2 for Site-to-Site VPN Note: Main mode is supported in Site to Site configuration. k. Click OK. The IKE Properties dialog box reappears. l. Click OK. The Externally Managed VPN Host dialog box reappears with the VPN tab is displayed. m. Click OK. 3. Set VPN properties for the VPN-1 NG FP1/FP2 object by doing the following: a. In the Manage menu, click Network Objects. The Network Objects dialog box appears. b. Select the VPN-1 NG object and click Edit. The Check Point Gateway dialog box opens with General Properties tab displayed. 24 SofaWare VPN Configuration Guide

25 Configuring VPN-1 NG FP1 and FP2 for Site-to-Site VPN c. In the menu, click VPN. The VPN tab is displayed. d. Select IKE and click Edit. The IKE Properties dialog box appears. e. Click Advanced. The Advanced IKE properties dialog box appears. f. Select the Support aggressive mode check box. g. Click OK. The IKE Properties dialog box reappears. h. Click OK. The VPN tab reappears with certificate information displayed. SofaWare VPN Configuration Guide 25

26 Configuring VPN-1 NG FP1 and FP2 for Site-to-Site VPN 4. If desired, create a Topology user by doing the following: Note: A Topology user is a User object that enables the S-box to download the VPN-1 NG FP1/FP2 topology. If you do not create a Topology user, you must specify the VPN-1 s network configuration in the S-box VPN wizard. a. In the menu, click Topology. The Topology tab is displayed. 26 SofaWare VPN Configuration Guide

27 Configuring VPN-1 NG FP1 and FP2 for Site-to-Site VPN b. Select Exportable for SecuRemote/SecureClient. c. Click OK. d. In the Manage menu, choose Users and Administrators. The Users window opens. SofaWare VPN Configuration Guide 27

28 Configuring VPN-1 NG FP1 and FP2 for Site-to-Site VPN e. Click New, Users by Template, and then Default. The Users Properties dialog box appears with the General tab displayed. 28 SofaWare VPN Configuration Guide

29 Configuring VPN-1 NG FP1 and FP2 for Site-to-Site VPN f. Type the login name. In this example the name Topology is used. g. Click on the Encryption tab. The Encryption tab is displayed. SofaWare VPN Configuration Guide 29

30 Configuring VPN-1 NG FP1 and FP2 for Site-to-Site VPN Note: In FP1, FWZ appears in the Client Encryption Methods list. Do not select FWZ. h. Select IKE and click Edit. The IKE Properties dialog box appears. 30 SofaWare VPN Configuration Guide

31 Configuring VPN-1 NG FP1 and FP2 for Site-to-Site VPN Do the following: 1) Select the Password (pre-shared Secret) checkbox. The Password and Confirm Password fields are enabled. 2) In the Password and Confirm Password fields, type the pre-shared secret for the S-box. 3) Click on the Encryption tab. The Encryption tab is displayed. If you are using FP1, the screen appears as follows: SofaWare VPN Configuration Guide 31

32 Configuring VPN-1 NG FP1 and FP2 for Site-to-Site VPN If you are using FP2, the screen appears as follows: 4) If you are using FP2, select Defined below. 5) In the Encryption Algorithm list, select 3DES. 6) In the Data Integrity area, select SHA1. 7) Click OK. The User Properties dialog box reappears with the Encryption tab displayed. i. Click OK. The Users window reappears. j. Click Close. 5. Configure the rule base. 32 SofaWare VPN Configuration Guide

33 Configuring VPN-1 NG FP1 and FP2 for Site-to-Site VPN Example 1 Note: Example 1 matches the Unrestricted configuration mode in the Safe@ gateway. In this case, all traffic should be directed to the secured network (and not to the external IP of the Safe@ gateway). All VPN traffic will be allowed into the safe@ secured network, and no VPN ONLY Allow / Server rules must be defined in the Safe@ gateway. Note: The object Internal represents the encryption domain of the NG firewall. The object Sbox_Network represents the subnet behind the Safe@ gateway. Note: If VPN access to the NG firewall itself is also needed, the NG object needs to appear in the rule base as well. Note: In this instance, the services that will be encrypted in both directions are ICMP, Telnet and FTP. Example 2 SofaWare VPN Configuration Guide 33

34 Configuring VPN-1 NG FP1 and FP2 for Site-to-Site VPN Note: Example 2 matches Restricted configuration in the Safe@ gateway. In this case all traffic must be directed to the external interface of the Safe@ gateway, and can be forward inbound using VPN ONLY allow / server rules. Directing the traffic to the secured network behind the Safe@ gateway is not allowed in this mode. Note: The object called Internal represents the encryption domain of the NG firewall. Note: If VPN access to the NG firewall itself is also needed, the NG object needs to appear in the rule base as well. Note: In this instance, the services that will be encrypted in both directions are ICMP, Telnet and FTP. 6. Set encryption properties for each of the rules by doing the following: a. In desired rule s row, right-click on the Encrypt icon, and click Set Properties in the popup menu that appears. The Encryption Properties dialog box appears. 34 SofaWare VPN Configuration Guide

35 Configuring VPN-1 NG FP1 and FP2 for Site-to-Site VPN b. Click Edit. The IKE Phase 2 Properties dialog box appears. c. In the Data Integrity list, select SHA1. SofaWare VPN Configuration Guide 35

36 Configuring VPN-1 NG FP1 and FP2 for Site-to-Site VPN d. Click OK. The Encryption Properties dialog box appears. e. Click OK. 7. Compile the policy. 36 SofaWare VPN Configuration Guide

37 Chapter 4 Configuring VPN for Site-to-Site VPN This chapter explains how to configure Check Point VPN for the Safe@Office to VPN-1 (Site-to-Site VPN) solution described in Safe@Office to VPN-1 (Site-to-Site VPN), page 11. Note: The information in this chapter is correct for VPN-1 4.1, SP4, and higher. This chapter contains the following sections:! Configuring VPN for Site-to-Site VPN Note: You must configure the VPN-1 object to use a pre-shared secret before you configure VPN-1 NG 4.1 for Site-to-Site. SofaWare VPN Configuration Guide 37

38 Configuring VPN for Site-to-Site VPN Configuring VPN for Site-to-Site VPN To configure VPN for Site-to-Site VPN 1. Open the Check Point Policy Editor. 2. Create the Gateway object by doing the following: a. In the Manage menu, choose Network Objects. The Network Objects dialog box appears. b. Click New and then click Workstation. The Workstation Properties dialog box appears with the General tab displayed. 38 SofaWare VPN Configuration Guide

39 Configuring VPN for Site-to-Site VPN Do the following: 1) In the Name field, type the object s name. 2) In the IP Address field, type the S-box s hiding address. 3) In the Location area, select External. 4) In the Type area, select Gateway. 5) In the Modules Installed area, select VPN-1& FireWall-1 version 4.1. c. Click OK. 3. Configure the Safe@ Gateway internal network object by doing the following: a. In the Manage menu, choose Network Objects. The Network Objects dialog box appears. b. Click New and then click Network. The Network Properties dialog box appears with the General tab displayed. SofaWare VPN Configuration Guide 39

40 Configuring VPN for Site-to-Site VPN Do the following: 1) In the Name field, type the network object name. 2) In the IP Address field, type the network object s IP address. 3) In the Net Mask field, type the network object s subnet mask. The subnet mask represents the home network. 4) Click OK. c. Open the Safe@ Gateway object you defined earlier. The Workstation Properties dialog box appears with the General tab displayed. d. In the menu, click VPN. The VPN tab is displayed. 40 SofaWare VPN Configuration Guide

41 Configuring VPN for Site-to-Site VPN. e. In the Domain area, select Other, and then select network object from the Other list. (In the example above, the network object is Mynet.) f. Click Edit. The IKE Properties dialog box appears. SofaWare VPN Configuration Guide 41

42 Configuring VPN for Site-to-Site VPN g. In the Support authentication methods area, select Pre-shared Secret, and click Edit Secrets... The Shared Secret dialog box appears. Do the following: 1) In the Peer Name column, click on the VPN-1 s peer name. Note: If the VPN-1 object was not configured to use a pre-shared secret, the peer name will not be listed. 42 SofaWare VPN Configuration Guide

43 Configuring VPN for Site-to-Site VPN 2) In the Enter Secrets field, type the unique password that should be used by the S-box and VPN-1 when establishing VPN connections to each other. 3) Click Set. 4) Click OK. The IKE Properties dialog box reappears. h. Click OK. The Workstation Properties dialog box reappears with the VPN tab displayed. i. Click OK. 4. Configure the VPN-1 object by doing the following: a. In the Manage menu, choose Network Objects. The Network Objects dialog box appears. b. Select the VPN-1 object and click Edit. The Workstation Properties dialog box appears with the General tab displayed. c. Click on the VPN tab. The VPN tab is displayed. SofaWare VPN Configuration Guide 43

44 Configuring VPN for Site-to-Site VPN Note: Your Domain area may look different, depending on the VPN topology of your network. d. In the Domain section, select the Exportable for SecuRemote check box. e. In the Encryption schemes defined area, click Edit. The IKE Properties dialog-box appears. 44 SofaWare VPN Configuration Guide

45 Configuring VPN for Site-to-Site VPN f. Verify that the following options are selected:! Pre-shared Secret! Optional - Support Aggressive Mode Note: Main Mode is also supported so Aggressive mode is optional.! Support keys exchange for subnets 4. If desired, create a Topology user by doing the following: Note: A Topology user is a User object that enables the S-box to download the VPN-1 NG FP1/FP2 topology. If you do not create a Topology user, you must specify the VPN-1 s network configuration in the S-box VPN wizard. a. In the Manage menu choose Users. The Users dialog box appears. SofaWare VPN Configuration Guide 45

46 Configuring VPN for Site-to-Site VPN b. Click New,and then click Default. The Users Properties dialog box appears with the General tab displayed. c. In the Name field, type the user name. In this example the name Topology is used. d. In the Expiration Date field, type the expiration date. e. Click on the Encryption tab. The Encryption tab is displayed. 46 SofaWare VPN Configuration Guide

47 Configuring VPN for Site-to-Site VPN f. In the Client Encryption Methods area, select the IKE check box and clear the FWZ check box. g. Click Edit. The IKE Properties dialog box appears with the Authentication tab displayed. h. Select Password, and type the password in the field. i. Click on the Encryption tab. The Encryption tab is displayed. SofaWare VPN Configuration Guide 47

48 Configuring VPN for Site-to-Site VPN Do the following: 1) In the Data Integrity area, select SHA1. 2) In the Encryption Algorithm list, select 3DES. 3) Click OK. The Users Properties dialog box reappears with the Encryption tab displayed. j. Click OK. 5. Edit the existing rule base. Example 1 Note: Example 1 matches the Unrestricted configuration mode in the Safe@ gateway. In this case, all traffic should be directed to the secured network (and not to 48 SofaWare VPN Configuration Guide

49 Configuring VPN for Site-to-Site VPN the external IP of the gateway). All VPN traffic will be allowed into the secured network, and no VPN ONLY Allow / Server rules must be defined in the Safe@ gateway. Note: The object Local_VPN_Domain represents the encryption domain of the behind the 4.1 firewall. The object Mynet represents the subnet behind the Safe@ gateway. Note: If VPN access to the 4.1 firewall itself is also needed, the 4.1 object needs to appear in the rule base as well. Note: In this instance, the services that will be encrypted in both directions are ICMP, and FTP. Example 2 This example shows the rules that must be added to an existing rule base in order for FTP and ICMP to be encrypted to and from the S-box. Note: Example 2 matches Restricted configuration in the Safe@ gateway. In this case all traffic must be directed to the external interface of the Safe@ gateway, and can be forward inbound using VPN ONLY allow / server rules. Directing the traffic to the secured network behind the Safe@ gateway is not allowed in this mode. Note: The object Local_VPN_Domain is the subnet behind the FW firewall. SofaWare VPN Configuration Guide 49

50 Configuring VPN for Site-to-Site VPN Note: If VPN access to the 4.1 firewall itself is also needed, the 4.1 object needs to appear in the rule base as well. Note: In this instance, the services that will be encrypted in both directions are ICMP, and FTP. 6. Set encryption properties for each of the rules by doing the following: a. In desired rule s row, right-click on the Encrypt icon, and click Set Properties in the popup menu that appears. The Encryption Properties dialog box appears. b. Click Edit. The IKE Properties dialog box appears. 50 SofaWare VPN Configuration Guide

51 Configuring VPN for Site-to-Site VPN c. In the Data Integrity list, select SHA1. d. Click OK. The Encryption Properties dialog box reappears. e. Click OK. 7. Compile the policy. SofaWare VPN Configuration Guide 51

52

53 Chapter 5 Configuring VPN-1 for Safe@ RAS VPN This chapter explains how to configure Check Point VPN-1 as a VPN RAS server, as described in the solution VPN RAS Client to VPN-1 VPN RAS Server, page 12. The VPN-1 versions supported are Check Point 4.1 SP4 and above, NG FP1, and NG FP2. If you are using NG FP3, please refer to Configuring VPN-1 NG FP3, page 73 After configuring VPN-1, you must configure the Safe@ appliance to act as a VPN RAS client. For instructions, refer to the SofaWare Safe@ Getting Started Guide. The SofaWare Safe@ Gateway uses IKE shared secrets to establish an IPSEC VPN connection from the Safe@ Gateway to the Check Point Enterprise VPN-1. This chapter contains the following sections:! Configuring VPN-1 NG for Safe@ RAS VPN, page 53.! Configuring VPN for Safe@ RAS VPN, page 64 Configuring VPN-1 NG for Safe@ RAS VPN Note: This procedure can be used for VPN-1 NG FP1 and FP2. To configure VPN-1 NG for Safe@ RAS VPN 1. Open the Check Point Policy Editor. 2. Edit the VPN-1 NG properties by doing the following: a. From the Manage menu, select Network Objects. The Network Objects dialog box appears. SofaWare VPN Configuration Guide 53

54 Configuring VPN-1 for RAS VPN b. Click on the VPN-1 workstation object that should receive the gateway VPN session request. The Workstation Properties dialog box appears with the General tab displayed. 54 SofaWare VPN Configuration Guide

55 Configuring VPN-1 for RAS VPN c. In the menu, click VPN. The VPN tab is displayed. d. In the Encryption schemes area, verify that the IKE check box is selected. e. Click Edit. The IKE Properties dialog box appears. SofaWare VPN Configuration Guide 55

56 Configuring VPN-1 for RAS VPN f. Verify that the following selections are made:! In the Support key exchange encryption with list: DES and/or 3DES! In the Support data integrity with area: MD5 and/or SHA1 Note: These are the minimal selections. If desired, you can select additional options. g. Click Advanced. The Advanced IKE properties dialog box appears. 56 SofaWare VPN Configuration Guide

57 Configuring VPN-1 for RAS VPN Do the following: 1) Select the Use UDP encapsulation check box. 2) From the Use UDP encapsulation list, select VPN1_IPSEC_encapsulation. 3) In the Rekeying Parameters area, set Renegotiate IKE security associations to 1440 minutes, and set Renegotiate IPSEC Security associations every to 3600 seconds. 4) In the Misc area, select Support IP compression for SecureClient, Support aggressive mode, and Support key exchange for subnets. 5) Click OK. The IKE Properties dialog box reappears. h. Click OK. The Workstation Properties dialog box reappears with the VPN tab displayed. i. Click OK. SofaWare VPN Configuration Guide 57

58 Configuring VPN-1 for RAS VPN 3. Create a new group object by doing the following: a. In the Manage menu, click Users. The Users dialog box appears. b. Click New and then Group. The Group Properties dialog box appears. 58 SofaWare VPN Configuration Guide

59 Configuring VPN-1 for RAS VPN c. In the Name field, type the group object s name. d. If users are already defined and you wish to add them to the new group, add users to your group by doing the following: 1) In the Not in Group list, select desired users. 2) Click Add>. The selected users are moved to the In Group list. e. Click OK. The Users dialog box reappears. The new group object appears in the Users list. f. Click Close. 4. If you wish to create a new Safe@ gateway user object, do the following: a. In the Manage menu, click Users. The Users window appears. b. Click New, User by Template, and then Default. The User Properties dialog box appears with the General tab displayed. SofaWare VPN Configuration Guide 59

60 Configuring VPN-1 for RAS VPN c. Type a login name for the new Safe@ gateway user. d. Click the Groups tab. The Groups tab is displayed. e. In the Available Groups list, select the group you created earlier and click Add>. The group is moved to the Belongs to Groups list. f. Click on the Encryption tab. The Encryption tab is displayed. 60 SofaWare VPN Configuration Guide

61 Configuring VPN-1 for RAS VPN g. In the Client Encryption Methods area, verify that the IKE check box is selected. h. Click Edit. The IKE Properties dialog box appears with the Authentication tab displayed. SofaWare VPN Configuration Guide 61

62 Configuring VPN-1 for RAS VPN Do the following: 1) Select Password. The Password and Confirm Password fields are enabled. 2) In the Password and Confirm Password fields, type the pre-shared secret for the gateway. 3) Click on the Encryption tab. The Encryption tab is displayed. 62 SofaWare VPN Configuration Guide

63 Configuring VPN-1 for RAS VPN 4) In the Transform area, select Encryption + Data Integrity (ESP). 5) In the Data Integrity area, select SHA1 or MD5. 6) In the Encryption Algorithm list, select DES or 3DES. 7) Click OK. The User Properties dialog box reappears with the Encryption tab displayed. i. Click OK. The Users window reappears. j. Click Close. 5. Add a rule to your rule base: Note: The rule above is only an example. The Destination and Service may vary according to your VPN settings and your network needs. 6. Compile the policy. Note: The object Internal represent the encryption domain of the NG firewall. SofaWare VPN Configuration Guide 63

64 Configuring VPN-1 for RAS VPN Configuring VPN for RAS VPN To configure VPN for RAS VPN 1. Open the Check Point Policy Editor. 2. Edit the VPN properties by doing the following: a. From the Manage menu, select Network Objects. The Network Objects dialog box appears. b. Click on the VPN object that should receive the gateway VPN session request, and click Edit. The Workstation Properties dialog box appears with the General tab displayed. 64 SofaWare VPN Configuration Guide

65 Configuring VPN-1 for RAS VPN c. Click on the VPN tab. The VPN tab is displayed. SofaWare VPN Configuration Guide 65

66 Configuring VPN-1 for RAS VPN d. In the Encryption schemes defined area, verify that the IKE check box is selected. e. Click Edit. Note: In the example above, the Local_VPN_Domain object represents the secured networks protected by VPN-1. Your VPN-1 may have other network objects defined. The IKE Properties dialog box appears. 66 SofaWare VPN Configuration Guide

67 Configuring VPN-1 for RAS VPN f. Verify that the following selections are made:! In the Key Negotiation Encryption Method(s) list: DES and/or 3DES Note: CAST is not supported by gateway, but can be selected if desired.! In the Hash Method area: MD5 and/or SHA1! Support Aggressive Mode! Support Subnets Note: These are the minimal selections. If desired, you can select additional options. g. Click OK. The Workstation Properties dialog box reappears with the VPN tab displayed. h. Click OK. 3. Create a new group object by doing the following: a. From the Manage menu, click Users. The Users dialog box appears. SofaWare VPN Configuration Guide 67

68 Configuring VPN-1 for RAS VPN b. Click New and then click Group. The Group Properties dialog box appears. c. In the Name field, type the group object s name. d. If users are already defined, and you wish to add them to the new group, do the following: 1) In the Not in Group list, select desired users. 2) Click Add>. The selected users are moved to the In Group list. 68 SofaWare VPN Configuration Guide

69 Configuring VPN-1 for RAS VPN e. Click OK. The Users dialog box reappears. The new group appears in the Users list. f. Click Close. 4. If you wish to create a new Safe@ gateway user object, do the following: a. From the Manage menu, click Users. The Users window appears. b. Click New and then click Default. The User Properties dialog box appears with the General tab displayed. Do the following: 1) In the Name field, type a name for the new Safe@ gateway user. 2) If desired, type a new expiration date for the Safe@ gateway user object in the Expiration Date field. c. Click the Groups tab. The Groups tab is displayed. SofaWare VPN Configuration Guide 69

70 Configuring VPN-1 for RAS VPN d. In the Available Groups list, select the group you created earlier and click Add >. The group is moved to the Belongs to Groups list. e. Click on the Encryption tab. The Encryption tab is displayed. f. In the Client Encryption Methods area, verify that the IKE check box is selected. 70 SofaWare VPN Configuration Guide

71 Configuring VPN-1 for RAS VPN g. Click Edit. The IKE Properties dialog box appears with the Authentication tab displayed. Do the following: 1) Select Password. The Password field is enabled. 2) In the Password field, type the pre-shared secret for the gateway. 3) Click on the Encryption tab. The Encryption tab is displayed. SofaWare VPN Configuration Guide 71

72 Configuring VPN-1 for RAS VPN 4) In the Transform area, select Encryption + Data Integrity (ESP). 5) In the Data Integrity area, select SHA1 or MD5. 6) In the Encryption Algorithm list, select DES or 3DES. 7) Click OK. The User Properties dialog box reappears with the Encryption tab displayed. h. Click OK. The Users window reappears. i. Click Close. 5. Add a rule to your rule base: Note: The rule above is only an example. The Destination and Service may vary according to your VPN settings and your network needs. 6. Compile the policy. Note: The object Internal represents the encryption domain of the FW firewall. 72 SofaWare VPN Configuration Guide

73 Chapter 6 Configuring VPN-1 NG FP3 This chapter explains how to create Site-to-Site and Client-to-Site VPN tunnels between Safe@ gateway and NG FP3 using communities. Note: SSC (SofaWare SmartCenter Connector) add-on must be installed on the NG FP3 firewall SofaWare VPN Configuration Guide 73

74 Configuring VPN-1 NG FP3 Configuring gateway to NG FP3 In Client to Site Mode Create and Configure object 1. Open the Check Point Policy Editor. 2. Create a Safe@ Gateway object by doing the following: a. In the Manage menu, click Network Objects. The Network Objects dialog box appears. b. Click New, Check Point, and then Safe@ Gateway... c. The Safe@ Gateway properties page appears 3. Configure the Safe@ Gateway Object by doing the following: 74 SofaWare VPN Configuration Guide

75 Configuring VPN-1 NG FP3 a. In the Name field, type the object s name. b. Next to the IP Address field select the Dynamic Address checkbox. c. In the Type field choose GW Type. d. In the SofaWare Profile field choose Profile. e. In the Password field enter a password, or press on the Generate Password button. f. Select the VPN Enabled check box. g. Save the object by clicking OK. Note: The Safe@ password is automatically used as its shared secret in the community. SofaWare VPN Configuration Guide 75

76 Configuring VPN-1 NG FP3 Configure the Community 1. Define the Community by doing the following: a. Select the VPN Manager tab: b. Double click on the RemoteAccess community. The RemoteAccess Community Properties window appears. 2. Add participants to the pre-defined RemoteAccess Community: a. In the General Tab, Enter Object name. b. In the Participating Gateways, choose the firewall gateways you wish to use. 76 SofaWare VPN Configuration Guide

77 Configuring VPN-1 NG FP3 c. In the Participating User Groups, select All SofaWare VPN GW s d. Click OK. Note: You can choose All Users, and it will include All SofaWare VPN GW s SofaWare VPN Configuration Guide 77

78 Configuring VPN-1 NG FP3 Configure Global Properties 1. From the menu select Policy and Global Properties 2. The Global Properties page appears. 3. Select Remote Access and then VPN Basic in the tree on the left side of the dialog-box. 4. Select the Hybrid Mode (VPN-1 & Firewall-1 authentication) checkbox. 5. Click OK Rule base Note: If using Gateways version 2.0.x, it is mandatory to select also Preshared Secret Note: The If Via access rule condition means "Accept if encrypted between community members". In the example below, all services are allowed via the RemoteAccess community. 78 SofaWare VPN Configuration Guide

79 Configuring VPN-1 NG FP3 6. Install the policy on the desired gateways and profiles. Configuring gateway to NG FP3 in Site To Site mode Create a network object Note: Working with Dynamic IP s and certificates is supported. For more information, please refer to or contact support@sofaware.com. 1. Open the Check Point Policy Editor. 2. Create a Safe@ Gateway object by doing the following: a. In the Manage menu, click Network Objects. SofaWare VPN Configuration Guide 79

80 Configuring VPN-1 NG FP3 b. Click New. c. Select Network... d. The Network Properties window opens e. In the Name field type the name of the object f. In the Network Address field type the network IP address 80 SofaWare VPN Configuration Guide

81 Configuring VPN-1 NG FP3 g. In the Net Mask field type the subnet mask h. Click OK Create and Configure object 1. Open the Check Point Policy Editor. 2. Create a Safe@ Gateway object by doing the following: a. In the Manage menu, click Network Objects. The Network Objects dialog box appears. b. Click New, Check Point, and then Safe@ Gateway. c. The Safe@ Gateway properties page appears. 3. Configure the Safe@ Gateway object by doing the following: SofaWare VPN Configuration Guide 81

82 Configuring VPN-1 NG FP3 a. In the Name field, type the object s name. b. In the IP Address field, type your IP address. c. In the Type field, choose GW Type d. In the SofaWare Profile field, choose Profile e. In the Password field, enter a password, or press the Generate Password button. f. Select the VPN Enabled check box. 4. Configure Topology by doing the following: a. Select the Topology tab 82 SofaWare VPN Configuration Guide

83 Configuring VPN-1 NG FP3 b. From the Manually defined drop-down menu select the network object that represents the network protected by the gateway c. Save the object by clicking OK. Configure the Community 1. Define the Community a. Select the VPN Manager tab. b. Right-click in the VPN Manager, then from the New Community menu choose Star. Note: Meshed communities are not supported in NG FP3 with gateways The Start community Properties page appears SofaWare VPN Configuration Guide 83

84 Configuring VPN-1 NG FP3 c. In the Name field type the name of the object. Note: In order to accept encrypted traffic, the user can check the "Accept all encrypted traffic" checkbox on the community object. This will add an automatic access rule for all encrypted traffic between community members. d. Select the Central Gateways tab. e. Add the gateway object you wish to be the Central Gateway. 84 SofaWare VPN Configuration Guide

85 Configuring VPN-1 NG FP3 f. Select the Satellite Gateways tab g. Click Add... and choose the gateway object. h. Services in the Clear definitions will not effect the tunnel between and FP3. The will encrypt all traffic. i. Click on VPN Properties tab. j. Define Phase 1 and Phase 2 properties. SofaWare VPN Configuration Guide 85

86 Configuring VPN-1 NG FP3 Note: All VPN Encryption and Data Integrity combinations are allowed. In the example above Phase 1 is configured to use 3DES + MD5, and phase 2 is configured to use 3DES + SHA1. Other combinations are allowed. Note: There is no need to define Advanced Properties. Note: There is no need to define the shared secret on the community. The Safe@ password is automatically used as its shared secret in the community. k. Click OK l. The new Start community is presented in the VPN Manager tab. 86 SofaWare VPN Configuration Guide

87 Configuring VPN-1 NG FP3 Rule Base Note: The "If Via" access rule condition means "Accept if encrypted between community members." Note: In the example below, only FTP and ICMP protocols will be Encrypted via the Star_1 Community. SofaWare VPN Configuration Guide 87