Configure an IPSec Tunnel between a Firebox Vclass & a Check Point FireWall-1

This document describes how to configure an IPSec tunnel between a WatchGuard Firebox Vclass appliance (Vcontroller version 3.2) and a Check Point FireWall-1 running the Next Generation (NG) FP2 software version. The following diagram illustrates the machines and addresses involved in the connection. The examples used in this document are taken from this set-up.
NOTE: Any third-party appliance between the Firebox Vclass and the FireWall-1 (the tunnel end-points), such as a router, must be configured to allow IPSec traffic, specifically UDP port 500 and IP protocols 50 and 51. Further, a third-party appliance must not perform NAT on either tunnel end-point. You should contact your ISP to ensure that these requirements are met before configuring your IPSec tunnel.

Configure the Firebox Vclass Appliance for an IPSec Tunnel

This procedure describes how to configure the Firebox Vclass appliance to create an IPSec Virtual Private Network (VPN) tunnel to a FireWall-1.

Creating an IKE policy

In this section, you configure the Phase 1 settings on the Firebox Vclass appliance. This portion of the configuration is analogous to the Gateways window in the WatchGuard Policy Manager.

1 Connect to the Firebox Vclass appliance with the WatchGuard Vcontroller application. The Vcontroller Main Configuration Page appears.
2 Click IKE Policy. The IKE Policy page appears.
3 From the buttons along the bottom of the page, click Insert. The Insert IKE Policy window appears.
4 Enter a name and description for the IKE Policy in the appropriate fields. In our example, we entered RemoteGate as the IKE Policy name and left the description field blank.
5 From Peer Address Group, click New. The New Address Group window appears.
6 Enter a name and description for the Address Group in the appropriate fields. In our example, we entered Remote Gateway as the Address Group name and left the description field blank.
7 Click New. The New Address Group Member window appears.
8 From the Type drop list, select Host IP Address and then enter the external IP address of the FireWall-1. In our example, 206.253.208.100.
9 Click Done to close the New Address Group Member window. Click Done again to close the New Address Group window and return to the New IKE Policy window.
Creating an IKE action

1 From IKE Action, click New. The New IKE Action window appears.
2 Enter a name and description for the IKE Action in the appropriate fields. In our example, we entered Interop as the IKE Action name and left the description field blank.
3 From the Mode drop list, select Main.
4 Click New. The New IKE Transform window appears.
5 Enter the following information using the appropriate drop list or field. These values must match those defined on the FireWall-1.
   Authentication Type: Select Pre-Shared Key.
   DH Group: Select IKE_MODP_768.
   Encryption Algorithm: Select DES.
   Hash Algorithm: Select SHA.
   Lifetime: 24 Hour
   Life Length: 0
6 Click Done to close the New IKE Transform window. Click Done again to close the New IKE Action window and return to the Insert IKE Policy window.
7 From the Peer Authentication ID field, enable the Any option.
8 Verify that the X.500 Name option is disabled.
9 From the Pre-Shared Key section, enable the String option.
10 Enter and confirm the Pre-Shared Key. This must match exactly the Shared Secret entered on the FireWall-1. In our example, secret.
11 Click Done to return to the IKE Policy page.
Creating a security policy

This section covers the encryption and authentication algorithms used in Phase 2 IPSec negotiation. These settings must match exactly the settings you make in the Phase 2 configuration on the FireWall-1.

1 From the right side, click Security Policy. The IKE Policy window refreshes and becomes the Security Policy window.
2 Select the first security policy and then click Insert. The Insert Security Policy window appears.
3 Enter a name and description for the Security Policy in the appropriate fields. In our example, we entered VPN Tunnel as the Security Policy name and left the description field blank.
4 From Source, click New. The New Address Group window appears.
5 Enter a name and description for the Address Group in the appropriate fields. In our example, we entered WGRD Private Network as the Address Group name and left the description field blank.
6 Click New. The New Address Group Member window appears.
7 From the Type drop list, select IP Network Address and then enter the network IP address and subnet mask of the private network behind the Firebox Vclass appliance. In our example, the network address is 192.168.3.0 and the netmask is 255.255.255.0.
8 Click Done to close the New Address Group Member window. Click Done again to close the New Address Group window and return to the Insert Security Policy window.
9 From Destination, click New. The New Address Group window appears.
10 Enter a name and description for the Address Group in the appropriate fields. In our example, we entered Remote Private Network as the Address Group name and left the description field blank.
11 Click New. The New Address Group Member window appears.
12 From the Type drop list, select IP Network Address and then enter the network IP address and subnet mask of the private network behind the FireWall-1 appliance. In our example, the network address is 10.10.10.0 and the netmask is 255.255.255.0.
13 Click Done to close the New Address Group Member window. Click Done again to close the New Address Group window and return to the Insert Security Policy window.
14 From IPSec, click New. The New IPSec Action window appears.
15 Enter a name and description for the IPSec Action in the appropriate fields. In our example, we entered Interop as the IPSec Action name and left the description field blank.
16 From the Mode drop list, select Tunnel.
17 Enable the Peer Tunnel Address Group option and select FireWall-1 from the drop list.
18 From the Key Management drop list, select Automatic (IKE).
19 Verify that the Perfect Forward Secrecy option is disabled.
20 From Unselected Proposals, select ESP-3DES-SHA and click Add. The ESP-3DES-SHA proposal appears in the Selected Proposals field.
21 Click Done to close the New IPSec Action window and return to the Insert Security Policy window.
22 Verify that the Firewall option Pass is enabled.
23 Verify that the Service drop list is set to Any.
24 Verify that the Incoming Interface drop list is set to (0)Private.
25 Enable the Gateway to Gateway VPN checkbox.
26 Click Done to close the Insert Security Policy window and return to the Insert IKE Policy window.
27 Click OK and commit the changes.
Configure the FireWall-1 for an IPSec Tunnel to a Firebox Vclass

This procedure describes how to configure the FireWall-1 to create an IPSec Virtual Private Network (VPN) tunnel to a Firebox Vclass.

Creating a new security policy

1 Connect to the FireWall-1 with the configuration management tool and open the Check Point Policy Editor in the FireWall-1 GUI.
2 Select File => New. The New Policy Package window appears.
3 Enter the following information:
   Policy Package Name: Enter the name of the configuration you are about to create. In our example, IPSec.
   Policy Type: Enable Security and Address Translation.
4 Click OK. Tabs appear for the policy you just created.

Creating and configuring network objects

To allow IPSec traffic between network addresses, you must create icons for the network addresses in question as well as for the local and remote firewalls. Start by creating an icon for the private network behind the Firebox Vclass.

1 Select Manage => Network Objects. The Network Objects window appears.
2 Click New, then select Network. The Network Properties window appears.
3 Click the General tab and enter the following information:
   Name: Enter a name for the network for which this Network Object is being created. In our example, the private network behind the Firebox Vclass is named WGRD_net.
   Network Address: Enter the IP address of the private network. In our example, 192.168.3.253.
   Netmask: Enter the netmask of the private network. In our example, 255.255.255.0.
   Comment: Add comments or reminders about this configuration. (This field is optional.)
   Color: Select a color from the drop list for this Network Object. In our example, red.
   Broadcast Address: Enable the Included option.
   NOTE: Do not make changes to the NAT tab; maintain the default settings.
4 Click OK. The Network Objects window reappears with the new icon.

Create another icon for the private network behind the FireWall-1 appliance:

5 Click New, then select Network. The Network Properties window appears.
6 Click the General tab and enter the following information:
   Name: Enter a name for the network for which this Network Object is being created. In our example, the private network behind the FireWall-1 is named FW-1_net.
   Network Address: Enter the IP address of the network. In our example, 10.10.10.0.
   Netmask: Enter the netmask of the network. In our example, 255.255.255.0.
   Comment: Add comments or reminders about this configuration. (This field is optional.)
   Color: Select a color from the drop list for this Network Object. In our example, blue.
   Broadcast Address: Enable Allowed.
   NOTE: Do not make changes to the NAT tab; maintain the default settings.
7 Click OK. The Network Objects window reappears with the new icon. Following our example, the icons are WGRD_net and FW-1_net.

Configuring network objects: the Check Points object

1 Select Check Points from the Show drop list. An icon representing the FireWall-1 appliance appears.
2 Select the icon representing the FireWall-1 and then click Edit. The Check Point Gateway window appears.
3 From the tree view, select General Properties and enter the following information:
   IP Address: Enter the external IP address of the FireWall-1 appliance. In our example, 206.253.208.100.
   Comment: Add any relevant comments or notes here.
   Color: Choose a color to represent the FireWall-1. In our example, blue.
4 From the tree view, select Topology and click Add to define an interface. The Interface Properties window appears.
5 Enter the following information:
   Name: Enter the name of the external interface of the FireWall-1 appliance.
   IP Address: Enter the IP address of the external interface. In our example, 206.253.208.100.
   Net Mask: Enter the netmask of the interface. In our example, 255.255.255.0.
6 Click on the Topology tab and enter the following information:
   Topology: Enable the External option.
   Anti-Spoofing: Choose whether or not to enforce anti-spoofing rules on this interface. You can also choose how to log spoofed packets on this interface (None, Log or Alert).
7 Click OK to return to the Check Point Gateway window.
8 Again, from the tree view, select Topology and click Add to define a second interface.
9 Enter the following information:
   Name: Enter the name of the trusted interface of the FireWall-1.
   IP Address: Enter the IP address of the trusted interface.
   Net Mask: Enter the netmask of the interface.
10 Click on the Topology tab and enter the following information:
   Topology: Enable the Internal option.
   IP Addresses behind this interface: Enable the Specific option and then select FW-1_net from the drop list.
   Anti-Spoofing: Choose whether or not to enforce anti-spoofing rules on this interface. You can also choose how to log spoofed packets on this interface (None, Log or Alert).
11 Click OK to return to the Check Point Gateway window.
12 Enable the Manually Defined option and select FW-1_net from the drop list. This associates the network defined by the FW-1_net icon with VPN rules on this FireWall-1 appliance.
13 From the tree view, select VPN.
14 From the Encryption Schemes field, verify that the IKE checkbox is enabled and then click Edit. The IKE Properties window appears.
15 Enter the following information:
   Support Key Exchange Encryption With: Select the encryption type the FireWall-1 will use in Phase 1 negotiations. This must match the Phase 1 encryption method selected on the Firebox Vclass. In our example, DES.
   Support Data Integrity With: Select the data integrity algorithm the FireWall-1 will use in Phase 1 negotiations. This must match the Phase 1 hash algorithm selected on the Firebox Vclass. In our example, SHA1.
   Support Authentication Methods: Enable the Pre-Shared Secret option.
16 Click on the Advanced button. The Advanced IKE Properties window appears.
17 Enter the following information:
   Support Diffie-Hellman Groups (IKE Phase 1): Here you can choose which DH group the FireWall-1 appliance will support in Phase 1. We set this to DH group 1 (768 bit) in this example. This must match the Phase 1 DH group setting on the Firebox Vclass.
   Support Key Exchange for Subnets: This feature allows Phase 2 encryption key exchanges to take place between subnets and not just individual hosts. In our example, this feature is enabled.
18 Click OK to close the Advanced IKE Properties window, click OK to close the IKE Properties window and return to the Check Point Gateway window, and then click OK to return to the Network Objects window.

Configuring network objects: the Interoperable Devices object

1 Click New and select Interoperable Device. The Interoperable Device window appears.
2 From the tree view, select General Properties and enter the following information:
   Name: Choose a name for the device represented by this icon. In this example we chose the name WGRD to represent the Firebox Vclass appliance.
   IP Address: Enter the external IP address of the Firebox Vclass. In our example, 208.152.24.104.
   Comment: Enter any notes, comments or reminders you might have.
   Color: Choose a color. In our example, red.
3 From the tree view, select Topology and click Add. The Interface Properties window appears.
4 Enter the following information to define the external interface of the Firebox Vclass appliance:
   Name: Enter the name of the external interface of the Firebox Vclass. In our example, eth0.
   IP Address: Enter the external IP address of the Firebox Vclass. In our example, 208.152.24.104.
   Net Mask: Enter the netmask of the external interface. In our example, 255.255.255.0.
5 Click OK to close the Interface Properties window.
6 Click Add again and enter the following information to define the trusted interface of the Firebox Vclass appliance:
   Name: Enter the name of the trusted interface. In our example, eth1.
   IP Address: Enter the IP address of the trusted interface. In our example, 192.168.3.253.
   Net Mask: Enter the netmask of the trusted interface. In our example, 255.255.255.0.
7 Click OK to close the Interface Properties window.
8 Enable the Manually Defined option and select WGRD_net from the drop list.
9 From the tree view, select VPN.
10 From the Encryption Schemes field, enable the IKE checkbox and then click Edit. The IKE Properties window appears.
11 Enter the following information:
   Support Key Exchange Encryption With: Select the encryption type the Firebox Vclass will use in Phase 1 negotiations. This must match the Phase 1 encryption method selected on the Firebox Vclass. In our example, DES.
   Support Data Integrity With: Select the data integrity algorithm the Firebox Vclass will use in Phase 1 negotiations. This must match the Phase 1 hash algorithm selected on the Firebox Vclass. In our example, SHA1.
   Support Authentication Methods: Select Pre-Shared Secret.
12 Click Edit Secrets. The Shared Secret window appears.
13 The peer should be the name of the FireWall-1. Select the peer and click Edit. The Enter secret field appears.
14 Enter the shared secret the FireWall-1 and Firebox Vclass will use in negotiations. In our example, 123456. Click Set. This must match the shared key entered on the Firebox Vclass.
15 Click OK to close the Shared Secret window and return to the IKE Properties window.
16 Click Advanced. The Advanced IKE Properties window appears.
17 Enter the following information:
   Support Diffie-Hellman Groups (IKE Phase 1): Determine the DH group the Firebox Vclass will support in Phase 1. In our example this is set to DH group 1 (768 bit). This must match the Phase 1 DH group setting on the Firebox Vclass.
   Renegotiate IPSec (Phase 2) Security Associations every ... seconds: Determine the number of seconds after which Phase 2 security associations will expire. Set this to 86400 seconds to match the Phase 2 SA timeout on the Firebox Vclass.
   Renegotiate IPSec (Phase 2) Security Associations every ... Kbytes: Determine the number of kilobytes that can pass through the tunnel after which Phase 2 security associations will expire. In our example, enable this feature and set it to 8192 Kbytes to match the Phase 2 SA timeouts on the Firebox Vclass.
   Support Key Exchange for Subnets: This allows Phase 2 encryption key exchanges to take place between subnets and not just individual hosts. In our example, this feature is enabled.
18 Click OK to close the Advanced IKE Properties window, click OK to close the IKE Properties window, and click OK to close the Interoperable Device window and return to the Network Objects window. All of the icons you have created are displayed.
19 You are now done configuring the network objects. Click Close to return to the main Check Point Policy Editor window.

Configuring the IPSec policy

1 Select Rules => Add Rule => Top.
2 From the Rule drop list, choose Add Rule and then choose Top. A new rule (rule #1) is added to your policy.
3 Right click on the SOURCE field of the new rule and select Add. The Network Objects window appears.
4 Select WGRD_net from the Network Objects window and click OK. The WGRD_net icon appears in the SOURCE field of the first policy rule.
5 Right click again on the SOURCE field of the new rule and select Add. The Network Objects window appears.
6 Select FW-1_net from the Network Objects window and click OK. The FW-1_net icon appears in the SOURCE field of the first policy rule.
7 Right click on the DESTINATION field of the new rule and select Add. The Network Objects window appears.
8 Select FW-1_net from the Network Objects window and click OK. The FW-1_net icon appears in the DESTINATION field of the first policy rule.
9 Right click again on the DESTINATION field of the new rule and select Add. The Network Objects window appears.
10 Select WGRD_net from the Network Objects window and click OK. The WGRD_net icon appears in the DESTINATION field of the first policy rule.
11 Right click on drop in the Action field and select encrypt.
   NOTE: If you do not see encrypt among the Action options, you must enable traditional mode encryption. From the main Check Point Policy Editor window, go to Policy => Global Properties. From the tree view, select VPN-1 Pro and select traditional mode encryption.
12 Double click on the Action field. The Encryption Properties window appears.
13 Enable the IKE checkbox and then click Edit. The IKE Phase 2 Properties window appears.
14 Enter the following information:
   Encryption Algorithm: This must match the Phase 2 encryption algorithm on the Firebox Vclass. In our example, 3DES.
   Data Integrity: This must match the Phase 2 data integrity setting on the Firebox Vclass. In our example, SHA.
   Compression Method: Set this to None.
   Allowed Peer Gateway: Select the WGRD gateway from the drop list.
15 Click OK to close the IKE Phase 2 Properties window. Click OK again to close the Encryption Properties window and return to the main Check Point Policy Editor window.
16 Right click on the TRACK field and select log. This enables logging for the IPSec negotiations.
17 Right click on the INSTALL ON field, select Add and then Targets. The Targets window appears.
18 Select the appropriate Check Point appliance and then click OK.

Adding a default drop rule

If you do not have a default drop rule, add one for debugging purposes.

1 Select Rules => Add Rule => Bottom.
2 From the TRACK field, select log.
3 From the INSTALL ON field, select the FireWall-1 appliance. This will allow you to log all packets dropped by the FireWall-1 appliance.

Disabling NAT

Add a rule to make sure the FireWall-1 appliance does not NAT the inbound IPSec traffic.

1 From the Check Point Policy Editor main menu, click on the Address Translation tab.
2 Select Rules => Add Rule => Top. A blank rule appears at the top of the Address Translation tab.
3 Under the ORIGINAL PACKET section, right click on the SOURCE field and select Add. The Network Objects window appears.
4 Select FW-1_net and then click OK. The FW-1_net icon appears in the SOURCE field under the ORIGINAL PACKET section of the Address Translation tab.
5 Under the ORIGINAL PACKET section, right click on the DESTINATION field and select Add. The Network Objects window appears.
6 Select WGRD_net and then click OK. The WGRD_net icon appears in the DESTINATION field under the ORIGINAL PACKET section of the Address Translation tab.
7 Right click on the INSTALL ON field and select Add => Targets. The Targets window appears.
8 Select the FireWall-1 appliance and then click OK. The FireWall-1 appliance appears in the INSTALL ON field.
9 Select Policy => Global Properties. The Global Properties window appears.
10 Verify that the Accept VPN-1 & FireWall-1 control connections checkbox is enabled. This prevents you from accidentally locking yourself out of the FireWall-1.
11 Click OK.
12 Select Policy => Install. The Address Translation-Routing window appears. This window acts as a warning to let you know you have added NAT rules to the configuration.
13 Click OK to continue. The Policy Editor Warning window appears. This window alerts you to the fact that, in addition to the rules you defined, there are also default rules in Global Properties that will be enforced with the installation of this configuration.
14 Click OK to continue. The Install Policy window appears.
15 Select the appropriate FireWall-1 appliance and then click OK. In our example, palm.
16 Click OK to continue. The Install Policy window displays log messages as it checks and installs the policy.
17 When the "VPN-1/FireWall-1 policy installation Succeeded for: <name of the FireWall-1 appliance>" message appears, click Close.
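Because every Phase 1 and Phase 2 value in this procedure is entered twice, once in Vcontroller and once in the Check Point Policy Editor, a mismatch on either side is the usual reason the tunnel fails to come up. The following Python script is an added example, not part of this WatchGuard document or of either vendor's software: it loads both ends' settings (this document's example values; the pre-shared key is a constructed placeholder, and the dictionary field names are this example's own), normalises the two vendors' spellings of the same algorithm, reports any disagreement, and lists the settings that are weak by current standards.

```python
"""Consistency check for the IKE Phase 1 and IPSec Phase 2 settings that this
procedure has you enter twice: once in Vcontroller, once in the Check Point
Policy Editor. Added example; not WatchGuard or Check Point code."""
import hashlib
import ipaddress
from typing import Dict, List

# The two GUIs spell the same algorithm differently; map both to one name.
ALIASES = {
    "sha": "sha1", "sha1": "sha1",
    "ike_modp_768": "dh1", "dh group 1 (768 bit)": "dh1",
    "ike_modp_1024": "dh2", "dh group 2 (1024 bit)": "dh2",
    "pre-shared key": "psk", "pre-shared secret": "psk",
}
# Settings this procedure uses that are weak by current standards.
LEGACY = {"des": "single DES", "dh1": "768-bit Diffie-Hellman", "3des": "3DES"}

def norm(value: str) -> str:
    v = value.strip().lower()
    return ALIASES.get(v, v)

def net(spec: str) -> ipaddress.IPv4Network:
    # Accepts "a.b.c.d/24" or "a.b.c.d/255.255.255.0", as the GUIs show them.
    return ipaddress.ip_network(spec, strict=False)

def psk_digest(psk: str) -> str:
    # Compare secrets by digest so a report never carries the key itself.
    return hashlib.sha256(psk.encode()).hexdigest()[:16]

def check_tunnel(a: Dict, b: Dict) -> List[str]:
    """Return every mismatch between the two ends; [] means they agree."""
    problems = []
    for key in ("p1_enc", "p1_hash", "p1_dh", "p1_auth", "p2_enc", "p2_hash"):
        if norm(a[key]) != norm(b[key]):
            problems.append(f"{key}: {a['name']}={a[key]} vs {b['name']}={b[key]}")
    for key in ("pfs", "p2_life_s", "p2_life_kb", "subnet_exchange"):
        if a[key] != b[key]:
            problems.append(f"{key}: {a['name']}={a[key]} vs {b['name']}={b[key]}")
    # A network object must be a true network address (host bits zero), and each
    # end's remote selector must equal the other end's local network; otherwise
    # the Phase 2 proxy IDs differ and quick mode fails.
    for end, peer in ((a, b), (b, a)):
        for key in ("local_net", "remote_net"):
            if str(net(end[key]).network_address) != end[key].split("/")[0]:
                problems.append(f"{end['name']} {key} {end[key]} has host bits set")
        if net(end["remote_net"]) != net(peer["local_net"]):
            problems.append(f"{end['name']} remote_net {end['remote_net']} != "
                            f"{peer['name']} local_net {peer['local_net']}")
    if psk_digest(a["psk"]) != psk_digest(b["psk"]):
        problems.append("pre-shared key differs between the two ends")
    return problems

def legacy_warnings(end: Dict) -> List[str]:
    """Settings that negotiate fine but give little protection today."""
    warn = [f"{end['name']}: {LEGACY[norm(end[k])]} ({k})"
            for k in ("p1_enc", "p1_dh", "p2_enc") if norm(end[k]) in LEGACY]
    if not end["pfs"]:
        warn.append(f"{end['name']}: PFS disabled, so a compromised Phase 1 "
                    "key exposes every Phase 2 key derived from it")
    return warn

# This document's example values; the PSK is a constructed placeholder.
FIREBOX = dict(name="Firebox Vclass", local_net="192.168.3.0/255.255.255.0",
               remote_net="10.10.10.0/255.255.255.0", p1_enc="DES", p1_hash="SHA",
               p1_dh="IKE_MODP_768", p1_auth="Pre-Shared Key", p2_enc="3DES",
               p2_hash="SHA", pfs=False, p2_life_s=86400, p2_life_kb=8192,
               subnet_exchange=True, psk="EXAMPLE-PSK-PLACEHOLDER")
FIREWALL1 = dict(name="FireWall-1", local_net="10.10.10.0/255.255.255.0",
                 remote_net="192.168.3.0/255.255.255.0", p1_enc="DES", p1_hash="SHA1",
                 p1_dh="DH group 1 (768 bit)", p1_auth="Pre-Shared Secret",
                 p2_enc="3DES", p2_hash="SHA", pfs=False, p2_life_s=86400,
                 p2_life_kb=8192, subnet_exchange=True, psk="EXAMPLE-PSK-PLACEHOLDER")
```

Run check_tunnel(FIREBOX, FIREWALL1) after filling in the values you actually entered on each device; an empty list means the proposals agree, and legacy_warnings() lists what to revisit once the tunnel is up.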
You are now done configuring and installing the IPSec policy on your FireWall-1 appliance.

Copyright and Patent Information

Copyright 1998-2002 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, Firebox, and Designing Peace of Mind are either trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.