Configuring Checkpoint VPN-1 for use with the PGP VPN Client. PGP Version 6.5.1 Checkpoint VPN-1 Version 4



Similar documents
How To Update From The Network Associates Repository On A Virus Scan Enterprise 7.0 (Windows) On A Pc Or Macbook Or Macintosh (Windows 7) On An Ubuntu 7.5 (Windows 8) On Your Computer Or Mac Mac

PRODUCT GUIDE. McAfee QuickClean VERSION 3.0

VirusScan Wireless. Product Guide. Version 2.0

Configuring a Check Point FireWall-1 to SOHO IPSec Tunnel

Getting Started Guide

Configuring an IPSec Tunnel between a Firebox & a Check Point FireWall-1

Configuring Windows 2000/XP IPsec for Site-to-Site VPN

McAfee epolicy Orchestrator 4.5 Cluster Installation Guide

How To Industrial Networking

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall. Overview

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Sonicwall Firewall.

Configuring a WatchGuard SOHO to SOHO IPSec Tunnel

McAfee Gateway 7.x Encryption and IronPort Integration Guide

Configuring a VPN between a Sidewinder G2 and a NetScreen

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway

Chapter 4 Virtual Private Networking

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Fortinet Firewall. Overview

Katana Client to Linksys VPN Gateway

VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets

GNAT Box VPN and VPN Client

VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets

Smart Control Center. User Guide. 350 East Plumeria Drive San Jose, CA USA. November v1.0

How To Set Up A Vpn Tunnel Between Winxp And Zwall On A Pc 2 And Winxp On A Windows Xp 2 On A Microsoft Gbk2 (Windows) On A Macbook 2 (Windows 2) On An Ip

Check Point FW-1/VPN-1 NG/FP3

Configuring IPsec VPN with a FortiGate and a Cisco ASA

Release Notes McAfee Risk Advisor Software For use with epolicy Orchestrator and Software

How To Establish IPSec VPN connection between Cyberoam and Mikrotik router

Global VPN Client Getting Started Guide

Global VPN Client Getting Started Guide

McAfee Host Data Loss Prevention 9.1 Cluster Installation Guide

Configuring a Site-to-Site VPN Tunnel Between Cisco RV320 Gigabit Dual WAN VPN Router and Cisco (1900/2900/3900) Series Integrated Services Router

How To Set Up Checkpoint Vpn For A Home Office Worker

VPN Configuration Guide. Juniper Networks NetScreen / SSG / ISG Series

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

Chapter 8 Virtual Private Networking

======================================================================= Table of Contents

How do I set up a branch office VPN tunnel with the Management Server?

Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation

Configuring Check Point VPN-1/FireWall-1 and SecuRemote Client with Avaya IP Softphone via NAT - Issue 1.0

McAfee Optimized Virtual Environments - Antivirus for VDI. Installation Guide

VPNC Interoperability Profile

OfficeConnect Internet Firewall VPN Upgrade User Guide

RouteFinder. IPSec VPN Client. Setup Examples. Reference Guide. Internet Security Appliance

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC

Application Note. Configuring McAfee Firewall Enterprise for McAfee Web Protection Service

Configure an IPSec Tunnel between a Firebox Vclass & a Check Point FireWall-1

RF550VPN and RF560VPN

McAfee Optimized Virtual Environments for Servers. Installation Guide

Implementing McAfee Device Control Security

ZyWALL 5. Internet Security Appliance. Quick Start Guide Version 3.62 (XD.0) May 2004

Total Protection Service

Establishing a VPN tunnel to CNet CWR-854 VPN router using WinXP IPSec client

FILE TRANSFER PROTOCOL (FTP) SITE

Enterprise Security Management CheckPoint SecuRemote VPN v4.0 for pcanywhere

Desktop Release Notes. Desktop Release Notes 5.2.1

Installation Guide for Windows May 2016

DI-804HV with Windows 2000/XP IPsec VPN Client Configuration Guide

IPsec VPN Application Guide REV:

Release Notes for McAfee VirusScan Enterprise for Storage 1.0

Netgear ProSafe VPN firewall (FVS318 or FVM318) to Cisco PIX firewall

Device LinkUP + Desktop LP Guide RDP

VPN Configuration Guide LANCOM

WatchGuard Mobile User VPN Guide

Network/VPN Overlap How-To with SonicOS 2.0 Enhanced Updated 9/26/03 SonicWALL,Inc.

Product Guide Revision A. McAfee Secure Web Mail Client Software

VPN Configuration Guide. Cisco Small Business (Linksys) WRV210

Application Note: Integrate Juniper IPSec VPN with Gemalto SA Server. October

VPNC Interoperability Profile

CheckPoint Software Technologies LTD. How to Install and Configure SecureClient and SecureServer

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

Archive Attender Version 3.5

How to setup a VPN on Windows XP in Safari.

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

formerly Help Desk Authority Upgrade Guide

Veeam Task Manager for Hyper-V

Quick Start Guide. WRV210 Wireless-G VPN Router with RangeBooster. Cisco Small Business

Getting Started Guide

VERSION NINE. Be A Better Auditor. You Have The Knowledge. We Have The Tools. INSTALLATION GUIDE

VPN Tracker for Mac OS X

SATO Network Interface Card Configuration Instructions

Creating a Gateway to Client VPN between Sidewinder G2 and a Mac OS X Client

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

MANUFACTURER RamSoft Incorporated 243 College St, Suite 100 Toronto, ON M5T 1R5 CANADA

Understanding the Cisco VPN Client

1.6 HOW-TO GUIDELINES

Chapter 10 Troubleshooting

Product Guide Revision A. McAfee Secure Web Mail Client Software

Release Notes for McAfee epolicy Orchestrator 4.5

Allworx OfficeSafe Operations Guide Release 6.0

Using IPSec in Windows 2000 and XP, Part 2

USER GUIDE. Ethernet Configuration Guide (Lantronix) P/N: Rev 6

Andover Continuum. Network Security Configuration Guide

VPN Configuration Guide. ZyWALL USG Series / ZyWALL 1050

User's Manual. Intego Remote Management Console User's Manual Page 1

Transcription:

Configuring Checkpoint VPN-1 for use with the PGP VPN Client PGP Version 6.5.1 Checkpoint VPN-1 Version 4

COPYRIGHT Copyright 1999 Networks Associates Technology, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Networks Associates Technology, Inc., or its suppliers or affiliate companies. TRADEMARK ATTRIBUTIONS * ActiveHelp, Bomb Shelter, Building a World of Trust, CipherLink, Clean-Up, Cloaking, Compass 7, CNX, CyberCop, CyberMedia, Data Security Letter, Discover, Distributed Sniffer System, Dr Solomon s, Enterprise Secure Cast, First Aid, ForceField, Gauntlet, GMT, Hunter, ISDN Tel/Scope, LM 1, LANGuru, Leading Help Desk Technology, Magic Solutions, MagicSpy, MagicTree, Magic University, MagicWin, MagicWord, McAfee Associates, McAfee, MoneyMagic, More Power To You, Multimedia Cloaking, NetCrypto, NetRoom, NetScan, Net Shield, NetShield, Net Tools, NetOctopus, NetStalker, Network Associates, Network General, Network Uptime!, NetXRay, Nuts & Bolts, PC Medic, PCNotary, PGP, PGP (Pretty Good Privacy), PocketScope, PowerTelnet, Pretty Good Privacy, PrimeSupport, RecoverKey, RecoverKey-International, ReportMagic, RingFence, Router PM, Safe & Sound, SalesMagic, SecureCast, Service Level Manager, ServiceMagic, Site Meter, Sniffer, SniffMaster, SniffNet, Stalker, Statistical Information Retrieval (SIR), SupportMagic, T-POD, TeleSniffer, TIS, TMach, TMeg, Trusted Mach, Trusted Mail, Total Network Visibility, Total Virus Defense, Uninstaller, Virex, Virex-PC, Virus Forum, ViruScan, VirusScan, VShield, WebScan, WebShield, WebSniffer, WebStalker WebWall, and ZAC 2000 are registered trademarks of Network Associates and/or its affiliates in the US and/or other countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners. LICENSE AGREEMENT NOTICE TO ALL USERS: FOR THE SPECIFIC TERMS OF YOUR LICENSE TO USE THE SOFTWARE THAT THIS DOCUMENTATION DESCRIBES, CONSULT THE README.1ST, LICENSE.TXT, OR OTHER LICENSE DOCUMENT THAT ACCOMPANIES YOUR SOFTWARE, EITHER AS A TEXT FILE OR AS PART OF THE SOFTWARE PACKAGING. IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH THEREIN, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO THE PLACE OF PURCHASE FOR A FULL REFUND.

Table of Contents Chapter1. Introduction...5 OrganizationofthisDocument...5 BasicRequirements...5 SoftwareRequirements...5 HardwareRequirements...6 Chapter2. InstallationandConfiguration...7 InstallingPGP...7 Installing Checkpoint.....7 Settingupabasicnetwork...8 Create Checkpoint's Network Objects....9 ConfiguringtheNetworkObjects IPSecsettings...9 IntegratedFirewall Peterson...10 InternalWorkstation Versa...11 ExternalWorkstation Chico...12 Checkpointrules theverybasics...15 PGPnetConfigurationonChico...17 Configuring Checkpoint VPN-1 for the PGP VPN Client iii

Table of Contents iv Configuring Checkpoint VPN-1 for the PGP VPN Client

1Introduction 1 The PGP VPN Client is a full-featured desktop encryption and authentication solution incorporating integrated email, file, disk and network security. The virtual private network component of this product is known as PGPnet. This guide describes how to configure PGP VPN Client version 6.5.1 or later to work with Checkpoint VPN-1 software. This document does not attempt to describe how to configure Checkpoint in general. This document describes the process of establishing connections via shared secrets (passwords). Later versions of this document will discuss the use of certificates in establishing secure connections. Organization of this Document Chapter 1, Introduction (this chapter) describes product requirements and provides an overview of the configuration process. Chapter 2, Installation and Configuration describes how to configure Checkpoint VPN-1 for use with PGPnet. Basic Requirements Before you begin, we recommend that you become familiar with installing and using the PGP VPN Client. Software Requirements You must have the following software: PGP VPN Client, Version 6.5.1 The strong-crypto version of Checkpoint's VPN-1 software (TripleDES) (Your installer CD s label should state Strong DES Edition. ) The appropriate license code to use when installing ( vpnstrong ) Checkpoint sservicepack2.ensuretheoneyouuseisthe StrongDES or TripleDES version. Configuring Checkpoint VPN-1 for the PGP VPN Client 5

Introduction Hardware Requirements NOTE: This document assumes the use of a Windows NT machine running the Checkpoint firewall software. Be aware that the Checkpoint software is available on other platforms; the settings discussed in this document are Windows NT-specific. You must have the following hardware: A Windows NT 4.0 machine containing two network cards. Each card must have a static IP address. At least one Ethernet hub. At least one machine to put in the protected area behind the firewall. At least one machine to host PGPnet on the external side of the firewall. This machine must meet the requirements for PGPnet operation. 6 Configuring Checkpoint VPN-1 for the PGP VPN Client

2Installation and Configuration 2 Installing PGP The instructions for installing the PGP VPN Client are available in the documentation that accompanies the PGP product. Do not install PGP on the same machine on which you plan to install Checkpoint. Installing Checkpoint Before you install, make sure you have your Checkpoint license codes available. The license information provided by Checkpoint consists of both the features that you have purchased (such as vpnstrong ) and an alphanumeric license code. The license code is based on the features you have purchased and the external static IP address of the firewall, so bear in mind that you will need to obtain a new code from Checkpoint if your IP address changes or if you need to add more features to the firewall. NOTE: If you do receive a new license code, it does not have to replace the old one, but can be added to it. 1. On the CD, go to the Windows directory and run Setup.exe to install Checkpoint. 2. Reboot. 3. Run Checkpoint s Service Pack 2. 4. Set up an Administrator account for yourself in the FireWall-1 Configuration utility. At this point you are ready to log in to Checkpoint and set up your firewall. See the documentation that accompanies the Checkpoint VPN-1 firewall for instructions on how to log in and set up the firewall itself. Manual Name 2 7

Setting up a basic network NOTE: The following examples and screen captures are based on a test-lab setting. The examples show one of the most basic of IPSec configurations: one firewall, one external client, and one protected machine behind the firewall. The machines described in the examples have the following names: the firewall is named Peterson, the external client is named Chico, andthe protected machine is named Versa. You must supply two network cards for the machine that is housing the firewall, and each card must have a static IP address. One of the network cards is the interface to the external, or untrusted, network and the other card is the interface to the internal, or trusted, network. The test network described in this document is described below. Check with your network administrator to obtain IP addresses for your own use; the ones supplied below are examples: Name Role Interface/Location IP Address Peterson Peterson Checkpoint Firewall Checkpoint Firewall External (Untrusted) 123.45.67.89 Internal (Trusted) 192.168.100.100 Chico Workstation Untrusted Network 123.45.67.88 Versa Workstation Trusted Network 192.168.100.101 Table 2-1. The Network Objects 8 Configuring Checkpoint VPN-1 for the PGP VPN Client

Create Checkpoint's Network Objects Installation and Configuration Before you set up any FireWall-1 rules, you should set up the Network Objects (machines identified to the firewall) that will be participating in the IPSec communications. 1. Launch the Security Policy program, which should be located in Start Program Files FireWall-1 2. Log in using the Administrator account you created previously. 3. Choose Network Objects from the Manage menu. 4. Click New to create a new Integrated Firewall, and then repeat the process to add two new Workstation entries. In this case, we created the objects described in Table 2-1. Once you have created these objects, the Network Objects list will appear as shown in Figure 2-1. Figure 2-1. The Network Objects dialog box Configuring the Network Objects IPSec settings The following sections describe in detail how to configure the IPSec features of the Network Objects you created. The Network Objects consist of: The Integrated Firewall Peterson The Internal Workstation Versa The External Workstation Chico Configuring Checkpoint VPN-1 for the PGP VPN Client 9

Integrated Firewall Peterson For this example, we created a new Integrated Firewall and named it Peterson. In the Network Objects dialog box, select Peterson and click Edit. General settings Figure 2-2 displays the items that must be set on the General tabofthe Workstation Properties dialog: IP address. The IP address shown is the address of the network card for the external, or untrusted, network. Location. In the example, Location is set to Internal, meaning that the firewall is gateway between the internal and external networks. Type. Here, Type must be set to Gateway. FireWall-1 installed is checked with Version set to 4.0. Encryption Settings Figure 2-2. General settings for Peterson Once you have made settings on the General tab for Peterson, navigate to the Encryption tab as shown in Figure 2-3. Encryption Method. Enable either CAST, 3DES, or both. NOTE: Do not enable DES. PGPnet does not support 56-bit DES.Its key size is too small and it does not meet PGP s nor the IETF's standard for strong cryptography. 10 Configuring Checkpoint VPN-1 for the PGP VPN Client

Hash Method. Enable either MD5, SHA1, or both. Authentication Method. Pre-shared secret is set in Figure 2-3, butnote that you can't actually set this until the other Network Objects are created. This process is covered later in the document, in the section Encryption Settings on page 13. NOTE: Do not enable Supports Aggressive Mode, as this is not compatible with PGPnet. Internal Workstation Versa Figure 2-3. Encryption settings for Peterson In the example, Versa is the workstation used in the trusted area of the network; that is, the machine that is protected behind the firewall. NOTE: In the example, the IPSec connection is a tunnel to the firewall and not beyond it; so Versa does not require any encryption options. The IP address should be set to one that is in the same network as the internal interface of the firewall. Location is set to Internal. Type is set to Host. Configuring Checkpoint VPN-1 for the PGP VPN Client 11

External Workstation Chico Figure 2-4. General Settings for Versa Chico is a workstation that sits outside the firewall in the untrusted area. In most cases, the untrusted area is located on the Internet, outside your trusted network. Chico is the machine running PGPnet. NOTE: Shared secret authentication requires that you specify the IP address and identity of the external workstation, as shown in Figure 2-5. General Settings IP address. Enter Chico s IP address. In this example, Chico is on the same network as the external interface of thefirewall,butitneednotbethatway.theonlyrequirementisthatthe two machines be able to successfully route IP traffic back and forth. Set Location to External. Set Type to Host. 12 Configuring Checkpoint VPN-1 for the PGP VPN Client

Encryption Settings Figure 2-5. General settings for Chico Because Chico is the machine running PGPnet, you must set encryption options on Chico itself. Checkpoint, however, still needs to know what sort of IPSec traffic will be coming from that workstation. (See Figure 2-6.) Enable ISAKMP/OAKLEY. Figure 2-6. Encryption settings for Chico NOTE: Do not enable either Manual IPSec or SKIP. Click Edit. The ISAKMP Properties window appears, as shown in Figure 2-7. Configuring Checkpoint VPN-1 for the PGP VPN Client 13

Figure 2-7. ISAKMP Properties for Chico Enable either CAST, 3DES,orboth. NOTE: Do not enable DES. Enable either MD5, SHA1, orboth. NOTE: Do not enable Supports Aggressive Mode, as this is not compatible with PGPnet. EnablePre-Shared Secret and click Edit Secrets.ThiscausestheShared Secret dialog to appear, as shown in Figure 2-8. (Recall that we could not set this before with Peterson because you must have configured at least two Network Objects to set a shared secret.) Figure 2-8. Shared Secret setup Select the object/machine with which you wish to communicate. 14 Configuring Checkpoint VPN-1 for the PGP VPN Client

Click Edit and set a Shared Secret a password or passphrase. This same Shared Secret must be set in the PGPnet settings on Chico itself. This tells Checkpoint that Chico is going to attempt an IPSec connection with Peterson using the Shared Secret that you specify. Checkpoint rules the very basics In a real-world environment, a Checkpoint FireWall-1 is usually configured with a large set of rules. These rules are used to implement the organization's security policy. Here we are concerned only with the mechanics of establishing IPSec communication. Create a new rule: select Edit Add Rule Top. The FireWall-1 Security Policy dialog appears. In the new rule, right-click on Any in the Source column and choose Add. Then pick your external workstation from the Network Objects dialog (in this case, Chico). Do the same for Destination, but instead pick your internal or trusted workstation (in this case, Versa). Now set your Action to Encrypt.Todothis,right-clickonDrop in the Action column and choose Encrypt. NOTE: Do not select Client Encrypt (thisisafeatureyouwouldusewith SecuRemote). Figure 2-9. Settings for the Checkpoint Security Policy Configuring Checkpoint VPN-1 for the PGP VPN Client 15

Action Encrypt The preceding steps establish an Encrypt rule, but you still have to specify the Encryption Properties for that rule. To gettheencryption Properties dialog, right-click on the Encrypt entry in the Action column of the rule you just created. Select ISAKMP/OAKLEY as shown in Figure 2-10, and then click Edit. Figure 2-10. Encryption Properties The ISAKMP Properties dialog will appear as shown in Figure 2-11. Select either Transform choice. Figure 2-11. ISAKMP Properties ESP will perform both encryption and authentication. AH performs only authentication. If you choose AH,makesurethatyour advanced PGPnet settings have an IPSec proposal that matches this dialog. 16 Configuring Checkpoint VPN-1 for the PGP VPN Client

For Encryption Algorithm select CAST or 3DES. NOTE: Do not select DES, DES-40CP, orcast-40. For Data Integrity select either MD5 or SHA1. You mayenable Use Perfect Forward Secrecy or simply leave it unchecked. Install your new Security Policy. (See the Checkpoint documentation for instructions.) You have now completed all of the steps required for Checkpoint. PGPnet Configuration on Chico The machine in the external network the one running PGPnet needs no custom IPSec configuration settings. NOTE: If you decide to change PGPnet s default settings, do not set the following PGPnet Advanced options, as they are incompatible with Checkpoint: - 1536-bit Perfect Forward Secrecy (use 1024). - Any IPPCP settings (neither LZS nor Deflate are supported in Checkpoint). You must create Host entriesinpgpnetasshowninfigure 2-12. Formore details on configuring PGPnet and working with the Hosts panel, see the PGP documentation. Create a Gateway entry in the Host list. It should have the IP address of the external interface of the Checkpoint firewall (in this case, Peterson). IMPORTANT: The Gateway entry must have the same shared secret as that entered in the Checkpoint setup. Create a sub-entry (for Versa, in this case) underneath the Gateway. Select the Gateway entry (Peterson) andclickconnect. The green ball should appear, indicating a successful connection. Configuring Checkpoint VPN-1 for the PGP VPN Client 17

Figure 2-12. The PGPnet Hosts list 18 Configuring Checkpoint VPN-1 for the PGP VPN Client