Configuring VPN Between Checkpoint VPN
Posted on 07-Apr-2018
8/6/2019 Configuring VPN Between Checkpoint VPN
1/29
Table of Contents
Network Configuration
Figure 1 - Network Schematics
IP Addressing Scheme
Introduction
Configuring Checkpoint VPN-1/FireWall-1 Gateway
Figure 2 - SmartDashBoard
Figure 3 - Drop Rule
Creating a Network Object
Figure 4 - Network Properties
Configuring a user for remote access
Figure 5 - User Properties Window
Figure 6 - User Properties Tab (Authentication)
Figure 7 - IKE Phase 2 Properties (Authentication)
Figure 8 - IKE Phase 2 Properties (Encryption)
Figure 9 - User Properties (Certificates)
Figure 10 - Creating Group
Configuring the Firewall Object
Figure 11 - Check Point Gateway Property
Figure 12 - Check Point Gateway Property (Topology)
Adding a Certificate
Figure 13 - Check Point Gateway Property (VPN)
Figure 14 - Check Point Gateway Property (IKE Properties)
Figure 16 - Check Point Gateway Property (Remote Access)
Figure 17 - Check Point Gateway Property (Authentication)
Configuring Remote Access Community
Figure 18 - Remote Access Community Properties (Adding Participating Gateway)
Figure 19 - Remote Access Community Properties (Adding Participating Users/Groups)
Configuring Desktop Security Policy
Figure 20 - Desktop Security Rules
Configuring SecuRemote client
Figure 21 - Creating New Site (SecuRemote)
Figure 22 - Creating New Site (SecuRemote)
Figure 23 - SecuRemote Authentication
Figure 24 - Verifying Certificate (SecuRemote)
Testing VPN connection
Figure 25 - Verifying secure access to Zadibal
Questions and Feedback
Network Configuration
Figure 1 depicts a configuration in which a SecuRemote PC (ClientA) communicates sensitive and private information to networks and an individual server (zadibal) that is protected by a Check Point VPN-1/FireWall-1 Gateway (Kashmir).
Figure 1 - Network Schematics
This tutorial consists of the following configuration:
- Check Point VPN-1/FireWall-1 Gateway (Kashmir) with the following modules installed:
  - Management Module
  - Policy Server
  - VPN/FireWall Module
- A remote SecureClient PC (ClientA)
- A remote user Bob
- Server protected by VPN-1/FireWall-1 (zadibal)
IP Addressing Scheme
- Check Point VPN-1/FireWall-1 Gateway (Kashmir)
  - External Interface IP: 172.16.1.2/24
  - Internal Interface IP: 10.10.1.2/24
- Default Gateway (Router) of the Check Point VPN-1/FireWall-1 (Kashmir): 172.16.1.1
- Server protected by VPN-1/FireWall-1 (zadibal): 10.10.1.2/24
- SecuRemote client PC (ClientA): 172.16.8.2/24
Introduction
This tutorial assumes that you have basic knowledge of the Check Point Firewall and have already
installed Check Point VPN-1/FireWall-1 FP3. We will also assume that this is a fresh install of the
Firewall with no rules or objects configured. At the end of this tutorial you should be able to
configure the Check Point VPN-1/FireWall-1 to allow a remote VPN client to access the protected
resources behind the firewall.
Configuring Checkpoint VPN-1/FireWall-1 Gateway
Log on to SmartDashBoard FP3. Once you are authenticated successfully,
SmartDashBoard should look as shown below in Figure 2, without any rules or objects
except the default Check Point Gateway object.
Figure 2 - SmartDashBoard
From the menu in SmartDashBoard add a default Drop rule, which should look as shown in Figure 3.
Figure 3 - Drop Rule
Creating a Network Object
From the Objects Tree in SmartDashBoard, right click on Networks and create a New Network. Type in a descriptive name for your local network, which is protected by your
firewall, and enter the IP range of the internal network. In our case it will be 10.10.1.0/255.255.255.0. The new Network Properties window should look like the following
(Figure 4).
Figure 4 - Network Properties
Configuring a user for remote access
From the Objects Tree in SmartDashBoard, right click on Users, which should bring up the User
Properties window. Enter the name of the user under the General tab. In our case we name the user
bob. See Figure 5.
Figure 5 - User Properties Window
Click on the Authentication tab and from the drop-down menu select VPN-1 & FireWall-1 Password. Click
on the Enter Password button and enter your password. We will use abc123 (without quotes) for the
purposes of this tutorial. See Figure 6.
Figure 6 - User Properties Tab (Authentication)
DO NOT use such passwords in the real world unless you want your network to be compromised.
From the User Properties window, let's now configure the encryption properties. Click on the Encryption tab,
check the IKE box and click Edit, which should bring up the IKE Phase 2 Properties window. This window will
have two tabs, Authentication and Encryption. Under the Authentication tab check the Password (Pre-Shared
Secret) box and enter the password for IKE Phase 2. To keep this tutorial simple, we will use the same
password abc123 (without quotes). Also, leave the Public Key box checked as shown below in Figure 7.
Figure 7 - IKE Phase 2 Properties (Authentication)
Please read the IPSEC and ISAKMP RFCs for details on how IKE works. Phase 1 is usually used for
exchanging keys over an insecure mechanism using DH, and Phase 2 is generally used to exchange secret
passwords. It might not be a bad idea to use a different password for Phase 2 in a real-world scenario.
Under the Encryption tab, select Defined below, choose 3DES and MD5 and click OK. See Figure 8.
Figure 8 - IKE Phase 2 Properties (Encryption)
Now click the Certificates tab in the User Properties window. The certificate state should read as follows:
There is no certificate for this object.
Click on the Generate and Save button to create a certificate for this object. After the certificate is
successfully created, the Certificates tab should look as shown in Figure 9.
Figure 9 - User Properties (Certificates)
Since we have not created groups yet, we will exit the User Properties window and right click
on Groups in the Objects Tree in SmartDashBoard to create a new group called Sales and add
user bob to that group. See Figure 10.
Now, if you edit user bob, under the Groups tab in the User Properties window he should be in the group
Sales.
Figure 10 - Creating Group
Configuring the Firewall Object
We will now configure the Remote Access Community, which will also create an automatic VPN
rule allowing remote user bob to access the local network protected by the Check Point Firewall.
Let's first configure the FireWall-1 object (Kashmir). Right click or double click on Kashmir
in the Objects Tree in SmartDashBoard. This will bring up the Check Point Gateway properties
window. Click on General Properties and ensure VPN-1 Pro and SecureClient Policy Server are
checked. See Figure 11.
Figure 11 - Check Point Gateway Property
Click on Topology and define the interfaces (Figure 12). Select External (leads out to the Internet)
for IP 172.16.1.2. For the internal interface select Internal (leads to the local network),
then select Specific and choose the LocalNetwork object we created above. Click OK.
Figure 12 - Check Point Gateway Property (Topology)
Adding a Certificate
Click on the VPN tab and click on Add, which will bring up a dialogue prompting you to
automatically install the certificate. Click OK.
A dialogue saying that the certificate was successfully generated will follow the certificate generation
dialogue box. See Figure 13.
Figure 13 - Check Point Gateway Property (VPN)
Once this operation is successful, you will be presented with the Traditional mode IKE Properties
window. Check the Pre-Shared Secret and Exportable for SecuRemote/SecureClient check boxes
as shown in Figure 14. Click OK. If this is not the first time you are configuring this property, or
you have already created the certificate, you may click on the Traditional Mode Configuration
button to configure these properties.
Figure 14 - Check Point Gateway Property (IKE Properties)
You may choose to modify the advanced properties by clicking on the Advanced button to select
multiple DH groups and allow Aggressive mode (a two-pair exchange instead of three pairs, and
usually considered insecure). We leave these properties unchecked for the purpose of this tutorial.
Select the VPN tab and add the RemoteAccess community, which was pre-defined when we installed
the firewall. You should now see RemoteAccess under the modules participating in VPN
communities, and the default cert should also be installed. See Figure 15.
We could also have defined another community prior to this step and added the firewall object
to that community.
Figure 15 - Check Point Gateway Property (VPN)
Click on Remote Access in the main Check Point Gateway window, select Sales (the group
we created earlier) by choosing the Offer office mode to the group radio button, and select
LocalNetwork (the one created above) by choosing Manual (Use IP Pool). See Figure 16.
Figure 16 - Check Point Gateway Property (Remote Access)
Click on Authentication in the main Check Point Gateway window, check the VPN-1 &
FireWall-1 Password check box and select Sales (the group created above) under Policy
Server Users. See Figure 17.
Figure 17 - Check Point Gateway Property (Authentication)
Configuring Remote Access Community
- Clicking on the VPN Manager tab in SmartDashBoard will allow us to configure the
  Remote Access Community. Double click on the Remote Access Community object under
  this tab, which will bring up the window shown below (Figure 11).
- In the General Properties window type in any descriptive name and click OK.
- In Participating Gateways add VPN-1/FireWall-1 (Kashmir).
- In Participating User Groups add Sales. See Figure 18 and Figure 19.
Figure 18 - Remote Access Community Properties (Adding Participating Gateway)
Figure 19 - Remote Access Community Properties (Adding Participating Users/Groups)
Configuring Desktop Security Policy
Click on the Desktop Security Standard tab in SmartDashBoard and add the following two rules. These will
allow users (bob) in a group (Sales) to access the local network protected by the Check Point VPN-
1/FireWall-1 (Kashmir) gateway. Your rules should look as shown in Figure 20.
Figure 20 - Desktop Security Rules
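To see why the rule order and the default Drop rule from Figure 3 matter, here is a small first-match rule-base evaluator written for this page (added example; not Check Point code and not from the original tutorial). It models the tutorial's LocalNetwork object and the Sales group containing bob; the accept rule it uses for Sales towards LocalNetwork is an assumed stand-in for the two desktop rules, which the page does not spell out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Objects mirroring the tutorial: the LocalNetwork object (Figure 4) and the
# Sales group containing user bob (Figure 10). Values are constructed here.
LOCAL_NETWORK = ipaddress.ip_network("10.10.1.0/255.255.255.0")
GROUPS = {"Sales": {"bob"}}


@dataclass
class Rule:
    name: str
    src_group: Optional[str]              # None = any user
    dst: Optional[ipaddress.IPv4Network]  # None = any destination
    action: str                           # "accept" or "drop"


# Assumed rule base: one accept rule for the Sales group towards LocalNetwork,
# followed by the explicit default Drop rule added in Figure 3.
RULEBASE = [
    Rule("sales-to-localnet", "Sales", LOCAL_NETWORK, "accept"),
    Rule("default-drop", None, None, "drop"),
]


def first_match(user: str, dst_ip: str, rulebase=RULEBASE,
                groups=GROUPS) -> Tuple[str, str]:
    """Evaluate the rule base top-down: the first rule whose source group and
    destination object both match decides. If no rule matches at all, the
    implicit cleanup behaviour assumed here is to drop."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rulebase:
        if rule.src_group is not None and user not in groups.get(rule.src_group, set()):
            continue
        if rule.dst is not None and dst not in rule.dst:
            continue
        return rule.name, rule.action
    return "implicit-cleanup", "drop"


if __name__ == "__main__":
    # bob reaching zadibal (10.10.1.2) is accepted; a user outside Sales, or
    # bob reaching the router 172.16.1.1, hits the default Drop rule.
    for user, ip in [("bob", "10.10.1.2"), ("alice", "10.10.1.2"), ("bob", "172.16.1.1")]:
        print(user, "->", ip, first_match(user, ip))
```

Swapping the two rules puts the Drop rule first and blocks bob as well, which is the usual way a VPN policy silently breaks.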
Configuring SecuRemote client
We assume SecuRemote is already installed. Go to the Programs menu and click on SecuRemote.
In the SecuRemote menu, click on Sites --> Create New. See Figure 21.
Figure 21 - Creating New Site (SecuRemote)
Type in any nickname for your Gateway and enter the IP address of the Firewall's external interface.
See Figure 22. Click OK.
Figure 22 - Creating New Site (SecuRemote)
You will be prompted with the VPN-1 SecuRemote Authentication window. Here you can either use the user
name and password we created above on the Gateway, or use the certificate. In this tutorial we will use
the password.
Enter the user name "bob" and password "abc123" and click OK. See Figure 23.
Figure 23 - SecuRemote Authentication
Once you enter the username and password, you will be prompted to verify the certificate. See
Figure 24.
Figure 24 - Verifying Certificate (SecuRemote)
Click OK; you should get a user authentication success message.
Testing VPN connection
You should be able to access all resources behind the firewall based on the policies for SecuRemote on
the VPN-1/FireWall-1 Gateway.
Since we configured all parameters, I should be able to access Zadibal (the server behind Kashmir),
which is 10.10.3.2, from my remote PC 172.16.8.2 (ClientA). The Firewall will take care of all NATing and
encryption for you. This is the beauty of Check Point VPN-1/FireWall-1 NG FP3 VPN.
Figure 25 - Verifying secure access to Zadibal
Congratulations! You have successfully completed the VPN configuration between the
SecuRemote client and VPN-1/FireWall-1 NG FP3.
Questions and Feedback
This is not a perfect document and was developed in a very limited time, so please email all questions,
issues, and errors you find to tasawar@securenode.com
Please DO NOT try this tutorial in a live environment; this is just a tutorial for users/Sys Admins new to
the Check Point Firewall and for the purpose of learning the basics of VPN-1/FireWall-1 NG FP3.