
Version 2.

HOW-TO GUIDELINES
Setting up a Clustered VPN between StoneGate and Check Point NG

TECHN11SG2.1 - 3/4/03

Introduction
This document outlines the steps necessary to set up a clustered site-to-site VPN between StoneGate v2.0.6 and Check Point Next Generation (NG) Feature Pack 3 (FP3). Ensure that StoneBeat FullCluster, Check Point NG and StoneGate have already been installed.

Network Environment
The example network setting depicted in Figure 1.1 illustrates the network environment you are going to configure.
FIGURE 1.1 Network Environment

There are two different firewalls:

StoneGate firewall cluster v2.0.6, which connects the following networks:
- the external IP address (212.20.1.254)
- the internal network (encryption domain internal-sg-lan) (172.16.1.0/24)
- the Control and Heartbeat LAN (192.168.10.0/24)

Check Point NG FP3 (build 53225) running on SUN Solaris 2.8 (64-bit) with recommended patches, clustered with StoneBeat FullCluster 3.0 SP 2-1 (build 3041). It connects the following networks:
- the external IP address (212.20.4.254)
- the internal network (encryption domain intra) (10.0.1.0/24)
- the Control and Heartbeat LAN (172.16.56.0/24)

Getting Started
In order to configure the VPN parameters in Check Point NG with FullCluster, you must first have completed the following essential steps:
1. Delete the routes through the alias interfaces (cluster IP address).
2. If you are using a Cisco router, you must statically add the router's ARP entry on the cluster nodes, and the corresponding cluster multicast MAC addresses on the Cisco router.
3. Define the correct load balancing filter settings ($SBFCHOME/etc/filter.conf) for the VPN. (In this example, the following IP addresses are used for the tunnel: 212.20.4.254, 212.20.1.254 and 172.16.1.0 netmask 255.255.255.0.)

In order to configure the VPN parameters in the StoneGate firewall cluster v2.0.6, make sure that you have completed the following steps before configuring the StoneGate VPN:
1. If you are using a Cisco router, you must statically add the router's ARP entry on the cluster nodes, and the corresponding cluster multicast MAC addresses on the Cisco router.
2. Create all the required network elements. In Check Point NG, the gateway cluster object must be used for the VPN.

Configuring the VPN

VPN Parameters
First, you will configure the VPN settings in Check Point NG. Then, you will configure the VPN settings in StoneGate. The following IPsec parameters will be used to create the VPN tunnel between StoneGate and Check Point NG:

IKE Phase 1:
- Authentication method: Pre-shared secret
- Diffie-Hellman Group 2
- IKE Negotiation mode: Main
- 3DES + SHA1

IKE Phase 2:
- ESP 3DES + SHA1
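As an added example (not part of the Stonesoft guide), the following Python models the IKEv1 proposal match these parameters produce between the two gateways and flags the DES and MD5 options that the Check Point steps leave enabled on the gateway cluster object while the community and the StoneGate VPN element pin 3DES + SHA1. The proposal lists are constructed from the guide's values; treating each list as the full set a gateway accepts is an assumption.

```python
from itertools import product

# Algorithms a defender should not leave negotiable on a production gateway.
WEAK = {"DES", "MD5"}

# Proposal sets constructed from the values the guide configures (assumption:
# each list holds every option the gateway accepts for that parameter).
# Check Point gateway cluster object (Illustrations 1.3/1.4): 3DES+DES, MD5+SHA-1, DH 2, PSK.
CHECKPOINT_P1 = {"encryption": ["3DES", "DES"], "integrity": ["SHA1", "MD5"],
                 "dh_group": [2], "auth": ["PSK"], "mode": ["main"]}
# StoneGate VPN element (Illustration 1.22): 3DES, SHA-1, PSK, DH 2, main mode.
STONEGATE_P1 = {"encryption": ["3DES"], "integrity": ["SHA1"],
                "dh_group": [2], "auth": ["PSK"], "mode": ["main"]}
# Phase 2: the meshed community selects 3DES/SHA1; StoneGate selects ESP (SHA-1 + 3DES).
CHECKPOINT_P2 = {"protocol": ["ESP"], "encryption": ["3DES"], "integrity": ["SHA1"]}
STONEGATE_P2 = {"protocol": ["ESP"], "encryption": ["3DES"], "integrity": ["SHA1"]}


def negotiate(initiator, responder):
    """Return the first initiator proposal the responder accepts, or None.

    An IKEv1 responder picks the first acceptable proposal in the initiator's
    order, so list order in the initiator dict decides the outcome.
    """
    keys = tuple(initiator)
    for combo in product(*(initiator[k] for k in keys)):
        if all(v in responder.get(k, []) for k, v in zip(keys, combo)):
            return dict(zip(keys, combo))
    return None


def weak_still_enabled(proposals):
    """Weak algorithms this gateway would still accept from a less strict peer."""
    enabled = set(proposals.get("encryption", [])) | set(proposals.get("integrity", []))
    return sorted(WEAK & enabled)


def check_tunnel(a_p1, b_p1, a_p2, b_p2):
    """Run phase 1 in both directions and phase 2 once; report what was chosen."""
    return {
        "p1_a_initiates": negotiate(a_p1, b_p1),
        "p1_b_initiates": negotiate(b_p1, a_p1),
        "p2": negotiate(a_p2, b_p2),
        "weak_a": weak_still_enabled(a_p1),
        "weak_b": weak_still_enabled(b_p1),
    }


if __name__ == "__main__":
    for name, value in check_tunnel(CHECKPOINT_P1, STONEGATE_P1,
                                    CHECKPOINT_P2, STONEGATE_P2).items():
        print(name, value)
```

The tunnel itself lands on 3DES/SHA1/DH 2 in both directions, but the report shows the Check Point side would still accept DES or MD5 from a different peer, which is the setting to review once interoperability testing is done.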

VPN settings in Check Point NG

To configure the VPN settings in Check Point NG, follow the instructions:
1. Open the Check Point NG SmartDashboard.
2. Open the Global Properties window from the menu: Policy > Global Properties.

ILLUSTRATION 1.1 Choosing the VPN Configuration Method

3. The Global Properties window will appear on the screen. Select VPN-1 Pro from the tree on the left side of the window. Mark the checkbox labelled Simplified mode to all new Security Policies as in Illustration 1.1 on page 5. Click OK.
4. Expand the tree on the left side of the screen by clicking on the plus (+), then right-click on the Check Point gateway cluster object and select Properties.

ILLUSTRATION 1.2 Gateway Cluster Properties window

5. The Gateway Cluster Properties window will appear on screen. Select Topology from the tree on the left side of the window.
6. Check the radio button Manually defined. Then, select the defined VPN domain to be your internal LAN (in our example, we will select intra).
7. Select VPN in the tree on the left side of the Gateway Cluster Properties window. Then, click on Traditional mode configuration.
8. Click OK.

ILLUSTRATION 1.3 Traditional Mode IKE Properties

9. The Traditional mode IKE Properties window will appear on screen:
- scroll down the list under the Support key exchange encryption with panel and select 3DES and DES by clicking on the checkboxes on the left side
- select MD5 and SHA-1 under the Support data integrity with panel
- mark Pre-Shared Secret
- click on Advanced

ILLUSTRATION 1.4 Advanced IKE Properties

The Traditional mode Advanced IKE Properties window will appear on the screen. Select the Group 2 (1024 bit) checkbox under Support Diffie-Hellman groups for IKE (phase 1) Security associations and click OK. Click OK again to apply the Traditional mode IKE properties for the gateway cluster object.

ILLUSTRATION 1.5 Interoperable Device - StoneGate window

10. Right-click on Interoperable Devices from the tree on the left side of the screen and select New Interoperable Device.
11. In the General Properties section, name the object and write its IP address. (In our example, we will name it StoneGate and use the IP address 212.20.1.254.)

ILLUSTRATION 1.6 Interoperable Device - StoneGate

12. Click on Topology from the tree on the left side. Click the radio button under the VPN Domain panel to indicate Manually defined. Then, select your remote encryption domain (in our example, we will select sginternal-lan).
13. Now, you will configure the IKE phase-1 settings for StoneGate. Click on VPN from the tree on the left side. Then, click on Traditional mode configuration. The Traditional mode IKE Properties window will appear on screen.

ILLUSTRATION 1.7 Traditional Mode IKE Properties window

Select 3DES and DES under Support key exchange encryption with; check the MD5 and SHA-1 checkboxes under Support data integrity with; then check Pre-Shared Secret under Support authentication methods and click on the Edit Secrets button.
ILLUSTRATION 1.8 Shared Secret dialog box


The Shared Secret dialog box will appear on the screen. Click on the cluster for which you want to define the shared secret (in our example, clusteri). Then, click on Edit and write the shared secret. Finally, click OK. Click on Advanced. The Traditional mode Advanced IKE Properties window will appear on the screen. Select the Group 2 (1024 bit) checkbox under Support Diffie-Hellman groups for IKE (phase 1) Security associations and click OK. Illustration 1.4 on page 8 shows a completed example.
14. Open the VPN Manager and select Meshed topology (MyIntranet).
ILLUSTRATION 1.9 Meshed Community Properties - My Intranet
15. The Meshed Community Properties window will appear on the screen. Click on Participating Gateways from the tree on the left side of the window.
16. Then, click on Add and add the participating security gateways. (In our example, we will add clusteri and StoneGate.)
17. Edit the VPN properties by clicking on VPN Properties from the tree on the left side of the window.


ILLUSTRATION 1.10 VPN Properties

18. Use the scroll list to select the following properties:
- Perform key exchange encryption with: 3DES
- Perform data integrity with: SHA1
- Perform IPsec data encryption with: 3DES
- Perform data integrity with: SHA1
19. Next, click on Advanced Properties from the tree on the left side of the window.


ILLUSTRATION 1.11 Advanced VPN Properties

20. The Advanced Properties options will appear on the right side of the window. Select Group 2 (1024 bit) as the Diffie-Hellman group for IKE phase-1.
21. Click on Shared Secret from the tree.
ILLUSTRATION 1.12 Shared Secret Configuration


22. Select Use only Shared Secret for all External members. Then, define a shared secret for StoneGate by clicking on Edit. (In our example, the shared secret is abc123 as in Illustration 1.12 on page 14.)
ILLUSTRATION 1.13
23. After you have configured the VPN between the two gateways, you can create access rules to test how VPN traffic is handled by Check Point NG. Open the SmartDashboard to design the rules as in Illustration 1.13.

VPN settings in StoneGate

To configure the VPN settings in StoneGate, follow the instructions:
1. In the StoneGate Control Panel, open the VPN Manager by clicking on its icon.


ILLUSTRATION 1.14 Internal Security Gateway

2. Create a new Internal Security Gateway element by selecting its icon on the toolbar.
3. In the General tab, name the gateway (e.g. Finland) and select your local firewall from the options provided. The default SGW Settings in the other tab need not be changed. The VPN Client NAT Pool will be left blank. See Illustration 1.14.


ILLUSTRATION 1.15 End-Points Tab

4. Switch to the End-Points tab and then name the end-points. Select your firewall's external IP address, and click Add to insert the name and IP address of the end-point in the text box. (In our example, 212.20.1.254.) Click OK.
5. You need to define the other end of the VPN next. Therefore, you must also create your partner's security gateway as an element.
6. In the VPN Manager, click the External Security Gateway icon to open the External Security Gateway Properties dialog box.

ILLUSTRATION 1.16 External Security Gateway Properties

7. In the General tab, name the external gateway (e.g. NG). Select Check Point NG as the Gateway Type.


ILLUSTRATION 1.17 External End-Points Tab

8. Switch to the End-Points tab and click the radio button Static IP.
9. Give the end-point a name (NG FP3) and select its external IP address (212.20.4.254).
10. Click the Add button to insert the name and IP address of the end-point in the text box.
11. Click OK.


ILLUSTRATION 1.18 Capabilities

12. Define the capabilities as in Illustration 1.18.

Configuring the Encryption Domains

You need to assign sites to both defined security gateways.
1. In the VPN Manager, select the Gateways and Sites tab. Ensure that you have the Repository View on the left panel.

ILLUSTRATION 1.19 New VPN site behind the security gateway

2. Drag and drop your internal network from the left onto your internal security gateway on the right panel.

Now, you will repeat the previous step for the external security gateway:
1. Drag and drop your partner's internal network from the left onto the external security gateway on the right panel.
2. When finished, your Security Gateway View should resemble Illustration 1.19.

Creating a VPN Element

After defining the security gateways functioning as end-points of the VPN, you can create the actual VPN element.
1. In the VPN Manager, click the VPN icon.
2. In the displayed dialog box, specify the name of the VPN (NG to SG). Click OK.


ILLUSTRATION 1.20 VPN view

3. Switch to the VPNs tab to see the newly created VPN element.
4. In the VPNs window, drag and drop both gateway elements from the left panel onto the VPN element you created on the right panel. See Illustration 1.20.
5. Set the properties of the VPN by selecting the VPN you just created. Right-click on it and select Properties from the contextual menu. The VPN Editor window will open.
ILLUSTRATION 1.21 VPN Editor


6. In the VPN Editor window, click on the IKE proposal button located in the Logical Tunnels panel on the left.
ILLUSTRATION 1.22 IKE Phase I


7. The IKE Phase 1 window will open. Select the IKE Phase 1 tab. Select 3DES, SHA-1 and Pre-shared key, and set the Diffie-Hellman Group for IKE to the value 2. Then, select Main as the IKE Negotiation Mode.
8. Switch to the Pre-Shared Key tab.
ILLUSTRATION 1.23 Pre-Shared Key tab
9. Type in the same pre-shared key used previously in the NG VPN configuration. (In our example, abc123.) The Certificate Authorities tab need not be changed.
10. Click OK to return to the VPN Properties dialog box.
11. Click on Encryption Policy from the VPN Editor.


ILLUSTRATION 1.24 Connection Encryption Policy window

12. Select Override VPN Policy Settings For this Connection. Check the radio buttons Net under Security Association Granularity and Use IKE under IPsec Mode. See Illustration 1.24.
13. Click on IPsec Proposals to define the IKE phase-2 settings.


ILLUSTRATION 1.25 IPsec Proposals

14. Select ESP (SHA-1 + 3DES) 60min / 2000000KB under the IPsec Proposals panel. Click OK to return to the Connection Encryption Policy window.
15. Click OK.
16. Now your tunnel mode is set to Normal.

Create a VPN Rule Base

After you have configured the VPN between the two gateways, you can create access rules to test how VPN traffic is handled by StoneGate. Open the Security Policy Manager to design the rules.
1. Create a new policy by clicking the New icon on the tool bar.
2. In the opened dialog box, set the type as Normal, name the rule base SG-NG VPN, and select the default Template.

3. Once your new rule base opens, click on the green line saying Access rule: insert point, and click Add Rule.
4. For the new rule, fill in the cells as follows:
- Source: drag and drop the StoneGate internal network here.
- Destination: drag and drop the Check Point NG internal network here.
- Service: ANY.
- Action: select Enforce VPN NG to SG VPN.
- Options: set the Log Level as Essential.
5. Create a new rule under the one you just created by right-clicking on its row and selecting Add Rule After.
6. Fill in the cells as follows:
- Source: drag and drop the Check Point internal network here.
- Destination: drag and drop the StoneGate internal network here.
- Service: ANY.
- Action: select Enforce VPN NG to SG VPN.
- Options: set the Log Level as Essential.
7. Save and install the policy by clicking the Save and Install icon.
ILLUSTRATION 1.26 VPN rules


Trademarks and Patents

Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-link technology, multi-link VPN, and the StoneGate clustering technology, as well as other technologies included in StoneGate, are protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are property of their respective owners.

Copyright and Disclaimer

Copyright 2000-2003 Stonesoft Corporation. All rights reserved. These materials, Stonesoft products and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means, without written authorization of Stonesoft Corporation. The Stonesoft Secure Application Partnership Program is a validation service offered by Stonesoft to allow end users to make an informed decision when choosing hardware for their StoneGate High Availability Firewall and VPN solutions. Under Stonesoft's Secure Application Partnership Program, certification is granted based on tests performed under specific operating conditions in a controlled environment. The details of these tests are available from Stonesoft upon request. Stonesoft does not guarantee the accuracy, adequacy or completeness of its certification testing of third party hardware products and shall not be liable if the testing results and/or determinations are inaccurate, inadequate or incomplete. End users are solely responsible for determining on their own whether a given third party hardware configuration is suitable for their needs.

BY CERTIFYING THIRD PARTY HARDWARE PRODUCTS, STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO TESTING RESULTS, INFORMATION CONTAINED IN THESE MATERIALS, OR ANY INFORMATION OR DATA PROVIDED IN RELATION TO THE SECURE APPLICATION PARTNERSHIP PROGRAM. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO INFORMATION CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.

Revision: HWTO11SG20-3/4/03

International Headquarters
Stonesoft Corp., Itlahdenkatu 22a, FIN-00210 Helsinki, Finland
+358-9-4767 11 tel., +358-9-4767 1234 fax, info.emea@stonesoft.com
Business ID: 0837548-0, VAT number: FI08375480

Americas Headquarters
Stonesoft Inc., 115 Perimeter Center Place, South Terraces, Suite 1000, Atlanta, GA 30346
770 668-1125 tel., 770 668-1131 fax, info.americas@stonesoft.com

Asia Pacific Headquarters
Stonesoft Corp., 90 Cecil Street #11-01, 069531 Singapore
+65 63251390 tel., +65 63251399 fax, info.asiapacific@stonesoft.com

www.stonesoft.com
