Configuring VPN Between Checkpoint VPN


  • 8/6/2019 Configuring VPN Between Checkpoint VPN


    Table of Contents

    Network Configuration

    Figure 1 Network Schematics

    IP Addressing Scheme

    Introduction

    Configuring Checkpoint VPN-1/FireWall-1 Gateway

    Figure 2 - SmartDashBoard

    Figure 3 Drop Rule

    Creating a Network Object

    Figure 4 Network Properties

    Configuring a user for remote access

    Figure 5 User Properties Window

    Figure 6 User Properties Tab (Authentication)

    Figure 7 IKE Phase 2 Properties (Authentication)

    Figure 8 IKE Phase 2 Properties (Encryption)

    Figure 9 User Properties (Certificates)

    Figure 10 Creating Group

    Configuring the Firewall Object

    Figure 11 Check Point Gateway Property

    Figure 12 Check Point Gateway Property (Topology)

    Adding a Certificate

    Figure 13 - Check Point Gateway Property (VPN)

    Figure 14 - Check Point Gateway Property (IKE Properties)

    Figure 15 - Check Point Gateway Property (VPN)

    Figure 16 - Check Point Gateway Property (Remote Access)

    Figure 17 - Check Point Gateway Property (Authentication)

    Configuring Remote Access Community

    Figure 18 Remote Access Community Properties (Adding Participating Gateway)

    Figure 19 - Remote Access Community Properties (Adding Participating Users/Groups)

    Configuring Desktop Security Policy

    Figure 20 Desktop Security Rules

    Configuring SecuRemote client

    Figure 21 Creating New Site (SecuRemote)

    Figure 22 - Creating New Site (SecuRemote)

    Figure 23 SecuRemote Authentication

    Figure 24 Verifying Certificate (SecuRemote)

    Testing VPN connection

    Figure 25 Verifying secure access to Zadibal

    Questions and Feedback


    Network Configuration

    Figure 1 depicts a configuration in which a SecuRemote PC (ClientA) communicates sensitive and private information to networks and an individual server (zadibal) that are protected by the Check Point VPN-1/FireWall-1 Gateway (Kashmir).

    Figure 1 Network Schematics

    This tutorial consists of the following configuration:

    • Check Point VPN-1/FireWall-1 Gateway (Kashmir) with the following modules installed:

      • Management Module

      • Policy Server

      • VPN/FireWall Module

    • A remote SecureClient PC (ClientA)

    • A remote user Bob

    • Server protected by VPN-1/FireWall-1 (zadibal)


    IP Addressing Scheme

    • Check Point VPN-1/FireWall-1 Gateway (Kashmir)

      • External Interface IP: 172.16.1.2/24

      • Internal Interface IP: 10.10.1.2/24

      • Default Gateway (Router) of the Check Point VPN-1/FireWall-1 (Kashmir): 172.16.1.1

    • Server protected by VPN-1/FireWall-1 (zadibal): 10.10.1.2/24 as given here. Note that this collides with the gateway's internal interface address, and that the Testing VPN connection section later refers to zadibal as 10.10.3.2, which lies outside the 10.10.1.0/24 LocalNetwork object created below. When you build this lab, give the server a free address inside the internal network.

    • SecuRemote client PC (ClientA): 172.16.8.2/24

    Introduction

    This tutorial assumes that you have basic knowledge of Check Point Firewall and have already installed Check Point VPN-1/FireWall-1 NG FP3. We also assume that this is a fresh install of the firewall with no rules or objects configured. At the end of this tutorial you should be able to configure Check Point VPN-1/FireWall-1 to allow a remote VPN client to access the protected resources behind the firewall.


    Configuring Checkpoint VPN-1/FireWall-1 Gateway

    Log on to SmartDashBoard FP3. Once you are authenticated successfully, SmartDashBoard should look as shown in Figure 2: no rules and no objects except the default Check Point Gateway object.

    Figure 2 - SmartDashBoard


    From the menu in SmartDashBoard add a default Drop rule, which should look as shown in Figure 3. This cleanup rule drops anything that no earlier rule explicitly accepts; every rule added later in this tutorial sits above it.

    Figure 3 Drop Rule

    Creating a Network Object

    From the Objects Tree in SmartDashBoard right click on Network Objects and create a New Network. Type in a descriptive name for the local network protected by your firewall and enter the IP range of the internal network. In our case it is 10.10.1.0/255.255.255.0. The new Network Properties window should look like Figure 4.


    Figure 4 Network Properties


    Configuring a user for remote access

    From the Objects Tree in SmartDashBoard right click on Users, which brings up the User Properties window. Enter the name of the user under the General tab. In our case we name the user bob (Figure 5).

    Figure 5 User Properties Window


    Click on the Authentication tab and from the drop-down menu select VPN-1 & FireWall-1 Password. Click on the Enter Password button and enter your password. We will use abc123 (without quotes) for the purposes of this tutorial. See Figure 6.

    Figure 6 User Properties Tab (Authentication)

    DO NOT use such passwords in the real world unless you want your network to be compromised.

    From the User Properties window, now configure the encryption properties. Click on the Encryption tab, check the IKE box and click Edit, which brings up the IKE Phase 2 Properties window. This window has two tabs, Authentication and Encryption. Under the Authentication tab check the Password (Pre-Shared Secret) box and enter the pre-shared secret. To keep this tutorial simple, we will use the same password abc123 (without quotes). Also leave the Public Key box checked, as shown in Figure 7.


    Figure 7 IKE Phase 2 Properties (Authentication)

    Please read the IPsec and ISAKMP/IKE RFCs (RFC 2401, RFC 2408 and RFC 2409) for details on how IKE works. In short: Phase 1 authenticates the two peers (here with the pre-shared secret, or with certificates) and runs a Diffie-Hellman exchange over the untrusted network to set up an encrypted ISAKMP SA; Phase 2 then runs inside that protected channel to negotiate the IPsec SAs and the keys that actually encrypt user traffic. The pre-shared secret is therefore a key-exchange credential, not a login password, and in a real-world scenario it should be different from the password the user types at the SecuRemote prompt.

    Under the Encryption tab, select Defined below and choose 3DES and MD5, then click OK. See Figure 8. Both algorithms are what this FP3 lab offers and are used here for the tutorial; both are considered legacy today, and a current deployment should prefer AES with a SHA-2 integrity algorithm wherever the peers support them.


    Figure 8 IKE Phase 2 Properties (Encryption)

    Now click the Certificates tab in the User Properties window. The certificate state should read: There is no certificate for this object.

    Click on the Generate and Save button to create a certificate for this object. After the certificate is successfully created, the Certificates tab should look as shown in Figure 9.


    Figure 9 User Properties (Certificates)

    Since we have not created groups yet, exit the User Properties window and right click on Groups in the Objects Tree in SmartDashBoard to create a new group called Sales, then add user bob to that group. See Figure 10.

    Now, if you edit user bob, under the Groups tab in the User Properties window he should be in the group Sales.


    Figure 10 Creating Group

    Configuring the Firewall Object

    We will now configure the Remote Access community, which also creates an automatic VPN rule allowing remote user bob to access the local network protected by the Check Point firewall.

    Let's first configure the FireWall-1 object (Kashmir). Right click or double click on Kashmir in the Objects Tree in SmartDashBoard. This brings up the Check Point Gateway properties window. Click on General Properties and ensure VPN-1 Pro and SecureClient Policy Server are checked. See Figure 11.


    Figure 11 Check Point Gateway Property

    Click on Topology and define the interfaces (Figure 12). Select External (leads out to the Internet) for IP 172.16.1.2. For the internal interface select Internal (leads to the local network), then select Specific and choose the LocalNetwork object we created above. Click OK. By default the internal side defined here becomes the gateway's encryption domain, i.e. the set of addresses remote clients are allowed to reach through the VPN, so a server that is not covered by this topology is not reachable over the tunnel.


    Figure 12 Check Point Gateway Property (Topology)


    Adding a Certificate

    Click on the VPN tab and click Add, which brings up a dialog offering to install the certificate automatically. Click OK.

    A dialog saying that the certificate was successfully generated follows the certificate generation dialog. See Figure 13.

    Figure 13 - Check Point Gateway Property (VPN)


    Once this operation is successful, you are presented with the Traditional mode IKE Properties window. Check the Pre-Shared Secret and Exportable for SecuRemote/SecureClient check boxes as shown in Figure 14. Click OK. If this is not the first time you are configuring this property, or you have already created the certificate, click the Traditional Mode Configuration button to reach these properties.

    Figure 14 - Check Point Gateway Property (IKE Properties)

    You may modify the advanced properties by clicking on the Advanced button, where you can select multiple DH groups and allow Aggressive mode. Aggressive mode completes Phase 1 in three messages instead of Main mode's six, but it does so by sending the identities and the responder's authentication hash in the clear; with pre-shared secrets that hash can be tested offline against password guesses, which is why it is generally considered insecure. We leave these properties unchecked for the purpose of this tutorial.
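    The following is an added example (my code, not Check Point's) that works through the IKEv1 Phase 1 pre-shared-key derivation from RFC 2409 section 5.4 with the MD5 prf this tutorial selects, and then shows concretely what the Aggressive mode caveat above means: HASH_R is computed only from public exchange values plus SKEYID, and SKEYID depends on nothing secret but the pre-shared key. The DH group is a toy modulus chosen so the script runs instantly (real IKE uses the MODP groups of RFC 2409 / RFC 3526), and the SA and ID payload bodies are constructed placeholders. In Main mode HASH_R travels encrypted under SKEYID_e, so an eavesdropper cannot run the check at the end; in Aggressive mode it travels in the clear, so a weak secret such as abc123 falls to a wordlist.

```python
"""IKEv1 Phase 1 key derivation with pre-shared-key authentication (RFC 2409 s.5.4).

Added example, not Check Point code. Toy DH group, constructed payloads, HMAC-MD5
as the prf because the tutorial picks MD5.
"""
import hashlib
import hmac
import random
from typing import Optional, Tuple

# Toy DH parameters (constructed for this example; NOT an IKE group).
P = 2**127 - 1            # Mersenne prime M127
G = 3
P_LEN = 16                # bytes needed to encode a group element


def prf(key: bytes, data: bytes) -> bytes:
    """IKE prf = HMAC keyed with the negotiated hash; MD5 here, as in the tutorial."""
    return hmac.new(key, data, hashlib.md5).digest()


def i2b(n: int) -> bytes:
    return n.to_bytes(P_LEN, "big")


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b): the only secret input is the PSK."""
    return prf(psk, ni + nr)


def derive_keys(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> Tuple[bytes, bytes, bytes]:
    """SKEYID_d / _a / _e: derivation, authentication and encryption keys of the ISAKMP SA.
    These mix in g^xy, so learning SKEYID alone does not decrypt the channel."""
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b).
    Every input except SKEYID is a public value from the exchange."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def phase1_psk(psk: bytes, seed: int = 1) -> dict:
    """Run both sides of a Phase 1 PSK authentication with deterministic randomness.
    Returns what an eavesdropper sees ('public') and what each peer derives."""
    rnd = random.Random(seed)
    xi = rnd.getrandbits(120) | 1                       # initiator DH exponent
    xr = rnd.getrandbits(120) | 1                       # responder DH exponent
    gxi, gxr = i2b(pow(G, xi, P)), i2b(pow(G, xr, P))
    ni = rnd.getrandbits(128).to_bytes(16, "big")       # nonces
    nr = rnd.getrandbits(128).to_bytes(16, "big")
    cky_i = rnd.getrandbits(64).to_bytes(8, "big")      # ISAKMP cookies
    cky_r = rnd.getrandbits(64).to_bytes(8, "big")
    # Constructed SA payload body (3DES/MD5/PSK proposal) and responder ID body.
    sai_b = bytes([0, 0, 0, 1]) + b"3DES-MD5-PSK-DH2"
    idir_b = bytes([1, 0, 0, 0]) + bytes([172, 16, 1, 2])   # ID_IPV4_ADDR of Kashmir

    # Each side computes g^xy from the other's public value.
    gxy_initiator = i2b(pow(int.from_bytes(gxr, "big"), xi, P))
    gxy_responder = i2b(pow(int.from_bytes(gxi, "big"), xr, P))

    skeyid = skeyid_psk(psk, ni, nr)
    h_r = hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b)
    return {
        "public": {"gxi": gxi, "gxr": gxr, "ni": ni, "nr": nr, "cky_i": cky_i,
                   "cky_r": cky_r, "sai_b": sai_b, "idir_b": idir_b, "hash_r": h_r},
        "gxy_initiator": gxy_initiator,
        "gxy_responder": gxy_responder,
        "keys_initiator": derive_keys(skeyid, gxy_initiator, cky_i, cky_r),
        "keys_responder": derive_keys(skeyid, gxy_responder, cky_i, cky_r),
    }


def psk_candidate_matches(public: dict, candidate: bytes) -> bool:
    """Recompute HASH_R from public values and a guessed PSK.
    Main mode: HASH_R is encrypted under SKEYID_e, so a sniffer cannot run this.
    Aggressive mode: HASH_R is in the clear, so this is an offline dictionary test."""
    skeyid = skeyid_psk(candidate, public["ni"], public["nr"])
    guess = hash_r(skeyid, public["gxi"], public["gxr"], public["cky_i"],
                   public["cky_r"], public["sai_b"], public["idir_b"])
    return hmac.compare_digest(guess, public["hash_r"])


def guess_psk(public: dict, wordlist) -> Optional[str]:
    for word in wordlist:
        if psk_candidate_matches(public, word.encode()):
            return word
    return None


if __name__ == "__main__":
    run = phase1_psk(b"abc123")
    print("peers agree on g^xy:", run["gxy_initiator"] == run["gxy_responder"])
    print("PSK recovered from a cleartext HASH_R:",
          guess_psk(run["public"], ["letmein", "abc123", "zadibal"]))
```

    The lesson for the properties window above: leaving Aggressive mode off keeps HASH_R inside the encrypted channel, and whichever mode is used, the pre-shared secret is the whole strength of Phase 1 authentication, so it deserves a long random value rather than a reused login password.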

    Select the VPN tab and add the RemoteAccess community, which was pre-defined when we installed the firewall. RemoteAccess should now appear among the VPN communities this module participates in, and the default certificate should also be listed. See Figure 15.


    We could also have defined another community prior to this step and added the firewall object to that community.

    Figure 15 - Check Point Gateway Property (VPN)

    Click on Remote Access in the main Check Point Gateway window. Choose the Offer Office Mode to group radio button and select Sales, the group we created earlier; then choose Manual (use IP Pool) and select LocalNetwork (the one created above). See Figure 16. Office Mode hands each connecting client an address from this pool for the session; in production, use a dedicated range that does not overlap the real internal subnet, so that pool addresses cannot collide with hosts on 10.10.1.0/24 and are routed back to the gateway.


    Figure 16 - Check Point Gateway Property (Remote Access)

    Click on Authentication in the main Check Point Gateway window, check the VPN-1 & FireWall-1 Password check box and select Sales (the group created above) under Policy Server Users. See Figure 17.


    Figure 17 - Check Point Gateway Property (Authentication)


    Configuring Remote Access Community

    • Click on the VPN Manager tab in SmartDashBoard to configure the Remote Access community. Double click on the Remote Access community object under this tab, which brings up the window shown in Figure 18.

    • In General Properties type in any descriptive name and click OK.

    • In Participating Gateways add VPN-1/FireWall-1 (Kashmir).

    • In Participating User Groups add Sales. See Figure 18 and Figure 19.


    Figure 18 Remote Access Community Properties (Adding Participating Gateway)


    Figure 19 - Remote Access Community Properties (Adding Participating Users/Groups)


    Configuring Desktop Security Policy

    Click on the Desktop Security Standard tab in SmartDashBoard and add the following two rules. They allow users (bob) in a group (Sales) to access the local network protected by the Check Point VPN-1/FireWall-1 (Kashmir) gateway. Your rules should look as shown in Figure 20.

    Figure 20 Desktop Security Rules
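    As an added example (my model of the matching this tutorial describes, not Check Point's own code), here is a first-match evaluator over the two-rule gateway policy the Configuring the Firewall Object section ends up with: the Remote Access rule that the community creates, then the default Drop rule. The desktop policy above is evaluated the same way, first match wins. Two details the rules in the figures carry but the prose does not spell out: the source column of a remote-access rule is a user group at any address, so it only matches traffic that arrives authenticated through the RemoteAccess community, and the destination must lie inside the LocalNetwork encryption domain. That second point is why the 10.10.3.2 address the Testing VPN connection section gives for zadibal would be dropped by the cleanup rule under the 10.10.1.0/24 object configured here. Object names, group membership and the packet fields are taken from the tutorial; the data model itself is an assumption for illustration.

```python
"""First-match evaluation of the rule base this tutorial builds.

Added example; a model of the matching described in the text, not Check Point
code. Rule base: the automatic Remote Access rule (user group Sales at any
address, destination = LocalNetwork encryption domain, VPN = RemoteAccess
community, accept), followed by the default Drop rule.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOCAL_NETWORK = ipaddress.ip_network("10.10.1.0/24")   # the LocalNetwork object
USER_GROUPS = {"Sales": {"bob"}}                        # group Sales containing bob


@dataclass
class Packet:
    src: str
    dst: str
    user: Optional[str] = None        # SecuRemote user after successful authentication
    community: Optional[str] = None   # VPN community the packet arrived through (None = clear)


@dataclass
class Rule:
    name: str
    action: str                                   # "accept" or "drop"
    dst: Optional[ipaddress.IPv4Network] = None   # None = Any
    user_group: Optional[str] = None              # "Sales@Any" style source: group at any IP
    community: Optional[str] = None               # VPN column; None = Any


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.user_group is not None:
        # A user-group source never matches unauthenticated traffic, whatever its IP.
        if pkt.user is None or pkt.user not in USER_GROUPS.get(rule.user_group, set()):
            return False
    if rule.community is not None and pkt.community != rule.community:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule; implicit drop otherwise."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "drop", "implicit"


TUTORIAL_RULEBASE = [
    Rule("Remote Access", "accept", dst=LOCAL_NETWORK,
         user_group="Sales", community="RemoteAccess"),
    Rule("Cleanup", "drop"),
]


def bob_to_server(dst: str) -> Tuple[str, str]:
    """bob, authenticated through the RemoteAccess community, reaching a server address."""
    return evaluate(TUTORIAL_RULEBASE,
                    Packet(src="172.16.8.2", dst=dst, user="bob", community="RemoteAccess"))


if __name__ == "__main__":
    print(bob_to_server("10.10.1.50"))   # inside the encryption domain: accepted
    print(bob_to_server("10.10.3.2"))    # address the Testing section gives: outside it, dropped
    print(evaluate(TUTORIAL_RULEBASE, Packet("172.16.8.2", "10.10.1.50")))  # clear traffic
```

    Swapping the two rules so the Drop rule comes first drops everything, which is the practical reason the cleanup rule is added first and every later rule is placed above it.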


    Configuring SecuRemote client

    We assume SecuRemote is already installed. Go to the Programs menu and click on SecuRemote. In the SecuRemote menu click Sites --> Create New. See Figure 21.

    Figure 21 Creating New Site (SecuRemote)

    Type in any nickname for your gateway and enter the IP address of the firewall's external interface (172.16.1.2 in this lab). See Figure 22. Click OK.

    Figure 22 - Creating New Site (SecuRemote)


    You are prompted with the VPN-1 SecuRemote Authentication window. Here you can either use the user name and password we created above on the gateway or use the certificate. In this tutorial we use the password.

    Enter the user name "bob" and password "abc123" and click OK. See Figure 23.

    Figure 23 SecuRemote Authentication

    Once you enter the user name and password, you are prompted to verify the gateway's certificate. See Figure 24. Compare the fingerprint shown with that of the certificate you generated on the gateway before accepting it: this prompt is what binds the site to your firewall rather than to whatever host answered at that IP address.


    Figure 24 Verifying Certificate (SecuRemote)

    Click OK; you should get a user authentication success message.


    Testing VPN connection

    You should be able to access all resources behind the firewall that the SecuRemote policies on the VPN-1/FireWall-1 gateway permit.

    Since we have configured all parameters, you should be able to access zadibal, the server behind Kashmir, from the remote PC 172.16.8.2 (ClientA). The server is given here as 10.10.3.2, whereas the addressing scheme above lists it as 10.10.1.2; whichever address it really has must fall inside the LocalNetwork encryption domain for the Remote Access rule to match. The firewall takes care of the NAT and the encryption for you. This is the beauty of the Check Point VPN-1/FireWall-1 NG FP3 VPN.

    Figure 25 Verifying secure access to Zadibal

    Congratulations! You have successfully completed the VPN configuration between

    SecuRemote client and VPN-1/Firewall-1 NG FP3


    Questions and Feedback

    This is not a perfect document and was developed in a very limited time, so please email all questions, issues, and errors you find to [email protected]

    Please DO NOT try this tutorial in a live environment; it is just a tutorial for users and sysadmins new to Check Point Firewall, for the purpose of learning the basics of VPN-1/FireWall-1 NG FP3.