©2010 Check Point Software Technologies Ltd. All rights reserved. Classification: [Unrestricted] — For everyone | P. 1

GOST Supplement V1.5 for VPN-1 NGX R65 HFA_50

Installation and Configuration Guide

In this Document

Introduction....................................................................................................................... 2

Licensing .......................................................................................................................... 2

Installation ........................................................................................................................ 2 Step #1: Install CryptoPro Libraries (module only) .....................................................................................2 Step #2: Copy Check Point Signature Files (module only) .........................................................................3 Step #3: Install VPN-1 Supplement (module and management) ................................................................3 Step #4: Install SmartDashboard ................................................................................................................4 Step #5: Configuration.................................................................................................................................5

Uninstallation .................................................................................................................... 8

Appendix 1: Configure PSK for IKE Authentication........................................................... 9

Appendix 2: How to configure RNG for CSP on SPLAT ................................................. 13

Appendix 3: How to find Site ID ...................................................................................... 14

Appendix 4: An example of Site Key generation............................................................. 15


Introduction

This guide provides the essential steps for installing, licensing and configuring GOST supplement V1.5 for VPN-1 NGX R65 HFA 50. Review this information before setting up GOST supplement V1.5.

Note – Before installing this supplement, make sure you have VPN-1 NGX R65 HFA 50 installed on your gateway and SmartCenter/Provider-1 servers. Installation information for NGX R65 HFA 50 may be downloaded from the Check Point Support Center (http://support.checkpoint.com).

Licensing

GOST supplement V1.5 requires two additional licenses:

1. Check Point GOST license. SKU: CPVP-VPG-GOST. The Check Point GOST license is not part of the 15-day evaluation license.

2. CryptoPro license.

To view the CryptoPro license:

/opt/cprocsp/sbin/ia32/cpconfig -license -view

To set the CryptoPro license:

/opt/cprocsp/sbin/ia32/cpconfig -license -set <license>

Installation

The GOST V1.5 installation consists of Check Point VPN-1 and Provider-1 hotfixes, a new SmartDashboard version, Check Point signature files and the CryptoPro libraries.

Before installing this supplement on a gateway or SmartCenter/MDS (SPLAT or Linux only), make sure you have VPN-1 NGX R65 HFA 50 installed.

Note – For a successful installation, perform the following steps in the order they appear in this document.

Step #1: Install CryptoPro Libraries (module only)

Install the CryptoPro libraries (CSP + IKE&IPSEC) and the auxiliary libraries for Linux/SPLAT on the VPN-1 gateway. Both the SMP and non-SMP kernel packages may be installed on the same machine; the variant matching the running kernel is the one that will be used.


CryptoPro libraries may be downloaded from: http://www.cryptopro.ru/cryptopro/download/

Install the libraries by running rpm -ivh *.rpm on your gateway, in the directory that contains the downloaded packages.

CryptoPro rpm files:

libstdc++-3.4.4-2.fc3.i386.rpm

cprocsp-compat-splat-1.0.0-1.noarch.rpm

lsb-cprocsp-3.6.4-3.i486.rpm

lsb-cprocsp-base-3.6.4-3.noarch.rpm

lsb-cprocsp-capilite-3.6.4-3.i486.rpm

lsb-cprocsp-drv-2.4.21-21cp-3.6.4-3.i486.rpm

lsb-cprocsp-drv-2.4.21-21cpsmp-3.6.4-3.i486.rpm

lsb-cprocsp-ipsec-esp-2.4.21-21cp-3.6.4-3.i486.rpm

lsb-cprocsp-ipsec-esp-2.4.21-21cpsmp-3.6.4-3.i486.rpm

lsb-cprocsp-ipsec-genpsk-3.6.4-3.i486.rpm

lsb-cprocsp-ipsec-ike-3.6.4-3.i486.rpm

lsb-cprocsp-rdr-3.6.4-4.i486.rpm

Remove libcurl from the CryptoPro configuration file by executing the following command:

/opt/cprocsp/sbin/ia32/cpconfig -ini '\config\apppath\libcurl.so' -delparam

After the installation, install the CryptoPro license by running:

/opt/cprocsp/sbin/ia32/set_driver_license.sh

Step #2: Copy Check Point Signature Files (module only)

Download the Check Point signature files for the CryptoPro libraries and copy them to the following directories on the VPN-1 gateway:

cp libike_gost.so.sig $FWDIR/conf

cp esp_gost.o.nonsmp.sig $FWDIR/modules

cp esp_gost.o.smp.sig $FWDIR/modules

Step #3: Install VPN-1 Supplement (module and management)

Perform the following on the VPN-1 gateway and SmartCenter server/MDS (SPLAT or Linux only):

Note – The following actions should be performed on all gateways, SmartCenter servers, and MDS and MLM machines.

• Backup the following directories:

o $FWDIR/bin

o $FWDIR/lib

o $FWDIR/boot

o $FWDIR/conf

o $CPDIR/lib

• Download the file: VPN1_R65_HFA50_HF_GOST_V1.5.tgz (Build 620927019) into a temporary folder on the VPN-1 gateway and SmartCenter server/MDS.

• For Provider-1 environment, additional supplement is required. Download the file: PV1_R65_HFA50_HF_GOST_V1.5.tgz (Build 620927006) for each MDS/MLM machine.

• Execute cpstop command.

• Extract and run the executable file. For Provider-1, run first the VPN1 executable and then the PV1 executable.

• Install Check Point GOST license.

• After the installation is completed, reboot the machines.
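Step #3 asks for a backup of five directories but does not say how to take one that the uninstall fallback ("restore the directories that you backed up") can actually restore. The script below is an added example, not part of this guide or of Check Point's tooling. It assumes FWDIR and CPDIR are set in the environment, as the Check Point environment scripts set them; the function names and the archive name are this example's own.

```shell
#!/bin/sh
# Added example, not code from the Check Point guide: take the backup that
# Step #3 requires before the supplement is installed, and verify it.
# Archives $FWDIR/bin, $FWDIR/lib, $FWDIR/boot, $FWDIR/conf and $CPDIR/lib
# relative to / so that a restore is a single "tar -xzf <archive> -C /".

# Usage: backup_cp_dirs <destination directory>; prints the archive path.
# Returns non-zero if the environment or any source directory is missing,
# or if the archive cannot be read back.
backup_cp_dirs() {
    dest=$1
    if [ -z "$FWDIR" ] || [ -z "$CPDIR" ]; then
        echo "backup_cp_dirs: FWDIR and CPDIR must be set (source the Check Point environment)" >&2
        return 1
    fi
    for d in "$FWDIR/bin" "$FWDIR/lib" "$FWDIR/boot" "$FWDIR/conf" "$CPDIR/lib"; do
        [ -d "$d" ] || { echo "backup_cp_dirs: $d is not a directory" >&2; return 1; }
    done
    mkdir -p "$dest" || return 1
    archive="$dest/gost-pre-install-$(date +%Y%m%d-%H%M%S).tgz"
    # Paths are stored without the leading "/" (tar -C /), so a restore
    # lands exactly where the files came from.
    tar -czf "$archive" -C / "${FWDIR#/}/bin" "${FWDIR#/}/lib" \
        "${FWDIR#/}/boot" "${FWDIR#/}/conf" "${CPDIR#/}/lib" || return 1
    # Read the archive back: an unreadable backup is worse than none.
    tar -tzf "$archive" >/dev/null || return 1
    echo "$archive"
}

# Count archive members under a path, e.g. to confirm conf/ was captured.
archive_members_under() {
    tar -tzf "$1" | grep -c "^${2#/}/"
}

# On a gateway or management server: sh backup.sh --run /var/tmp/gost-backup
if [ "${1:-}" = "--run" ]; then
    backup_cp_dirs "${2:-/var/tmp/gost-backup}"
fi
```

Run it after sourcing the Check Point environment and before cpstop; keep the printed archive path. If the uninstall later fails, `tar -xzf <archive> -C /` puts the five directories back as they were.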

Step #4: Install SmartDashboard

Download and install SmartConsole_620001002_1.exe on your SmartConsole host (Windows only).

Note – If the boot fails after the VPN-1 supplement installation, the most likely cause is that the CryptoPro RPMs are not installed (the VPN kernel module cannot load without them). To get the RPMs installed, temporarily disable loading of the VPN kernel module as follows:

1. Boot into maintenance mode.

2. vi /etc/init.d/fw1boot

3. Comment out the line load_kmodule vpnmod "VPN-1" "$vpnloadmod" by adding '#' at the beginning of the line.

4. Save and reboot.

5. Install the CryptoPro RPMs.

6. Un-comment the above line.

7. Save and reboot.

Note – This SmartConsole version does not support Connectra plug-in that is older than R66.


Step #5: Configuration

Configure a pseudo random number generator (PRNG)

For this configuration, refer to the CryptoPro documentation, which may be downloaded from http://www.cryptopro.ru. An example of PRNG configuration may be found in Appendix 2.

Define the community to use GOST

In Community Properties → VPN Properties, check the "This community uses GOST…" check box. The encryption and data integrity algorithm options, as well as the DH group options, are then grayed out.


Define Site Key/Site Certificate for enforcement modules that will use GOST

A Site Key or Site Certificate is used for internal encryption between cluster members, and between the libraries on a single cluster member or single gateway. For a single gateway, the site certificate is the same certificate that is used for IKE authentication (certificate configuration is described below). For a cluster configuration, only a Site Key may be used.

For a single gateway the default is to prefer the Site Certificate and fall back to the Site Key if no certificate is found. To use the Site Key only, set the registry key gost_use_site_cert to 0. To change back to the default, set the value to 1.

To set the registry key:

ckp_regedit -a SOFTWARE/CheckPoint/VPN1 gost_use_site_cert -n <key_value>

To configure the Site Key, in Gateway properties → VPN → VPN Advanced, click on Pre-Shared Secret and enter this gateway's Site Key.


Example for Site Key generation may be found in this document at Appendix 4.

Configure GOST Certificates

A GOST CA should be configured like any other external CA:

• Add the GOST CA as a trusted CA.

• Create a request for the gateway certificate, storing the keys on the module.

• Create the certificate on the CA using the certificate request.

• In SmartDashboard, insert the new certificate into the gateway object.

• In a cluster configuration, a certificate should be created for each cluster member.

Note – In order to generate GOST certificates, an external CA supporting GOST is needed, for instance Microsoft CA with the CryptoPro CSP package for Windows.

Configure Global VPN Community (Provider-1 environments only)

• Choose a GOST CA that all the relevant CMAs will have to trust, and add this CA as trusted to all relevant CMAs.

• Generate GOST certificates from this CA for the relevant network objects.

• Enable global use for the network objects and add them to the Global VPN Community.

• Mark the community to use GOST.

• Assign the global policy and install policy on the CMAs.

Note – The Site Key is 28 characters long.


Uninstallation

Gateway and SmartCenter

To uninstall the VPN-1 supplement, perform the following actions on the VPN-1 gateway and on the SmartCenter server:

• Run the uninstall script located under $FWDIR.

• cp $FW_BOOT_DIR/fw1boot /etc/rc.d/init.d/fw1boot

If you encounter problems during the uninstall process, restore the directories that you backed up and then contact the Check Point Support Center for assistance.

Provider-1

To uninstall the VPN-1 supplement on an MDS, perform the following actions:

• mdsenv

• mdsstop

• Run the PV-1 uninstall script located under $MDSDIR.

• Run the VPN-1 uninstall script located under /opt/CPsuite-R65.

• cp $FW_BOOT_DIR/fw1boot /etc/rc.d/init.d/fw1boot

• Copy classes.c from $MDS_TEMPLATE/conf to the following directories:

MDS (after mdsenv):

o $MDSDIR/conf

o $MDSDIR/conf/defaultDatabase

o $MDSDIR/conf/mdsdb

o $MDSDIR/conf/mdsdb/defaultDatabase

CMA (after mdsenv <cma_name>):

o $FWDIR/conf

o $FWDIR/conf/defaultDatabase

• Update the database according to the scheme:

for the MDS:

o mdsenv

o cd $MDSDIR/conf/mdsdb

o rm mdsdb_new_scheme.C

o cpdb scheme_adjust --db_type mdsdb --db_path $MDSDIR/conf/mdsdb --src_path $MDSDIR/conf/mdsdb

o cd $MDSDIR/conf

o rm new_scheme.C

o cpdb scheme_adjust --db_type global

for each CMA:

o mdsenv <cma-name>

o cd $FWDIR/conf

o rm new_scheme.C

o cpdb scheme_adjust --db_type cma


Appendix 1: Configure PSK for IKE Authentication

This appendix is relevant only if you choose not to use certificates for authentication. Using GUIDBEdit, go to the community property "use_gost_ike_cert" and set its value to "false".

For each GOST module, in Gateway properties → VPN → Traditional mode configuration, check the "Pre-Shared Secret" check box (steps 1-3 in the picture below).

For each pair of GOST modules in the same community, in Gateway properties → VPN → Traditional mode configuration → Edit Secrets, select the peer, click the 'Edit' button, enter the IKE PSK and click 'Set' (steps 1-8 in the picture below). After setting the IKE PSK on one of the modules in a pair, there is no need to set it on the other.

Note – The IKE PSK consists of 56 characters.

Note – For externally managed gateways the IKE PSK should be configured in the same way as for all other gateways; do not use the pre-shared secret dialog in the community properties.

[Screenshot: Gateway properties → VPN → Traditional mode configuration → Edit Secrets, with callouts 1-8 marking the steps described above]


Example of IKE Pre-Shared Key generation

On a machine with CSP installed run:

bash /opt/cprocsp/bin/ia32/cp-genpsk.sh <pair_name> <net_id> <expiry> <GW_1_Site_ID> <GW_2_Site_ID>

pair_name is a name for the pair of machines this key is generated for; it can be any string and need not relate to the configuration.

net_id should be Net.

expiry is a number from 1 to 6 defining the expiration time in months.

GW_N_Site_ID is the Site ID of the Nth gateway in the pair; see Appendix 3 on where to find it.

Concatenate Part 0 and Part 1 of the first gateway's key, and then Part 0 and Part 1 of the second gateway's key.

In the example on the next page the following IKE Pre-Shared Key is generated:

Part 0 Site 1 + Part 1 Site 1 + Part 0 Site 2 + Part 1 Site 2

948AZ65V617GZ6 + 8M5V1TTUURACU6 + UDQE383VR2UNF7 + F6TXXUNLF29291 → 948AZ65V617GZ68M5V1TTUURACU6UDQE383VR2UNF7F6TXXUNLF29291

Note – It is very important to concatenate the parts in the correct order. The tool prints Part 0 for both sites first and then Part 1 for both sites; if the parts are numbered in that printed order as 1 2 3 4, the concatenation order is 1 3 2 4.

Note – The IKE PSK, like the Site Key, is generated from the Site IDs and should be re-generated in one of the following scenarios: 1. VPN was disabled and enabled. 2. The gateway's certificate issued by the Internal CA was renewed.

Example of IKE Pre-Shared Key generation

bash /opt/cprocsp/bin/ia32/cp-genpsk.sh GOST_lab_CP Net 6 EF:50:3F:90:0E:B1:1C:01:D4:B1:01:1B:38:37:59:62:81:DE:A6:D3 05:9C:C9:2C:85:6E:65:7F:30:1C:E4:14:95:20:D3:A5:90:E1:6E:15

Output:

Convert to integer
EF:50:3F:90:0E:B1:1C:01:D4:B1:01:1B:38:37:59:62:81:DE:A6:D3 = 0x71b4a787
Convert to integer
05:9C:C9:2C:85:6E:65:7F:30:1C:E4:14:95:20:D3:A5:90:E1:6E:15 = 0xe217fbe0
genpsk
UTC Mon Feb 25 16:49:15 2008
GOST_lab_CP. Number of stations 2.
Stations:
EF:50:3F:90:0E:B1:1C:01:D4:B1:01:1B:38:37:59:62:81:DE:A6:D3
05:9C:C9:2C:85:6E:65:7F:30:1C:E4:14:95:20:D3:A5:90:E1:6E:15
Part 0. Valid for (months) 6.
GOST_lab_CP UTC Mon Feb 25 16:49:15 2008
EF:50:3F:90:0E:B1:1C:01:D4:B1:01:1B:38:37:59:62:81:DE:A6:D3 part 0
valid for (months) 6
948AZ65V617GZ6
948AZ65V617GZ6
948AZ65V617GZ6
GOST_lab_CP UTC Mon Feb 25 16:49:15 2008
05:9C:C9:2C:85:6E:65:7F:30:1C:E4:14:95:20:D3:A5:90:E1:6E:15 part 0
valid for (months) 6
UDQE383VR2UNF7
UDQE383VR2UNF7
UDQE383VR2UNF7
genpsk
UTC Mon Feb 25 16:49:15 2008
GOST_lab_CP. Number of stations 2.
Stations:
EF:50:3F:90:0E:B1:1C:01:D4:B1:01:1B:38:37:59:62:81:DE:A6:D3
05:9C:C9:2C:85:6E:65:7F:30:1C:E4:14:95:20:D3:A5:90:E1:6E:15
Part 1. Valid for (months) 6.
GOST_lab_CP UTC Mon Feb 25 16:49:15 2008
EF:50:3F:90:0E:B1:1C:01:D4:B1:01:1B:38:37:59:62:81:DE:A6:D3 part 1
valid for (months) 6
8M5V1TTUURACU6
8M5V1TTUURACU6
8M5V1TTUURACU6
GOST_lab_CP UTC Mon Feb 25 16:49:15 2008
05:9C:C9:2C:85:6E:65:7F:30:1C:E4:14:95:20:D3:A5:90:E1:6E:15 part 1
valid for (months) 6
F6TXXUNLF29291
F6TXXUNLF29291
F6TXXUNLF29291


Appendix 2: How to configure RNG for CSP on SPLAT

Note – Refer to the CryptoPro documentation on RNG configuration. The information in this appendix is for example purposes only and cannot be used in a production environment.

1. Copy the library into the CSP library directory:

cp librdrrndm0.so /opt/cprocsp/lib/ia32/

2. Register the library in CSP:

/opt/cprocsp/sbin/ia32/cpconfig -ini '\config\apppath' -add string librdrrndm0.so /opt/cprocsp/lib/ia32/librdrrndm0.so

3. Register a new PRNG in CSP for the highest level (0):

/opt/cprocsp/sbin/ia32/cpconfig -hardware rndm -add Rndm0 -name librnd -level 1

To view the PRNG list:

/opt/cprocsp/sbin/ia32/cpconfig -hardware rndm -view


Appendix 3: How to find Site ID

The Site ID is the SHA-1 fingerprint of the gateway's certificate issued by the Internal CA (the site certificate). It can be found in Gateway properties → VPN → Certificates table → View.

Use the first form of the SHA-1 fingerprint, the one consisting of 40 hexadecimal digits separated by colons. For example:

EF:50:3F:90:0E:B1:1C:01:D4:B1:01:1B:38:37:59:62:81:DE:A6:D3

Note – The Site ID changes in one of the following scenarios: 1. VPN was disabled and enabled. 2. The gateway's certificate issued by the Internal CA was renewed.


Appendix 4: An example of Site Key generation

On a machine with CSP installed execute the following command:

bash /opt/cprocsp/bin/ia32/cp-genpsk.sh <machine_name> <net_id> <expiry> <Site_ID>

machine_name is a name for the machine this key is generated for; it can be any string and need not relate to the configuration.

net_id should be Net.

expiry is a number from 1 to 6 defining the expiration time in months.

Site_ID – see Appendix 3 on where to find it.

The Site Key is 28 characters long. Due to GOST certification requirements, the key is printed in two parts of 14 characters each. Concatenate Part 0 and Part 1 to get the Site Key.

Example of Site Key generation:

bash /opt/cprocsp/bin/ia32/cp-genpsk.sh GOST_lab_CP Net 6 EF:50:3F:90:0E:B1:1C:01:D4:B1:01:1B:38:37:59:62:81:DE:A6:D3

Output:

Convert to integer
EF:50:3F:90:0E:B1:1C:01:D4:B1:01:1B:38:37:59:62:81:DE:A6:D3 = 0x71b4a787
genpsk
UTC Tue Jan 29 18:30:41 2008
GOST_lab_CP. Number of stations 1.
Stations:
EF:50:3F:90:0E:B1:1C:01:D4:B1:01:1B:38:37:59:62:81:DE:A6:D3
Part 0. Valid for (months) 6.
GOST_lab_CP UTC Tue Jan 29 18:30:41 2008
EF:50:3F:90:0E:B1:1C:01:D4:B1:01:1B:38:37:59:62:81:DE:A6:D3 part 0
valid for (months) 6
893D5WNKNW1AP4
893D5WNKNW1AP4
893D5WNKNW1AP4
genpsk
UTC Tue Jan 29 18:30:41 2008
GOST_lab_CP. Number of stations 1.
Stations:
EF:50:3F:90:0E:B1:1C:01:D4:B1:01:1B:38:37:59:62:81:DE:A6:D3
Part 1. Valid for (months) 6.
GOST_lab_CP UTC Tue Jan 29 18:30:41 2008
EF:50:3F:90:0E:B1:1C:01:D4:B1:01:1B:38:37:59:62:81:DE:A6:D3 part 1
valid for (months) 6
T2PYY6A49E50U5
T2PYY6A49E50U5
T2PYY6A49E50U5

Site Key:

"893D5WNKNW1AP4" + "T2PYY6A49E50U5" → 893D5WNKNW1AP4T2PYY6A49E50U5

Note – The Site Key should be re-generated in one of the following scenarios: 1. VPN was disabled and enabled. 2. The gateway's certificate issued by the Internal CA was renewed.
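Assembling the key from the printed parts is where the ordering mistake that Appendix 1 warns about (1 3 2 4, not 1 2 3 4) actually happens, and the tool prints every part three times, which invites copy-and-paste errors. The script below is an added example, not part of this guide or of the CryptoPro tools. It reads the text that cp-genpsk.sh prints, assuming the layout reproduced in Appendices 1 and 4 (a "Stations:" list that fixes the station order, then one "<fingerprint> part N" header per part followed by the part value), keeps the first copy of each 14-character part, concatenates station by station (Part 0 then Part 1 of station 1, then Part 0 and Part 1 of station 2), and fails if any part is missing. The sample inputs are the guide's own Appendix 1 and Appendix 4 output, condensed; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the Check Point guide or from CryptoPro.
# Assembles an IKE PSK (two stations, 56 chars) or a Site Key (one station,
# 28 chars) from the text printed by cp-genpsk.sh, in the order the guide
# requires: all parts of station 1, then all parts of station 2.
# Assumed output layout: a "Stations:" list giving the station order, then one
# "<fingerprint> part N" header per part, followed by the part value (printed
# three times by the tool; only the first copy is taken).

# Read cp-genpsk.sh output on stdin, print the assembled key on stdout.
# Exit status is non-zero if the Stations: list or any part is missing.
assemble_psk() {
    awk '
    /^Stations:$/ { in_stations = 1; next }
    in_stations && /^[0-9A-F][0-9A-F]:/ {
        if (!($1 in idx)) idx[$1] = ++n      # station number = list order
        next
    }
    /^Part [0-9]+\./ { in_stations = 0; next }
    /^[0-9A-F][0-9A-F]:/ && $2 == "part" && ($1 in idx) {
        st = idx[$1]; pt = $3 + 0; want = 1  # next key line belongs here
        if (pt + 1 > nparts) nparts = pt + 1
        next
    }
    want && length($1) == 14 && $1 ~ /^[0-9A-Z]+$/ {
        key[st, pt] = $1; want = 0           # first of the repeated copies
        next
    }
    END {
        if (n == 0) { print "no Stations: list in input" > "/dev/stderr"; exit 1 }
        out = ""
        for (s = 1; s <= n; s++)
            for (p = 0; p < nparts; p++) {
                if (!((s, p) in key)) {
                    print "missing part " p " of station " s > "/dev/stderr"
                    exit 1
                }
                out = out key[s, p]
            }
        print out
    }'
}

# Two-station output condensed from the guide's Appendix 1 example.
sample_pair() {
cat <<'EOF'
genpsk
GOST_lab_CP. Number of stations 2.
Stations:
EF:50:3F:90:0E:B1:1C:01:D4:B1:01:1B:38:37:59:62:81:DE:A6:D3
05:9C:C9:2C:85:6E:65:7F:30:1C:E4:14:95:20:D3:A5:90:E1:6E:15
Part 0. Valid for (months) 6.
EF:50:3F:90:0E:B1:1C:01:D4:B1:01:1B:38:37:59:62:81:DE:A6:D3 part 0
valid for (months) 6
948AZ65V617GZ6
948AZ65V617GZ6
948AZ65V617GZ6
05:9C:C9:2C:85:6E:65:7F:30:1C:E4:14:95:20:D3:A5:90:E1:6E:15 part 0
valid for (months) 6
UDQE383VR2UNF7
genpsk
Stations:
EF:50:3F:90:0E:B1:1C:01:D4:B1:01:1B:38:37:59:62:81:DE:A6:D3
05:9C:C9:2C:85:6E:65:7F:30:1C:E4:14:95:20:D3:A5:90:E1:6E:15
Part 1. Valid for (months) 6.
EF:50:3F:90:0E:B1:1C:01:D4:B1:01:1B:38:37:59:62:81:DE:A6:D3 part 1
valid for (months) 6
8M5V1TTUURACU6
05:9C:C9:2C:85:6E:65:7F:30:1C:E4:14:95:20:D3:A5:90:E1:6E:15 part 1
valid for (months) 6
F6TXXUNLF29291
EOF
}

# One-station output condensed from the guide's Appendix 4 example.
sample_single() {
cat <<'EOF'
Stations:
EF:50:3F:90:0E:B1:1C:01:D4:B1:01:1B:38:37:59:62:81:DE:A6:D3
Part 0. Valid for (months) 6.
EF:50:3F:90:0E:B1:1C:01:D4:B1:01:1B:38:37:59:62:81:DE:A6:D3 part 0
893D5WNKNW1AP4
Stations:
EF:50:3F:90:0E:B1:1C:01:D4:B1:01:1B:38:37:59:62:81:DE:A6:D3
Part 1. Valid for (months) 6.
EF:50:3F:90:0E:B1:1C:01:D4:B1:01:1B:38:37:59:62:81:DE:A6:D3 part 1
T2PYY6A49E50U5
EOF
}

# Demo on the embedded samples. The keys are secrets: in real use pipe the
# tool straight in (bash .../cp-genpsk.sh ... | assemble_psk) rather than
# pasting the parts from a terminal.
psk=$(sample_pair | assemble_psk) && echo "IKE PSK (${#psk} chars): $psk"
site=$(sample_single | assemble_psk) && echo "Site Key (${#site} chars): $site"
```

The station order comes from the "Stations:" list, which is the order the Site IDs were given on the command line, so the first Site ID passed is station 1. A missing or mangled part makes the script exit non-zero instead of producing a key of the wrong length, which is the failure a practitioner wants to catch before the PSK is typed into SmartDashboard.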