VPN Tracker for Mac OS X
How-to:
Interoperability with
CheckPoint VPN-1
Rev. 1.0
Copyright © 2003 equinux USA Inc. All rights reserved.
1. Introduction
This document describes how VPN Tracker can be used to establish a connection between a Macintosh running Mac OS X and a CheckPoint VPN-1 VPN Appliance. The entire CheckPoint VPN-1 product range should be compatible with VPN Tracker. equinux has tested the CheckPoint VPN-1 with FP3 and FP4.
The CheckPoint VPN-1 VPN Appliance is configured as a router, connecting a company LAN to the Internet.
The example demonstrates a connection scenario, with a dial-in Mac connecting to a CheckPoint VPN-1 VPN Appliance.
This paper is only a supplement to, not a replacement for, the instructions that have been included with your CheckPoint VPN-1. Please be sure to read and understand those instructions before beginning.
All trademarks, product names, company names, logos, screenshots displayed, cited or otherwise indicated on the How-to are the property of their respective owners.
EQUINUX SHALL HAVE ABSOLUTELY NO LIABILITY FOR ANY DIRECT OR INDIRECT, SPECIAL OR OTHER CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE USE OF THE HOW-TO OR ANY CHANGE TO THE ROUTER GENERALLY, INCLUDING WITHOUT LIMITATION, ANY LOST PROFITS, BUSINESS, OR DATA, EVEN IF EQUINUX HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
2. Prerequisites
Firstly, you should use a recent software version.
For this document, VPN-1 FP3 and FP4 have been used.
The type of VPN Tracker license needed (Personal or Professional edition) depends on the connection scenario you are using:
• If you connect a dial-in Mac without its own subnet to the CheckPoint VPN-1, you need a Personal License.
• If you want to establish a LAN-to-LAN connection from your Mac to the CheckPoint VPN-1, you need a VPN Tracker Professional License.
• If you connect a dial-in Mac without its own subnet to multiple networks on the CheckPoint side, you also need the Professional License.
VPN Tracker is compatible with Mac OS X 10.2 or higher.
Be sure to use VPN Tracker 2.0.3 or higher.¹ For this document VPN Tracker version 2.0.3 has been used.
¹ All VPN Tracker versions prior to 2.0.3 did not include a correct connection type for CheckPoint VPN-1.
3. Connecting to a CheckPoint VPN-1 using pre-shared secrets
In this example, the Mac running VPN Tracker is directly connected to the Internet via a dialup or PPP connection.² The CheckPoint VPN-1 is configured in NAT mode and has the static WAN IP address 169.1.2.3 with gateway 169.1.2.1 and the private LAN IP address 192.168.1.1. The stations in the LAN behind the CheckPoint VPN-1 use 192.168.1.1 as their default gateway and should have a working Internet connection. The firewall rules are already defined and the VPN connection between the Windows clients and the CheckPoint VPN-1 works.
Figure 1: VPN Tracker - CheckPoint VPN-1 connection diagram (host to network)
² Please note that the connection via a router which uses Network Address Translation (NAT) only works if the NAT router supports „IPsec passthrough“. Please contact your router’s manufacturer for details.
[Diagram: VPN Tracker Mac (dynamic IP) <-> Internet <-> cpmodule (WAN 169.1.2.3, LAN 192.168.1.1) <-> LAN 192.168.1.0/24 with hosts 192.168.1.10, 192.168.1.20, 192.168.1.30]
3.1 CheckPoint VPN-1 configuration
The pre-defined VPN Tracker connection type has been created using the default settings on CheckPoint VPN-1. If you change any of the settings on the CheckPoint VPN-1 VPN router, you will subsequently have to adjust the connection type in VPN Tracker.
VPN - Basic Setup:
Please enable the “Pre-Shared Secret” feature in the Global Properties, which is disabled by default.
Figure 2: Global Properties
VPN – Advanced Setup:
Please check all the settings. The VPN Tracker connection type uses these settings.
Figure 3: Global Properties - Advanced
User properties:
Please enter a Login Name in the form user@domain. The username must contain the "@" sign.
Figure 4: User Properties - General
Please check the other user settings. Select no “authentication scheme” and do not generate a certificate for the pre-shared key based connection.
Figure 5: User Properties - Authentication
Figure 6: User Properties - Certificates
Enable the IKE Encryption Method and the Log.
Figure 7: User Properties - Encryption
Edit the IKE encryption method and enter your Password (Pre-shared secret). Please be sure that „Public Key“ isn’t enabled.
Figure 8: IKE Phase 2 Properties
Add the user to a RemoteAccess Group.
The screenshots are only an example of adding the previously created user to a group called “RemoteAccessUsers”. You may already have existing Access Groups. We used the following.
Figure 9: Group Properties - RemoteAccessusers
Figure 10: Main Screen - cpmodule
Traditional mode configuration.
Please be sure that the previously created group is in the VPN community. Click on the “Traditional mode configuration” button.
Figure 11: Check Point Gateway - cpmodule
Please enable “Pre-Shared Secret” and click on the “Advanced...” button.
Figure 12: Traditional mode IKE Properties
In the “Traditional mode advanced IKE properties”, enable “Support for aggressive mode”. This is very important for the pre-shared key based communication. If you want to use certificates with VPN Tracker you’ll always use main mode.
Figure 13: Traditional mode advanced IKE properties
> Multiple VPN Tracker Hosts
Just create another user with the same settings.
3.2 VPN Tracker configuration
Add a new connection with the following options: Choose „CheckPoint (Pre-shared key)“ as the Connection Type, „Host to Network“ as Topology, then type in the remote endpoint (169.1.2.3) and the remote network (192.168.1.0/24).
Figure 14: VPN Tracker main dialog (with PSK)
Select „Pre-shared key“ and click “Edit...”. Type in the same pre-shared secret that you typed in in the CheckPoint VPN-1 configuration (Figure 2). Use the “login name” as local identifier. If you have typed in a correct username, the word "email" should be visible beside the input field.
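To show what the "email" label beside the local identifier means, and why the login name must contain an "@", here is an added example written for this how-to (it is not code from equinux or Check Point): a small Python encoder and decoder for the ISAKMP Identification payload. A user@domain identifier is sent as ID type USER_FQDN, which is the type clients label "email"; an IPv4 address (the remote identifier chosen in section 4.2) is sent as ID_IPV4_ADDR, and a bare host name as ID_FQDN, so a login name without "@" would be sent as the wrong type. It goes slightly beyond the page by handling all three types. The identifier strings, the label text and the function names are assumptions for illustration. It also shows why aggressive mode is required in Figure 13: the gateway has to see this identity in the very first exchange to look up the user's pre-shared secret, so identity and the hash that authenticates it are exchanged before the channel is encrypted, which is a reason to pick a long random secret or to use the certificate setup of section 4.

```python
import ipaddress
import re
import struct
from typing import Tuple

# Identification types from the IPsec DOI (RFC 2407, section 4.6.2.1).
ID_IPV4_ADDR = 1   # 4-byte IPv4 address, what "IP address" as remote identifier means
ID_FQDN = 2        # a host name such as vpn.example.com
ID_USER_FQDN = 3   # user@domain, the type a client labels "email"

# Short labels as a client might show them; the label text is an assumption.
ID_TYPE_LABELS = {ID_IPV4_ADDR: "IP address", ID_FQDN: "FQDN", ID_USER_FQDN: "email"}

# Simplified host-name syntax: one or more labels of letters, digits and hyphens.
_FQDN_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9-]{1,63}(\.[a-z0-9-]{1,63})*$", re.IGNORECASE)


def classify_identifier(identifier: str) -> int:
    """Map an identifier string to the IKE ID type it will be sent as."""
    try:
        ipaddress.IPv4Address(identifier)
        return ID_IPV4_ADDR
    except ValueError:
        pass
    if "@" in identifier:
        user, _, domain = identifier.partition("@")
        if user and _FQDN_RE.match(domain):
            return ID_USER_FQDN
        raise ValueError("expected the form user@domain, got %r" % identifier)
    if _FQDN_RE.match(identifier):
        return ID_FQDN
    raise ValueError("not an IPv4 address, host name or user@domain: %r" % identifier)


def identifier_label(identifier: str) -> str:
    """The type label shown next to the identifier field ("email" for user@domain)."""
    return ID_TYPE_LABELS[classify_identifier(identifier)]


def encode_id_payload(identifier: str, next_payload: int = 0) -> bytes:
    """Build the ISAKMP Identification payload (RFC 2408, section 3.8).

    Layout: generic header (next payload, reserved, total length), then ID type,
    protocol ID and port (both 0 = any, RFC 2407 section 4.6.2), then the ID data.
    """
    id_type = classify_identifier(identifier)
    if id_type == ID_IPV4_ADDR:
        data = ipaddress.IPv4Address(identifier).packed
    else:
        data = identifier.encode("ascii")
    length = 8 + len(data)
    return struct.pack("!BBHBBH", next_payload, 0, length, id_type, 0, 0) + data


def decode_id_payload(payload: bytes) -> Tuple[int, str]:
    """Parse an Identification payload back into (ID type, identifier string)."""
    if len(payload) < 8:
        raise ValueError("payload shorter than its fixed header")
    _next, _reserved, length, id_type, _proto, _port = struct.unpack("!BBHBBH", payload[:8])
    if length != len(payload):
        raise ValueError("length field %d does not match payload size %d" % (length, len(payload)))
    data = payload[8:]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("IPv4 identifier data must be exactly 4 bytes")
        return id_type, str(ipaddress.IPv4Address(data))
    if id_type in (ID_FQDN, ID_USER_FQDN):
        return id_type, data.decode("ascii")
    raise ValueError("unsupported ID type %d" % id_type)


if __name__ == "__main__":
    # The local identifier from this how-to and the gateway address used as remote identifier.
    for ident in ("user@domain", "169.1.2.3"):
        payload = encode_id_payload(ident)
        print(ident, "->", identifier_label(ident), payload.hex(), decode_id_payload(payload))
```

Running the block prints the wire bytes for user@domain (ID type 3) and for 169.1.2.3 (ID type 1) and decodes them again; a login name typed without the "@" comes back as ID_FQDN, which is what the missing "email" label in the VPN Tracker dialog indicates.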
Figure 15: Pre-shared key dialog
Save the connection and click „Start IPsec“ in the VPN Tracker main window.
You’re done. After 10-20 seconds the red status indicator for the connection should change to green, which means you’re securely connected to the CheckPoint VPN-1. After IPsec has been started, you may quit VPN Tracker. The IPsec service will keep running.
Now, to test your connection, simply ping a host in the CheckPoint VPN-1 network from the dialed-in Mac in the “Terminal” utility:
ping 192.168.1.10
> Debugging
If the status indicator does not change to green, please have a look at the log file on both sides. You can define the amount of information available in the log file in the VPN Tracker preferences.
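As an added example of how to read those log files (not output or code from VPN Tracker or Check Point), the Python below scans constructed, vendor-neutral IKE log lines and maps the last recognizable event to the setting in this how-to that most likely explains it: no answer to the first message points at the remote endpoint, UDP 500 reachability or the aggressive-mode switch of Figure 13, a failed phase 1 authentication points at the pre-shared secret or login name, and a phase 2 failure at the remote network and VPN community. The log wording, the sample lines and the function names are assumptions; adapt the patterns to the actual phrases in your logs.

```python
import re
from typing import Dict, Optional

# Constructed sample log lines in vendor-neutral IKE wording; they are NOT
# VPN Tracker or CheckPoint output. Each set shows how far the negotiation got.
SAMPLE_LOG_NO_RESPONSE = """\
12:00:01 IKE: initiating aggressive mode with 169.1.2.3
12:00:01 IKE: sending phase 1 message 1 (ID USER_FQDN user@domain)
12:00:11 IKE: retransmit phase 1 message 1 to 169.1.2.3
12:00:31 IKE: phase 1 negotiation failed: no response from 169.1.2.3
"""

SAMPLE_LOG_AUTH_FAILED = """\
12:05:01 IKE: initiating aggressive mode with 169.1.2.3
12:05:01 IKE: received phase 1 message 2 from 169.1.2.3
12:05:01 IKE: phase 1 authentication failed: hash mismatch from 169.1.2.3
"""

SAMPLE_LOG_PHASE2_FAILED = """\
12:08:01 IKE: initiating aggressive mode with 169.1.2.3
12:08:02 IKE: phase 1 established with 169.1.2.3
12:08:02 IKE: phase 2 negotiation failed: no proposal chosen for 192.168.1.0/24
"""

SAMPLE_LOG_OK = """\
12:10:01 IKE: initiating aggressive mode with 169.1.2.3
12:10:02 IKE: phase 1 established with 169.1.2.3
12:10:02 IKE: phase 2 established: ESP tunnel to 192.168.1.0/24
"""

# (stage name, pattern, hint). Hints name the items of this how-to to re-check.
DIAGNOSES = [
    ("phase1_no_response",
     re.compile(r"phase 1 negotiation failed: no response"),
     "Nothing came back for the first IKE message: check the remote endpoint (169.1.2.3), "
     "that UDP port 500 reaches the gateway (a NAT router in between needs IPsec passthrough, "
     "footnote 2) and that 'Support for aggressive mode' is enabled (Figure 13)."),
    ("phase1_auth_failed",
     re.compile(r"phase 1 authentication failed|hash mismatch"),
     "The gateway answered but the authentication hash did not verify: the pre-shared secret "
     "(Figure 8 vs. Figure 15) or the login name used as local identifier (user@domain) differs."),
    ("phase2_failed",
     re.compile(r"phase 2 .*(failed|no proposal chosen)"),
     "Phase 1 succeeded, so identity and secret are right: check the remote network "
     "(192.168.1.0/24), the group's VPN community membership (Figure 11) and the "
     "Advanced settings (Figure 3)."),
    ("established",
     re.compile(r"phase 2 established"),
     "The tunnel is up; test it with: ping 192.168.1.10"),
]


def triage(log_text: str) -> Dict[str, Optional[str]]:
    """Scan log lines in order and report the last recognizable stage with its hint.

    Later lines override earlier ones, so a retransmit followed by a final failure
    reports the failure, and a successful phase 2 after earlier retries reports success.
    """
    result: Dict[str, Optional[str]] = {"stage": None, "line": None, "hint": None}
    for line in log_text.splitlines():
        for stage, pattern, hint in DIAGNOSES:
            if pattern.search(line):
                result = {"stage": stage, "line": line.strip(), "hint": hint}
                break
    return result


if __name__ == "__main__":
    for name, log in (("no response", SAMPLE_LOG_NO_RESPONSE),
                      ("auth failed", SAMPLE_LOG_AUTH_FAILED),
                      ("phase 2 failed", SAMPLE_LOG_PHASE2_FAILED),
                      ("ok", SAMPLE_LOG_OK)):
        verdict = triage(log)
        print("%s: %s\n  %s\n  %s" % (name, verdict["stage"], verdict["line"], verdict["hint"]))
```

Because the client log only shows one side, a "no response" verdict should always be paired with the gateway's log: if the gateway logged the incoming aggressive-mode message and rejected it, the problem is on its side (user, group or community), not on the path.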
4. Connecting to a CheckPoint VPN-1 using RSA X.509 certificates
4.1 CheckPoint VPN-1 configuration
The setup for enabling IPsec works the same way as described in section 3.
User Properties:
Please enter a “Login Name” in the form “certificateUser” or “certificateUser@domain”.
Figure 16: User Properties - General
Figure 17: User Properties - Groups
Generate and save the certificate. The PKCS#12 file contains the certificate, your private key and the CA.
Figure 18: User Properties - Certificates
Please be sure that you enable the “Public Key” authentication in the IKE Phase 2 Properties.
Figure 19: IKE Phase 2 Properties
Traditional mode IKE properties:
Please enable the “Public Key Signatures”. You can leave the “Pre-Shared Secrets” enabled.
Figure 20: Traditional mode IKE properties
4.2 VPN Tracker configuration
Open the Certificate manager (File -> Show certificates) of VPN Tracker and import the PKCS#12 file you previously exported from your CheckPoint VPN-1.
Figure 21: VPN Tracker - Certificate Import
Add a new connection with the following options: Choose „CheckPoint (Certificates)“ as the Connection Type, „Host to Network“ as Topology, then type in the remote endpoint (169.1.2.3) and the remote network (192.168.1.0/24).
Figure 22: VPN Tracker main dialog (with certificates)
Choose as “own certificate” the certificate you imported in step 1 and verify the remote certificate “with CAs”. Choose “own certificate” as local identifier and IP address as remote identifier. Do not “Verify the remote certificate”.
Figure 23: Certificate dialog