
Page 1: Configuring Site-to-Site VPN Connection Between a Check …docshare04.docshare.tips/files/12078/120789293.pdf · Overview This document ... security appliance and a Fortinet FortiGate

Configuring a Site-to-Site IPSEC VPN with a Check Point Embedded NG Security Appliance and a Fortinet FortiGate Security Appliance

Note: This document assumes the reader is familiar with the basic network installation of a Check Point Embedded NG appliance and a Fortinet FortiGate security appliance.

Overview

This document explains how to create a Site-to-Site IPSEC VPN connection between a Check Point Embedded NG security appliance and a Fortinet FortiGate security appliance. In particular, it describes the configuration of the following sample network:

Figure 1: Site-to-Site VPN with Check Point Embedded NG and Fortinet FortiGate Security Appliances

This sample network uses the parameters shown in the table below; however, you can change any of these parameters as desired, so long as they are the same on both appliances.


Table 1: Site-to-Site VPN Configuration Parameters

Parameter                       Value
Encryption                      3DES
Integrity                       SHA1
Authentication                  Pre-shared Key (Shared Secret)
Diffie-Hellman (DH) Group       2
Perfect Forward Secrecy (PFS)   Disabled
Phase-1 key lifetime            24 hours (86400 seconds)
Phase-2 key lifetime            1 hour (3600 seconds)

Note: The Embedded NG appliance must be installed with firmware 5.0 or a subsequent version.

Configuring the FortiGate Security Appliance

To configure the FortiGate security appliance for Site-to-Site VPN

1. Configure the encryption domain.

The encryption domain represents the networks to and from which you want to encrypt. These are the networks behind the VPN gateways.

Do the following:

a. Create an object for the Embedded NG VPN gateway’s internal network.

See “Creating an Object for the Embedded NG VPN Gateway’s Internal Network,” page 3.

b. Create an object for the FortiGate VPN gateway’s internal network.

See “Creating an Object for the FortiGate VPN Gateway’s Internal Network,” page 4.

2. Configure the IPSEC parameters, by doing the following:

a. Configure a Phase-1 profile.

See “Configuring a Phase-1 Profile,” page 5.

b. Configure a Phase-2 profile.

See “Configuring a Phase-2 Profile,” page 6.


3. Configure VPN rules, by doing the following:

a. Configure an Encrypt rule from the FortiGate VPN gateway network to the Embedded NG VPN gateway network.

See “Configuring an Encrypt Rule from the FortiGate VPN Gateway Network to the Embedded NG VPN Gateway Network,” page 8.

b. Configure an Encrypt rule from the Embedded NG VPN gateway network to the FortiGate VPN gateway network.

See “Configuring an Encrypt Rule from the Embedded NG VPN Gateway Network to the FortiGate VPN Gateway Network,” page 9.

Configuring the Encryption Domain

Creating an Object for the Embedded NG VPN Gateway’s Internal Network

To create an object for the Embedded NG VPN gateway’s internal network

1. In the main menu, click Firewall.

The Firewall submenu opens.

2. In the Firewall submenu, click Address.

The Address page appears.

3. Click Create New.

The New Address page appears.


4. In the Address Name field, type a name for the Embedded NG VPN gateway internal network object.

For example: “CP_Internal”.

5. In the IP Range/Subnet field, type the IP address and subnet mask of the Embedded NG VPN gateway’s internal network.

For example: 192.168.100.0/24.

6. Click OK.

Creating an Object for the FortiGate VPN Gateway’s Internal Network

To create an object for the FortiGate VPN gateway’s internal network

1. In the main menu, click Firewall.

The Firewall submenu opens.

2. In the Firewall submenu, click Address.

The Address page appears.

3. Click Create New.

The New Address page appears.

4. In the Address Name field, type a name for the FortiGate VPN gateway internal network object.

For example: “FG_Internal”.

5. In the IP Range/Subnet field, type the IP address and subnet mask of the FortiGate VPN gateway’s internal network.

For example: 192.168.1.0/255.255.255.0.


6. Click OK.
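The two address objects created above are one half of the encryption domain; the other half is the pair of networks the Embedded NG appliance is told about in its VPN Site Wizard. Because the FortiGate field accepts both prefix-length notation (192.168.100.0/24) and dotted-mask notation (192.168.1.0/255.255.255.0), a typo in either notation, a host address instead of a network, or an asymmetric definition on the two gateways is easy to miss and leaves Phase-2 negotiation failing with no obvious GUI error. The following Python script is an added example, not part of this document or of either vendor's software: it normalizes both notations and checks that the two gateways describe the same pair of networks. The object names CP_Internal and FG_Internal and the sample networks are taken from this document; the Embedded NG side's values, the function names and the dictionary layout are constructed for the example.

```python
import ipaddress

# Constructed sample values mirroring the document's sample network: the
# FortiGate address objects exactly as typed on its Address page (note the two
# notations), the Embedded NG appliance's own internal network, and the
# destination networks typed into the Embedded NG VPN Site Wizard (steps 11-12).
FORTIGATE_OBJECTS = {
    "CP_Internal": "192.168.100.0/24",
    "FG_Internal": "192.168.1.0/255.255.255.0",
}
EMBEDDED_NG_LOCAL = "192.168.100.0/24"
EMBEDDED_NG_DESTINATIONS = ["192.168.1.0/255.255.255.0"]


def parse_subnet(text):
    """Accept 'a.b.c.d/n' or 'a.b.c.d/m.m.m.m' and return an IPv4Network.
    strict=True rejects a host address such as 192.168.1.5/24, which the
    peer gateway would never match as an encryption domain."""
    return ipaddress.IPv4Network(text.strip(), strict=True)


def check_encryption_domain(fg_objects, ng_local, ng_destinations,
                            ng_object="CP_Internal", fg_object="FG_Internal"):
    """Return a list of problems; an empty list means both gateways describe
    the same pair of networks. ng_object/fg_object name the FortiGate address
    objects that stand for the Embedded NG and FortiGate internal networks."""
    problems = []
    parsed = {}
    for name, text in fg_objects.items():
        try:
            parsed[name] = parse_subnet(text)
        except ValueError as exc:
            problems.append(f"FortiGate object {name}: {text!r} is not a valid network ({exc})")
    try:
        local = parse_subnet(ng_local)
        dests = [parse_subnet(d) for d in ng_destinations]
    except ValueError as exc:
        problems.append(f"Embedded NG side: {exc}")
        return problems
    # The wizard offers three destination network fields.
    if len(dests) > 3:
        problems.append("the Embedded NG VPN Site Wizard accepts at most three destination networks")
    # The object standing for the Embedded NG network must equal that network.
    if ng_object in parsed and parsed[ng_object] != local:
        problems.append(f"{ng_object} ({parsed[ng_object]}) differs from the Embedded NG internal network ({local})")
    # The FortiGate's own network must be one of the destinations the Embedded NG side knows.
    if fg_object in parsed and parsed[fg_object] not in dests:
        problems.append(f"{fg_object} ({parsed[fg_object]}) is not listed as a destination network on the Embedded NG side")
    # Overlapping networks at the two ends leave a gateway unable to tell
    # local traffic from traffic that must enter the tunnel.
    for dest in dests:
        if local.overlaps(dest):
            problems.append(f"Embedded NG network {local} overlaps destination network {dest}")
    return problems


if __name__ == "__main__":
    result = check_encryption_domain(FORTIGATE_OBJECTS, EMBEDDED_NG_LOCAL, EMBEDDED_NG_DESTINATIONS)
    for line in result or ["encryption domain is consistent on both gateways"]:
        print(line)
```

Run it once with the values typed into each GUI before troubleshooting anything else; with the document's sample values it reports a consistent encryption domain, and feeding it a host address or a destination network that the Embedded NG side was never told about produces a specific message instead of a silent negotiation failure.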

Configuring IPSEC Parameters

Configuring a Phase-1 Profile

To configure a Phase-1 profile

1. In the main menu, click VPN.

The VPN submenu opens.

2. In the VPN submenu, click IPSEC.

The Phase 1 page appears.

3. Click Create New.

The New VPN Gateway page appears.

4. Click Advanced.

Additional fields appear.

5. Fill in the fields as described in the table below.

Do not change the default settings of fields that are not listed in the table.

6. Click OK.


Table 2: Phase-1 Profile Fields

Gateway Name
    Do this: Type a name for the gateway.
    In the sample network: Site2Site

Remote Gateway
    Do this: Type the remote gateway’s static IP address.

IP address
    Do this: Type the Embedded NG VPN gateway’s IP address.
    In the sample network: 212.150.8.85

Authentication Method
    Do this: Select the authentication method to use.
    In the sample network: Preshared Key

Pre-shared Key
    Do this: Type the pre-shared key. Use the same pre-shared key as configured on the Embedded NG VPN gateway.
    In the sample network: for example, Secret123

Encryption
    Do this: Select the type of encryption to use to secure the VPN connection.
    In the sample network: 3DES

Authentication
    Do this: Select the authentication algorithm to use.
    In the sample network: SHA1

DH Group
    Do this: Select the Diffie-Hellman group to use.
    In the sample network: 2

Keylife
    Do this: Type the Phase-1 key lifetime in seconds. This parameter must match the Phase-1 keylife on the Embedded NG appliance VPN gateway.
    In the sample network: 86400

Configuring a Phase-2 Profile

To configure a Phase-2 profile

1. In the main menu, click VPN.

The VPN submenu opens.

2. In the VPN submenu, click IPSEC.

The Phase 1 page appears.

3. Click on the Phase 2 tab.

The Phase 2 page appears.

4. Click Create New.

The New VPN Tunnel page appears.


5. Click Advanced.

Additional fields appear.

6. Fill in the fields as described in the table below.

Do not change the default settings of fields that are not listed in the table.

7. Click OK.

Table 3: IPSEC Phase-2 Profile Fields

Tunnel Name
    Do this: Enter a name for the tunnel.
    In the sample network: Check Point

Remote Gateway
    Do this: Select the Phase-1 profile you created for this tunnel.
    In the sample network: Site2Site

Encryption (proposal 1)
    Do this: Select the type of encryption to use to secure the VPN connection.
    In the sample network: 3DES

Authentication
    Do this: Select the authentication algorithm to use.
    In the sample network: SHA1

Enable perfect forward secrecy (PFS)
    Do this: Specify whether to use PFS.
    In the sample network: Clear this option.

Keylife
    Do this: Use the fields provided to specify the Phase-2 keylife in seconds. This parameter must match the Phase-2 keylife on the Embedded NG appliance VPN gateway.
    In the sample network: 3600


Configuring VPN Rules

Configuring an Encrypt Rule from the FortiGate VPN Gateway Network to the Embedded NG VPN Gateway Network

To configure an Encrypt rule from the FortiGate VPN gateway network to the Embedded NG VPN gateway network

1. In the main menu, click Firewall.

The Firewall submenu opens.

2. In the Firewall submenu, click Policy.

The Policy page appears.

3. Click Create New.

The New Policy page appears.

4. Fill in the fields as described in the table below.

Do not change the default settings of fields that are not listed in the table.

5. Click OK.


Table 4: Encrypt Rule from the FortiGate Network to the Embedded NG Network Fields

Interface/Zone
    Do this: In the Source drop-down list, select Internal. In the Destination drop-down list, select External.

Address Name
    Do this: In the Source drop-down list, select the internal FortiGate VPN gateway address object from which you want traffic to be encrypted. In the Destination drop-down list, select the internal Embedded NG VPN gateway address object to which you want traffic to be encrypted.
    In the sample network: Source FG_Internal, Destination CP_External

Action
    Do this: Select ENCRYPT.

VPN Tunnel
    Do this: Select the Phase-2 profile you created.
    In the sample network: CheckPoint

Configuring an Encrypt Rule from the Embedded NG VPN Gateway Network to the FortiGate VPN Gateway Network

To configure an Encrypt rule from the Embedded NG VPN gateway network to the FortiGate VPN gateway network

1. In the main menu, click Firewall.

The Firewall submenu opens.

2. In the Firewall submenu, click Policy.

The Policy page appears.

3. Click Create New.


The New Policy page appears.

4. Fill in the fields as described in the table below.

Do not change the default settings of fields that are not listed in the table.

5. Click OK.

Table 5: Encrypt Rule from the Embedded NG Network to the FortiGate Network Fields

Interface/Zone
    Do this: In the Source drop-down list, select Internal. In the Destination drop-down list, select External.

Address Name
    Do this: In the Source drop-down list, select the Embedded NG VPN gateway address object from which you want traffic to be encrypted. In the Destination drop-down list, select the internal FortiGate VPN gateway address object to which you want traffic to be encrypted.
    In the sample network: Source CP_Internal, Destination FG_External

Action
    Do this: Select ENCRYPT.

VPN Tunnel
    Do this: Select the Phase-2 profile you created.
    In the sample network: CheckPoint


Configuring the Embedded NG Security Appliance

To configure the Embedded NG security appliance for Site-to-Site VPN

1. Add the FortiGate security appliance as a Site-to-Site gateway.

See “Adding the FortiGate Security Appliance as a Site-to-Site VPN Gateway,” page 11.

2. Configure IPSEC parameters to match those you configured on the FortiGate appliance.

Do the following:

a. Modify IKE Phase-1 encryption parameters.

See “Modifying IKE Phase-1 Encryption Parameters,” page 16.

b. Modify IKE Phase-2 encryption parameters.

See “Modifying IKE Phase-2 Encryption Parameters,” page 17.

c. Modify the IKE Phase-1 key lifetime.

See “Modifying the IKE Phase-1 Key Lifetime,” page 17.

d. Modify the IKE Phase-2 key lifetime.

See “Modifying the IKE Phase-2 Key Lifetime,” page 18.

Adding the FortiGate Security Appliance as a Site-to-Site VPN Gateway

To add the FortiGate appliance as a Site-to-Site VPN gateway

1. Click VPN in the main menu, and click the VPN Sites tab.

The VPN Sites page appears.

2. Click New Site.


The VPN Site Wizard opens, with the Welcome to the VPN Site Wizard dialog box displayed.

3. Select Site-to-Site VPN.

4. Click Next.

The VPN Gateway Address dialog box appears.

5. In the VPN Gateway field, type the IP address of the FortiGate VPN gateway.

6. Select Bypass NAT.

This setting enables the FortiGate VPN gateway to bypass NAT when connecting to the Embedded NG VPN gateway internal network.

7. Select Bypass the firewall.

This setting enables the FortiGate VPN gateway to bypass the firewall and access the Embedded NG VPN gateway’s internal network without restriction, over the VPN tunnel only.


8. Click Next.

The VPN Network Configuration dialog box appears.

9. Select Specify Configuration.

10. Click Next.

A second VPN Network Configuration dialog box appears.

11. In the Destination network fields, type up to three destination network addresses at the FortiGate VPN gateway.

12. In the Subnet mask fields, select the subnet masks for the destination network addresses.


13. Click Next.

The Authentication Method dialog box appears.

14. Select Shared Secret.

15. Click Next.

The Authentication dialog box appears.

16. In the Use Shared Secret field, type the shared secret to use for secure communications with the FortiGate VPN gateway.

This should be the pre-shared key you configured on the FortiGate VPN gateway in “Configuring a Phase-1 Profile,” page 5.


17. Click Next.

The Connect dialog box appears.

18. If you configured the FortiGate appliance as described in “Configuring the FortiGate Security Appliance,” page 2, select the Try to Connect to the VPN Gateway check box to try to connect to it.

This allows you to test the VPN connection.

Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated.

19. Click Next.

If you selected Try to Connect to the VPN Gateway, the Connecting… screen appears, and then the Contacting VPN Site screen appears.

The Site Name dialog box appears.

20. Type a name for the VPN site.

You may choose any name. For example: “FortiGate”.


Note: Do not select Keep this site alive.

21. Click Next.

The VPN Site Created screen appears.

22. Click Finish.

The VPN Sites page reappears. The new site appears in the VPN Sites list.

Configuring IPSEC Parameters

Configuring the IPSEC parameters on the Embedded NG security appliance is done through the appliance’s command line interface (CLI). For information on accessing the CLI, refer to the User Guide. For information on CLI syntax, refer to the Check Point Embedded NG CLI Reference Guide.

Modifying IKE Phase-1 Encryption Parameters

To modify IKE Phase-1 encryption parameters

Use the following command syntax:

set vpn sites number phase1ikealgs [automatic | des/md5 | des/sha1 | 3des/md5 | 3des/sha1 | aes128/md5 | aes128/sha1 | aes256/md5 | aes256/sha1]

where number is the number of the FortiGate VPN gateway’s row in the VPN Sites table in the Embedded NG Portal.

For example, if the FortiGate VPN gateway appears in row 2 in the VPN Sites table, and you want to set the Embedded NG appliance to use 3DES/SHA1 encryption for Phase-1 IKE negotiations with this gateway, then run the command:

set vpn sites 2 phase1ikealgs 3des/sha1


Modifying IKE Phase-2 Encryption Parameters

To modify IKE Phase-2 encryption parameters

Use the following command syntax:

set vpn sites number phase2ikealgs [automatic | des/md5 | des/sha1 | 3des/md5 | 3des/sha1 | aes128/md5 | aes128/sha1 | aes256/md5 | aes256/sha1]

where number is the number of the FortiGate VPN gateway’s row in the VPN Sites table in the Embedded NG Portal.

For example, if the FortiGate VPN gateway appears in row 2 in the VPN Sites table, and you want to set the Embedded NG appliance to use 3DES/SHA1 encryption for Phase-2 IKE negotiations with this gateway, then run the command:

set vpn sites 2 phase2ikealgs 3des/sha1

Modifying the IKE Phase-1 Key Lifetime

To modify the IKE Phase-1 key lifetime

Use the following command syntax:

set vpn sites number phase1exptime seconds

where:

number is the number of the FortiGate VPN gateway’s row in the VPN Sites table in the Embedded NG Portal.

seconds is the length of the IKE Phase-1 key lifetime in seconds.

For example, if the FortiGate VPN gateway appears in row 2 in the VPN Sites table, and you want to set the Embedded NG appliance to use a Phase-1 key lifetime of 24 hours (86400 seconds) with this gateway, then run the command:

set vpn sites 2 phase1exptime 86400


Modifying the IKE Phase-2 Key Lifetime

To modify the IKE Phase-2 key lifetime

Use the following command syntax:

set vpn sites number phase2exptime seconds

where:

number is the number of the FortiGate VPN gateway’s row in the VPN Sites table in the Embedded NG Portal.

seconds is the length of the IKE Phase-2 key lifetime in seconds.

For example, if the FortiGate VPN gateway appears in row 2 in the VPN Sites table, and you want to set the Embedded NG appliance to use a Phase-2 key lifetime of 1 hour (3600 seconds) with this gateway, then run the command:

set vpn sites 2 phase2exptime 3600
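The four CLI commands above are the Embedded NG counterparts of the FortiGate Phase-1 and Phase-2 profile fields in Tables 2 and 3, and IKE negotiation fails whenever the two ends disagree on any one of them. The following Python script is an added example, not part of this document or of either vendor's software: it translates the FortiGate GUI values (3DES, SHA1, keylife in seconds) into the cipher/hash tokens and lifetimes the Embedded NG CLI accepts, compares them with what the Embedded NG site currently has, and prints the exact set vpn sites commands for the site's row number. The accepted token list and the command syntax come from this document; the FortiGate values are the sample network's; the "current" Embedded NG settings, the function names and the dictionary layout are constructed for the example.

```python
# FortiGate values as entered in the GUI for the sample network (constructed dict).
FORTIGATE = {
    "phase1": {"encryption": "3DES", "authentication": "SHA1", "dh_group": 2, "keylife": 86400},
    "phase2": {"encryption": "3DES", "authentication": "SHA1", "pfs": False, "keylife": 3600},
}

# What the Embedded NG site currently has (constructed: Phase-1 still on
# "automatic" and an 8-hour Phase-1 lifetime, neither of which matches).
EMBEDDED_NG_CURRENT = {
    "phase1ikealgs": "automatic",
    "phase2ikealgs": "3des/sha1",
    "phase1exptime": 28800,
    "phase2exptime": 3600,
}

# Values accepted by phase1ikealgs / phase2ikealgs, as listed in the document.
EMBEDDED_NG_ALGS = {
    "automatic", "des/md5", "des/sha1", "3des/md5", "3des/sha1",
    "aes128/md5", "aes128/sha1", "aes256/md5", "aes256/sha1",
}


def to_embedded_ng_alg(encryption, authentication):
    """Turn the FortiGate Encryption/Authentication choices (e.g. 3DES, SHA1)
    into the Embedded NG 'cipher/hash' token, or None when the combination is
    not one the Embedded NG CLI offers (e.g. AES192)."""
    token = f"{encryption.strip().lower()}/{authentication.strip().lower()}"
    return token if token in EMBEDDED_NG_ALGS else None


def desired_embedded_ng_settings(fortigate):
    """Return {setting: value} the Embedded NG site needs in order to match the
    FortiGate profiles. Raises ValueError for a proposal the CLI cannot express."""
    wanted = {}
    for phase in ("phase1", "phase2"):
        prof = fortigate[phase]
        alg = to_embedded_ng_alg(prof["encryption"], prof["authentication"])
        if alg is None:
            raise ValueError(f"{phase}: {prof['encryption']}/{prof['authentication']} "
                             "is not available on the Embedded NG CLI")
        wanted[f"{phase}ikealgs"] = alg
        wanted[f"{phase}exptime"] = int(prof["keylife"])
    return wanted


def embedded_ng_commands(site_row, fortigate):
    """The 'set vpn sites <row> ...' commands, in the order the document gives them."""
    wanted = desired_embedded_ng_settings(fortigate)
    order = ("phase1ikealgs", "phase2ikealgs", "phase1exptime", "phase2exptime")
    return [f"set vpn sites {site_row} {key} {wanted[key]}" for key in order]


def find_mismatches(fortigate, embedded_ng_current):
    """List (setting, wanted, current) triples that differ between the two ends.
    PFS is reported separately: the document clears it on the FortiGate and
    gives no Embedded NG command for it, so it has to stay disabled."""
    wanted = desired_embedded_ng_settings(fortigate)
    diffs = [(key, value, embedded_ng_current.get(key))
             for key, value in wanted.items() if embedded_ng_current.get(key) != value]
    if fortigate["phase2"].get("pfs"):
        diffs.append(("pfs", False, True))
    return diffs


if __name__ == "__main__":
    for setting, want, have in find_mismatches(FORTIGATE, EMBEDDED_NG_CURRENT):
        print(f"mismatch: {setting} should be {want}, Embedded NG has {have}")
    print("\n".join(embedded_ng_commands(2, FORTIGATE)))
```

With the constructed current values the script flags phase1ikealgs and phase1exptime and prints the four commands for row 2, which are exactly the ones shown in the sections above. The DH group has no counterpart among the commands this document lists, so it is carried in the FortiGate dictionary only and must be confirmed by hand.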