Configure an IPSec Tunnel between a Firebox II/III & a Check Point FireWall-1

This document describes how to configure an IPSec tunnel between a WatchGuard Firebox II/III running software version 6.0 and a Check Point FireWall-1 running the Next Generation (NG) FP2 software version. The following diagram illustrates the machines and addresses involved in the connection. The examples used in this document are taken from this set-up.


NOTE: Any third-party appliances between the Firebox II/III and the FireWall-1 (the tunnel end-points), such as a router, must be configured to allow IPSec traffic: specifically, UDP port 500 (IKE) and IP protocols 50 (ESP) and 51 (AH). Further, a third-party appliance must not perform NAT on either tunnel end-point. You should contact your ISP to ensure that these requirements are met before configuring your IPSec tunnel.

Configure a Firebox II/III Appliance for an IPSec Tunnel

This procedure describes how to configure the Firebox II/III to create an IPSec Virtual Private Network (VPN) tunnel to a FireWall-1. To configure the Firebox II/III for an IPSec tunnel, use the WatchGuard Policy Manager to configure the IPSec gateway, tunnel, and routing information, and to enable the associated policy. For more information about configuring a Firebox II/III for an IPSec VPN tunnel, consult the WatchGuard Firebox System User Guide version 6.0.

Setting Up the Gateway

You must first define the remote gateway of the FireWall-1.

From the Policy Manager:

1 Select Network => Branch Office VPN => IPSec. The IPSEC configuration window appears.


2 Click Gateways. The Configure Gateways window appears.

3 Click Add. The IPSec Gateway window appears.

4 Enter the gateway information as described below:

Name: The name used to identify this gateway. In our example, FW-1.

Key Negotiation Type: Select isakmp (dynamic).

Remote Gateway IP: The external IP address of the FireWall-1 that the Firebox II/III will negotiate with when creating the IPSec tunnel. In our example, 206.253.208.100.

Shared Key: Similar to a password, this is used to authenticate both ends of the tunnel to each other; the shared key must be identical on both sites. In our example, secret.

5 When you finish entering the above information, click More. The Phase 1 Settings appear.


6 Enter the Phase 1 information as described below:

Local ID Type: Select IP Address.

Authentication: Select SHA1-HMAC (a 160-bit algorithm). This must match the authentication type on the FireWall-1 appliance.

Encryption: Select DES-CBC (56-bit). This must match the encryption level on the FireWall-1 appliance.

Diffie-Hellman Group (DH Group): Select group 1 or 2. In our example, group 1.

Enable Perfect Forward Secrecy (PFS): If PFS is enabled, the Firebox II/III uses the same DH Group selected for Phase 1 negotiation in Phase 2 as well. In our example, this setting is disabled.

NOTE: If the FireWall-1 initiates or re-keys the IPSec tunnel, only DH Group 1 will function. The FireWall-1 automatically uses DH Group 2 during Phase 1 negotiations and DH Group 1 during Phase 2. Further, the FireWall-1 re-keys regardless of the timeout settings on either appliance. Therefore, if you enable PFS, you must use the DH Group 1 setting.

Enable Aggressive Mode: If this mode is enabled, the default Main Mode is replaced with the shorter Aggressive Mode IKE exchange. This must match the setting on the FireWall-1 appliance. In our example, this setting is disabled.

7 When you finish entering the information for the Phase 1 settings, click OK. The Configure Gateways window appears, displaying the new gateway and its settings.


8 Follow the instructions below to continue with setting up the tunnel.

Setting up the Tunnel

A tunnel encapsulates packets between two gateways. It specifies encryption type, authentication method, or both. A tunnel also specifies endpoints: these are the public, external addresses of the two appliances. The following describes how to configure a tunnel using a gateway with the isakmp (dynamic) key negotiation type, which is required for creating a tunnel between a Firebox II/III and a FireWall-1.

From the Configure Gateways window:

1 Click Tunnels. The Configure Tunnels window appears.

2 To create a new tunnel, click Add. The Select Gateway window appears.


3 Select the gateway that you created in “Setting Up the Gateway” above and then click OK. The Configure Tunnel window appears.

4 At the Identity tab, enter a tunnel name. The Policy Manager uses the tunnel name as an identifier. In our example, FW-1_Tunnel.

5 Click the Phase 2 Settings tab.


6 Enter the following information:

Type: Select ESP (Encapsulated Security Payload). This must match the Security Association Proposal type on the FireWall-1 appliance.

Authentication: Select SHA1-HMAC (a 160-bit algorithm). This must match the authentication type on the FireWall-1 appliance.

Encryption: Select 3DES-CBC (168-bit). This must match the encryption level on the FireWall-1 appliance.

7 To have a new key generated periodically, enable the checkbox labelled Force Key Expiration. With this option, the ISAKMP controller generates and negotiates a new key for the session, transparently to the user. For no key expiration, enter 0 (zero) here. If you enable the Force Key Expiration box, set the number of kilobytes transferred or hours passed in the session before a new key is generated for continuation of the VPN session.

8 Click OK. The Configure Tunnels window reappears, displaying the newly created tunnel.

9 After you add all tunnels for this gateway, click OK to return to the Configure Gateways window. Click OK to return to the IPSec Configuration window.

Creating an IPSec Policy

Policies are sets of rules, much like static routes, for defining how IPSec traffic is routed through the tunnel. Policies are defined by their endpoints. These are not the same as tunnel or gateway endpoints: they are the specific hosts, networks, or both behind the two IPSec appliances (for our purposes, the Firebox II/III and the FireWall-1) which communicate through the tunnel.

From the IPSec Configuration window:

1 Click Add. The Add Routing Policy window appears.


2 Enter the following information:

Local: Host or Network. You can create a policy for a single host or an entire network behind the local appliance. Following our example, select Network and enter the network address of the private, internal network behind the Firebox II/III, 192.168.3.0/24.

Remote: Host or Network. You can create a policy for a single host or an entire network behind the remote appliance. Following our example, select Network and enter the network address of the private, internal network behind the FireWall-1, 10.10.10.0/24.

Disposition: This determines how the Firebox II/III will handle traffic travelling between the tunnel endpoints. Select secure.

Tunnel: You can choose the tunnel you want to use between these networks. Following our example, select FW-1_Tunnel from the drop list.

3 Click OK. The IPSec Configuration window appears, listing the newly created policy. Policies are initially listed in the order in which they were created.

4 Click OK again to close the IPSec Configuration window.


Creating Services

The last step defines what services are going to be allowed through this tunnel. Users behind the FireWall-1 are outside the trusted Firebox II/III network; you must therefore configure the Firebox II/III specifically to allow traffic through the VPN connection. A quick method is to create a host alias that corresponds to the remote VPN hosts, networks, or both. Either use this alias or individually enter the IP addresses when configuring the properties for the service or services you wish to allow. For more information on creating an alias, consult the WatchGuard Firebox II/III System User Guide version 6.0.

You can modify your Firebox II/III security policy to allow the VPN traffic on a service-by-service basis. However, the easiest method is to create an Any service which allows all traffic over any port.

From the Policy Manager:

1 Select Edit => Add Service. The Service window appears.

2 Expand Packet Filters and select the Any service.


3 Click Add. The Add Service window appears.

4 Enter a name for the service in the appropriate field. In our example, we keep the default name, Any.

5 Click OK. The service’s Properties window appears.


6 At the Incoming tab, select Enabled and Allowed from the drop list.

7 Under From, click Add. The Add Address window appears.

8 Click Add Other. The Add Member window appears.


9 At the Choose Type drop list, select Network IP Address and enter the IP address of the private, internal network behind the FireWall-1. Following our example, 10.10.10.0/24.

10 Click OK. The Add Address window reappears.

11 Click OK. The service’s Properties window reappears. It should display the IP address you entered in the From portion of the window.

12 Under To, click Add. The Add Address window appears.

13 Click Add Other. The Add Member window appears.

14 At the Choose Type drop list, select Network IP Address and enter the IP address of the private, internal network behind the Firebox II/III. Following our example, 192.168.3.0/24.

15 Click OK. The Add Address window reappears.

16 Click OK. The service’s Properties window reappears. It should display the IP address you entered in the To portion of the window as well as the IP address of the From portion you entered earlier.

17 Click the Outgoing tab. Select Enabled and Allowed from the drop list.


18 Under From, click Add. The Add Address window appears.

19 Click Add Other. The Add Member window appears.

20 At the Choose Type drop list, select Network IP Address and enter the IP address of the private, internal network behind the Firebox II/III. Following our example, 192.168.3.0/24.

21 Click OK. The Add Address window reappears.

22 Click OK. The service’s Properties window reappears. It should display the IP address you entered in the From portion of the window.

23 Under To, click Add. The Add Address window appears.

24 Click Add Other. The Add Member window appears.

25 At the Choose Type drop list, select Network IP Address and enter the IP address of the private, internal network behind the FireWall-1. Following our example, 10.10.10.0/24.

26 Click OK. The Add Address window reappears.

27 Click OK. The service’s Properties window reappears. It should display the IP address you entered in the To portion of the window as well as the IP address of the From portion you entered earlier.

28 Click OK to close the service’s Properties window. Click Close to close the Add Service window.


Saving the Configuration to the Firebox II/III

Finally, save the changes made to the configuration file to the Firebox II/III.

1 Select File => Save => To Firebox.

2 Use the Firebox drop list to select the appropriate appliance.

3 Enter the configuration (read/write) pass phrase. Click OK. The configuration file is saved first to the local hard drive of the management station and then to the primary area of the Firebox II/III flash disk.

4 You are prompted to reboot the appliance; the new configuration is not enabled until the appliance is rebooted. Click OK.

Configure the FireWall-1 for an IPSec Tunnel to a Firebox II/III

This procedure describes how to configure the FireWall-1 to create an IPSec Virtual Private Network (VPN) tunnel to a Firebox II/III.

Creating a New Security Policy

1 Connect to the FireWall-1 with the configuration management tool and open the Check Point Policy Editor in the FireWall-1 GUI.

2 Select File => New. The New Policy Package window appears.

3 Enter the following information:

Policy Package Name: Enter the name of the configuration you are about to create. In our example, IPSec.

Policy Type: Enable Security and Address translation.

4 Click OK. Tabs appear for the policy you just created.


Creating and Configuring Network Objects

To allow IPSec traffic between network addresses, you must create icons for the network addresses in question as well as for the local and remote firewalls.

Start by creating an icon for the private network behind the Firebox II/III:

1 Select Manage => Network Objects. The Network Objects window appears.

2 Click New, then select Network. The Network Properties window appears.


3 Click the General tab and enter the following information:

Name: Enter a name for the network for which this Network Object is being created. In our example, the private network behind the Firebox II/III is named WGRD_net.

Network Address: Enter the IP address of the private network. In our example, 192.168.3.253.

Netmask: Enter the netmask of the private network. In our example, 255.255.255.0.

Comment: Add comments or reminders about this configuration. (This field is optional.)

Color: Select a color from the drop list for this Network Object. In our example, red.

Broadcast Address: Enable the Included option.

NOTE: Do not make changes to the NAT tab; maintain the default settings.

4 Click OK. The Network Objects window reappears with the new icon.

Create another icon for the private network behind the FireWall-1 appliance:

5 Click New, then select Network. The Network Properties window appears.

6 Click the General tab and enter the following information:

Name: Enter a name for the network for which this Network Object is being created. In our example, the private network behind the FireWall-1 is named FW-1_net.

Network Address: Enter the IP address of the network. In our example, 10.10.10.0.


Netmask: Enter the netmask of the network. In our example, 255.255.255.0.

Comment: Add comments or reminders about this configuration. (This field is optional.)

Color: Select a color from the drop list for this Network Object. In our example, blue.

Broadcast Address: Enable Allowed.

NOTE: Do not make changes to the NAT tab; maintain the default settings.

7 Click OK. The Network Objects window reappears with the new icons, following our example, WGRD_net and FW-1_net.


Configuring Network Objects — the Check Points object

1 Select Check Points from the Show drop list. An icon representing the FireWall-1 appliance appears.

2 Select the icon representing the FireWall-1 and then click Edit. The Check Point Gateway window appears.

3 From the tree view, select General Properties and enter the following information:

IP Address: Enter the external IP address of the FireWall-1 appliance. In our example, 206.253.208.100.

Comment: Add any relevant comments or notes here.

Color: Choose a color to represent the FireWall-1. In our example, blue.

4 From the tree view, select Topology and click Add to define an interface. The Interface Properties window appears.


5 Enter the following information:

Name: Enter the name of the external interface of the FireWall-1 appliance.

IP Address: Enter the IP address of the external interface. In our example, 206.253.208.100.

Net Mask: Enter the netmask of the interface. In our example, 255.255.255.0.

6 Click on the Topology tab and enter the following information:

Topology: Enable the External option.

Anti-Spoofing: Choose whether or not to enforce anti-spoofing rules on this interface. You can also choose how to log spoofed packets on this interface (None, Log or Alert).

7 Click OK to return to the Check Point Gateway window.


8 Again, from the tree view, select Topology and click Add to define a second interface.

9 Enter the following information:

Name: Enter the name of the trusted interface of the FireWall-1.

IP Address: Enter the IP address of the trusted interface.

Net Mask: Enter the netmask of the interface.

10 Click on the Topology tab and enter the following information:

Topology: Enable the Internal option.

IP Addresses behind this interface: Enable the Specific option and then select FW-1_net from the drop list.

Anti-Spoofing: Choose whether or not to enforce anti-spoofing rules on this interface. You can also choose how to log spoofed packets on this interface (None, Log or Alert).

11 Click OK to return to the Check Point Gateway window.

12 Enable the Manually Defined option and select FW-1_net from the drop list. This associates the network defined by the FW-1_net icon with VPN rules on the FireWall-1 appliance.


13 From the tree view, select VPN.

14 From the Encryption Schemes field, verify that the IKE checkbox is enabled and then click Edit. The IKE Properties window appears.


15 Enter the following information:

Support Key Exchange Encryption With: Select the encryption type the FireWall-1 will use in phase 1 negotiations. This must match the phase 1 encryption method selected on the Firebox II/III. In our example, DES.

Support Data Integrity With: Select the data integrity algorithm the FireWall-1 will use in phase 1 negotiations. This must match the phase 1 algorithm selected on the Firebox II/III. In our example, SHA1.

Support Authentication Methods: Enable the Pre-Shared Secret option.

16 Click on the Advanced button. The Advanced IKE Properties window appears.

17 Enter the following information:

Support Diffie-Hellman Groups (IKE Phase 1): Here you can choose which DH group the FireWall-1 appliance will support in phase 1. We set this to DH group 1 (768 bit) in this example. This must match the phase 1 DH group setting on the Firebox II/III.


Support Key Exchange for Subnets: This feature allows Phase 2 encryption key exchanges to take place between subnets and not just individual hosts. In our example, this feature is enabled.

18 Click OK to close the Advanced IKE Properties window, click OK to close the IKE Properties window and return to the Check Point Gateway window, and then click OK to return to the Network Objects window.

Configuring Network Objects — the Interoperable Devices object

1 Click New and select Interoperable Device. The Interoperable Device window appears.

2 From the tree view, select General Properties and enter the following information:

Name: Choose a name for the device represented by this icon. In this example we chose the name WGRD to represent the Firebox II/III appliance.


IP Address: Enter the external IP address of the Firebox II/III. In our example, 208.152.24.104.

Comment: Enter any notes, comments or reminders you might have.

Color: Choose a color. In our example, red.

3 From the tree view, select Topology and click Add. The Interface Properties window appears.

4 Enter the following information to define the external interface of the Firebox II/III appliance:

Name: Enter the name of the external interface of the Firebox II/III. In our example, eth0.

IP Address: Enter the external IP address of the Firebox II/III. In our example, 208.152.24.104.

Net Mask: Enter the netmask of the external interface. In our example, 255.255.255.0.

5 Click OK to close the Interface Properties window.

6 Click Add again and enter the following information to define the trusted interface of the Firebox II/III appliance:

Name: Enter the name of the trusted interface. In our example, eth1.

IP Address: Enter the IP address of the trusted interface. In our example, 192.168.3.253.

Net Mask: Enter the netmask of the trusted interface. In our example, 255.255.255.0.

7 Click OK to close the Interface Properties window.

8 Enable the Manually Defined option and select WGRD_net from the drop list.


9 From the tree view, select VPN.

10 From the Encryption Schemes field, enable the IKE checkbox and then click Edit. The IKE Properties window appears.


11 Enter the following information:

Support Key Exchange Encryption With: Enter the encryption type the Firebox II/III will use in phase 1 negotiations. This must match the phase 1 encryption method selected on the Firebox II/III. In our example, DES.

Support Data Integrity With: Enter the data integrity algorithm the Firebox II/III will use in phase 1 negotiations. This must match the phase 1 algorithm selected on the Firebox II/III. In our example, SHA1.

Support Authentication Methods: Select Pre-Shared Secret.

12 Click Edit Secrets. The Shared Secret window appears.

13 The peer should be the name of the FireWall-1. Select the peer and click Edit. The Enter secret field appears.


14 Enter the shared secret the FireWall-1 and Firebox II/III will use in negotiations. In our example, secret. Click Set. This must match the shared key entered on the Firebox II/III.

15 Click OK to close the Shared Secret window and return to the IKE Properties window.

16 Click Advanced. The Advanced IKE Properties window appears.

17 Enter the following information:

Support Diffie-Hellman Groups (IKE Phase 1): Determine the DH group the Firebox II/III will support in phase 1. In our example this is set to DH group 1 (768 bit). This must match the phase 1 DH group setting on the Firebox II/III.

Renegotiate IPSec (phase 2) Security associations every (seconds): Determine the number of seconds after which phase 2 security associations expire. Set this to 86400 seconds to match the phase 2 SA timeout on the Firebox II/III.

Renegotiate IPSec (phase 2) Security associations every (Kbytes): Determine the number of kilobytes that can pass through the tunnel before phase 2 security associations expire. In our example, enable this option and set it to 8192 Kbytes to match the phase 2 SA timeouts on the Firebox II/III.

Support Key Exchange for Subnets: This allows Phase 2 encryption key exchanges to take place between subnets and not just individual hosts. In our example, this feature is enabled.

18 Click OK to close the Advanced IKE Properties window, click OK to close the IKE Properties window, and click OK to close the Interoperable Device window and return to the Network Objects window. All of the icons you have created are displayed.


19 You are now done configuring the network objects. Click Close to return to the main Check Point Policy Editor window.

Configuring the IPSec Policy

1 Select Rules => Add Rule => Top.

2 From the Rule drop list, select Add Rule and then select Top. A new rule (rule #1) is added to your policy.

3 Right click on the SOURCE field of the new rule and select Add. The Network Objects window appears.

4 Select WGRD_net from the Network Objects window and click OK. The WGRD_net icon appears in the SOURCE field of the first policy rule.


5 Right click again on the SOURCE field of the new rule and select Add. The Network Objects window appears.

6 Select FW-1_net from the Network Objects window and click OK. The FW-1_net icon appears in the SOURCE field of the first policy rule.

7 Right click on the DESTINATION field of the new rule and select Add. The Network Objects window appears.

8 Select FW-1_net from the Network Objects window and click OK. The FW-1_net icon appears in the DESTINATION field of the first policy rule.


9 Right click again on the DESTINATION field of the new rule and select Add. The Network Objects window appears.

10 Select WGRD_net from the Network Objects window and click OK. The WGRD_net icon appears in the DESTINATION field of the first policy rule.

11 From the Action field, right click on drop and select encrypt.

NOTE: If you do not see “encrypt” among the Action options, you must enable traditional mode encryption. From the main Check Point Policy Editor window, go to Policy => Global Properties. From the tree view, select VPN-1 Pro and select traditional mode encryption.

12 Double click on the Action field. The Encryption Properties window appears.

13 Enable the IKE checkbox and then click Edit. The IKE Phase 2 Properties window appears.


14 Enter the following information:

Encryption Algorithm
This must match the phase 2 encryption algorithm on the Firebox II/III. In our example, 3DES.

Data Integrity
This must match the phase 2 data integrity settings on the Firebox II/III. In our example, SHA.

Compression Method
Set this to None.

Allowed Peer Gateway
Select the WGRD gateway from the drop-down list.

15 Click OK to close the IKE Phase 2 Properties window. Click OK again to close the Encryption Properties window and return to the main Check Point Policy Editor window.

16 Right click on the TRACK field and select log. This enables logging for the IPSec negotiations.

17 Right click on the INSTALL ON field, select Add and then Targets. The Targets window appears.

18 Select the appropriate Check Point device and then click OK.

Adding a default drop rule

If you do not have a default drop rule, add one for debugging purposes.

1 Select Rules => Add Rule => Bottom.

2 From the TRACK field, select log.

3 From the INSTALL ON field, select the FireWall-1 appliance.

This will allow you to log all packets dropped by the FireWall-1 appliance.

Disable NAT

Add a rule to make sure the FireWall-1 appliance does not NAT the inbound IPSec traffic.

1 From the Check Point Policy Editor main menu, click on the Address Translation tab.

2 Select Rules => Add Rule => Top. A blank rule appears at the top of the Address Translation tab.

3 From under the ORIGINAL PACKET section, right click on the SOURCE field and select Add. The Network Objects window appears.

4 Select FW-1_net and then click OK. The FW-1_net icon appears in the SOURCE field under the ORIGINAL PACKET section of the Address Translation tab.

5 From under the ORIGINAL PACKET section, right click on the DESTINATION field and select Add. The Network Objects window appears.

6 Select WGRD_net and then click OK. The WGRD_net icon appears in the DESTINATION field under the ORIGINAL PACKET section of the Address Translation tab.

7 Right click on the INSTALL ON field, select Add => Targets. The Targets window appears.

8 Select the FireWall-1 appliance and then click OK. The FireWall-1 appliance appears in the INSTALL ON field.

9 Select Policy => Global Properties. The Global Properties window appears.

10 Verify that the Accept VPN-1 & FireWall-1 control connections checkbox is enabled. This prevents you from accidentally locking yourself out of the FireWall-1.

11 Click OK.

12 Select Policy => Install. The Address Translation-Routing window appears. This window acts as a warning to let you know you have added NAT rules to the configuration.

13 Click OK to continue. The Policy Editor Warning window appears. This window alerts you that, in addition to the rules you defined, the default rules in Global Properties will also be enforced when this configuration is installed.

14 Click OK to continue. The Install Policy window appears.

15 Select the appropriate FireWall-1 appliance and then click OK. In our example, palm.

16 Click OK to continue. The Install Policy window displays log messages as it checks and installs the policy.

17 When the “VPN-1/FireWall-1 policy installation Succeeded for: <name of the FireWall-1 appliance>” message appears, click Close.

You are now done configuring and installing the IPSec policy on your FireWall-1 appliance.
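The rule-base built in the steps above has four properties a practitioner will want to confirm before installing the policy: the encrypt rule carries both networks in SOURCE and in DESTINATION, the FireWall-1 phase 2 proposal (3DES, SHA, no compression) matches the Firebox II/III side, a logging default drop rule sits at the bottom, and the first Address Translation rule leaves FW-1_net to WGRD_net untranslated. The following script is an added example, not WatchGuard or Check Point code; it does not read a real policy but models the rule-base with plain Python objects so the checks can run offline. The class names, field names and the sample rule-base at the bottom are constructed for illustration and mirror the objects named in this document.

```python
from dataclasses import dataclass
from typing import List, Set

# Simplified model of one row of the FireWall-1 security rule-base.
@dataclass
class Rule:
    source: Set[str]
    destination: Set[str]
    action: str            # "encrypt", "accept" or "drop"
    track: str = "none"    # "log" or "none"

# Simplified model of one row of the Address Translation tab.
# "Original" means the field is left untranslated (no NAT).
@dataclass
class NatRule:
    orig_source: str
    orig_destination: str
    xlate_source: str = "Original"
    xlate_destination: str = "Original"

# IKE phase 2 (IPSec SA) proposal on one side of the tunnel.
@dataclass
class Phase2:
    encryption: str
    integrity: str
    compression: str = "None"


def check_encrypt_rule(rules: List[Rule], local_net: str, remote_net: str) -> List[str]:
    """Both networks must appear in SOURCE and in DESTINATION of the encrypt rule,
    so traffic in either direction is sent into the tunnel; TRACK should be log."""
    encrypt = [r for r in rules if r.action == "encrypt"]
    if not encrypt:
        return ["security rule-base has no encrypt rule"]
    rule, both, problems = encrypt[0], {local_net, remote_net}, []
    if not both <= rule.source:
        problems.append(f"encrypt rule SOURCE is missing {sorted(both - rule.source)}")
    if not both <= rule.destination:
        problems.append(f"encrypt rule DESTINATION is missing {sorted(both - rule.destination)}")
    if rule.track != "log":
        problems.append("encrypt rule TRACK is not set to log")
    return problems


def check_phase2(firebox: Phase2, fw1: Phase2) -> List[str]:
    """Phase 2 algorithms must match on both peers; compression stays off."""
    problems = []
    if firebox.encryption.upper() != fw1.encryption.upper():
        problems.append(f"phase 2 encryption mismatch: Firebox {firebox.encryption}, FireWall-1 {fw1.encryption}")
    if firebox.integrity.upper() != fw1.integrity.upper():
        problems.append(f"phase 2 data integrity mismatch: Firebox {firebox.integrity}, FireWall-1 {fw1.integrity}")
    if fw1.compression != "None":
        problems.append("FireWall-1 compression method must be None")
    return problems


def check_default_drop(rules: List[Rule]) -> List[str]:
    """The last rule should be an Any/Any drop that logs, so dropped packets are visible."""
    if not rules:
        return ["security rule-base is empty"]
    last = rules[-1]
    if last.action != "drop" or last.source != {"Any"} or last.destination != {"Any"}:
        return ["last rule is not a default Any/Any drop rule"]
    if last.track != "log":
        return ["default drop rule does not log dropped packets"]
    return []


def check_nat_exemption(nat_rules: List[NatRule], local_net: str, remote_net: str) -> List[str]:
    """The first NAT rule must leave local_net -> remote_net untranslated."""
    if not nat_rules:
        return ["no Address Translation rule exempts tunnel traffic from NAT"]
    first = nat_rules[0]
    ok = (first.orig_source == local_net and first.orig_destination == remote_net
          and first.xlate_source == "Original" and first.xlate_destination == "Original")
    return [] if ok else [f"first NAT rule does not leave {local_net} -> {remote_net} untranslated"]


def check_configuration(rules, nat_rules, firebox_p2, fw1_p2,
                        local_net="FW-1_net", remote_net="WGRD_net") -> List[str]:
    """Run all checks; an empty list means the modelled configuration is consistent."""
    return (check_encrypt_rule(rules, local_net, remote_net)
            + check_phase2(firebox_p2, fw1_p2)
            + check_default_drop(rules)
            + check_nat_exemption(nat_rules, local_net, remote_net))


# Constructed sample mirroring the rule-base built in this document.
DOC_RULES = [
    Rule({"WGRD_net", "FW-1_net"}, {"FW-1_net", "WGRD_net"}, "encrypt", "log"),
    Rule({"Any"}, {"Any"}, "drop", "log"),
]
DOC_NAT = [NatRule("FW-1_net", "WGRD_net")]
FIREBOX_P2 = Phase2("3DES", "SHA")
FW1_P2 = Phase2("3DES", "SHA", "None")

if __name__ == "__main__":
    for line in check_configuration(DOC_RULES, DOC_NAT, FIREBOX_P2, FW1_P2) or ["configuration consistent"]:
        print(line)
```

Running the script against the sample prints "configuration consistent"; changing the Firebox side to MD5 while the FireWall-1 side keeps SHA reports the phase 2 data integrity mismatch, which is the kind of silent disagreement that otherwise only shows up as a failed negotiation in the TRACK log enabled in step 16.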

Copyright and Patent Information

Copyright© 1998 - 2002 WatchGuard Technologies, Inc. All rights reserved.

WatchGuard, Firebox, and “Designing Peace of Mind” are either trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.
