IBM Internet Security Systems
IBM Proventia® Network Multi-Function Security (MFS)
Configuring VPN from Proventia Network MFS to Check Point Systems
December 18, 2007
Overview
Introduction This document describes how to configure a VPN tunnel from a Proventia Network MFS running firmware 2.1 or later to Check Point NG FeaturePack 3 systems.
Intended use This document provides an example for configuring VPN from a Proventia Network MFS to a Check Point NG FeaturePack 3 system. The example is not designed for operational use without modification. A knowledgeable IPSEC network administrator or advanced user should design new, custom policies for operational use.
Scope This document does not provide specific procedures, but rather examples of settings. For specific instructions on how to configure these settings, refer to the documentation listed in the “Related documentation” section of this topic, below.
Related documentation
Refer to the Proventia Manager online Help and the IBM Proventia Network Multi-Function Security (MFS) Policy Configuration Guide for more information about the following:
● IKE settings
● IPSEC and IPSEC policies
● security gateways
● access policies
● NAT rules
For procedures for configuring the Check Point NG FP 3 system, refer to the documentation provided with your system.
Introduction This topic includes a topology graphic and a checklist to help you gather the information you need to configure VPN for your Proventia Network MFS and Check Point NG FP 3 system.
Topology The following graphic illustrates the network topology of a Proventia Network MFS configured for VPN with a Check Point NG FP 3 system. The example used in this document is based on the topology depicted.
[Figure: Subnet A (192.168.1.0/24) <-> Proventia Network MFS (internal 192.168.1.1, external a.a.a.a) <-> Internet <-> Check Point (external b.b.b.b, internal 10.1.0.1) <-> Subnet B (10.1.0.0/16)]
Table 1: Topology for VPN tunnel from Proventia Network MFS to Check Point
Checklist The following checklist indicates the information that you need before configuring your VPN tunnel.
Description
Proventia Network MFS external IP address _____________________________
Note: This is the IP address that you will use where a.a.a.a appears in the examples in this document.
Proventia Network MFS internal IP address _____________________________
Subnet A network address and mask (CIDR) _____________________________
Check Point external IP address _____________________________
Note: This is the IP address that you will use where b.b.b.b appears in the examples in this document.
Check Point internal IP address _____________________________
Subnet B network address and mask (CIDR) _____________________________
Preshared key (minimum of 16 characters) _____________________________
Note: Use signed certificates to identify the Proventia Network MFS and Check Point VPN
Contents of document subject to change.
Configuring the Proventia Network MFS Security Gateway
Introduction You must configure the security gateway that represents the Check Point system. The security gateway contains the IKE and IPSEC communication settings. To configure the security gateway, create an Auto Key IPSEC Security Gateway with the settings shown below.
Security gateway IKE Configuration general settings
Define the security gateway name, and configure IKE settings on the IKE Configuration tab, as shown in the following table:
Item | Setting
Name | To_Check_Point
Enabled | Selected
Comment | IPSEC tunnel to Check Point system
Direction | Both Directions
Exchange Type | Main Mode
Encryption Algorithm | 3DES
AES Key Length | N/A. Note: This list is available only if you select the AES encryption algorithm; it lets you select the AES key length.
Authentication Algorithm | MD5
Authentication Mode | Pre Shared Key
Pre-Shared Key | A text string value of at least 16 alphanumeric characters. Example: 1234567890abcdef. Note: Use the same text string for the Check Point NG FP3 system. The example value is for illustration only; for operational use generate a long random key and never reuse a published one.
Life Time Secs | 7200
Life Time KBytes | 0
DH Group | Group2
Local IP Address | Static Address. Note: In the IP Address field, type the external interface IP address of the Proventia Network MFS. Example: a.a.a.a
Remote IP Address | Static Address. Note: In the IP Address field, type the external interface IP address of the Check Point NG FP3 system. Example: b.b.b.b
Local ID | Static Address. Note: In the IP Address field, type the external interface IP address of the Proventia Network MFS. Example: a.a.a.a
Remote ID | Static Address. Note: In the IP Address field, type the external interface IP address of the Check Point system. Example: b.b.b.b
Table 3: IKE Configuration settings for the Proventia Network MFS
Note: 3DES and MD5 in Phase 1 reflect what this 2007 configuration targets; both are considered weak by current standards. Where both peers support it, select AES and a SHA-2 authentication algorithm instead. Whatever you choose, the IKE settings must be identical on the Proventia Network MFS and the Check Point system, because IKE negotiation fails on any mismatch.
IKE XAuth settings In the XAuth area of the IKE Configuration tab, the Enabled checkbox is cleared by default. Make sure that it stays cleared so that XAuth is disabled for this gateway-to-gateway tunnel.
IPSEC Configuration general settings
Define the IPSEC Configuration general settings on the IPSEC Configuration tab, as shown in the following table:
Item | Setting
Encapsulation Mode | Tunnel
Perfect Forward Secrecy | Group2
Advanced Settings | Disabled
Table 4: IPSEC Configuration general settings for the Proventia Network MFS
Adding a security proposal
In the Security Proposal area of the IPSEC Configuration tab, add a security proposal with the settings shown in the following table:
Item | Setting
Security Protocol | ESP with Auth
Auth Algorithm | SHA1
ESP Algorithm | AES
ESP AES Key Length | 256
Life Time Secs | 7200
Life Time KBytes | 10000
Table 5: Security Proposal settings for the Proventia Network MFS
Advanced settings In the Advanced Settings area of the IPSEC Configuration tab, the Enabled checkbox is cleared by default. Make sure that this checkbox is cleared to disable the advanced settings.
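To check that the two ends of the tunnel agree before bringing it up, here is an added example (not from the IBM document or from either product) that transcribes the MFS settings from Tables 3 to 5 and compares them with the Check Point side. The Check Point values are assumed to be the mirror image, because the pages describing them are not reproduced here; the DEPRECATED set, the dataclass names and the keyword overrides of checkpoint_gateway() are the example's own.

```python
"""Added example: Phase 1 / Phase 2 consistency check for the To_Check_Point
security gateway. MFS values are transcribed from Tables 3 to 5; the Check
Point peer is an assumed mirror image (those pages are not reproduced here)."""
from dataclasses import dataclass, replace

# Assumption: a present-day hardening baseline; the page itself uses 3DES/MD5.
DEPRECATED = {"3DES", "MD5"}
DOC_EXAMPLE_PSK = "1234567890abcdef"   # the example value printed in Table 3


@dataclass(frozen=True)
class Phase1:
    exchange: str
    encryption: str
    auth: str
    auth_mode: str
    psk: str
    lifetime_secs: int
    dh_group: str


@dataclass(frozen=True)
class Phase2:
    mode: str
    pfs_group: str
    protocol: str
    esp_alg: str
    esp_key_len: int
    auth_alg: str
    sa_lifetime_secs: int
    sa_lifetime_kbytes: int


@dataclass(frozen=True)
class Gateway:
    name: str
    local_ip: str
    remote_ip: str
    phase1: Phase1
    phase2: Phase2


def mfs_gateway() -> Gateway:
    """The To_Check_Point security gateway exactly as Tables 3 to 5 define it."""
    return Gateway(
        "To_Check_Point", local_ip="a.a.a.a", remote_ip="b.b.b.b",
        phase1=Phase1("Main Mode", "3DES", "MD5", "Pre Shared Key",
                      DOC_EXAMPLE_PSK, 7200, "Group2"),
        phase2=Phase2("Tunnel", "Group2", "ESP with Auth", "AES", 256,
                      "SHA1", 7200, 10000),
    )


def checkpoint_gateway(**overrides) -> Gateway:
    """Assumed Check Point peer: the mirror image of the MFS settings.
    Keyword overrides (e.g. dh_group="Group5") simulate a misconfigured peer."""
    base = mfs_gateway()
    p1 = replace(base.phase1, **{k: v for k, v in overrides.items()
                                 if k in Phase1.__dataclass_fields__})
    p2 = replace(base.phase2, **{k: v for k, v in overrides.items()
                                 if k in Phase2.__dataclass_fields__})
    return Gateway("To_Proventia", local_ip="b.b.b.b", remote_ip="a.a.a.a",
                   phase1=p1, phase2=p2)


def compare(a: Gateway, b: Gateway) -> dict:
    """Return {"errors": [...], "warnings": [...]}. Any error means Phase 1 or
    Phase 2 negotiation will not complete; warnings are hardening advice."""
    errors, warnings = [], []
    if a.remote_ip != b.local_ip or b.remote_ip != a.local_ip:
        errors.append("local/remote IP addresses are not mirrored")
    for fld in Phase1.__dataclass_fields__:
        va, vb = getattr(a.phase1, fld), getattr(b.phase1, fld)
        if fld == "psk":
            if va != vb:
                errors.append("pre-shared keys differ")   # never log the values
        elif va != vb:
            errors.append(f"phase1 {fld}: {va!r} != {vb!r}")
    for fld in Phase2.__dataclass_fields__:
        va, vb = getattr(a.phase2, fld), getattr(b.phase2, fld)
        if va != vb:
            errors.append(f"phase2 {fld}: {va!r} != {vb!r}")
    if a.phase1.auth_mode == "Pre Shared Key":
        if len(a.phase1.psk) < 16:
            errors.append("pre-shared key is shorter than 16 characters")
        if a.phase1.psk == DOC_EXAMPLE_PSK:
            warnings.append("pre-shared key is the documentation example value")
    used = {a.phase1.encryption, a.phase1.auth, a.phase2.esp_alg, a.phase2.auth_alg}
    for alg in sorted(used & DEPRECATED):
        warnings.append(f"{alg} is deprecated; prefer AES and SHA-2 on both peers")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for peer in (checkpoint_gateway(), checkpoint_gateway(dh_group="Group5")):
        print(peer.phase1.dh_group, compare(mfs_gateway(), peer))
```

The PSK is compared but never printed, and the Phase 2 lifetime fields are named separately from the Phase 1 lifetime so that an override hits only the phase it was meant for.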
Configuring the Proventia Network MFS IPSEC Policy
Introduction You must configure the IPSEC policy to define what is encrypted between the Proventia Network MFS and the Check Point system. The IPSEC policy is configured without network address translation (NAT).
Reference: See “Creating NAT Rules” on page 14.
IPSEC policy general settings
Define the IPSEC policy general settings as shown in the following table:
Item | Setting
Name | To_Check_Point
Enabled | Selected
Comment | IPSEC tunnel to Check Point system
Security Process | Encrypt
Protocol | All
Table 6: IPSEC policy general settings for the Proventia Network MFS
IPSEC policy remaining settings
Define the remaining IPSEC policy settings as shown in the following table:
On this subtab... | Select this item... | With this setting...
Security Gateway | Auto Key Security Gateway | To_Check_Point
Source Address | Network Address/#Network Bits (CIDR) | The network address and subnet mask for subnet A. Example: 192.168.1.0/24
Source Port | Any | N/A
Destination Address | Network Address/#Network Bits (CIDR) | The network address and subnet mask for subnet B. Example: 10.1.0.0/16
Destination Port | Any | N/A
Table 7: IPSEC policy remaining settings for the Proventia Network MFS
Creating an IPSEC Policy for Antivirus Protection with VPN Connection
Introduction The antivirus software proxies traffic to the external interface of the Proventia Network MFS for the following protocols:
● HTTP
● FTP
● SMTP
● POP3
To ensure that traffic analyzed by the antivirus software is sent to and received from the remote VPN subnet B through the tunnel, you must create an additional IPSEC policy. Without it, proxied connections originate from the external interface address (a.a.a.a), which the subnet A to subnet B policy does not match.
IPSEC policy general settings
Define the IPSEC policy general settings as shown in the following table:
Item | Setting
Name | AV_To_Check_Point
Enabled | Selected
Comment | IPSEC policy to protect AV traffic to Check Point
Security Process | Encrypt
Protocol | All
Table 8: IPSEC policy general settings for antivirus protection for VPN
IPSEC policy remaining settings
Define the remaining IPSEC policy settings as shown in the following table:
On this subtab... | Select this item... | With this setting...
Security Gateway | Auto Key Security Gateway | To_Check_Point
Source Address | Single IP Address | The external interface IP address of the Proventia Network MFS. Example: a.a.a.a. Note: This setting encapsulates traffic from the Proventia Network MFS external interface.
Source Port | Any | N/A
Destination Address | Network Address/#Network Bits (CIDR) | The network address and subnet mask for subnet B. Example: 10.1.0.0/16
Destination Port | Any | N/A
Table 9: IPSEC policy remaining settings for antivirus protection for VPN
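The following added example (not part of the IBM document) models the two IPSEC policies from Tables 6 to 9 as selector matches and shows what happens to antivirus-proxied traffic with and without the second policy. The packet samples are constructed, 203.0.113.10 is an assumed stand-in for a.a.a.a, and the first-match evaluation and the AV_PROXIED protocol set are assumptions drawn from the page's description.

```python
"""Added example: which IPSEC policy on the Proventia Network MFS encapsulates
a packet. Policies are transcribed from Tables 6 to 9; packets are constructed
samples and 203.0.113.10 stands in for a.a.a.a (assumption)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

MFS_EXTERNAL = "203.0.113.10"                  # a.a.a.a
SUBNET_A = "192.168.1.0/24"
SUBNET_B = "10.1.0.0/16"
AV_PROXIED = {"http", "ftp", "smtp", "pop3"}   # protocols the AV engine proxies


@dataclass(frozen=True)
class IpsecPolicy:
    name: str
    security_gateway: str
    source: str          # "Network Address/#Network Bits" or a single address
    destination: str
    protocol: str = "All"
    security_process: str = "Encrypt"

    def matches(self, src: str, dst: str, proto: str) -> bool:
        return (ip_address(src) in ip_network(self.source, strict=False)
                and ip_address(dst) in ip_network(self.destination, strict=False)
                and self.protocol in ("All", proto))


# Tables 6 and 7: subnet A to subnet B through the To_Check_Point gateway.
SUBNET_POLICY = IpsecPolicy("To_Check_Point", "To_Check_Point", SUBNET_A, SUBNET_B)
# Tables 8 and 9: the appliance's own external address to subnet B.
AV_POLICY = IpsecPolicy("AV_To_Check_Point", "To_Check_Point", MFS_EXTERNAL, SUBNET_B)


def effective_source(src: str, proto: str, av_enabled: bool) -> str:
    """The AV proxy terminates the client connection and re-originates it from
    the MFS external interface, as the page states for HTTP/FTP/SMTP/POP3."""
    return MFS_EXTERNAL if av_enabled and proto in AV_PROXIED else src


def select_policy(policies, src: str, dst: str, proto: str,
                  av_enabled: bool = True) -> Optional[str]:
    """Name of the policy whose selectors match, or None when the packet is not
    encapsulated and would leave the external interface in clear text.
    Assumption: the first matching policy wins, as the page states for access
    policies."""
    src = effective_source(src, proto, av_enabled)
    for policy in policies:
        if policy.matches(src, dst, proto):
            return policy.name
    return None


if __name__ == "__main__":
    # Constructed samples: an interactive session and an SMTP session, both
    # from a subnet A host to a subnet B host.
    for proto in ("ssh", "smtp"):
        for policies in ([SUBNET_POLICY], [SUBNET_POLICY, AV_POLICY]):
            print(proto, [p.name for p in policies],
                  select_policy(policies, "192.168.1.20", "10.1.0.5", proto))
```

The SMTP case with only the first policy returns None: the proxied connection is sourced from a.a.a.a, which is outside 192.168.1.0/24, so it would be sent to subnet B unencrypted. Adding AV_To_Check_Point makes that traffic match.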
Creating Related Access Policies for the Proventia Network MFS
Introduction You must create additional access policies on the Proventia Network MFS to do the following:
● enable Internet Security Association and Key Management Protocol (ISAKMP) traffic to the Proventia Network MFS external interface
Reference: See “Creating an Access Policy to Enable ISAKMP Traffic to the Proventia Network MFS” on page 11.
● enable traffic from subnet A to subnet B without NAT (Network Address Translation)
Reference: See “Creating Access Policies to Enable Traffic from Subnet A to Subnet B” on page 12.
Guideline You are creating a VPN tunnel in which the original IP addresses are preserved inside the ESP payload, so you do not need NAT for the subnets. You do, however, need rules that stop the appliance's own NAT from translating tunnel traffic. See “Creating NAT Rules” on page 14.
Order of access policies
The appliance processes access policies in the order that they appear in the Access Policy list, so place the VPN-related policies above any broader deny rule that would otherwise match the same traffic.
Creating an Access Policy to Enable ISAKMP Traffic to the Proventia Network MFS
Introduction Although you have defined the VPN tunnel between the Check Point system and the Proventia Network MFS, you must still configure the firewall to accept or deny traffic from the VPN peer. To do this, enable ISAKMP traffic to the Proventia Network MFS external interface.
To enable ISAKMP traffic to the Proventia Network MFS, enable the access policy that allows VPN traffic. You can identify this policy by the Comment field that includes the following default text:
Enable this rule for VPN Connectivity
Note: This access policy is disabled by default. You must enable it to allow VPN traffic. The policy admits IKE negotiation only from the Check Point external address (b.b.b.b); do not widen the source to Any.
ISAKMP access policy general settings
Define the access policy general settings as defined in the following table:
Item | Setting
Enabled | Selected
Action | Allow
Log Enabled | Not selected (optional)
Comment | Enable this rule for VPN Connectivity
Table 10: ISAKMP access policy general settings
ISAKMP access policy remaining settings
Define the remaining access policy settings as shown in the following table:
On this subtab... | Select this item... | With this setting...
Protocol | Protocol Name list | UDP
Source Address | Single IP Address | The external interface IP address of the Check Point system. Example: b.b.b.b
Source Port | Any | N/A
Destination Address | Self | N/A
Destination Port | Specify Network Objects | ISAKMP_UDP (UDP port 500)
Creating NAT Rules
Introduction In firmware version 2.1 and later, you must add NAT (Network Address Translation) rules to bypass NAT and ensure that the appliance does not translate packets that travel between subnets. The additional NAT rules are as follows:
● a Source NAT Rule
● a Destination NAT Rule
Source NAT Rule general settings
Create a Source NAT Rule with general settings as defined in the following table:
Item | Setting
Name | CheckPoint_BypassNAT_Src
Enabled | Selected
Comment | Source NAT Rule to bypass NAT
Table 16: Source NAT Rule general settings
Source NAT Rule remaining settings
Define the remaining Source NAT Rule settings as shown in the following table:
On this subtab... | Select this item... | With this setting...
Note: Make sure that the Source NAT Rule is in the first position in the Source NAT Rules table. NAT rules are applied in order; a translating rule placed above it would rewrite the source address, and the packet would no longer match the IPSEC policy selectors.
Destination NAT Rule general settings
Create a Destination NAT Rule with general settings as defined in the following table:
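This added example (not from the IBM document) shows why the bypass rule must be first. Because the page gives only the rule's name and purpose, its match fields, the hide-NAT rule it must precede, and the assumption that source NAT is applied before the IPSEC policy selectors are evaluated are all the example's own; 203.0.113.10 stands in for a.a.a.a. It also illustrates the first-match ordering the page states for access policies.

```python
"""Added example: ordering of the Source NAT Rules table. CheckPoint_BypassNAT_Src
is named in Table 16; its match fields, the hide-NAT rule and the NAT-before-
IPSEC processing order are assumptions. 203.0.113.10 stands in for a.a.a.a."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

MFS_EXTERNAL = "203.0.113.10"   # a.a.a.a
SUBNET_A = ip_network("192.168.1.0/24")
SUBNET_B = ip_network("10.1.0.0/16")


@dataclass(frozen=True)
class SourceNatRule:
    name: str
    source: str
    destination: str
    translate_to: Optional[str]   # None means bypass: leave the source unchanged

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.source)
                and ip_address(dst) in ip_network(self.destination))


# Bypass rule from Table 16; match fields assumed (subnet A to subnet B).
BYPASS = SourceNatRule("CheckPoint_BypassNAT_Src", "192.168.1.0/24", "10.1.0.0/16", None)
# Assumed: the usual hide-NAT rule that masquerades subnet A behind a.a.a.a.
HIDE_NAT = SourceNatRule("Hide_SubnetA", "192.168.1.0/24", "0.0.0.0/0", MFS_EXTERNAL)


def apply_source_nat(rules, src: str, dst: str) -> str:
    """Walk the Source NAT Rules table top to bottom; the first match decides.
    Assumption: first-match evaluation, as the page states for access policies."""
    for rule in rules:
        if rule.matches(src, dst):
            return src if rule.translate_to is None else rule.translate_to
    return src


def encapsulated_by_tunnel(rules, src: str, dst: str) -> bool:
    """True if, after source NAT, the packet still matches the To_Check_Point
    IPSEC policy selectors (subnet A to subnet B, Table 7). Assumption: source
    NAT runs before the IPSEC selectors are consulted, which is the reason the
    page requires the bypass rules at all."""
    new_src = apply_source_nat(rules, src, dst)
    return ip_address(new_src) in SUBNET_A and ip_address(dst) in SUBNET_B


if __name__ == "__main__":
    # Constructed sample: a subnet A host talking to a subnet B host.
    for order in ([BYPASS, HIDE_NAT], [HIDE_NAT, BYPASS]):
        print([r.name for r in order],
              apply_source_nat(order, "192.168.1.20", "10.1.0.5"),
              encapsulated_by_tunnel(order, "192.168.1.20", "10.1.0.5"))
```

With the hide-NAT rule first, the packet leaves with source a.a.a.a and falls outside the 192.168.1.0/24 selector, so it is never encrypted; with the bypass rule first it keeps its original address and enters the tunnel, while Internet-bound traffic from subnet A is still masqueraded.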
Configuring Check Point Modes and Objects
Introduction Configuring Check Point modes and objects includes the following tasks:
● verifying the Check Point VPN-1 Pro mode
● creating network objects
Notes:
● This document covers only Traditional mode. For help with setting up a VPN connection in Simplified mode, consult your Check Point documentation.
● If you change from Simplified mode to Traditional mode in the Global Properties window, then you must create a new policy so that the Encrypt Action is available for firewall rules.
Verify Check Point VPN-1 Pro mode
To verify Check Point VPN-1 Pro mode:
1. Open the Management console and log in.
2. Select Policy > Global Properties.
3. Click VPN-1 Pro in the left window pane.
4. Verify that the VPN configuration method is Traditional mode.
Important: If the policy is not in Traditional mode, then select one of the Traditional Mode options, click OK, and then select File > New... to create a new policy.
Create network objects
To create network objects:
1. In the Management console, click the Network Objects icon to display the Network Objects tree.
2. Expand the Network Objects tree.
3. Right-click Networks, and then select New Network.
4. Provide the following information on the General tab:
Item | Setting
Name | Subnet_A
Network Address | The network IP address for subnet A
5. Click OK to save the network.
6. Does a network object already exist for the internal network protected by the Check Point NG FP 3 firewall?
IBM and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. ADDME, Ahead of the threat, BlackICE, Internet Scanner, Proventia, RealSecure, SecurePartner, SecurityFusion, SiteProtector, System Scanner, Virtual Patch, X-Force and X-Press Update are trademarks or registered trademarks of Internet Security Systems, Inc. in the United States, other countries, or both. Internet Security Systems, Inc. is a wholly-owned subsidiary of International Business Machines Corporation.
Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation in the United States, other countries, or both.
Other company, product and service names may be trademarks or service marks of others.
References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.