Prepared By: Simon Richardson Department Professional
Services Version: 1.0 Dated: 30th August 2011
Classification: Released Page Page 1 of 25
Carrwood Park T 0113 341 0123 Swillington Common Road E [email protected] Selby Road W www.itogether.co.uk Leeds LS15 4LG
Checkpoint NGX (R75) to Vyatta VC6.2
Virtual Firewall VPN (virtual private network)
CONTENTS
1. Introduction 1
2. Aim 2
3. Roles & Responsibilities 3
4. Procedure 4
1 Introduction
This document shows the screenshots and configuration needed to
establish an IPsec tunnel between Checkpoint NGX R75 (no HFAs) and
Vyatta VC 6.2.
The author had no previous experience of Vyatta, and the third party
managing the Vyatta had no previous experience of managing Checkpoint
products.
2 Aim
To help someone establish, or troubleshoot, a VPN tunnel between
Checkpoint and Vyatta products.
3 Roles & Responsibilities
The customer and the third party must each have a clear understanding
of their own firewall product, and of how to establish and troubleshoot
VPNs.
4 Procedure
Here is the config for the Checkpoint end.
As this was set up on production equipment, the screenshots are partly
obfuscated for security reasons. Transpose your own IP addressing into
the procedure to ensure the tunnel works.
Be careful when enabling or disabling PFS (Perfect Forward Secrecy): the
setting must be the same at both ends. If PFS is disabled on the
Checkpoint but enabled on the Vyatta, the tunnel establishes one-way:
the Vyatta end can ping the Checkpoint-protected network, but not vice
versa.
One thing we noticed, which needs careful consideration, is that if the
VPN domain is not manually defined in the Checkpoint gateway object
(Topology), it will be necessary to create a tunnel on the Vyatta to
EVERY network directly connected to the Checkpoint firewall. For
example, imagine the Checkpoint firewall has five network interfaces
like this:
10.0.5.0/24
172.16.60.0/24
192.168.1.0/24
172.17.1.0/24
Internet range x.x.x.x/30
You will need to create tunnels to all of these ranges other than the
Internet range. This is because a Checkpoint firewall without a manually
defined encryption domain derives the domain from its topology and
offers all of its internal networks to the Vyatta, whereas on the Vyatta
you normally define only the single network (or networks) you want in
the encryption domain; the Vyatta cannot reconcile the extra networks
with its own tunnel definitions. This seems only to be an issue between
Checkpoint and non-Checkpoint products. Checkpoint-to-Checkpoint tunnels
are much more ‘forgiving’ when it comes to topology.
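The two caveats above (PFS must match on both peers, and a topology-derived Checkpoint VPN domain needs a Vyatta tunnel for every internal network) are easy to get wrong by hand. The following Python script is an added example, not part of this document and not Checkpoint or Vyatta code. It derives the encryption domain a Checkpoint gateway will offer from a constructed interface list, lists the networks the Vyatta has no tunnel for, emits the corresponding Vyatta tunnel commands, and flags a PFS mismatch. The interface names, the addresses (203.0.113.0/30 stands in for the x.x.x.x/30 Internet range above), the local subnet 192.168.100.0/24, the esp-group name ESP-CP and the VC6.2 command syntax are all assumptions made for the example.

```python
from ipaddress import ip_network

# Constructed sample topology for the Checkpoint gateway, as
# (interface, address/prefix, is_external). 203.0.113.0/30 is a documentation
# range standing in for the "x.x.x.x/30" Internet range in the text; the four
# internal subnets are the ones from the worked example.
CHECKPOINT_INTERFACES = [
    ("eth0", "203.0.113.2/30", True),    # external / Internet-facing
    ("eth1", "10.0.5.1/24", False),
    ("eth2", "172.16.60.1/24", False),
    ("eth3", "192.168.1.1/24", False),
    ("eth4", "172.17.1.1/24", False),
]


def encryption_domain(interfaces, manual_domain=None):
    """Networks the Checkpoint gateway will offer as its VPN (encryption) domain.

    With a manual domain set in the gateway object's Topology, that is offered
    as-is. Without one, Checkpoint derives the domain from topology: every
    network behind an internal interface, never the external interface.
    """
    if manual_domain:
        nets = [ip_network(n) for n in manual_domain]
    else:
        nets = [ip_network(addr, strict=False)
                for _name, addr, external in interfaces if not external]
    return [str(n) for n in sorted(nets)]


def missing_tunnels(offered, vyatta_remote_subnets):
    """Offered networks for which the Vyatta has no tunnel (remote-subnet)."""
    have = {ip_network(n) for n in vyatta_remote_subnets}
    return [n for n in offered if ip_network(n) not in have]


def vyatta_tunnel_commands(peer, local_subnet, esp_group, remote_subnets):
    """One Vyatta tunnel per remote network, numbered from 1.

    Assumed VC6.2 syntax ('set vpn ipsec site-to-site peer <ip> tunnel <n> ...');
    verify against the installed release before pasting into configure mode.
    """
    cmds = []
    for idx, remote in enumerate(remote_subnets, start=1):
        base = f"set vpn ipsec site-to-site peer {peer} tunnel {idx}"
        cmds.append(f"{base} esp-group {esp_group}")
        cmds.append(f"{base} local-subnet {local_subnet}")
        cmds.append(f"{base} remote-subnet {remote}")
    return cmds


def pfs_mismatch(checkpoint_pfs, vyatta_pfs):
    """Return a warning when PFS differs between the peers, else None.

    Observed in the text: PFS disabled on the Checkpoint and enabled on the
    Vyatta brings the tunnel up one-way (Vyatta-initiated traffic works,
    Checkpoint-initiated traffic does not). The fix is the same setting on both.
    """
    if checkpoint_pfs == vyatta_pfs:
        return None
    label = {True: "enabled", False: "disabled"}
    return (f"PFS mismatch: Checkpoint {label[checkpoint_pfs]}, Vyatta "
            f"{label[vyatta_pfs]}. Expect a one-way tunnel until both match.")


if __name__ == "__main__":
    offered = encryption_domain(CHECKPOINT_INTERFACES)
    print("Checkpoint will offer:", offered)
    # A Vyatta configured with a single tunnel, as one would normally do.
    print("No Vyatta tunnel for:", missing_tunnels(offered, ["192.168.1.0/24"]))
    # Tunnels needed while the Checkpoint domain is topology-derived.
    print("\n".join(vyatta_tunnel_commands("203.0.113.2", "192.168.100.0/24",
                                           "ESP-CP", offered)))
    print(pfs_mismatch(checkpoint_pfs=False, vyatta_pfs=True))
```

Run it with python3. The printed `set ...` lines are the tunnel definitions that would be entered in Vyatta configure mode (followed by `commit` and `save`) when the Checkpoint domain is left topology-derived; defining the VPN domain manually on the Checkpoint (the `manual_domain` argument) collapses that to a single tunnel.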
Screenshot: Checkpoint firewall object, defined in this case with the
external/Internet-facing IP address.
Screenshot: inside LAN IP address subnet with a /24 (class C) mask.
The log shows that the tunnel initially failed (PFS was enabled on the
Vyatta end but not on the Checkpoint); once PFS was set consistently,
the ping and RDP test connections initiated from the Checkpoint side
worked fine.
Note that the Phase 1 and Phase 2 lifetimes had been changed from the
Checkpoint defaults; lifetimes should agree with the Vyatta ike-group
and esp-group settings.
Note that NAT had been disabled for traffic inside the VPN community,
and the tunnel used simplified mode with all traffic allowed to pass
for testing. This permit-all rule is for testing only. Before going
into production, a rule for the ‘VPN community’ should be set up to
filter traffic by source, destination and service type.