chkp_vpn

Date post: 07-Apr-2018
  • 8/6/2019 chkp_vpn


    SofaWare VPN Configuration Guide

    Part No.: 700411

    Oct 2002

    For Safe@ gateway version 3

    2 SofaWare VPN Configuration Guide

    COPYRIGHT & TRADEMARKS

    Copyright 2002 SofaWare, All Rights Reserved. SofaWare, SofaWare S-box, Safe@Home and Safe@Office are trademarks, service marks,

    or registered trademarks of SofaWare Technologies Ltd.

    Check Point, the Check Point logo, FireWall-1, FireWall-1 SecureServer, FireWall-1 SmallOffice, FloodGate-1, INSPECT, IQ Engine, Meta

    IP, MultiGate, Open Security Extension, OPSEC, Provider-1, SecureKnowledge, SecureUpdate, SiteManager-1, SVN, UAM, User-to-Address

    Mapping, UserAuthority, Visual Policy Editor, VPN-1, VPN-1 Accelerator Card, VPN-1 Gateway, VPN-1 SecureClient, VPN-1 SecuRemote,

    VPN-1 SecureServer, VPN-1 SmallOffice, and ConnectControl are trademarks, service marks, or registered trademarks of Check Point

    Software Technologies Ltd. or its affiliates.

    All other product names mentioned herein are trademarks or registered trademarks of their respective owners.

    The products described in this document are protected by U.S. Patent No. 5,606,668 and 5,835,726 and may be protected by other U.S.

    Patents, foreign patents, or pending applications.

    Contents

    Contents .................................................................................................................................................................. 3

    Introduction............................................................................................................................................................ 5

    SofaWare Safe@Home ....................................................................................................................................... 6

    SofaWare Safe@Home Pro................................................................................................................................. 6

    SofaWare Safe@Office....................................................................................................................................... 6

    SofaWare Safe@Office Plus ............................................................................................................................... 6

    About This Guide................................................................................................................................................ 6

    Typographical Conventions .................................................................................................................... 7

    Contacting Technical Support ............................................................................................................................. 7

    VPN Connectivity Solution Models ...................................................................................................................... 9

    Safe@Office to Safe@Office (Site-to-Site VPN) ............................................................................................. 10

    Safe@Office to VPN-1 (Site-to-Site VPN)....................................................................................................... 11

    VPN RAS Client to VPN-1 VPN RAS Server.................................................................................................. 12

    VPN RAS Client to Safe@Office VPN RAS Server ........................................................................................ 13

    Using Safe@Home Pro as a VPN RAS Client.................................................................................................. 14

    Configuring VPN-1 NG FP1 and FP2 for Site-to-Site VPN..............................................................................15

    Configuring VPN-1 NG FP1/FP2 for Site-to-Site VPN.................................................................................... 16

    Configuring VPN-1 4.1 for Site-to-Site VPN......................................................................................................37

    Configuring VPN-1 4.1 for Site-to-Site VPN ................................................................................................... 38

    Configuring VPN-1 for Safe@ RAS VPN .......................................................................................................... 53

    Configuring VPN-1 NG for Safe@ RAS VPN ................................................................................................. 53

    Configuring VPN-1 4.1 for Safe@ RAS VPN.................................................................................................. 64

    Configuring VPN-1 NG FP3................................................................................................................................ 73

    Configuring Safe@ gateway to NG FP3 In Client to Site Mode................................................................... 74

    Configuring Safe@ gateway to NG FP3 in Site To Site mode...................................................................... 79

    Introduction


    SofaWare Safe@Home

    Safe@Home protects your home network from hostile Internet activity. It is intended for home users and can be

    used by up to five computers and users.

    SofaWare Safe@Home Pro

    In addition to all the benefits of SofaWare Safe@Home, SofaWare Safe@Home Pro provides Virtual Private

    Networking (VPN) functionality. SofaWare Safe@Home Pro contains a remote access VPN client, which enables

    employees working from home to securely connect to the corporate network.

    SofaWare Safe@Home Pro is intended for home users who are part of an extended enterprise network. It can be

    used by up to five computers and users.

    SofaWare Safe@Office

    SofaWare Safe@Office provides all the benefits of SofaWare Safe@Home Pro, along with expanded VPN

    functionality. It acts not only as a remote access VPN client, but as a remote access VPN server which is installed

    office-side to protect the company's VPN and make it available to telecommuting employees. SofaWare

    Safe@Office can also be configured as a VPN gateway, which allows permanent Site-to-Site VPN connections

    between two gateways, such as two company offices.

    SofaWare Safe@Office is intended both for companies with extended enterprise networks and for their employees

    working from home. It can be used by up to ten computers and users.

    SofaWare Safe@Office Plus

    SofaWare Safe@Office Plus extends SofaWare Safe@Office to support up to 25 computers and users.

    About This Guide

    This guide describes supported VPN solutions and provides instructions for implementing them.

    You should be familiar with the following before using this guide:

    ! Basic FW-1/VPN-1 use. For information, refer to the Check Point VPN-1/FireWall-1 Administration Guide.

    ! S-box use for your software configuration. For information, refer to the SofaWare S-box Getting Started

    Guide.

    Typographical Conventions

    To make finding information in this manual easier, some types of information are marked with special symbols or

    formatting.

    Boldface type is used for command and button names.

    Note: Notes are denoted by indented text and preceded by the Note icon.

    Important: Important notes are denoted by indented text and preceded by the Important icon.

    Contacting Technical Support

    To contact technical support, send an email to: [email protected]

    Chapter 2

    VPN Connectivity Solution Models

    A virtual private network (VPN) consists of at least one VPN remote access (RAS) server or VPN gateway, and

    several VPN RAS clients. A VPN RAS server makes the corporate network remotely available to authorized

    users, such as employees working from home, who connect to the VPN RAS server using VPN RAS clients. A

    VPN gateway can be connected to another VPN gateway in a permanent, bi-directional relationship (Site-to-Site

    VPN). The two connected networks function as a single network.

    A connection between two VPN sites is called a VPN tunnel. VPN tunnels encrypt and authenticate all traffic

    passing through them. Through these tunnels, employees can safely use their company's network resources when

    working at home. For example, they can securely read email, use the company's intranet, or access the company's

    database from home.

    SofaWare Safe@Home Pro and SofaWare Safe@Office provide VPN functionality. SofaWare Safe@Home Pro

    contains a VPN RAS client. SofaWare Safe@Office can act as a VPN RAS client, a VPN RAS server, or a Site-

    to-Site VPN gateway.

    Both SofaWare Safe@Office and Safe@Home Pro enable a number of solutions to support your VPN

    connectivity needs. This chapter describes the following four basic solutions:

    ! Safe@Office to Safe@Office (Site-to-Site VPN) , page 10

    ! Safe@Office to VPN-1 (Site-to-Site VPN), page 11

    ! VPN RAS Client to VPN-1 VPN RAS Server, page 12

    ! VPN RAS Client to Safe@Office VPN RAS Server, page 13


    Safe@Office to Safe@Office (Site-to-Site VPN)

    This solution enables you to establish Site-to-Site VPN connections between Safe@Office Site-to-Site VPN

    gateways.

    Note: In this solution model, both Safe@Office Site-to-Site VPN gateways must have a static IP address.

    Figure 1 shows a sample implementation of the Safe@Office to Safe@Office solution with three Safe@Office

    appliances (sbox1, sbox2, and sbox3). Each S-box acts as a Site-to-Site VPN gateway for a fully secure network.

    The networks communicate via VPN connections.

    Figure 1:Safe@Office to Safe@Office (Site-to-Site VPN)

    For information on configuring Safe@Office for Site-to-Site VPN, refer to the SofaWare S-box Getting Started

    Guide.

    Safe@Office to VPN-1 (Site-to-Site VPN)

    This solution enables you to establish Site-to-Site VPN connections between a Safe@Office Site-to-Site VPN

    gateway and a VPN-1 Site-to-Site VPN gateway.

    Note: In this solution model, both the VPN-1 and Safe@Office Site-to-Site VPN gateways must have a static IP address. Dynamic IP in Site-to-Site VPN is supported using a certificate. For more information refer to www.sofaware.com or [email protected].

    Figure 2 shows a sample implementation of the Safe@Office to VPN-1 solution, in which two Safe@Office

    appliances (sbox1 and sbox2) are connected to a VPN-1 Site-to-Site VPN gateway.

    Figure 2:Safe@Office to VPN-1 (Site-to-Site VPN)

    For information on configuring VPN-1 NG for Site-to-Site VPN, see Configuring VPN-1 NG FP1 and FP2 for Site-to-Site VPN, page 15, or Configuring VPN-1 NG FP3, page 73.

    For information on configuring VPN-1 4.1 for Site-to-Site VPN, see Configuring VPN-1 4.1 for Site-to-Site

    VPN, page 37.

    VPN RAS Client to VPN-1 VPN RAS Server

    This solution enables Safe@, Check Point SecureClient, and Check Point SecuRemote VPN RAS clients to

    connect to a VPN-1 VPN RAS server.

    Note: In this solution model, the VPN-1 VPN RAS server must have a static IP address.

    Figure 3 shows a sample implementation of the VPN RAS Client to VPN-1 VPN RAS Server solution, in which

    two Safe@ appliances (sbox1 and sbox2), a Check Point SecuRemote, and a Check Point SecureClient act as

    VPN RAS clients that download topology information from a VPN-1 VPN RAS gateway.

    Figure 3: VPN RAS Client to VPN-1 VPN RAS Server

    For information on configuring VPN-1 NG or VPN-1 4.1 as a VPN RAS server, see Configuring VPN-1 NG for Safe@ RAS

    VPN, page 53, and Configuring VPN-1 4.1 for Safe@ RAS VPN, page 64.

    VPN RAS Client to Safe@Office VPN RAS Server

    This solution enables Safe@Home Pro, Safe@Office, Check Point SecureClient, and Check Point SecuRemote

    VPN RAS clients to connect to a Safe@Office VPN RAS server.

    Note: In this solution model, the Safe@Office VPN RAS server must have a static IP address.

    Figure 4 shows a sample implementation of the VPN RAS Client to Safe@Office VPN RAS Server solution, in

    which two Safe@ appliances (sbox1 and sbox2), a Check Point SecuRemote, and a Check Point SecureClient act

    as VPN RAS clients that download topology information from the Safe@Office VPN RAS server (sbox3).

    Figure 4: VPN RAS Client to Safe@Office VPN RAS Server

    For information on configuring Safe@Home Pro, Safe@Office, Check Point SecuRemote, or Check Point

    SecureClient as a VPN RAS client to a Safe@Office VPN RAS server, refer to the SofaWare S-box Getting

    Started Guide.

    Using Safe@Home Pro as a VPN RAS Client

    Safe@Home Pro functions in VPN RAS client mode, in which connection is initiated only by the VPN RAS

    client.

    Safe@Home Pro uses only Manual mode VPN connection, in which the end-user surfs to http://my.vpn and

    selects the VPN RAS server to which they want to establish a VPN connection.

    Figure 5 shows Safe@Home Pro acting as a VPN RAS client to VPN-1 and Safe@Office VPN RAS servers.

    Figure 5:Safe@Home Pro VPN RAS Client

    Chapter 3

    Configuring VPN-1 NG FP1 and FP2 for Site-to-Site VPN

    This chapter explains how to configure Check Point VPN-1 NG FP1/FP2 for the Safe@Office to VPN-1 (Site-to-

    Site VPN) solution described in Safe@Office to VPN-1 (Site-to-Site VPN), page 11.

    Note: To configure NG FP3, refer to Chapter 6, Configuring VPN-1 NG FP3, page 73.

    This chapter contains the following sections:

    ! Configuring VPN-1 NG FP1/FP2 for Site-to-Site VPN , page 16

    VPN-1 NG FP2 must be configured to work in Traditional Mode.

    Note: The screens shown in this chapter appear in both VPN-1 NG FP1 and FP2. Where FP1 and FP2 screens differ, both are shown.

    Note: You must configure the VPN-1 object to use a pre-shared secret before you configure VPN-1 NG FP1/FP2 for Site-to-Site.

    Note: Working with Dynamic IPs and certificates is supported. For more information, please refer to www.sofaware.com or contact [email protected].

    Configuring VPN-1 NG FP1/FP2 for Site-to-Site VPN

    To configure VPN-1 NG FP1/FP2 for Site-to-Site VPN

    1. Open the Check Point Policy Editor.

    2. Create an S-box object by doing the following:

    a. In the Manage menu, click Network Objects.

    The Network Objects dialog box appears.

    b. If you are using FP1, click New and then click Workstation.

    The Workstation Properties dialog box appears with the General tab displayed.

    Do the following:

    1) In the Name field, type the objects name.

    2) In the IP Address field, type the S-box's hiding address.

    3) In the Type area, select Gateway.

    4) Select Check Point products installed.

    5) In the Version list, select 4.1.

    6) In the Check Point Products list, select Firewall-1 and VPN-1.

    7) In the Object Management area, select Managed by another Management Server [External].

    c. If you are using FP2, click New, Check Point, and then Externally Managed Gateway.

    The Externally Managed Check Point Gateway dialog box opens with General Properties tab

    displayed.

    Do the following:

    1) In the Name field, type the objects name.

    2) In the Version list, select 4.1.

    3) In the IP Address field, type the S-box's hiding address.

    4) In the Check Point Products list, select Firewall-1 and VPN-1 Pro.

    d. Click Topology.

    The Topology tab is displayed. By default, no interfaces are defined.

    e. Add both an internal and external S-box interface. Do the following for each interface:

    1) Click Add.

    The Interface Properties dialog box appears with the General tab displayed.

    2) Type the interface's name, IP address, and subnet mask in the appropriate fields.

    3) Click on the Topology tab.

    The Topology tab is displayed.

    4) If you are configuring the external interface, select External (leads out to the Internet) in the

    Topology area. Do not change the other settings.

    5) If you are configuring the internal interface, select Internal (leads to the local network) in the

    Topology area, and select Network defined by the interface IP in the IP address Behind this

    interface area. Do not change the other settings.

    6) Select All IP Address behind Gateway based on Topology.

    7) Click OK.

    f. In the menu, click VPN.

    The VPN tab is displayed.

    Note: In FP1, FWZ appears in the Encryption Schemes list. Do not select FWZ.

    g. Click Edit.

    The IKE Properties dialog box appears.

    h. In the Support authentication methods area, select Pre-shared Secret, and click Edit Secrets....

    The Shared Secret dialog box appears.

    Do the following:

    1) In the Peer Name column, click on the S-box's peer name.

    Note: If the VPN-1 object was not configured to use a pre-shared secret, the peer name will not be listed.

    2) In the Enter Secrets field, type the unique password that should be used by the S-box and VPN-1

    when establishing VPN connections to each other.

    3) Click Set.

    4) Click OK.

    The IKE Properties dialog box reappears.

    i. Click Advanced.

    The Advanced IKE properties dialog box appears.

    j. Optional - Select the Support aggressive mode check box.

    Note: Main mode is supported in Site to Site configuration.

    k. Click OK.

    The IKE Properties dialog box reappears.

    l. Click OK.

    The Externally Managed VPN Host dialog box reappears with the VPN tab displayed.

    m. Click OK.

    3. Set VPN properties for the VPN-1 NG FP1/FP2 object by doing the following:

    a. In the Manage menu, click Network Objects.

    The Network Objects dialog box appears.

    b. Select the VPN-1 NG object and click Edit.

    The Check Point Gateway dialog box opens with General Properties tab displayed.

    c. In the menu, click VPN.

    The VPN tab is displayed.

    d. Select IKE and click Edit.

    The IKE Properties dialog box appears.

    e. Click Advanced.

    The Advanced IKE properties dialog box appears.

    f. Select the Support aggressive mode check box.

    g. Click OK.

    The IKE Properties dialog box reappears.

    h. Click OK.

    The VPN tab reappears with certificate information displayed.

    4. If desired, create a Topology user by doing the following:

    Note: A Topology user is a User object that enables the S-box to download the VPN-1 NG FP1/FP2 topology. If you do not create a Topology user, you must specify the VPN-1's network configuration in the S-box VPN wizard.

    a. In the menu, click Topology.

    The Topology tab is displayed.

    b. Select Exportable for SecuRemote/SecureClient.

    c. Click OK.

    d. In the Manage menu, choose Users and Administrators.

    The Users window opens.

    e. Click New, Users by Template, and then Default.

    The Users Properties dialog box appears with the General tab displayed.

    f. Type the login name. In this example the name Topology is used.

    g. Click on the Encryption tab.

    The Encryption tab is displayed.

    Note: In FP1, FWZ appears in the Client Encryption Methods list. Do not select FWZ.

    h. Select IKE and click Edit.

    The IKE Properties dialog box appears.

    Do the following:

    1) Select the Password (pre-shared Secret) checkbox.

    The Password and Confirm Password fields are enabled.

    2) In the Password and Confirm Password fields, type the pre-shared secret for the S-box.

    3) Click on the Encryption tab.

    The Encryption tab is displayed.

    If you are using FP1, the screen appears as follows:

    If you are using FP2, the screen appears as follows:

    4) If you are using FP2, select Defined below.

    5) In the Encryption Algorithm list, select 3DES.

    6) In the Data Integrity area, select SHA1.

    7) Click OK.

    The User Properties dialog box reappears with the Encryption tab displayed.

    i. Click OK.

    The Users window reappears.

    j. Click Close.

    5. Configure the rule base.

    Example 1

    Note: Example 1 matches the Unrestricted configuration mode in the Safe@ gateway. In this case, all traffic should be directed to the secured network (and not to

    the external IP of the Safe@ gateway). All VPN traffic will be allowed into the Safe@ secured network, and no VPN ONLY Allow / Server rules need to be defined in the Safe@ gateway.

    Note: The object Internal represents the encryption domain of the NG firewall. The object Sbox_Network represents the subnet behind the Safe@ gateway.

    Note: If VPN access to the NG firewall itself is also needed, the NG object needs to

    appear in the rule base as well.

    Note: In this instance, the services that will be encrypted in both directions are ICMP, Telnet and FTP.

    Example 2

    Note: Example 2 matches the Restricted configuration mode in the Safe@ gateway. In this case all traffic must be directed to the external interface of the Safe@ gateway, and can be forwarded inbound using VPN ONLY Allow / Server rules. Directing the traffic to the secured network behind the Safe@ gateway is not allowed in this mode.

    Note: The object called Internal represents the encryption domain of the NG firewall.

    Note: If VPN access to the NG firewall itself is also needed, the NG object needs to

    appear in the rule base as well.

    Note: In this instance, the services that will be encrypted in both directions are ICMP, Telnet and FTP.
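The rule-base screenshots for Example 1 and Example 2 did not survive in this transcript, so the following Python reconstructs both from the notes above. It is an added example written for this edition of the page, not a Check Point rule-base export and not SofaWare code. The object names Internal and Sbox_Network come from the notes; the addresses, the Rule class and the match function are assumptions made for the example. Running it shows the practical difference between the two modes: a packet from the NG encryption domain to a host behind the Safe@ gateway matches an Encrypt rule under Example 1 but falls through to the implicit drop under Example 2, where only traffic addressed to the Safe@ gateway's external interface is encrypted. The optional flag adds the NG object itself, as the note on VPN access to the firewall requires.

```python
"""Rule-base model for Examples 1 and 2 (added example; addresses are assumed)."""
import ipaddress
from dataclasses import dataclass

# Objects named in the notes above.  The addresses are assumptions for the example.
INTERNAL = ipaddress.ip_network("10.1.0.0/16")          # encryption domain of the NG firewall
SBOX_NETWORK = ipaddress.ip_network("192.168.10.0/24")  # subnet behind the Safe@ gateway
SBOX_GATEWAY = ipaddress.ip_network("203.0.113.10/32")  # Safe@ gateway hiding (external) address
NG_GATEWAY = ipaddress.ip_network("198.51.100.1/32")    # the NG firewall's own address
ENCRYPTED_SERVICES = frozenset({"icmp", "telnet", "ftp"})


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    services: frozenset
    action: str


def _both_ways(a, b, services=ENCRYPTED_SERVICES):
    """Encrypt rules in both directions, as the notes require."""
    return [Rule(a, b, services, "encrypt"), Rule(b, a, services, "encrypt")]


def example1_rules(vpn_to_firewall_itself=False):
    """Unrestricted mode: VPN traffic is addressed to the protected subnet."""
    rules = _both_ways(INTERNAL, SBOX_NETWORK)
    if vpn_to_firewall_itself:          # the note: the NG object must appear as well
        rules += _both_ways(NG_GATEWAY, SBOX_NETWORK)
    return rules


def example2_rules(vpn_to_firewall_itself=False):
    """Restricted mode: VPN traffic is addressed to the Safe@ external interface."""
    rules = _both_ways(INTERNAL, SBOX_GATEWAY)
    if vpn_to_firewall_itself:
        rules += _both_ways(NG_GATEWAY, SBOX_GATEWAY)
    return rules


def match(rules, src_ip, dst_ip, service):
    """First-match evaluation; anything unmatched falls to the implicit drop."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if s in rule.src and d in rule.dst and service in rule.services:
            return rule.action
    return "drop"


if __name__ == "__main__":
    for name, rules in (("Example 1", example1_rules()), ("Example 2", example2_rules())):
        print(name, "host->subnet:", match(rules, "10.1.2.3", "192.168.10.7", "telnet"),
              "host->gateway:", match(rules, "10.1.2.3", "203.0.113.10", "telnet"))
```

A service that is not in the encrypted set (HTTP, for instance) is dropped in both examples; if it should cross the tunnel it has to be added to the rule, not just opened on the Safe@ gateway.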

    6. Set encryption properties for each of the rules by doing the following:

    a. In the desired rule's row, right-click on the Encrypt icon, and click Set Properties in the popup menu

    that appears.

    The Encryption Properties dialog box appears.

    b. Click Edit.

    The IKE Phase 2 Properties dialog box appears.

    c. In the Data Integrity list, select SHA1.

    d. Click OK.

    The Encryption Properties dialog box reappears.

    e. Click OK.

    7. Compile the policy.
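Steps j and k above leave aggressive mode optional and note that main mode is supported; the VPN-1 4.1 chapter says the same. Preferring main mode with a pre-shared secret is a property of IKEv1 rather than of these products: in aggressive mode the responder's authentication hash HASH_R and its identity are sent unencrypted, so anyone who captures the two messages can test pre-shared-key guesses offline without talking to either gateway. The Python below is an added example written for this edition of the page, not SofaWare or Check Point code. It implements the RFC 2409 pre-shared-key formulas with HMAC-SHA1 (matching the SHA1 integrity setting chosen above) and runs a dictionary attack against a constructed capture; the captured fields, the wordlist and the secret sbox-shared-secret are all invented for the demonstration.

```python
"""IKEv1 aggressive mode with a pre-shared key: what a passive observer can test.

Formulas from RFC 2409 section 5.4 (pre-shared key authentication), with
prf = HMAC-SHA1, the choice that corresponds to the SHA1 data-integrity
setting selected in the steps above:

    SKEYID = prf(PSK, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)

In aggressive mode the responder sends HASH_R and IDir in the clear, so every
input except the PSK is visible on the wire and guesses can be checked offline.
Added example; not SofaWare or Check Point code.
"""
import hashlib
import hmac


def ikev1_psk_hash_r(psk, ni, nr, g_xr, g_xi, cky_r, cky_i, sa_i, id_r):
    """Responder authentication hash for PSK-authenticated IKEv1 phase 1."""
    skeyid = hmac.new(psk, ni + nr, hashlib.sha1).digest()
    return hmac.new(skeyid, g_xr + g_xi + cky_r + cky_i + sa_i + id_r,
                    hashlib.sha1).digest()


def crack_psk(observed_hash_r, candidates, public):
    """Offline dictionary attack: recompute HASH_R for each candidate secret.

    `public` holds the fields read from the two aggressive mode messages
    (nonces, DH public values, cookies, initiator SA payload, responder ID).
    """
    for guess in candidates:
        if hmac.compare_digest(ikev1_psk_hash_r(guess, **public), observed_hash_r):
            return guess
    return None


def _fake(label, n):
    """Deterministic stand-in for a captured field (constructed, not a real trace)."""
    return hashlib.shake_256(label).digest(n)


# Constructed "capture" of one aggressive mode exchange.  No byte here comes from
# a real Safe@ or VPN-1 trace; sizes follow RFC 2409 (8-byte cookies, 128-byte
# public values for a 1024-bit MODP group).
CAPTURED_PUBLIC = {
    "ni": _fake(b"Ni", 20), "nr": _fake(b"Nr", 20),
    "g_xr": _fake(b"g^xr", 128), "g_xi": _fake(b"g^xi", 128),
    "cky_r": _fake(b"CKY-R", 8), "cky_i": _fake(b"CKY-I", 8),
    "sa_i": _fake(b"SAi_b", 52),                              # initiator's SA payload body
    "id_r": b"\x01\x00\x00\x00" + bytes([203, 0, 113, 10]),  # ID_IPV4_ADDR 203.0.113.10
}
REAL_PSK = b"sbox-shared-secret"   # what was typed into "Enter Secrets" (assumed)
OBSERVED_HASH_R = ikev1_psk_hash_r(REAL_PSK, **CAPTURED_PUBLIC)


def demo(wordlist=(b"password", b"checkpoint", b"sbox-shared-secret", b"vpn123")):
    """Return the PSK recovered from the constructed capture, or None."""
    return crack_psk(OBSERVED_HASH_R, wordlist, CAPTURED_PUBLIC)


if __name__ == "__main__":
    print("recovered PSK:", demo())
```

Run the file directly and it prints the recovered secret. In main mode the same HASH_R travels inside the encrypted phase 1 payload, so a passive observer has nothing to check guesses against; leaving the aggressive mode box clear and choosing a long random value in the Enter Secrets field are the two settings that matter here. Note also that 3DES and SHA1 were the strongest options these releases offered; neither is recommended for new deployments today.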

    Chapter 4

    Configuring VPN-1 4.1 for Site-to-Site VPN

    This chapter explains how to configure Check Point VPN-1 4.1 for the Safe@Office to VPN-1 (Site-to-Site VPN)

    solution described in Safe@Office to VPN-1 (Site-to-Site VPN), page 11.

    Note: The information in this chapter is correct for VPN-1 4.1, SP4, and higher.

    This chapter contains the following sections:

    ! Configuring VPN-1 4.1 for Site-to-Site VPN

    Note: You must configure the VPN-1 object to use a pre-shared secret before you configure VPN-1 4.1 for Site-to-Site.

    Configuring VPN-1 4.1 for Site-to-Site VPN

    To configure VPN-1 4.1 for Site-to-Site VPN

    1. Open the Check Point Policy Editor.

    2. Create the Safe@ Gateway object by doing the following:

    a. In the Manage menu, choose Network Objects.

    The Network Objects dialog box appears.

    b. Click New and then click Workstation.

    The Workstation Properties dialog box appears with the General tab displayed.

    Do the following:

    1) In the Name field, type the objects name.

    2) In the IP Address field, type the S-box's hiding address.

    3) In the Location area, select External.

    4) In the Type area, select Gateway.

    5) In the Modules Installed area, select VPN-1 & FireWall-1 version 4.1.

    c. Click OK.

    3. Configure the Safe@ Gateway internal network object by doing the following:

    a. In the Manage menu, choose Network Objects.

    The Network Objects dialog box appears.

    b. Click New and then click Network.

    The Network Properties dialog box appears with the General tab displayed.

    Do the following:

    1) In the Name field, type the network object's name.

    2) In the IP Address field, type the network object's IP address.

    3) In the Net Mask field, type the network object's subnet mask. The subnet mask represents the home

    network.

    4) Click OK.

    c. Open the Safe@ Gateway object you defined earlier.

    The Workstation Properties dialog box appears with the General tab displayed.

    d. In the menu, click VPN.

    The VPN tab is displayed.


    e. In the Domain area, select Other, and then select the network object from the Other list. (In the example

    above, the network object is Mynet.)

    f. Click Edit.

    The IKE Properties dialog box appears.

    g. In the Support authentication methods area, select Pre-shared Secret, and click Edit Secrets....

    The Shared Secret dialog box appears.

    Do the following:

    1) In the Peer Name column, click on the VPN-1's peer name.

    Note: If the VPN-1 object was not configured to use a pre-shared secret, the peer name will not be listed.

    2) In the Enter Secrets field, type the unique password that should be used by the S-box and VPN-1

    when establishing VPN connections to each other.

    3) Click Set.

    4) Click OK.

    The IKE Properties dialog box reappears.

    h. Click OK.

    The Workstation Properties dialog box reappears with the VPN tab displayed.

    i. Click OK.

    4. Configure the VPN-1 object by doing the following:

    a. In the Manage menu, choose Network Objects.

    The Network Objects dialog box appears.

    b. Select the VPN-1 object and click Edit.

    The Workstation Properties dialog box appears with the General tab displayed.

    c. Click on the VPN tab.

    The VPN tab is displayed.

    Note: Your Domain area may look different, depending on the VPN topology of your network.

    d. In the Domain section, select the Exportable for SecuRemote check box.

    e. In the Encryption schemes defined area, click Edit.

    The IKE Properties dialog-box appears.

    f. Verify that the following options are selected:

    ! Pre-shared Secret

    ! Optional - Support Aggressive Mode

    Note: Main Mode is also supported, so Aggressive Mode is optional.

    ! Support keys exchange for subnets

    4. If desired, create a Topology user by doing the following:

    Note: A Topology user is a User object that enables the S-box to download the VPN-1 NG FP1/FP2 topology. If you do not create a Topology user, you must specify the VPN-1's network configuration in the S-box VPN wizard.

    a. In the Manage menu, choose Users.

    The Users dialog box appears.


    b. Click New, and then click Default.

    The Users Properties dialog box appears with the General tab displayed.

    c. In the Name field, type the user name. In this example the name Topology is used.

    d. In the Expiration Date field, type the expiration date.

    e. Click on the Encryption tab.

    The Encryption tab is displayed.


    f. In the Client Encryption Methods area, select the IKE check box and clear the FWZ check box.

    g. Click Edit.

    The IKE Properties dialog box appears with the Authentication tab displayed.

    h. Select Password, and type the password in the field.

    i. Click on the Encryption tab.

    The Encryption tab is displayed.


    Do the following:

    1) In the Data Integrity area, select SHA1.

    2) In the Encryption Algorithm list, select 3DES.

    3) Click OK.

    The Users Properties dialog box reappears with the Encryption tab displayed.

    j. Click OK.

    5. Edit the existing rule base.

    Example 1

    Note: Example 1 matches the Unrestricted configuration mode in the Safe@ gateway. In this case, all traffic should be directed to the secured network (and not to the external IP of the Safe@ gateway). All VPN traffic will be allowed into the Safe@ secured network, and no VPN ONLY Allow / Server rules must be defined in the Safe@ gateway.

    Note: The object Local_VPN_Domain represents the encryption domain behind the 4.1 firewall. The object Mynet represents the subnet behind the Safe@ gateway.

    Note: If VPN access to the 4.1 firewall itself is also needed, the 4.1 object needs to appear in the rule base as well.

    Note: In this instance, the services that will be encrypted in both directions are ICMP and FTP.

    Example 2

    This example shows the rules that must be added to an existing rule base in order for FTP and ICMP to be encrypted to and from the S-box.

    Note: Example 2 matches the Restricted configuration mode in the Safe@ gateway. In this case all traffic must be directed to the external interface of the Safe@ gateway, and can be forwarded inbound using VPN ONLY Allow / Server rules. Directing the traffic to the secured network behind the Safe@ gateway is not allowed in this mode.

    Note: The object Local_VPN_Domain is the subnet behind the FW-1 4.1 firewall.


    Note: If VPN access to the 4.1 firewall itself is also needed, the 4.1 object needs to appear in the rule base as well.

    Note: In this instance, the services that will be encrypted in both directions are ICMP and FTP.

    6. Set encryption properties for each of the rules by doing the following:

    a. In the desired rule's row, right-click on the Encrypt icon, and click Set Properties in the popup menu that appears.

    The Encryption Properties dialog box appears.

    b. Click Edit.

    The IKE Properties dialog box appears.


    c. In the Data Integrity list, select SHA1.

    d. Click OK.

    The Encryption Properties dialog box reappears.

    e. Click OK.

    7. Compile the policy.
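    The two rule-base examples above exist in the original only as Policy Editor screenshots, which are not reproduced here. The following Python model is an added example, not SofaWare's or Check Point's code, of how such a rule base is evaluated: top-down, first match wins, and the implicit cleanup rule drops whatever matched nothing. The object names Local_VPN_Domain and Mynet come from the notes above; the prefixes behind them, the FW41 and SafeAt_External objects and the sample addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, Sequence

# Constructed network objects (assumption: the prefixes, FW41 and
# SafeAt_External are illustrative, not values from the guide).
OBJECTS: Dict[str, ipaddress.IPv4Network] = {
    "Local_VPN_Domain": ipaddress.ip_network("10.1.0.0/16"),    # encryption domain behind the 4.1 firewall
    "Mynet": ipaddress.ip_network("192.168.10.0/24"),           # subnet behind the Safe@ gateway
    "FW41": ipaddress.ip_network("198.51.100.1/32"),            # the 4.1 firewall object itself
    "SafeAt_External": ipaddress.ip_network("203.0.113.7/32"),  # Safe@ gateway external IP
}


@dataclass(frozen=True)
class Rule:
    source: str
    destination: str
    services: FrozenSet[str]   # lower-case service names; "any" matches every service
    action: str                # "encrypt", "accept" or "drop"


def _in_object(name: str, ip: str) -> bool:
    return ipaddress.ip_address(ip) in OBJECTS[name]


def evaluate(rulebase: Sequence[Rule], src: str, dst: str, service: str) -> str:
    """Return the action of the first rule matching (src, dst, service).

    A FireWall-1 rule base is read top-down and the first match wins; a packet
    that matches no rule is dropped by the implicit cleanup rule."""
    for rule in rulebase:
        if (_in_object(rule.source, src) and _in_object(rule.destination, dst)
                and ("any" in rule.services or service.lower() in rule.services)):
            return rule.action
    return "drop"


VPN_SERVICES = frozenset({"ftp", "icmp"})   # the two services the notes say are encrypted

# Example 1 (Unrestricted mode): encrypt FTP/ICMP between the two protected networks.
EXAMPLE_1 = [
    Rule("Local_VPN_Domain", "Mynet", VPN_SERVICES, "encrypt"),
    Rule("Mynet", "Local_VPN_Domain", VPN_SERVICES, "encrypt"),
]

# Example 1 plus the 4.1 object itself, as the note requires when the firewall
# must be reachable over the VPN.
EXAMPLE_1_WITH_GATEWAY = EXAMPLE_1 + [
    Rule("Mynet", "FW41", VPN_SERVICES, "encrypt"),
    Rule("FW41", "Mynet", VPN_SERVICES, "encrypt"),
]

# Example 2 (Restricted mode): VPN traffic is addressed to the Safe@ gateway's
# external interface; the secured network behind it is not a valid destination.
EXAMPLE_2 = [
    Rule("Local_VPN_Domain", "SafeAt_External", VPN_SERVICES, "encrypt"),
    Rule("SafeAt_External", "Local_VPN_Domain", VPN_SERVICES, "encrypt"),
]


def demo() -> Dict[str, str]:
    """Evaluate a few constructed packets against each rule base."""
    return {
        "ex1_ftp_to_mynet": evaluate(EXAMPLE_1, "10.1.2.3", "192.168.10.20", "ftp"),
        "ex1_http_to_mynet": evaluate(EXAMPLE_1, "10.1.2.3", "192.168.10.20", "http"),
        "ex1_icmp_to_gateway": evaluate(EXAMPLE_1, "192.168.10.20", "198.51.100.1", "icmp"),
        "ex1gw_icmp_to_gateway": evaluate(EXAMPLE_1_WITH_GATEWAY, "192.168.10.20", "198.51.100.1", "icmp"),
        "ex2_ftp_to_external": evaluate(EXAMPLE_2, "10.1.2.3", "203.0.113.7", "ftp"),
        "ex2_ftp_to_mynet": evaluate(EXAMPLE_2, "10.1.2.3", "192.168.10.20", "ftp"),
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:24s} -> {action}")
```

    The ex1_icmp_to_gateway case is the situation the note about the 4.1 object describes: with only the two network-to-network rules, a ping from Mynet to the firewall's own address matches nothing and is dropped, and it is only encrypted once the FW41 object is added. The ex2_ftp_to_mynet case shows why Restricted mode needs the Safe@ gateway's VPN ONLY Allow / Server rules: the VPN-1 rule base never sends traffic to Mynet directly.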


    Chapter 5

    Configuring VPN-1 for Safe@ RAS VPN

    This chapter explains how to configure Check Point VPN-1 as a VPN RAS server, as described in the solution VPN RAS Client to VPN-1 VPN RAS Server, page 12. The VPN-1 versions supported are Check Point 4.1 SP4 and above, NG FP1, and NG FP2. If you are using NG FP3, please refer to Configuring VPN-1 NG FP3, page 73.

    After configuring VPN-1, you must configure the Safe@ appliance to act as a VPN RAS client. For instructions, refer to the SofaWare Safe@ Getting Started Guide. The SofaWare Safe@ Gateway uses IKE shared secrets to establish an IPSEC VPN connection from the Safe@ Gateway to the Check Point Enterprise VPN-1.

    This chapter contains the following sections:

    ! Configuring VPN-1 NG for Safe@ RAS VPN, page 53.

    ! Configuring VPN-1 4.1 for Safe@ RAS VPN, page 64.

    Configuring VPN-1 NG for Safe@ RAS VPN

    Note: This procedure can be used for VPN-1 NG FP1 and FP2.

    To configure VPN-1 NG for Safe@ RAS VPN

    1. Open the Check Point Policy Editor.

    2. Edit the VPN-1 NG properties by doing the following:

    a. From the Manage menu, select Network Objects.

    The Network Objects dialog box appears.


    b. Click on the VPN-1 workstation object that should receive the Safe@ gateway VPN session request.

    The Workstation Properties dialog box appears with the General tab displayed.


    c. In the menu, click VPN.

    The VPN tab is displayed.

    d. In the Encryption schemes area, verify that the IKE check box is selected.

    e. Click Edit.

    The IKE Properties dialog box appears.


    f. Verify that the following selections are made:

    ! In the Support key exchange encryption with list: DES and/or 3DES

    ! In the Support data integrity with area: MD5 and/or SHA1

    Note: These are the minimal selections. If desired, you can select additional options.

    g. Click Advanced.

    The Advanced IKE properties dialog box appears.


    Do the following:

    1) Select the Use UDP encapsulation check box.

    2) From the Use UDP encapsulation list, select VPN1_IPSEC_encapsulation.

    3) In the Rekeying Parameters area, set Renegotiate IKE security associations to 1440 minutes, and set Renegotiate IPSEC Security associations every to 3600 seconds.

    4) In the Misc area, select Support IP compression for SecureClient, Support aggressive mode, and Support key exchange for subnets.

    5) Click OK.

    The IKE Properties dialog box reappears.

    h. Click OK.

    The Workstation Properties dialog box reappears with the VPN tab displayed.

    i. Click OK.


    3. Create a new group object by doing the following:

    a. In the Manage menu, click Users.

    The Users dialog box appears.

    b. Click New and then Group.

    The Group Properties dialog box appears.


    c. In the Name field, type the group object's name.

    d. If users are already defined and you wish to add them to the new group, add them by doing the following:

    1) In the Not in Group list, select desired users.

    2) Click Add >.

    The selected users are moved to the In Group list.

    e. Click OK.

    The Users dialog box reappears. The new group object appears in the Users list.

    f. Click Close.

    4. If you wish to create a new Safe@ gateway user object, do the following:

    a. In the Manage menu, click Users.

    The Users window appears.

    b. Click New, User by Template, and then Default.

    The User Properties dialog box appears with the General tab displayed.


    c. Type a login name for the new Safe@ gateway user.

    d. Click the Groups tab.

    The Groups tab is displayed.

    e. In the Available Groups list, select the group you created earlier and click Add >.

    The group is moved to the Belongs to Groups list.

    f. Click on the Encryption tab.

    The Encryption tab is displayed.


    g. In the Client Encryption Methods area, verify that the IKE check box is selected.

    h. Click Edit.

    The IKE Properties dialog box appears with the Authentication tab displayed.


    Do the following:

    1) Select Password.

    The Password and Confirm Password fields are enabled.

    2) In the Password and Confirm Password fields, type the pre-shared secret for the Safe@ gateway.

    3) Click on the Encryption tab.

    The Encryption tab is displayed.


    4) In the Transform area, select Encryption + Data Integrity (ESP).

    5) In the Data Integrity area, select SHA1 or MD5.

    6) In the Encryption Algorithm list, select DES or 3DES.

    7) Click OK.

    The User Properties dialog box reappears with the Encryption tab displayed.

    i. Click OK.

    The Users window reappears.

    j. Click Close.

    5. Add a rule to your rule base:

    Note: The rule above is only an example. The Destination and Service may vary according to your VPN settings and your network needs.

    Note: The object Internal represents the encryption domain of the NG firewall.

    6. Compile the policy.


    Configuring VPN-1 4.1 for Safe@ RAS VPN

    To configure VPN-1 4.1 for Safe@ RAS VPN

    1. Open the Check Point Policy Editor.

    2. Edit the VPN-1 4.1 properties by doing the following:

    a. From the Manage menu, select Network Objects.

    The Network Objects dialog box appears.

    b. Click on the VPN-1 4.1 object that should receive the Safe@ gateway VPN session request, and click Edit.

    The Workstation Properties dialog box appears with the General tab displayed.


    c. Click on the VPN tab.

    The VPN tab is displayed.


    d. In the Encryption schemes defined area, verify that the IKE check box is selected.

    Note: In the example above, the Local_VPN_Domain object represents the secured networks protected by VPN-1. Your VPN-1 may have other network objects defined.

    e. Click Edit.

    The IKE Properties dialog box appears.


    f. Verify that the following selections are made:

    ! In the Key Negotiation Encryption Method(s) list: DES and/or 3DES

    Note: CAST is not supported by the Safe@ gateway, but can be selected if desired.

    ! In the Hash Method area: MD5 and/or SHA1

    ! Support Aggressive Mode

    ! Support Subnets

    Note: These are the minimal selections. If desired, you can select additional options.

    g. Click OK.

    The Workstation Properties dialog box reappears with the VPN tab displayed.

    h. Click OK.

    3. Create a new group object by doing the following:

    a. From the Manage menu, click Users.

    The Users dialog box appears.


    b. Click New and then click Group.

    The Group Properties dialog box appears.

    c. In the Name field, type the group object's name.

    d. If users are already defined, and you wish to add them to the new group, do the following:

    1) In the Not in Group list, select desired users.

    2) Click Add >.

    The selected users are moved to the In Group list.


    e. Click OK.

    The Users dialog box reappears. The new group appears in the Users list.

    f. Click Close.

    4. If you wish to create a new Safe@ gateway user object, do the following:

    a. From the Manage menu, click Users.

    The Users window appears.

    b. Click New and then click Default.

    The User Properties dialog box appears with the General tab displayed.

    Do the following:

    1) In the Name field, type a name for the new Safe@ gateway user.

    2) If desired, type a new expiration date for the Safe@ gateway user object in the Expiration Date field.

    c. Click the Groups tab.

    The Groups tab is displayed.


    d. In the Available Groups list, select the group you created earlier and click Add >.

    The group is moved to the Belongs to Groups list.

    e. Click on the Encryption tab.

    The Encryption tab is displayed.

    f. In the Client Encryption Methods area, verify that the IKE check box is selected.


    g. Click Edit.

    The IKE Properties dialog box appears with the Authentication tab displayed.

    Do the following:

    1) Select Password.

    The Password field is enabled.

    2) In the Password field, type the pre-shared secret for the Safe@ gateway.

    3) Click on the Encryption tab.

    The Encryption tab is displayed.


    4) In the Transform area, select Encryption + Data Integrity (ESP).

    5) In the Data Integrity area, select SHA1 or MD5.

    6) In the Encryption Algorithm list, select DES or 3DES.

    7) Click OK.

    The User Properties dialog box reappears with the Encryption tab displayed.

    h. Click OK.

    The Users window reappears.

    i. Click Close.

    5. Add a rule to your rule base:

    Note: The rule above is only an example. The Destination and Service may vary according to your VPN settings and your network needs.

    Note: The object Internal represents the encryption domain of the FW-1 4.1 firewall.

    6. Compile the policy.
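    The NG procedure earlier in this chapter and the 4.1 procedure just completed both come down to the same IKE selections on VPN-1: DES and/or 3DES, MD5 and/or SHA1, aggressive mode, an ESP transform on the user object, and (in the NG Advanced dialog) the IKE and IPSEC SA lifetimes. The following Python model is an added example, not SofaWare's or Check Point's code, of how those selections decide what a dialing-in Safe@ gateway can negotiate. The Vpn1IkeSettings field names, the Safe@ proposal preference order in SAFE_AT_OFFERS, and the assumption that the responder accepts the first proposal in the initiator's order are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Set

# Algorithms the guide says the Safe@ gateway can negotiate with VPN-1
# (DES and/or 3DES, MD5 and/or SHA1); the 4.1 note says CAST is not supported.
SAFE_AT_ENCRYPTION = {"DES", "3DES"}
SAFE_AT_INTEGRITY = {"MD5", "SHA1"}


@dataclass(frozen=True)
class Transform:
    encryption: str   # "DES", "3DES", "CAST", ...
    integrity: str    # "MD5", "SHA1"


@dataclass
class Vpn1IkeSettings:
    """The VPN-1 side choices this chapter walks through (field names are assumptions)."""
    phase1_encryption: Set[str]   # Key Negotiation Encryption Method(s) / Support key exchange encryption with
    phase1_integrity: Set[str]    # Hash Method / Support data integrity with
    aggressive_mode: bool         # Support Aggressive Mode
    ike_sa_lifetime_s: int        # Renegotiate IKE security associations (1440 min in the guide)
    ipsec_sa_lifetime_s: int      # Renegotiate IPSEC Security associations every (3600 s in the guide)
    phase2_transform: str         # "ESP" for Encryption + Data Integrity (ESP) on the user object
    phase2_encryption: Set[str]   # Encryption Algorithm on the user object
    phase2_integrity: Set[str]    # Data Integrity on the user object


@dataclass
class Outcome:
    phase1: Optional[Transform] = None
    phase2: Optional[Transform] = None
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def pick_transform(offers: Sequence[Transform], enc_ok: Set[str], int_ok: Set[str]) -> Optional[Transform]:
    """Responder behaviour (assumed): accept the first proposal in the initiator's
    preference order that the responder also supports; None when nothing overlaps."""
    for t in offers:
        if t.encryption in enc_ok and t.integrity in int_ok:
            return t
    return None


def negotiate(gw: Vpn1IkeSettings, p1_offers: Sequence[Transform], p2_offers: Sequence[Transform]) -> Outcome:
    """Predict the Phase 1 / Phase 2 result for a Safe@ gateway dialing in to VPN-1."""
    out = Outcome()
    if not gw.aggressive_mode:
        out.problems.append("Phase 1: Support Aggressive Mode is not selected on VPN-1")
    # Only algorithms enabled on VPN-1 *and* implemented by the Safe@ side can match.
    out.phase1 = pick_transform(p1_offers, gw.phase1_encryption & SAFE_AT_ENCRYPTION,
                                gw.phase1_integrity & SAFE_AT_INTEGRITY)
    if out.phase1 is None:
        out.problems.append("Phase 1: no offered encryption/hash pair is enabled on VPN-1 "
                            "(CAST alone, for example, leaves nothing the Safe@ gateway can use)")
    if gw.phase2_transform != "ESP":
        out.problems.append("Phase 2: transform must be Encryption + Data Integrity (ESP)")
    out.phase2 = pick_transform(p2_offers, gw.phase2_encryption & SAFE_AT_ENCRYPTION,
                                gw.phase2_integrity & SAFE_AT_INTEGRITY)
    if out.phase2 is None:
        out.problems.append("Phase 2: no offered ESP algorithm pair is enabled on the user object")
    if gw.ipsec_sa_lifetime_s >= gw.ike_sa_lifetime_s:
        out.problems.append("Rekeying: IPsec SA lifetime should be shorter than the IKE SA lifetime "
                            "(the guide uses 3600 s versus 1440 min)")
    return out


# Settings exactly as the NG RAS procedure selects them.
GUIDE_SETTINGS = Vpn1IkeSettings(
    phase1_encryption={"DES", "3DES"}, phase1_integrity={"MD5", "SHA1"}, aggressive_mode=True,
    ike_sa_lifetime_s=1440 * 60, ipsec_sa_lifetime_s=3600,
    phase2_transform="ESP", phase2_encryption={"DES", "3DES"}, phase2_integrity={"MD5", "SHA1"},
)

# Constructed preference order for the Safe@ side (assumption: strongest first).
SAFE_AT_OFFERS = [Transform("3DES", "SHA1"), Transform("3DES", "MD5"),
                  Transform("DES", "SHA1"), Transform("DES", "MD5")]

# Only CAST enabled for key negotiation: the algorithm the 4.1 note says Safe@ cannot use.
CAST_ONLY = Vpn1IkeSettings(
    phase1_encryption={"CAST"}, phase1_integrity={"MD5", "SHA1"}, aggressive_mode=True,
    ike_sa_lifetime_s=1440 * 60, ipsec_sa_lifetime_s=3600,
    phase2_transform="ESP", phase2_encryption={"DES", "3DES"}, phase2_integrity={"MD5", "SHA1"},
)

if __name__ == "__main__":
    for label, cfg in (("guide", GUIDE_SETTINGS), ("cast-only", CAST_ONLY)):
        res = negotiate(cfg, SAFE_AT_OFFERS, SAFE_AT_OFFERS)
        print(label, "OK" if res.ok else "FAIL", res.phase1, res.phase2, res.problems)
```

    With the guide's settings the model negotiates 3DES + SHA1 for both phases because that is the first entry in the constructed Safe@ preference list; the cast-only configuration fails Phase 1 even though Phase 2 would still succeed, which is why the "minimal selections" notes insist on at least one of DES/3DES being enabled for key negotiation.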


    Chapter 6

    Configuring VPN-1 NG FP3

    This chapter explains how to create Site-to-Site and Client-to-Site VPN tunnels between the Safe@ gateway and NG FP3 using communities.

    Note: The SSC (SofaWare SmartCenter Connector) add-on must be installed on the NG FP3 firewall.


    Configuring Safe@ gateway to NG FP3 In Client to Site Mode

    Create and Configure Safe@ object

    1. Open the Check Point Policy Editor.

    2. Create a Safe@ Gateway object by doing the following:

    a. In the Manage menu, click Network Objects.

    The Network Objects dialog box appears.

    b. Click New, Check Point, and then Safe@ Gateway...

    c. The Safe@ Gateway properties page appears.

    3. Configure the Safe@ Gateway Object by doing the following:


    a. In the Name field, type the object's name.

    b. Next to the IP Address field, select the Dynamic Address check box.

    c. In the Type field, choose GW Type.

    d. In the SofaWare Profile field, choose Profile.

    e. In the Password field, enter a password, or click the Generate Password button.

    f. Select the VPN Enabled check box.

    g. Save the object by clicking OK.

    Note: The Safe@ password is automatically used as its shared secret in the community.


    Configure the Community

    1. Define the Community by doing the following:

    a. Select the VPN Manager tab.

    b. Double-click on the RemoteAccess community.

    The RemoteAccess Community Properties window appears.

    2. Add participants to the pre-defined RemoteAccess Community:

    a. In the General tab, enter the object name.

    b. In the Participating Gateways area, choose the firewall gateways you wish to use.


    c. In the Participating User Groups area, select All SofaWare VPN GWs.

    d. Click OK.

    Note: You can choose All Users instead; it includes All SofaWare VPN GWs.


    Configure Global Properties

    1. From the Policy menu, select Global Properties.

    2. The Global Properties page appears.

    3. Select Remote Access and then VPN Basic in the tree on the left side of the dialog box.

    4. Select the Hybrid Mode (VPN-1 & Firewall-1 authentication) check box.

    Note: If using Safe@ Gateways version 2.0.x, you must also select Pre-shared Secret.

    5. Click OK.

    Rule base

    Note: The If Via access rule condition means "Accept if encrypted between community members".

    In the example below, all services are allowed via the RemoteAccess community.


    6. Install the policy on the desired gateways and profiles.

    Configuring Safe@ gateway to NG FP3 in Site To Site mode

    Note: Working with Dynamic IPs and certificates is supported. For more information, please refer to www.sofaware.com or contact [email protected].

    Create a network object

    1. Open the Check Point Policy Editor.

    2. Create a Safe@ Gateway object by doing the following:

    a. In the Manage menu, click Network Objects.


    b. Click New.

    c. Select Network...

    d. The Network Properties window opens.

    e. In the Name field, type the name of the object.

    f. In the Network Address field, type the network IP address.


    g. In the Net Mask field, type the subnet mask.

    h. Click OK.

    Create and Configure Safe@ object

    1. Open the Check Point Policy Editor.

    2. Create a Safe@ Gateway object by doing the following:

    a. In the Manage menu, click Network Objects.

    The Network Objects dialog box appears.

    b. Click New, Check Point, and then Safe@ Gateway.

    c. The Safe@ Gateway properties page appears.

    3. Configure the Safe@ Gateway object by doing the following:


    a. In the Name field, type the object's name.

    b. In the IP Address field, type your IP address.

    c. In the Type field, choose GW Type.

    d. In the SofaWare Profile field, choose Profile.

    e. In the Password field, enter a password, or click the Generate Password button.

    f. Select the VPN Enabled check box.

    4. Configure Topology by doing the following:

    a. Select the Topology tab.


    b. From the Manually defined drop-down menu, select the network object that represents the network protected by the Safe@ gateway.

    c. Save the object by clicking OK.

    Configure the Community

    1. Define the Community by doing the following:

    a. Select the VPN Manager tab.

    b. Right-click in the VPN Manager, then from the New Community menu choose Star.

    Note: Meshed communities are not supported in NG FP3 with Safe@ gateways.

    The Star Community Properties page appears.


    c. In the Name field type the name of the object.

    Note: In order to accept encrypted traffic, the user can check the "Accept all encrypted traffic" check box on the community object. This will add an automatic access rule for all encrypted traffic between community members.

    d. Select the Central Gateways tab.

    e. Add the gateway object you wish to be the Central Gateway.


    f. Select the Satellite Gateways tab.

    g. Click Add... and choose the Safe@ gateway object.

    h. Services in the Clear definitions will not affect the tunnel between Safe@ and FP3. The Safe@ will encrypt all traffic.

    i. Click on the VPN Properties tab.

    j. Define Phase 1 and Phase 2 properties.


    Note: All VPN Encryption and Data Integrity combinations are allowed. In the example above, Phase 1 is configured to use 3DES + MD5, and Phase 2 is configured to use 3DES + SHA1. Other combinations are allowed.

    Note: There is no need to define Advanced Properties.

    Note: There is no need to define the shared secret on the community. The Safe@ password is automatically used as its shared secret in the community.

    k. Click OK.

    l. The new Star community is presented in the VPN Manager tab.


    Rule Base

    Note: The "If Via" access rule condition means "Accept if encrypted between community members."

    Note: In the example below, only FTP and ICMP protocols will be encrypted via the Star_1 Community.
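    The "If Via" condition used here for the Star_1 community, and earlier for the RemoteAccess community with all services, differs from the 4.1 rule bases in the previous chapters: the rule does not encrypt anything itself, it accepts a packet only if it already arrived through a tunnel between two community members. The following Python model is an added example, not SofaWare's or Check Point's code, of that evaluation. The gateway names FP3_Center, SafeAt_Office1 and SafeAt_Office2, and the assumption that a Star community tunnels satellites to the central gateway only (a satellite-to-satellite tunnel would need the meshed topology the note above says is unsupported), are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class StarCommunity:
    """A VPN community of the Star type: satellites tunnel to a central gateway."""
    name: str
    centers: FrozenSet[str]
    satellites: FrozenSet[str]

    def tunnel_allowed(self, gw_a: str, gw_b: str) -> bool:
        # Both ends must be members and (assumption: the "to center only" star
        # behaviour) at least one end must be a central gateway.
        members = self.centers | self.satellites
        if gw_a == gw_b or gw_a not in members or gw_b not in members:
            return False
        return gw_a in self.centers or gw_b in self.centers


@dataclass(frozen=True)
class Packet:
    service: str
    via: Optional[Tuple[str, str]]   # gateways whose tunnel carried it; None if it arrived in the clear


@dataclass(frozen=True)
class IfViaRule:
    """A rule whose VPN column reads 'If Via <community>' with an Accept action."""
    services: FrozenSet[str]          # lower-case service names, or {"any"}
    community: StarCommunity

    def matches(self, pkt: Packet) -> bool:
        if pkt.via is None:                                 # clear-text traffic never matches
            return False
        if not self.community.tunnel_allowed(*pkt.via):    # must be encrypted between members
            return False
        return "any" in self.services or pkt.service.lower() in self.services


def evaluate(rules: Sequence[IfViaRule], pkt: Packet) -> str:
    """First matching rule accepts; anything else falls through to the implicit drop."""
    return "accept" if any(r.matches(pkt) for r in rules) else "drop"


# Constructed objects: the gateway names are assumptions for the example.
STAR_1 = StarCommunity("Star_1", centers=frozenset({"FP3_Center"}),
                       satellites=frozenset({"SafeAt_Office1", "SafeAt_Office2"}))
# Only FTP and ICMP, as the last note above says.
RULES = [IfViaRule(frozenset({"ftp", "icmp"}), STAR_1)]


def demo() -> Dict[str, str]:
    return {
        "ftp_via_center_tunnel": evaluate(RULES, Packet("ftp", ("SafeAt_Office1", "FP3_Center"))),
        "ftp_in_the_clear": evaluate(RULES, Packet("ftp", None)),
        "http_via_center_tunnel": evaluate(RULES, Packet("http", ("SafeAt_Office1", "FP3_Center"))),
        "ftp_satellite_to_satellite": evaluate(RULES, Packet("ftp", ("SafeAt_Office1", "SafeAt_Office2"))),
        "ftp_from_non_member": evaluate(RULES, Packet("ftp", ("Unknown_GW", "FP3_Center"))),
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:28s} -> {action}")
```

    The "Accept all encrypted traffic" check box described earlier corresponds to an IfViaRule whose services set is {"any"}; with the FTP/ICMP rule alone, HTTP through the same tunnel is dropped, and FTP that arrives in the clear or over a tunnel not between a satellite and the center is dropped as well.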