FAQ0244: How do I set up an IKE site-to-site VPN with pre-shared secrets between VPN-1/FireWall-1 and Raptor

Written by R3dsh4d0w, contributed by Shaft of Netflood.net. With thankful acknowledgment allowed to publish.


Overview:
This document details how to create a VPN between a Checkpoint Firewall-1 4.1 and an Axent Raptor 6.5 firewall. It is intended to provide step-by-step instructions for creating the necessary objects and rules. The Checkpoint firewall used in this example is Checkpoint Firewall-1 4.1 SP3 running on Windows NT 4.0 with SP6a. The Axent Raptor 6.5 firewall is also running on Windows NT 4.0 and has the Raptor ‘esp-dom’ service pack applied, which addresses a null ESP issue in Axent’s implementation of IPSEC, and the hot-fix “isakmpd”, which corrects Raptor Mobile authentication problems with TACACS and SecurID.

Note: If you are using this configuration for ANX tunnels, substitute the ANX interface for the outside interface of the firewall.


Checkpoint Firewall Configuration:
1. Launch Checkpoint Policy Editor



Figure 1.1 – Policy Editor Login Screen

Figure 1.2 – Checkpoint Policy Editor

2. The first step is to create network objects for the internal subnets (encryption Domains) that will be connected via the VPN. A network object for the subnet that is behind the Checkpoint firewall must be created, if it doesn’t already exist. Also, a network object for the remote subnet behind the Raptor firewall must be created. To create a network object, click on Manage on the Menu Bar, and select Network Objects.


Figure 1.3 – Manage Menu Option



Figure 1.4 – Network Objects window


3. To create a Network Object, click on the New button, and select Network.


Figure 1.5 – Network Object window for Remote Network (Raptor Side)



Figure 1.6 – Network Object window for Local Network (Checkpoint Side)


4. From the Network Objects window, click on the New button, and select Workstation. It is necessary to create a firewall object for the Raptor Firewall, and, if one doesn’t already exist, for the Checkpoint Firewall.

Figure 1.7 – Network Objects window



5. Create or Modify Checkpoint Firewall object.

  1. Enter the Name and external IP address

  2. The Location is internal

  3. Type is Gateway

  4. Check the box ‘VPN-1 & Firewall-1’ and select 4.1. If this firewall has the Management Module loaded, also check the box ‘Management Station’.


Figure 1.8 – Checkpoint Firewall General Tab

6. On the VPN Tab, Select the local network object (Encryption Domain) under Domain. Check the box IKE under Encryption Scheme. Click Edit to modify.


Figure 1.9 – Checkpoint Firewall VPN Tab

7. In the IKE Properties window, select the encryption algorithm and data integrity algorithm to use. Check the Box "Pre-Shared Secret". Check the Box "Support keys exchanged for Subnets".


Figure 1.10 – Checkpoint Firewall IKE Properties

8. Create or Modify the Raptor Firewall object. Enter the Name and external IP address. The Location is external. Type is Gateway.


Figure 1.11 – Raptor Firewall General Tab

9. On the VPN Tab, Select the local network object (Encryption Domain) under Domain. Check the box IKE under Encryption Scheme. Click Edit to modify.


Figure 1.12 – Raptor Firewall VPN Tab

10. In the IKE Properties window, select the encryption algorithm and data integrity algorithm to use. Check the Box "Pre-Shared Secret". Click the "Edit Secrets" button, and enter the "Shared Secret" to use. Check the Box "Support keys exchanged for Subnets".

Figure 1.13 – Raptor Firewall IKE Properties


11. Create the Three rules to enable the VPN connection.

Source                              Destination                         Service  Action
Raptor Firewall                     Checkpoint Firewall                 IKE      Accept
Internal Network (Checkpoint Side)  Internal Network (Raptor Side)      Any      Encrypt
Internal Network (Raptor Side)      Internal Network (Checkpoint Side)  Any      Encrypt



Figure 1.14 – Checkpoint Policy Editor Rule Base

12. It is necessary to edit the Encrypt action in the Rule Base and select the appropriate Encryption and Data Integrity Algorithm.

13. If the firewall is performing Network Address Translation on the local addresses, it is necessary to create a NAT rule that exempts traffic between the two Encryption Domains from translation, so that packets entering the tunnel keep their original addresses.

Original Packet                                                               Translated Packet
Source                              Destination                     Service   Source    Destination  Service
Internal Network (Checkpoint Side)  Internal Network (Raptor Side)  Any       Original  Original     Original



Figure 1.15 – Checkpoint Policy Editor NAT Tab
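The two tables above are applied first-match, which is why the "Original" NAT rule only helps if it sits above the hide or static NAT rule that would otherwise translate the same traffic. The following script is an added example, not part of the original FAQ or of either vendor's product: it models the three security rules from step 11 and the NAT exemption from step 13 with constructed networks and gateway addresses (10.1.0.0/24, 10.2.0.0/24, 192.0.2.1, 198.51.100.1), an assumed hide-NAT rule for Internet-bound traffic, and shows what the Checkpoint would do to one packet depending on NAT rule order.

```python
# Added example (not from the original FAQ): first-match simulation of the
# Rule Base and NAT rules above. All names and addresses are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv4Address]

# Constructed encryption domains and gateway addresses
CHECKPOINT_SIDE = ipaddress.ip_network("10.1.0.0/24")   # Internal Network (Checkpoint Side)
RAPTOR_SIDE = ipaddress.ip_network("10.2.0.0/24")       # Internal Network (Raptor Side)
CHECKPOINT_FW = ipaddress.ip_address("192.0.2.1")       # Checkpoint external address
RAPTOR_FW = ipaddress.ip_address("198.51.100.1")        # Raptor external address
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    source: Net
    destination: Net
    service: str      # "IKE", "Any", ...
    action: str       # security action (Accept/Encrypt) or NAT action


def _covers(obj: Net, addr: ipaddress.IPv4Address) -> bool:
    """A network object matches any address it contains; a host object must equal it."""
    if isinstance(obj, ipaddress.IPv4Network):
        return addr in obj
    return addr == obj


def first_match(rules, src, dst, service, default):
    """Return the action of the first rule that matches the packet (first-match semantics)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (_covers(rule.source, src) and _covers(rule.destination, dst)
                and rule.service in ("Any", service)):
            return rule.action
    return default


# The three rules from step 11
SECURITY_RULES = [
    Rule(RAPTOR_FW, CHECKPOINT_FW, "IKE", "Accept"),
    Rule(CHECKPOINT_SIDE, RAPTOR_SIDE, "Any", "Encrypt"),
    Rule(RAPTOR_SIDE, CHECKPOINT_SIDE, "Any", "Encrypt"),
]

# NAT rules: the "Original" rule from step 13 placed above an assumed hide-NAT rule
# (not in the FAQ) that hides Internet-bound traffic behind the Checkpoint's address.
HIDE = "Hide behind " + str(CHECKPOINT_FW)
NAT_RULES = [
    Rule(CHECKPOINT_SIDE, RAPTOR_SIDE, "Any", "Original"),
    Rule(CHECKPOINT_SIDE, ANY, "Any", HIDE),
]
# The same two rules in the wrong order: the hide rule now matches tunnel traffic first
NAT_RULES_MISORDERED = list(reversed(NAT_RULES))


def evaluate(nat_rules, src, dst, service="http"):
    """Security action and NAT action the Checkpoint applies to one packet."""
    security = first_match(SECURITY_RULES, src, dst, service, default="Drop")
    nat = first_match(nat_rules, src, dst, service, default="Original")
    return security, nat


if __name__ == "__main__":
    for order, rules in (("correct", NAT_RULES), ("misordered", NAT_RULES_MISORDERED)):
        print(order, evaluate(rules, "10.1.0.10", "10.2.0.20"))
    print("IKE", evaluate(NAT_RULES, "198.51.100.1", "192.0.2.1", "IKE"))
```

With the rules in the order shown in the FAQ, a packet from the Checkpoint side to the Raptor side is encrypted and left untranslated; with the hide rule first, the same packet is still matched by the Encrypt rule but leaves with the gateway's address, which the Raptor's tunnel definition will not accept.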


Axent Raptor Configuration:
1. Network Entities: create a Security Gateway entity for the Checkpoint Firewall. Contact the User (the Checkpoint side) and agree upon a Shared Secret. For Raptor 6.5, the Shared Secret must be between 20 and 28 characters.


Figure 2.1 – Checkpoint Firewall Network Entity

Figure 2.2 - Checkpoint Firewall Network Entity Security Gateway Tab

2. Network Entities: Create a Network Object for the Local Network behind the Checkpoint Firewall.


Figure 2.3 – Checkpoint Side Subnet Object


Figure 2.4 – Checkpoint Side Subnet Object Address Tab

3. Create a Network Group Object under Network Entity for the Checkpoint Firewall and Subnet.


Figure 2.5 – Network Group Object

4. Add the Checkpoint Firewall and Subnet Objects to the group.


Figure 2.6 – Network Group Object Members Tab

5. Create a Rule allowing inside traffic on the Raptor Side to the inside Network on the Checkpoint Side.


Figure 2.7 – VPN Rule

6. On the Services Tab, select the services that are allowed with this rule.


Figure 2.8 – VPN Rule Services Tab

7. Create a Rule allowing inside traffic on the Checkpoint Side to the inside Network on the Raptor Side.


Figure 2.9 – VPN Rule

8. On the Services Tab, select the services that are allowed with this rule.


Figure 2.10 – VPN Rule Services Tab

9. Address Transforms: This was needed specifically because some of the Raptor internal servers had a default route to a different gateway. The User could contact the servers but never received a response, and the connection eventually timed out. This Address Transform rewrites the traffic from the User to the Inside-Subnet so that the servers' replies return through the Raptor and back to the User. Note: Depending on your configuration, address transforms may be different or not needed at all.


Figure 2.11 – Address Transforms


10. The Definition Tab for the Address Transform defines the type of address translation used for the VPN connection.
  1. Set ‘Coming in Via’ to the Checkpoint Tunnel
  2. Set ‘from Client’ to the Checkpoint Subnet
  3. Set ‘To Server’ to the inside (Raptor Side) Subnet
  4. Set ‘going Out Via’ to
  5. Select ‘Use Gateway Address’ for the Client Address Transform


Figure 2.12 – Address Transform Definition Tab


11. The Secure Tunnel Properties window is used to configure the actual VPN tunnel. The tunnel information must match exactly on both ends of the VPN.
  1. ‘Local Entity’ is the local subnet (Raptor Side)
  2. ‘Local Gateway’ is the Raptor Security Gateway
  3. ‘Remote Entity’ is the remote subnet (Checkpoint Side)
  4. ‘Remote Gateway’ is the Checkpoint Firewall
  5. ‘VPN Policy’ is the agreed upon IPSEC settings

Figure 2.13 – Secure Tunnel Properties


12. VPN Policy: Edit the existing policy or create a new policy. Data Integrity Preferences and Data Privacy Preferences must match exactly between the two firewalls.


Figure 2.14 – IKE Properties



Figure 2.15 – IKE Properties Preferences Tab



Figure 2.16 – IKE Properties Timeout Window

13. To limit the type of traffic that is allowed through the tunnel, a filter can be created and applied on the Options tab. Note that filters are not applied if the VPN is being passed to the proxies. In the case of Proxies, Rules are used instead. (See figure 2.14)


Figure 2.17 – IKE Properties Options Tab

14. Ensure that ‘Tunnel Mode’ is selected, and Perfect Forward Secrecy is unchecked.

Figure 2.18 – IKE Properties Advanced Tab
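Steps 1, 11, 12 and 14 of the Raptor section all come down to the same check: the values typed into the two vendors' dialogs must agree exactly, the shared secret must fit Raptor 6.5's 20 to 28 character limit, and the Raptor side must use Tunnel Mode without Perfect Forward Secrecy. The script below is an added example, not part of the original FAQ or of either product: it compares two hand-transcribed settings dictionaries and lists every mismatch before the tunnel is tested. The field names, the algorithm names and both secrets are constructed placeholders.

```python
# Added example (not from the original FAQ): check that the IKE/IPSEC settings
# entered on both firewalls agree and that the shared secret satisfies the
# Raptor 6.5 length rule from step 1. All values below are constructed.
RAPTOR_SECRET_MIN, RAPTOR_SECRET_MAX = 20, 28   # step 1 of the Raptor section

# Settings the FAQ requires to be identical on both ends of the tunnel
MUST_MATCH = ("encryption", "data_integrity", "authentication", "mode", "pfs", "shared_secret")


def check_shared_secret(secret: str) -> list:
    """Raptor 6.5 rejects a shared secret outside 20-28 characters."""
    n = len(secret)
    if RAPTOR_SECRET_MIN <= n <= RAPTOR_SECRET_MAX:
        return []
    return [f"shared secret is {n} characters; Raptor 6.5 requires "
            f"{RAPTOR_SECRET_MIN}-{RAPTOR_SECRET_MAX}"]


def compare_tunnel_settings(checkpoint: dict, raptor: dict) -> list:
    """Return every mismatch or rule violation; an empty list means the ends agree."""
    problems = check_shared_secret(raptor["shared_secret"])
    for key in MUST_MATCH:
        if checkpoint.get(key) != raptor.get(key):
            problems.append(f"{key}: Checkpoint={checkpoint.get(key)!r}, "
                            f"Raptor={raptor.get(key)!r}")
    # Step 14: Tunnel Mode selected and Perfect Forward Secrecy unchecked on the Raptor
    if raptor.get("mode") != "tunnel":
        problems.append("Raptor: 'Tunnel Mode' must be selected")
    if raptor.get("pfs"):
        problems.append("Raptor: Perfect Forward Secrecy must be unchecked")
    return problems


# Constructed settings as they would be read off the two dialogs
CHECKPOINT_OK = {
    "encryption": "3DES",                 # placeholder algorithm names, not the FAQ's choice
    "data_integrity": "SHA1",
    "authentication": "pre-shared secret",
    "mode": "tunnel",
    "pfs": False,
    "shared_secret": "constructed-example-secret01",   # 28 characters, inside the limit
}
RAPTOR_OK = dict(CHECKPOINT_OK)

# A Raptor side with three typical data-entry mistakes
RAPTOR_BAD = dict(CHECKPOINT_OK, data_integrity="MD5", pfs=True, shared_secret="too-short")


if __name__ == "__main__":
    print(compare_tunnel_settings(CHECKPOINT_OK, RAPTOR_OK))      # []
    for problem in compare_tunnel_settings(CHECKPOINT_OK, RAPTOR_BAD):
        print("-", problem)
```

A short secret is reported once for the length rule and once more as a mismatch against the other end, and a PFS setting that differs shows up both as a mismatch and as a violation of step 14; reading the list top to bottom gives the order in which to revisit the dialogs.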