FAQ0173: How can I implement SecuRemote for HA systems with additional hybrid authentication?
1) Because with HA you get a distributed environment, you need to do some work on the management side and some on the FW module side. Start with the FW management station. You create a workstation object for it and define that it is a management station only. Take the VPN tab and create the CA and DH keys in the FWZ properties. You need to do this although we are going to use IKE as the encryption scheme: the keys are needed for fetching the topology information in a secure way, not for IKE itself. The SecuRemote license is installed on the management station, and the management station has to be reachable from the public side, so you certainly need some static NAT for this station with the FW1_topo port open for downloading the topology. This download can be authenticated or not; you define this in the FW properties under desktop security.

2) Using HA you need to create a gateway cluster object. This object represents the cluster as ONE object, therefore you also do not install the security policy on the FW modules themselves; you install it on the cluster. To enable the HA option, select the corresponding boxes in the FW properties. This does NOT need the Check Point HA license, because the cluster object is also needed for SBFC or any other 3rd-party HA solution.

3) The cluster object can now be created as a new object. These menu items are not available until you enable the HA option. Define the cluster IP address, which is the virtual IP shared by both FW modules.

4) Before you define more in the gateway cluster object, you need to create the two firewall modules. Define them both as members of the cluster. You will see that some tabs disappear, because these settings are now made on the cluster object and no longer on the FW module.

5) Going back to the gateway cluster object, you now see the two members of the cluster in there. They cannot be removed or added here; this has to be done at the FW module level, as just seen before. Select the authentication scheme you want to allow for the cluster.

Define the encryption properties for the cluster. Set the encryption domain (the internal LAN you want to access) and the IKE scheme. Edit the IKE scheme and define that you want to use hybrid mode only. Hybrid mode does not support aggressive mode, therefore you need to uncheck this option. You could also use any other authentication method concurrently; hybrid mode does not exclude them.

6) For hybrid authentication you need to create an internal certificate for your gateway cluster. Stop the firewall management with fwstop. Create the CA in the $FWDIR/bin directory with:
fw internalca create -dn "o=deathstar, c=ch"
Now you need to certify your gateway cluster with the command:
fw internalca certify -o fw_cluster "o=deathstar, c=ch"
This gives you a success message for the creation of the certificate. Start the firewall management again with fwstart. Going back to the gateway cluster object, you now see the certificate in the corresponding tab. You can check it and see the settings you made. The cluster is now finished.

7) To make sure that the SR connections are not routed asymmetrically, we define a pool of IP addresses on each FW module. These settings also have to be added to the filter.conf file of SBFC with the designated-ip entries. Therefore you need to enable the usage of IP pools in the FW properties.

The IP address pools are defined with address range objects. Take one pool per FW module. These IP pools should not be defined inside the internal network; they can also be RFC 1918 addresses. The idea is that when an SR connection reaches the cluster it is allocated to one FW module and stays on this module for a certain time (see below). The FW module now applies static NAT to the connection towards the internal destination, so it can make sure that the reply comes back to the right FW module. The source IP is replaced with one IP address of the pool; the packet still definitely finds its way to the internal station, since that is done with the destination IP. The reply traffic, which now has the NATed pool IP as destination, finds its way back because the gateway cluster is its default gateway. If this is not the case, you need to add static routes for the NAT pool IP addresses pointing to the gateway cluster.

After creating the NAT pools, assign them to the corresponding FW module. For the 1st FW module we define nat-pool1 and for the 2nd nat-pool2. You can also define the lease time for the IP addresses of the NAT pool here. You need as many IP addresses as you will have concurrent users.
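To illustrate step 7, here is an added example (not Check Point code and not part of the original FAQ) that models the per-module NAT pools in Python: it checks that the pools lie outside the internal LAN and do not overlap each other, leases one pool address per SR client on the module that accepted the connection, and shows which FW module the reply traffic returns to. The prefixes, the module names fw1/fw2 and the lease time are constructed sample values.

```python
import ipaddress

# Constructed sample values: encryption domain and one pool per FW module
# (nat-pool1 for fw1, nat-pool2 for fw2); the lease time is made up too.
INTERNAL_LAN = "10.0.2.0/24"
POOLS = {"fw1": "192.168.101.0/24", "fw2": "192.168.102.0/24"}
LEASE_SECONDS = 3600

def check_pools(pools, internal_lan):
    """List problems: a pool overlapping the internal LAN or another pool."""
    lan = ipaddress.ip_network(internal_lan)
    nets = {m: ipaddress.ip_network(p) for m, p in pools.items()}
    names, problems = list(nets), []
    for i, a in enumerate(names):
        if nets[a].overlaps(lan):
            problems.append(f"{a}: pool {nets[a]} overlaps internal LAN {lan}")
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b}: pools overlap")
    return problems

class PoolNat:
    """Each FW module leases addresses from its own pool to SR clients."""
    def __init__(self, pools, lease):
        self.pools = {m: ipaddress.ip_network(p) for m, p in pools.items()}
        self.lease = lease
        self.free = {m: list(n.hosts()) for m, n in self.pools.items()}
        self.leases = {}  # client -> (module, pool address, expiry)

    def allocate(self, client, module, now):
        """Lease a pool address on the module that accepted the connection."""
        entry = self.leases.get(client)
        if entry and entry[0] == module and entry[2] > now:
            return entry[1]  # still leased on the same module: keep it
        if not self.free[module]:
            raise RuntimeError(f"{module}: pool exhausted, add addresses")
        ip = self.free[module].pop(0)
        self.leases[client] = (module, ip, now + self.lease)
        return ip

    def expire(self, now):
        """Release leases whose time is up so the addresses can be reused."""
        for client, (module, ip, until) in list(self.leases.items()):
            if until <= now:
                self.free[module].append(ip)
                del self.leases[client]

    def reply_module(self, dst):
        """Which module a reply to pool address dst returns to (None if none)."""
        addr = ipaddress.ip_address(dst)
        return next((m for m, n in self.pools.items() if addr in n), None)
```

A reply whose destination is not a pool address (for example an internal LAN address) maps to no module, which is exactly the asymmetric-routing case the pools are meant to avoid.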

8) Define a user for the authentication, and define a group that contains the users.

Define the authentication scheme you want to use for these users. Make sure that this scheme is also enabled on the gateway cluster object. In our example we use a FireWall-1 password, which is the easiest way to test it.

In the encryption tab of the user you can define the IKE settings, or rather, with hybrid authentication you do not have to define anything here at all. You could enter a password here, which would be used for downloading the topology information; these two passwords can therefore be different.

9) Define a rule base that allows you to enter the internal encryption domain with client encryption (rule 4). You also need to allow fetching the key from the internal management station (rule 3), where valid_management is the NATed IP address of the internal management station. Check how to do this in FAQ0021 and FAQ0171.

10) Install the SecuRemote client (I used build 4157) and fetch the key from the valid_management IP address. Try to access the internal web server (which has to be in the encryption domain) with its invalid IP address, like 10.0.2.1. This object also has to be part of the Internal-LAN, otherwise the security policy would not allow you to access it. You get prompted for username and password; enter the settings you made for the user "obiwan" with password "test".

Check the log viewer and you will see all packets listed: the successful authentication, the IKE handshake, the NAT pool IP address the packet gets, and the encrypted traffic between the SR client and the gateway cluster.