Add an article on Checkpoint VPN-1/Firewall-1 and FreeBSD IPSec.
PR: 28994 Submitted by: Jon Orbeton <jono@networkcommand.com> (original version)
This commit is contained in:
parent ec20a60249
commit e50907d0ce
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=15425
2 changed files with 425 additions and 0 deletions
14
en_US.ISO8859-1/articles/checkpoint/Makefile
Normal file
@ -0,0 +1,14 @@
# $FreeBSD$

DOC?= article

FORMATS?= html

INSTALL_COMPRESSED?=gz
INSTALL_ONLY_COMPRESSED?=

SRCS= article.sgml

DOC_PREFIX?= ${.CURDIR}/../../..

.include "${DOC_PREFIX}/share/mk/doc.project.mk"
411
en_US.ISO8859-1/articles/checkpoint/article.sgml
Normal file
@ -0,0 +1,411 @@
<!-- Copyright (c) 2001 The FreeBSD Documentation Project

Redistribution and use in source (SGML DocBook) and 'compiled' forms
(SGML, HTML, PDF, PostScript, RTF and so forth) with or without
modification, are permitted provided that the following conditions
are met:

1. Redistributions of source code (SGML DocBook) must retain the above
copyright notice, this list of conditions and the following
disclaimer as the first lines of this file unmodified.

2. Redistributions in compiled form (transformed to other DTDs,
converted to PDF, PostScript, RTF and other formats) must reproduce
the above copyright notice, this list of conditions and the
following disclaimer in the documentation and/or other materials
provided with the distribution.

THIS DOCUMENTATION IS PROVIDED BY THE FREEBSD DOCUMENTATION PROJECT "AS
IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NIK CLAYTON BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.

$FreeBSD$
-->

<!DOCTYPE article PUBLIC "-//FreeBSD//DTD DocBook V4.1-Based Extension//EN" [
<!ENTITY % man PUBLIC "-//FreeBSD//ENTITIES DocBook Manual Page Entities//EN">
%man;
<!ENTITY legalnotice SYSTEM "../../share/sgml/legalnotice.sgml">
]>

<article>
<articleinfo>
<title>Integration of Checkpoint VPN-1/Firewall-1 and FreeBSD IPSec</title>

<authorgroup>
<author>
<firstname>Jon</firstname>
<surname>Orbeton</surname>

<affiliation>
<address><email>info@networkcommand.com</email></address>
</affiliation>
</author>

<author>
<firstname>Matt</firstname>
<surname>Hite</surname>

<affiliation>
<address><email>mhite@hotmail.com</email></address>
</affiliation>
</author>
</authorgroup>

<pubdate>$FreeBSD$</pubdate>

<copyright>
<year>2001, 2002</year>
<holder role="mailto:info@networkcommand.com">Jon Orbeton</holder>
</copyright>

&legalnotice;

<abstract>
<para>This document explains how to configure a
<acronym>VPN</acronym> tunnel between FreeBSD and Checkpoint's
VPN-1/Firewall-1. Other documents provide similar information,
but do not contain instructions specific to VPN-1/Firewall-1
and its integration with FreeBSD. These documents are
listed at the conclusion of this paper for further reference.</para>
</abstract>
</articleinfo>

<sect1 id="prerequisites">
<title>Prerequisites</title>

<para>The following is a diagram of the machines and networks
referenced in this document.</para>

<programlisting>External Interface External Interface
208.229.100.6 216.218.197.2
| |
+--> Firewall-1 <--> Internet <--> FreeBSD GW <--+
| |
FW-1 Protected Nets Internal Nets
199.208.192.0/24 192.168.10.0/24</programlisting>

<para>The FreeBSD gateway (<acronym>GW</acronym> serves as a firewall and
<acronym>NAT</acronym> device for <quote>internal nets.</quote></para>

<para>The FreeBSD kernel must be compiled to support IPSec.
Use the following kernel options:</para>

<programlisting>options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG</programlisting>

<para>For instructions on building a custom kernel, refer to the
<ulink url="http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/x3663.html">
FreeBSD handbook</ulink>. Please note that <acronym>IP</acronym>
protocol 50 (<acronym>ESP</acronym>) and <acronym>UDP</acronym>
port <literal>500</literal> must be open between the Firewall-1
host and the FreeBSD <acronym>GW</acronym>.</para>

<para>Also, <application>racoon</application> must be installed to
support key exchange. <application>Racoon</application> is part
of the FreeBSD ports collection in
<filename role="package">security/racoon</filename>. The
<application>racoon</application> configuration file will be
covered later in this document.</para>
</sect1>

<sect1 id="object">
<title>Firewall-1 Network Object Configuration</title>

<para>Begin by configuring the Firewall-1 Policy. Open the
Policy Editor on the Firewall-1 Management server and create
a new <quote>Workstation</quote> Network Object representing FreeBSD
<acronym>GW</acronym>.</para>

<programlisting>General Tab:
Set name and IP address

VPN Tab:
Encryption Schemes Defined: IKE ---> Edit

IKE Properties:
Key Negotiation Encryption Methods: 3DES

Authentication Method:
Pre-Shared Secret ---> Edit</programlisting>

<para>Select the Firewall Object and set a pre-shared secret.
(Do not use our example.)</para>

<programlisting>Support Aggressive Mode: Checked
Supports Subnets: Checked</programlisting>

<para>After setting the pre-shared secret in the Firewall-1 Network
Object definition, place this secret in
<filename>/usr/local/etc/racoon/psk.txt</filename> on FreeBSD
<acronym>GW</acronym>. The format for <filename>psk.txt</filename> is:</para>

<programlisting>208.229.100.6 rUac0wtoo?</programlisting>

</sect1>

<sect1 id="rulecfg">
<title>Firewall-1 VPN Rule Configuration</title>

<para>Next, create a Firewall-1 rule enabling encryption between
the FreeBSD <acronym>GW</acronym> and the Firewall-1 protected network.
In this rule, the network services permitted through the
<acronym>VPN</acronym> must be defined.</para>

<programlisting>Source | Destination | Service | Action | Track
------------------------------------------------------------------------
FreeBSD GW | FW-1 Protected Net | VPN services | Encrypt | Long
FW-1 Protected Net| FreeBSD GW | | |</programlisting>

<para><quote>VPN services</quote> are any services (i.e.
<command>telnet</command>, <acronym>SSH</acronym>,
<acronym>NTP</acronym>, etc.) which remote hosts are permitted to
access through the <acronym>VPN</acronym>. Use caution when
permitting services; hosts connecting through a <acronym>VPN</acronym>
still represent a potential security risk. Encrypting the traffic
between the two networks offers little protection if a host on either
side of the tunnel has been compromised.</para>

<para>Once the rule specifying data encryption between the FreeBSD
<acronym>GW</acronym> and the Firewall-1 protected network has
been configured, review the <quote>Action Encrypt</quote> settings.</para>

<programlisting>Encryption Schemes Defined: IKE ---> Edit
Transform: Encryption + Data Integrity (ESP)
Encryption Algorithm: 3DES
Data Integrity: MD5
Allowed Peer Gateway: Any or Firewall Object
Use Perfect Forward Secrecy: Checked</programlisting>

<para>The use of Perfect Forward Secrecy (<acronym>PFS</acronym>) is
optional. Enabling <acronym>PFS</acronym> will add another layer of
encryption security, but does come at the cost of increased
<acronym>CPU</acronym> overhead. If <acronym>PFS</acronym> is not
used, uncheck the box above and comment out the <literal>pfs_group 1</literal>
line from <filename>racoon.conf</filename> on FreeBSD
<acronym>GW</acronym>. An example <filename>racoon.conf</filename>
is provided later in this document.</para>

</sect1>

<sect1 id="policy">
<title>FreeBSD <acronym>VPN</acronym> Policy Configuration</title>

<para>At this point, the <acronym>VPN</acronym> policy on FreeBSD
<acronym>GW</acronym> must be defined. The
<filename>/usr/sbin/setkey</filename> tool performs this function.</para>

<para>Below is an example shell script which will flush &man.setkey.8; and
add your <acronym>VPN</acronym> policy rules.</para>

<programlisting>#
# /etc/vpn1-ipsec.sh
#
# IP addresses
#
# External Interface External Interface
# 208.229.100.6 216.218.197.2
# | |
# +--> Firewall-1 <--> Internet <--> FreeBSD GW <--+
# | |
# FW-1 Protected Nets Internal Nets
# 199.208.192.0/24 192.168.10.0/24
#
# Flush the policy
#
setkey -FP
setkey -F
#
# Configure the Policy
#
setkey -c << END
spdadd 216.218.197.2/32 199.208.192.0/24 any -P out ipsec
esp/tunnel/216.218.197.2-208.229.100.6/require;
spdadd 199.208.192.0/24 216.218.197.2/32 any -P in ipsec
esp/tunnel/208.229.100.6-216.218.197.2/require;
END
#</programlisting>

<para>Execute the &man.setkey.8; commands:</para>

<screen>&prompt.root; <userinput>sh /etc/vpn1-ipsec.sh</userinput></screen>
</sect1>

<sect1 id="racoon">
<title>FreeBSD <application>Racoon</application> Configuration</title>

<para>To facilitate the negotiation of IPSec keys on the FreeBSD
<acronym>GW</acronym>, <filename>/usr/ports/security/racoon</filename> must
be installed and configured.</para>

<para>The following is a racoon configuration file suitable for use with
the examples outlined in this document. Please make sure you fully
understand this file before using in a production environment.</para>

<programlisting># racoon.conf for use with Checkpoint VPN-1/Firewall-1
#
# search this file for pre_shared_key with various ID key.
#
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
log debug;
#
# "padding" defines some parameter of padding. You should not touch these.
#
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}

listen
{
#isakmp ::1 [7000];
#isakmp 0.0.0.0 [500];
#admin [7002]; # administrative port by kmpstat.
#strict_address; # required all addresses must be bound.
}
#
# Specification of default various timers.
#
timer
{
#
# These values can be changed per remote node.
#
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.
#
# timer for waiting to complete each phase.
#
phase1 30 sec;
phase2 15 sec;
}

remote anonymous
{
exchange_mode aggressive,main; # For Firewall-1 Aggressive mode

#my_identifier address;
#my_identifier user_fqdn "";
#my_identifier address "";
#peers_identifier address "";
#certificate_type x509 "" "";

nonce_size 16;
lifetime time 10 min; # sec,min,hour
lifetime byte 5 MB; # B,KB,GB
initial_contact on;
support_mip6 on;
proposal_check obey; # obey, strict or claim

proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 2 ;
}
}

sainfo anonymous
{
pfs_group 1;
lifetime time 10 min;
lifetime byte 50000 KB;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate ;
}</programlisting>

<para>Ensure that <filename>/usr/local/etc/racoon/psk.txt</filename>
contains the shared secret configured in the "Firewall-1 Network Object
Configuration" section of this document and has mode <literal>600</literal>
permissions.</para>

<screen>&prompt.root; <userinput>chmod 600 /usr/local/etc/racoon/psk.txt</userinput></screen>

</sect1>

<sect1 id="startingvpn">
<title>Starting the <acronym>VPN</acronym></title>

<para>You are now ready to launch <application>racoon</application> and test
the <acronym>VPN</acronym> tunnel. For debugging purposes, open the
Firewall-1 Log Viewer and define a log filter to isolate entries pertaining
to FreeBSD <acronym>GW</acronym>. You may also find it helpful to
&man.tail.1; the <application>racoon</application> log:</para>

<screen>&prompt.root; <userinput>tail -f /var/log/racoon.log</userinput></screen>

<para>Start <application>racoon</application> using the following
command:</para>

<screen>&prompt.root; <userinput>/usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf</userinput></screen>

<para>Once <application>racoon</application> has been launched, &man.telnet.1;
to a host on the Firewall-1 protected network.</para>

<screen>&prompt.root; <userinput>telnet -s 192.168.10.3 199.208.192.66 22</userinput></screen>

<para>This command attempts to connect to the &man.ssh.1;
port on 199.208.192.66, a machine in the Firewall-1 protected network. The
<option>-s</option> switch indicates the source interface of the outbound
connection. This is particularly important when running
<acronym>NAT</acronym> and <acronym>IPFW</acronym> on FreeBSD
<acronym>GW</acronym>. Using <literal>-s</literal> and specifying an
explicit source address prevents <acronym>NAT</acronym> from mangling the
packet prior to tunneling.</para>

<para>A successful <application>racoon</application> key exchange will
output the following to <filename>racoon.log</filename>:</para>

<programlisting>pfkey UPDATE succeeded: ESP/Tunnel 216.218.197.2->208.229.100.6
pk_recvupdate(): IPSec-SA established: ESP/Tunnel 216.218.197.2->208.229.100.6
get pfkey ADD message IPsec-SA established: ESP/Tunnel 208.229.100.6->216.218.197.2</programlisting>

<para>Once key exchange completes (which takes a few seconds), an &man.ssh.1;
banner will appear. If all went well, two "Key Install" messages will be logged
in the Firewall-1 Log Viewer.</para>

<programlisting>Action | Source | Dest. | Info.
Key Install | 216.218.197.2 | 208.229.100.6 | IKE Log: Phase 1 (aggressive) completion.
Key Install | 216.218.197.2 | 208.229.100.6 | scheme: IKE methods</programlisting>

<para>Under the information column, the full log detail will read:</para>

<programlisting>IKE Log: Phase 1 (aggressive) completion. 3DES/MD5/Pre shared secrets Negotiation Id:
scheme: IKE methods: Combined ESP: 3DES + MD5 + PFS (phase 2 completion) for host:</programlisting>
</sect1>

<sect1 id="References">
<title>References</title>

<itemizedlist>
<listitem>
<para><ulink url="http://www.freebsd.org/handbook/ipsec.html">
The FreeBSD Handbook: IPSec</ulink></para>
</listitem>

<listitem>
<para><ulink url="http://www.kame.net">KAME Project</ulink></para>
</listitem>

<listitem>
<para><ulink url="http://www.x-itec.de/projects/tuts/ipsec-howto.txt">
FreeBSD IPSec mini-HOWTO</ulink></para>
</listitem>
</itemizedlist>

</sect1>
</article>
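Review bot: the SPD installed by /etc/vpn1-ipsec.sh selects only traffic between 216.218.197.2/32 and 199.208.192.0/24, yet the test in the "Starting the VPN" section sources the connection from the internal address (`telnet -s 192.168.10.3 199.208.192.66 22`) and the prerequisites describe 192.168.10.0/24 as the net behind the GW; either add `spdadd` entries covering 192.168.10.0/24 or have the text explain how a packet sourced from 192.168.10.3 matches the 216.218.197.2/32 selector, because as written the policy and the test disagree. The configuration also carries troubleshooting settings without saying so: `options IPSEC_DEBUG` in the kernel list and `log debug;` in racoon.conf; the racoon paragraph asks readers to understand the file before production use, and a sentence naming these as debug-only settings to turn off afterwards would make that concrete. In the same file, `remote anonymous` with `exchange_mode aggressive,main` and `proposal_check obey` accepts negotiation from any peer address rather than only from 208.229.100.6, which is worth a remark next to the Firewall-1 "Allowed Peer Gateway: Any or Firewall Object" setting since both sides are being told the looser option is acceptable. Minor: the prerequisites paragraph is missing the closing parenthesis in "The FreeBSD gateway (<acronym>GW</acronym> serves as", and `id="References"` is capitalized while every other sect1 id is lowercase.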