diff --git a/en_US.ISO8859-1/articles/checkpoint/Makefile b/en_US.ISO8859-1/articles/checkpoint/Makefile new file mode 100644 index 0000000000..886e21cc9d --- /dev/null +++ b/en_US.ISO8859-1/articles/checkpoint/Makefile @@ -0,0 +1,14 @@ +# $FreeBSD$ + +DOC?= article + +FORMATS?= html + +INSTALL_COMPRESSED?=gz +INSTALL_ONLY_COMPRESSED?= + +SRCS= article.sgml + +DOC_PREFIX?= ${.CURDIR}/../../.. + +.include "${DOC_PREFIX}/share/mk/doc.project.mk" diff --git a/en_US.ISO8859-1/articles/checkpoint/article.sgml b/en_US.ISO8859-1/articles/checkpoint/article.sgml new file mode 100644 index 0000000000..efa1e2d4b3 --- /dev/null +++ b/en_US.ISO8859-1/articles/checkpoint/article.sgml @@ -0,0 +1,411 @@ + + + +%man; + +]> + +
+ + Integration of Checkpoint VPN-1/Firewall-1 and FreeBSD IPSec + + + + Jon + Orbeton + + +
info@networkcommand.com
+ + + + + Matt + Hite + + +
mhite@hotmail.com
+ + + + + $FreeBSD$ + + + 2001, 2002 + Jon Orbeton + + + &legalnotice; + + + This document explains how to configure a + VPN tunnel between FreeBSD and Checkpoint's + VPN-1/Firewall-1. Other documents provide similar information, + but do not contain instructions specific to VPN-1/Firewall-1 + and its integration with FreeBSD. These documents are + listed at the conclusion of this paper for further reference. + + + + + Prerequisites + + The following is a diagram of the machines and networks + referenced in this document. + +External Interface External Interface + 208.229.100.6 216.218.197.2 + | | + +--> Firewall-1 <--> Internet <--> FreeBSD GW <--+ + | | +FW-1 Protected Nets Internal Nets +199.208.192.0/24 192.168.10.0/24 + + The FreeBSD gateway (GW serves as a firewall and + NAT device for internal nets. + + The FreeBSD kernel must be compiled to support IPSec. + Use the following kernel options: + +options IPSEC +options IPSEC_ESP +options IPSEC_DEBUG + + For instructions on building a custom kernel, refer to the + + FreeBSD handbook. Please note that IP + protocol 50 (ESP) and UDP + port 500 must be open between the Firewall-1 + host and the FreeBSD GW. + + Also, racoon must be installed to + support key exchange. Racoon is part + of the FreeBSD ports collection in + security/racoon. The + racoon configuration file will be + covered later in this document. + + + + Firewall-1 Network Object Configuration + + Begin by configuring the Firewall-1 Policy. Open the + Policy Editor on the Firewall-1 Management server and create + a new Workstation Network Object representing FreeBSD + GW. + +General Tab: + Set name and IP address + +VPN Tab: + Encryption Schemes Defined: IKE ---> Edit + +IKE Properties: + Key Negotiation Encryption Methods: 3DES + +Authentication Method: + Pre-Shared Secret ---> Edit + + Select the Firewall Object and set a pre-shared secret. + (Do not use our example.) + +Support Aggressive Mode: Checked +Supports Subnets: Checked + + After setting the pre-shared secret in the Firewall-1 Network + Object definition, place this secret in + /usr/local/etc/racoon/psk.txt on FreeBSD + GW. The format for psk.txt is: + +208.229.100.6 rUac0wtoo? + + + + + Firewall-1 VPN Rule Configuration + + Next, create a Firewall-1 rule enabling encryption between + the FreeBSD GW and the Firewall-1 protected network. + In this rule, the network services permitted through the + VPN must be defined. + +Source | Destination | Service | Action | Track +------------------------------------------------------------------------ +FreeBSD GW | FW-1 Protected Net | VPN services | Encrypt | Long +FW-1 Protected Net| FreeBSD GW | | | + + VPN services are any services (i.e. + telnet, SSH, + NTP, etc.) which remote hosts are permitted to + access through the VPN. Use caution when + permitting services; hosts connecting through a VPN + still represent a potential security risk. Encrypting the traffic + between the two networks offers little protection if a host on either + side of the tunnel has been compromised. + + Once the rule specifying data encryption between the FreeBSD + GW and the Firewall-1 protected network has + been configured, review the Action Encrypt settings. + +Encryption Schemes Defined: IKE ---> Edit +Transform: Encryption + Data Integrity (ESP) +Encryption Algorithm: 3DES +Data Integrity: MD5 +Allowed Peer Gateway: Any or Firewall Object +Use Perfect Forward Secrecy: Checked + + The use of Perfect Forward Secrecy (PFS) is + optional. Enabling PFS will add another layer of + encryption security, but does come at the cost of increased + CPU overhead. If PFS is not + used, uncheck the box above and comment out the pfs_group 1 + line from racoon.conf on FreeBSD + GW. An example racoon.conf + is provided later in this document. + + + + + FreeBSD <acronym>VPN</acronym> Policy Configuration + + At this point, the VPN policy on FreeBSD + GW must be defined. The + /usr/sbin/setkey tool performs this function. + + Below is an example shell script which will flush &man.setkey.8; and + add your VPN policy rules. + +# +# /etc/vpn1-ipsec.sh +# +# IP addresses +# +# External Interface External Interface +# 208.229.100.6 216.218.197.2 +# | | +# +--> Firewall-1 <--> Internet <--> FreeBSD GW <--+ +# | | +# FW-1 Protected Nets Internal Nets +# 199.208.192.0/24 192.168.10.0/24 +# +# Flush the policy +# +setkey -FP +setkey -F +# +# Configure the Policy +# +setkey -c << END +spdadd 216.218.197.2/32 199.208.192.0/24 any -P out ipsec +esp/tunnel/216.218.197.2-208.229.100.6/require; +spdadd 199.208.192.0/24 216.218.197.2/32 any -P in ipsec +esp/tunnel/208.229.100.6-216.218.197.2/require; +END +# + + Execute the &man.setkey.8; commands: + + &prompt.root; sh /etc/vpn1-ipsec.sh + + + + FreeBSD <application>Racoon</application> Configuration + + To facilitate the negotiation of IPSec keys on the FreeBSD + GW, /usr/ports/security/racoon must + be installed and configured. + + The following is a racoon configuration file suitable for use with + the examples outlined in this document. Please make sure you fully + understand this file before using in a production environment. + +# racoon.conf for use with Checkpoint VPN-1/Firewall-1 +# +# search this file for pre_shared_key with various ID key. +# + path pre_shared_key "/usr/local/etc/racoon/psk.txt" ; + log debug; +# +# "padding" defines some parameter of padding. You should not touch these. +# + padding + { + maximum_length 20; # maximum padding length. + randomize off; # enable randomize length. + strict_check off; # enable strict check. + exclusive_tail off; # extract last one octet. + } + + listen + { + #isakmp ::1 [7000]; + #isakmp 0.0.0.0 [500]; + #admin [7002]; # administrative port by kmpstat. + #strict_address; # required all addresses must be bound. + } +# +# Specification of default various timers. +# + timer + { +# +# These values can be changed per remote node. +# + counter 5; # maximum trying count to send. + interval 20 sec; # maximum interval to resend. + persend 1; # the number of packets per a send. +# +# timer for waiting to complete each phase. +# + phase1 30 sec; + phase2 15 sec; + } + + remote anonymous + { + exchange_mode aggressive,main; # For Firewall-1 Aggressive mode + + #my_identifier address; + #my_identifier user_fqdn ""; + #my_identifier address ""; + #peers_identifier address ""; + #certificate_type x509 "" ""; + + nonce_size 16; + lifetime time 10 min; # sec,min,hour + lifetime byte 5 MB; # B,KB,GB + initial_contact on; + support_mip6 on; + proposal_check obey; # obey, strict or claim + + proposal { + encryption_algorithm 3des; + hash_algorithm md5; + authentication_method pre_shared_key; + dh_group 2 ; + } + } + + sainfo anonymous + { + pfs_group 1; + lifetime time 10 min; + lifetime byte 50000 KB; + encryption_algorithm 3des; + authentication_algorithm hmac_md5; + compression_algorithm deflate ; + } + + Ensure that /usr/local/etc/racoon/psk.txt + contains the shared secret configured in the "Firewall-1 Network Object + Configuration" section of this document and has mode 600 + permissions. + + &prompt.root; chmod 600 /usr/local/etc/racoon/psk.txt + + + + + Starting the <acronym>VPN</acronym> + + You are now ready to launch racoon and test + the VPN tunnel. For debugging purposes, open the + Firewall-1 Log Viewer and define a log filter to isolate entries pertaining + to FreeBSD GW. You may also find it helpful to + &man.tail.1; the racoon log: + + &prompt.root; tail -f /var/log/racoon.log + + Start racoon using the following + command: + + &prompt.root; /usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf + + Once racoon has been launched, &man.telnet.1; + to a host on the Firewall-1 protected network. + + &prompt.root; telnet -s 192.168.10.3 199.208.192.66 22 + + This command attempts to connect to the &man.ssh.1; + port on 199.208.192.66, a machine in the Firewall-1 protected network. The + switch indicates the source interface of the outbound + connection. This is particularly important when running + NAT and IPFW on FreeBSD + GW. Using -s and specifying an + explicit source address prevents NAT from mangling the + packet prior to tunneling. + + A successful racoon key exchange will + output the following to racoon.log: + +pfkey UPDATE succeeded: ESP/Tunnel 216.218.197.2->208.229.100.6 +pk_recvupdate(): IPSec-SA established: ESP/Tunnel 216.218.197.2->208.229.100.6 +get pfkey ADD message IPsec-SA established: ESP/Tunnel 208.229.100.6->216.218.197.2 + + Once key exchange completes (which takes a few seconds), an &man.ssh.1; + banner will appear. If all went well, two "Key Install" messages will be logged + in the Firewall-1 Log Viewer. + +Action | Source | Dest. | Info. +Key Install | 216.218.197.2 | 208.229.100.6 | IKE Log: Phase 1 (aggressive) completion. +Key Install | 216.218.197.2 | 208.229.100.6 | scheme: IKE methods + + Under the information column, the full log detail will read: + +IKE Log: Phase 1 (aggressive) completion. 3DES/MD5/Pre shared secrets Negotiation Id: +scheme: IKE methods: Combined ESP: 3DES + MD5 + PFS (phase 2 completion) for host: + + + + References + + + + + The FreeBSD Handbook: IPSec + + + + KAME Project + + + + + FreeBSD IPSec mini-HOWTO + + + + +