Creating a VPN between a Cisco router and a Checkpoint Firewall using manual IPSEC

You'd think that this would be a dead easy configuration, no? They both support IPSEC, the procedures for setting it up are reasonably straightforward and well documented … but there's a catch or two.

Update: Ken Carvel supplied this information about setting up a VPN using IKE-based IPSEC. I have not tried it myself, but Ken says it functions. Give it a look.

In creating this configuration I found the following documents very educational, in fact invaluable:

Checkpoint Virtual Private Networks (supplied as PDF on the Checkpoint FW1/VPN1 CD) : chapter 6, "Implementing Manual IPSec Encryption"
"Configuring IPSec Network Security" (CCO Online)
"IPSec Network Security" (CCO Online)
"Intranet VPN Business Scenario" (CCO Online)
A message from Alex.Senkevitch2midata.com titled "Re: [FW1] IPSec between Cisco and FW-1"

In addition, the help of Cisco tech support engineer Wade Blackwell provided the last piece of the puzzle. Thanks, Wade!

Overview

Conventions and assumptions
Configure the Checkpoint side

Create manual IPSec key(s)
Create network objects
Add encryption rules
Add translation rules
Install the policy

Configure the Cisco side

Create access lists
Create crypto transform set
Create crypto map
Apply map to interface

Test
Sample cisco config

Conventions and assumptions

In this example, items in bold are names or numbers you should customize for your own use. The setup used is as follows:

HQ-LAN	Corporate LAN, class B network 172.8.0.0
HQ-gateway	Checkpoint Firewall-1/VPN-1, running on NT Server 4.0, SP4. LAN interface 172.8.0.1; external interface 151.204.37.2. Provides NAT to let HQ-LAN surf the internet.
HQ-cisco	Cisco 2500, interfaces FW1 to the internet by T1 line. Configuration left alone, interface addresses irrelevant.
remote-cisco	Cisco 1605, interfaces remote LAN to the internet by ISDN line. Interface dialer1 with IP address 151.204.47.1; Interface BRI0 unnumbered; Interface Ethernet0 with IP address 172.6.0.1. Provides NAT to let remote-LAN surf the internet.
remote-LAN	Branch office LAN, class B network 172.6.0.0

Configure the Checkpoint side

Create manual IPSec key(s)

In the Policy Editor, select Manage/Keys. Click on New and select SPI. The Manual IPSec window is displayed.
In SPI Value enter a unique identifier in hex, typically between 0x100 and 0xffff.
Check ESP and AH; set Encryption Algorithm to DES-IV32 (IV32 denotes 4 byte Initialization vector).
Check AH; set Authentication Algorithm to MD5.
Select Keys/By Seed, enter some random text in the Seed box, click Generate. Write down the Encryption Key (Hex value) and Authentication Key (Hex value).
Select Keys/Manually and reenter the keys just generated. Click OK.
Repeat the New/SPI process if you want separate inbound and outbound keys.

Create network objects

In the Policy Editor, select Manage/Network objects.

Create Network objects for your the LANs you want to connect: for example call them HQ-lan (172.8.0.0)and remote-lan (172.6.0.0).
Create a Workstation object for the cisco. Give it a name (e.g. remote-cisco) and an IP address (e.g. 151.204.47.1), comment, Location External, Type Gateway.
Click on the VPN tab. Under Domain, click Other and select remote-lan.
Under Encryption schemes, check Manual IPSEC. No need to click Edit button, you don't set the keys here. Click OK.
Now select the Workstation object for your FW1 and click Edit. Click the VPN tab. Under Domain, click Other and select HQ-lan.
Under Encryption schemese, check Manual IPSEC. Click OK.

Add encryption rules

Add a rule for inbound traffic. Source is remote-lan, Dest is HQ-lan, Action is Encrypt.
Double-click on Encrypt in the Action column to display Encryption Properties.
Select Manual IPSec, Click on Edit.
Select the spi you're going to use for inbound, and select remote-cisco as the Allowed Peer Gateway. Click OK.
Now add a rule for outbound traffic. Source is HQ-lan, Dest is remote-lan, Action is Encrypt.
Double-click on Encrypt in the Action column to display Encryption Properties.
Select Manual IPSec, Click on Edit.
Select the you're going to use for outbound, and select remote-cisco as the Allowed Peer Gateway. Click OK.

Add translation rules

You need to add translation rules at the top of your translation rulebase so that encrypted traffic won't get NATed instead of encrypted.

In the Poilicy editor, select the Translation tab.
Select Edit/Add Rule at Top from the menu.
Set Source to HQ-LAN, Dest to remote-lan, Service to Any; leave all 3 translation entries as Original.
Select Edit/Add Rule at Top from the menu.
Set Source to remote-lan, Dest to HQ-LAN, Service to Any; leave all 3 translation entries as Original.

Install the policy

You know how to do this!

Configure the Cisco side

Create access lists

If Internet access is already working, you probably already have an access list. You'll need a new access list to define traffic to be encrypted, though, and just as important, the access list to the internet needs to DENY that same traffic. This is because NAT is processed before crypto, so you need to make sure that NAT fails on the traffic so the router will be sure to encrypt it.

# normal traffic to the internet; deny VPN traffic
access-list 110 deny ip 172.6.0.0 0.0.255.255 172.8.0.0 0.0.255.255
access-list 110 permit ip 172.6.0.0 0.0.255.255 any
# VPN traffic
access list 150 permit ip 172.6.0.0 0.0.255.255 any

If you're using NAT, bear in mind that the NAT command won't work right with this complex access-list, and it should be wrapped in a route map.

route-map rmap permit 10
  match ip address 110
!
ip nat inside source route-map rmap interface Dialer1 overload
!

Create crypto transform set

The transform set defines the algorithms used for encryption and authentication. We use the "old" forms of ah and esp, because these match those used on the Checkpoint side.

crypto ipsec transform-set hq-vpn ah-rfc1828 esp-rfc1829 
 initialization-vector size 4
 mode transport
!

Create crypto map

The crypto map specifies the IPSec peer, the transforms used, the traffic to be encrypted, and in the case of Manual IPSEC the actual keys. Use the keys you wrote down in the Checkpoint process. Specify the spi's in decimal, not hex, here. Remember that outbound and inbound are swapped, because this is the other side of the VPN.

# this line might be unnecessary, because a line in "interface Dialer1" is required.
crypto map toHQ local-address Dialer1
# the 10 is used to order various alternative keys for the map.  We've only got one, so it has no effect.
crypto map toHQ 10 ipsec-manual  
 set peer 151.204.37.2
 set transform-set hq-vpn
 match address 150
 set security-association inbound esp spi cipher encryptkey 
 set security-association outbound esp spi cipher encryptkey 
 set security-association inbound ah spi authkey
 set security-association outbound ah spi authkey
!

Apply map to interface

Finally, you have to tell the interface(s) to use the crypto map. Very simple:

interface dialer1
 crypto map toHQ
!
interface BRI0
 crypto map toHQ
!

We apply the crypto map to both interfaces for obscure reasons that Cisco tech support mentioned which I don't really understand, having to do with future tunneling, or something.

Test

At this point both ends should be properly configured. Try pinging from HQ to remote, then from remote to HQ. If that works, try something more complex, like telnet or ftp. With this minimal security, the two LANs should act like they're connected directly through two interfaces of the same router, and all traffic should get through.