Check Point Firewall-1 NG

VPN between Check Point Firewall-1 NG and (Linux) FreeS/WAN

• Gateway 1: Check Point Firewall-1 NG FP-2 installed on Red Hat Linux 7.2 running kernel 2.4.9-31
• Gateway 2  (in Pre-Shared Secret mode): Red Hat Linux 6.2 running kernel 2.2.19-6.2.15 extended with FreeS/WAN 1.96 and openwall patch
• Gateway 2  (in Public Key Signatures mode): Red Hat Linux 7.3 running kernel 2.4.18-5 extended with FreeS/WAN 1.98b (including X.509 patch 0.9.13 and algorithm patch 0.8.0) and grsecurity patch 1.9.5

•  FreeS/WAN
•  FreeS/WAN X.509 extension from strongSec
•  FreeS/WAN algorithm extensions
•  fswcert tool from strongSec
•  Linux Openwall patch (optional)
•  Linux grsecurity patch (optional)
•  TinyCA (Perl based X11 application for CA operations)

• How to patch FreeS/WAN for using X.509 or algorithm extension or Openwall/grsecurity is not scope of this document, see given URLs for more

Support matrix

IKE encryption

IKE integrity and authentication

IKE Diffie-Hellman Groups and Perfect Forward Secrecy

Payload encryption

Payload integrity and compression

Content

•  Check Point FW-1 NG FP-2 setup (mixed)
•  FreeS/WAN setup using pre-shared secrets
•  FreeS/WAN setup using X.509 certificates
•  Specify other algorithms in FreeS/WAN

Topology

Prework

Pre-Shared Secret:

• Think about a good secret string

Public Key Signatures:

• Because it's not possible at the moment to generate certificates for external servers by Check Point Management station itself you have to create an additional Certifite Authority (CA).
• Requirements from CA:
  • X.509 certificate of CA in PEM format, named ca-cert.pem
  • CRL of CA in PEM format, named ca-crl.pem
  • X.509 certificate of FreeS/WAN host in PEM format, named here freeswan-cert.pem
  • RSA key of FreeS/WAN host in PEM format, named here freeswan-key.pem

Setup of Check Point Firewall-1 NG

Create/modify objects: Networks behind gateways

That's easy, no screenshots should be required

Create/modify objects: Firewall itself

Check whether VPN-1 Pro is enabled

Of course VPN-1 module must be licensed ;-)

Define topology and VPN domain

Define IKE properties

Pre-Shared Secret:

Public Key Signatures:

Create/modify objects: Linux as VPN partner

Linux gateway has to be created as "Interoperable Device"

Define topology and VPN domain

Import external OPSEC CA certificate (only needed for Public Key Signatures)

Import a CA certificate as type OPSEC from external, is needed for validating the certificate of a remote FreeS/WAN gateway

Define IKE properties

Pre-Shared Secret:

Public Key Signatures:

Create/modify policy:

Switch to traditional mode

And create a new policy afterwards

Gateway-to-gateway rulesets

Network-to-network  rulesets

Properties of encryption

Install ruleset

That's easy, no screenshots should be required - good luck!

Logging (shared secret)

Log viewer should display following, after on Linux FreeS/WAN IPSec was restarted (use "fw log -tfln" to get log output on console):

14:30:18 accept  >eth0 product VPN-1 & FireWall-1 src 1.2.3.5 s_port IKE dst 1.2.3.4 service IKE proto udp rule 0

14:30:18 keyinst >daemon src 1.2.3.5 dst 1.2.3.4 peer gateway 1.2.3.5 scheme: IKE IKE: Main Mode completion. CookieI cd4facedc444d81c
 CookieR 399e1a8b6543e4c2 methods: 3DES + MD5, Pre shared secrets

14:30:18 keyinst >daemon src 1.2.3.5 dst 1.2.3.4 srckeyid 0xdb3ca7ba dstkeyid 0xd0932dbe peer gateway 1.2.3.5 scheme: IKE
 IKE: Quick Mode Sent Notification: Responder Lifetime CookieI cd4facedc444d81c CookieR 399e1a8b6543e4c2 msgid 39d92aae

14:30:18 keyinst >daemon src 1.2.3.5 dst 1.2.3.4 srckeyid 0xdb3ca7ba dstkeyid 0xd0932dbe peer gateway 1.2.3.5 scheme: IKE
 IKE: Quick Mode completion CookieI cd4facedc444d81c CookieR 399e1a8b6543e4c2 msgid 39d92aae methods: ESP: 3DES + MD5 IKE
 IDs: subnet: 172.16.1.0 (mask= 255.255.255.0) and subnet: 172.16.2.0 (mask= 255.255.255.0)

14:30:18 keyinst >daemon src 1.2.3.5 dst 1.2.3.4 srckeyid 0xdb3ca7bb dstkeyid 0xd0932dbf peer gateway 1.2.3.5 scheme: IKE
 IKE: Quick Mode Sent Notification: Responder Lifetime CookieI cd4facedc444d81c CookieR 399e1a8b6543e4c2 msgid 881b521b

14:30:18 keyinst >daemon src 1.2.3.5 dst 1.2.3.4 srckeyid 0xdb3ca7bb dstkeyid 0xd0932dbf peer gateway 1.2.3.5 scheme: IKE
 IKE: Quick Mode completion CookieI cd4facedc444d81c CookieR 399e1a8b6543e4c2 msgid 881b521b methods: ESP: 3DES + MD5 IKE
 IDs: host: 1.2.3.4 and host: 1.2.3.5

Logging (public key signatures)

16Apr2002 16:43:56 keyinst >daemon src 1.2.3.5 dst 1.2.3.4 peer gateway 1.2.3.5 scheme: IKE IKE: Main Mode completion.
 CookieI d06d13f95066ba08 CookieR fce7a3180b16f5bd methods: 3DES + MD5, RSA signatures

16Apr2002 16:43:56 keyinst >daemon src 1.2.3.5 dst 1.2.3.4 srckeyid 0x6c916c22 dstkeyid 0x2764eed3 peer gateway 1.2.3.5 scheme: IKE
 IKE: Quick Mode Sent Notification: Responder Lifetime CookieI d06d13f95066ba08 CookieR fce7a3180b16f5bd msgid 3fe711b6

16Apr2002 16:43:56 keyinst >daemon src 1.2.3.5 dst 1.2.3.4 srckeyid 0x6c916c22 dstkeyid 0x2764eed3 peer gateway 1.2.3.5 scheme: IKE
 IKE: Quick Mode completion CookieI d06d13f95066ba08 CookieR fce7a3180b16f5bd msgid 3fe711b6 methods: ESP: 3DES + MD5 IKE 
 IDs: host: 1.2.3.4 and host: 1.2.3.5

Setup of Linux FreeS/WAN in pre-shared secret mode

Define topology

Edit /etc/ipsec.conf

## Gateway-to-gateway: Check Point <-> FreeS/WAN
conn checkpoint-freeswan
        type=tunnel
        # Left side is Check Point
        left=1.2.3.4
        # leftnexthop=
        # Right side is FreeS/WAN
        right=1.2.3.5
        # rightnexthop=
        keyexchange=ike
        auth=esp
        pfs=no
        auto=start
        authby=secret

conn net-checkpoint-net-freeswan
        type=tunnel
        left=1.2.3.4
        # leftnexthop=
        leftsubnet=172.16.1.0/24
        right=1.2.3.5
        # rightnexthop=
        rightsubnet=172.16.2.0/24
        keyexchange=ike
        auth=esp
        pfs=no
        auto=start
        authby=secret

Create secrets

Edit /etc/ipsec.secrets

1.2.3.4   1.2.3.5:   "verysecret"

(Re-)start ipsec

Good luck!

# service ipsec restart

Logging

Mar 25 15:44:58 ipsec__plutorun: Starting Pluto subsystem...
Mar 25 15:44:58 Pluto[3160]: Starting Pluto (FreeS/WAN Version 1.96)
Mar 25 15:44:59 Pluto[3160]: added connection description "net-checkpoint-net-freeswan"
Mar 25 15:44:59 Pluto[3160]: added connection description "checkpoint-freeswan"
Mar 25 15:44:59 Pluto[3160]: listening for IKE messages
Mar 25 15:44:59 Pluto[3160]: adding interface ipsec0/eth0 1.2.3.5
Mar 25 15:44:59 Pluto[3160]: loading secrets from "/etc/ipsec.secrets"
Mar 25 15:44:59 Pluto[3160]: "net-checkpoint-net-freeswan" #1: initiating Main Mode
Mar 25 15:44:59 Pluto[3160]: "net-checkpoint-net-freeswan" #1: ISAKMP SA established
Mar 25 15:44:59 Pluto[3160]: "net-checkpoint-net-freeswan" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK
Mar 25 15:44:59 Pluto[3160]: "net-checkpoint-net-freeswan" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Mar 25 15:44:59 Pluto[3160]: "net-checkpoint-net-freeswan" #2: sent QI2, IPsec SA established
Mar 25 15:44:59 Pluto[3160]: "checkpoint-freeswan" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK
Mar 25 15:44:59 Pluto[3160]: "checkpoint-freeswan" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Mar 25 15:44:59 Pluto[3160]: "checkpoint-freeswan" #3: sent QI2, IPsec SA established

Setup of Linux FreeS/WAN in public key signature mode

Extract, convert and store certificates

Check Point

• Export certificates of firewall object in PKCS7 format (note: the command option is not documented, but working, also e.g. "printcert")
  • # fwm exportcert -obj checkpoint -cert defaultCert -pem -file checkpoint-cert.pkcs7
• Transport certificates to FreeS/WAN gateway

FreeS/WAN (Check Point related)

• Convert certificates of firewall from PKCS7 to X.509 (results in a file containing the CA and the firewall certificate)
  • # openssl pkcs7 -in checkpoint-cert.pkcs7 -print_certs >temp.pem
• Split singe file into different ones, results in e.g. checkpoint-internal-ca.pem (CA certificate is first one in file) and checkpoint-cert.pem (firewall certificate is second one in file) [order hopefully constant]
• Copy the internal CA certificate to related FreeS/WANdirectory
  • # cp checkpoint-internal-ca.pem /etc/ipsec.d/cacerts/
• Extract RSA signature key out of the certificate for use in config
  • # fswcert --cert --left checkpoint-cert.pem
• Retrieving DER-encoded CRL from CheckPoint
  • # wget http://checkpoint:18264/ICA_CRL1.crl
• Converting DER-encoded CRL to PEM-encoded and store it in related directory
  • # openssl crl -in ICA_CRL1.crl -inform der -outform pem -out /etc/ipsec.d/crls/checkpoint.crl

FreeS/WAN (FreeS/WAN related)

• Copy created CA certificate to related FreeS/WANdirectory
  • # cp ca-cert.pem /etc/ipsec.d/cacerts/
• Copy created CRL to related FreeS/WANdirectory
  • # cp ca-crl.pem /etc/ipsec.d/crls/
• Copy RSA key of FreeS/WAN host to related FreeS/WANdirectory
  • # cp freeswan-key.pem /etc/ipsec.d/private/
• Convert X.509 certificate of FreeS/WAN host into DER format and store it on expected place with expected name (because of historical issues, currently no PEM format can be used)
  • # openssl x509 -in freeswan-cert.pem -outform DER -out /etc/x509cert.der
• Extract subject of X.509 certificate of FreeS/WAN host, used  in config
  • # openssl x509 -in freeswan-cert.pem -noout -subject

Define topology like shown above

Edit /etc/ipsec.conf

## Gateway-to-gateway: Check Point <-> FreeS/WAN X.509
conn freeswan-checkpoint-x509
        type=tunnel
        # Left side is Check Point
        left=1.2.3.4
        leftrsasigkey=0x0103......
        # leftid=  # !do not use for Check Point!
        # Right side is FreeS/WAN
        right=1.2.3.5
        rightid="/C=DE/ST=Bavaria/L=Hohenbrunn/O=AERAsec/OU=Lab/CN=Linux/Email=*******"
        rightrsasigkey=%cert
        # rightnexthop=
        keyexchange=ike
        auth=esp
        pfs=no
        auto=start
        authby=rsa

Create secrets

Edit /etc/ipsec.secrets

# Define RSA key
: RSA /etc/ipsec.d/private/freeswan-key.pem "optional key passphrase here"

(Re-)start ipsec

Good luck!

# service ipsec restart

Logging

Apr 16 17:15:47 t1mobil Pluto[4269]: Starting Pluto (FreeS/WAN Version 1.96)
Apr 16 17:15:47 t1mobil Pluto[4269]:   including X.509 patch (Version 0.9.9)
Apr 16 17:15:47 t1mobil Pluto[4269]: Changing to directory '/etc/ipsec.d/cacerts'
Apr 16 17:15:47 t1mobil Pluto[4269]:   loaded cacert file 'checkpoint-internal-ca.pem' (730 bytes)
Apr 16 17:15:47 t1mobil Pluto[4269]:   loaded cacert file 'ca-cert.pem' (1968 bytes)
Apr 16 17:15:47 t1mobil Pluto[4269]: Changing to directory '/etc/ipsec.d/crls'
Apr 16 17:15:47 t1mobil Pluto[4269]:   loaded crl file 'checkpoint.crl' (556 bytes)
Apr 16 17:15:47 t1mobil Pluto[4269]:   loaded crl file 'ca-crl.pem' (772 bytes)
Apr 16 17:15:47 t1mobil Pluto[4269]:   loaded my X.509 cert file '/etc/x509cert.der' (1428 bytes)
Apr 16 17:15:47 t1mobil Pluto[4269]: added connection description "freeswan-checkpoint-x509"
Apr 16 17:15:47 t1mobil Pluto[4269]: listening for IKE messages
Apr 16 17:15:47 t1mobil Pluto[4269]: adding interface ipsec0/eth0 1.2.3.5
Apr 16 17:15:47 t1mobil Pluto[4269]: loading secrets from "/etc/ipsec.secrets"
Apr 16 17:15:47 t1mobil Pluto[4269]:   loaded private key file '/etc/ipsec.d/private/freeswan-key.pem' (1803 bytes)
Apr 16 17:15:48 t1mobil Pluto[4269]: "freeswan-checkpoint-x509" #1: initiating Main Mode
Apr 16 17:15:48 t1mobil Pluto[4269]: "freeswan-checkpoint-x509" #1: Peer ID is ID_IPV4_ADDR: '1.2.3.4'
Apr 16 17:15:48 t1mobil Pluto[4269]: "freeswan-checkpoint-x509" #1: CRL signature is invalid
Apr 16 17:15:48 t1mobil Pluto[4269]: "freeswan-checkpoint-x509" #1: CRL signature is invalid
Apr 16 17:15:48 t1mobil Pluto[4269]: "freeswan-checkpoint-x509" #1: ISAKMP SA established
Apr 16 17:15:48 t1mobil Pluto[4269]: "freeswan-checkpoint-x509" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL
Apr 16 17:15:48 t1mobil Pluto[4269]: "freeswan-checkpoint-x509" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Apr 16 17:15:48 t1mobil Pluto[4269]: "freeswan-checkpoint-x509" #2: sent QI2, IPsec SA established

Specifying other encryption methods in Linux FreeS/WAN

• Specify the IKE encryption and integrity
  • AES-256, SHA1 and 1536 for Diffie-Hellman
    ike=aes256-sha-modp1536
  • AES-128, SHA1 and 1536 for Diffie-Hellman
    ike=aes128-md5-modp1536
• Specify the payload encryption and integrity
  • AES-256 and  SHA1
    esp=aes256-sha1

Unresolved issues

• FreeS/WAN has troubles with CRLs from Check Point - reason unknown...
  • Related error message: CRL signature is invalid

No warranty at all, your Feedback is welcome!
© 2002 AERAsec Network Services and Security GmbH, last change 2002-07-22
back to http://www.vpn-1.de/aerasec/