====== GRE over IPsec between FreeBSD/Linux, Checkpoint, Cisco ======

Below is a slightly updated copy of my [[https://forums.checkpoint.com/forums/message.jspa?messageID=32270|article]] from 01.2011 on the Checkpoint forum.

==== Introduction ====

Recently a Checkpoint 572 with the IPS blade was bought to protect our web servers (it was our first Checkpoint). Our web servers are located at a colocation site.\\
For technical reasons we first needed to connect those servers to our network over an IPsec VPN. Our network is quite big, with redundant internet connections, and we use OSPF for dynamic routing inside it. We use various devices: %%FreeBSD%% based and Cisco, and we also have Linux devices. Since I have spent many hours configuring the Checkpoint to connect to Cisco and %%FreeBSD%%, I think the following information will be useful to somebody.

==== Simplified scheme and parameters used ====

{{:ru:jobs:gre_over_ipsec.jpg?400|200}}

**The %%FreeBSD%% and Linux configurations are identical in most settings. To keep the article short, both configurations are combined into one.**

Let's consider the following characteristics:

**1. Global IPs:**\\
%%FreeBSD%%/Linux - IP_A,\\
Cisco 1841 - IP_B,\\
Checkpoint 572 - IP_C.

**2. GRE IPs:**\\
%%FreeBSD%%/Linux 192.168.0.0/32 to Cisco 1841 192.168.0.1/32\\
%%FreeBSD%%/Linux 192.168.0.2/32 to Checkpoint 572 192.168.0.3/32\\
Cisco 1841 192.168.0.4/32 to Checkpoint 572 192.168.0.5/32

**3. Internal networks:**\\
%%FreeBSD%%/Linux 192.168.1.0/24\\
Cisco 1841 192.168.2.0/24\\
Checkpoint 572 192.168.3.0/24

**4. Pre-shared key** - test

**5. IKE policy:**\\
encryption: aes128\\
hash: sha1\\
Diffie-Hellman group: 5

**6. IPsec policy:**\\
encryption: aes128\\
hash: hmac_sha1\\
Diffie-Hellman group: 5

**7. VPN** - tunnel mode, ESP

**8. OSPF area** - 0.0.0.1\\
network 192.168.0.0/16

**In the following configurations the firewall configuration of %%FreeBSD%%/Linux and Cisco is omitted.**

==== FreeBSD/Linux device configuration ====

=== FreeBSD ===

**1. Required packages:**\\
%%FreeBSD%% (we assume a version higher than 6.4)\\
Kernel source\\
Racoon (ipsec-tools)\\
Quagga (version 0.98.6)

**2. Package configuration:**\\
2.1 The kernel must be compiled with the following options:\\
options IPSEC\\
options IPSEC_DEBUG\\
device gre\\
device crypto\\
2.2 Racoon must be compiled with the following options:\\
%%--enable-adminport --enable-frag%%\\
2.3 Quagga must be compiled with ospfd enabled.

=== Linux ===

**1. Required packages:**\\
%%Linux CentOS%% (version 5)\\
Racoon (ipsec-tools)\\
Quagga (version 0.98.6)

**2. Installation:**\\
yum install ipsec-tools quagga

**3. Configuration**

3.1 Racoon configuration:\\
**setkey.conf**\\
flush;\\
spdflush;\\
spdadd IP_A IP_B gre -P out ipsec esp/tunnel/IP_A-IP_B/require; #link to cisco 1841\\
spdadd IP_B IP_A gre -P in ipsec esp/tunnel/IP_B-IP_A/require; #link to cisco 1841\\
spdadd IP_A IP_C gre -P out ipsec esp/tunnel/IP_A-IP_C/require; #link to checkpoint 572\\
spdadd IP_C IP_A gre -P in ipsec esp/tunnel/IP_C-IP_A/require; #link to checkpoint 572 (tunnel endpoints must match the selector: IP_C-IP_A, not IP_B-IP_C)\\

**racoon.conf**\\
path pre_shared_key "location of pre-shared key file";\\
log debug;\\
padding # options are not to be changed\\
{\\
maximum_length 20;\\
randomize off;\\
strict_check off;\\
exclusive_tail off;\\
}\\
timer # timing options, change as needed\\
{\\
counter 5;\\
interval 20 sec;\\
persend 1;\\
# natt_keepalive 15 sec;\\
phase1 30 sec;\\
phase2 15 sec;\\
}\\
listen # address [port] that racoon will listen on\\
{\\
isakmp IP_A [500];\\
}\\
remote IP_B [500] # link to cisco 1841, isakmp policy\\
{\\
exchange_mode aggressive,main;\\
doi ipsec_doi;\\
situation identity_only;\\
my_identifier address IP_A;\\
peers_identifier address IP_B;\\
lifetime time 8 hour;\\
passive off;\\
proposal_check obey;\\
generate_policy off;\\
proposal {\\
encryption_algorithm aes 128;\\
hash_algorithm sha1;\\
authentication_method pre_shared_key;\\
lifetime time 28800 sec;\\
dh_group 5;\\
}\\
}\\
remote IP_C [500] # link to checkpoint 572, isakmp policy\\
{\\
exchange_mode aggressive,main;\\
doi ipsec_doi;\\
situation identity_only;\\
my_identifier address IP_A;\\
peers_identifier address IP_C;\\
lifetime time 8 hour;\\
passive off;\\
proposal_check obey;\\
generate_policy off;\\
proposal {\\
encryption_algorithm aes 128;\\
hash_algorithm sha1;\\
authentication_method pre_shared_key;\\
lifetime time 28800 sec;\\
dh_group 5;\\
}\\
}\\
sainfo anonymous # IPSEC POLICY\\
{\\
pfs_group 5;\\
lifetime time 28800 sec;\\
encryption_algorithm aes 128;\\
authentication_algorithm hmac_sha1;\\
compression_algorithm deflate;\\
}\\

**pre-shared key file**\\
IP_B test\\
IP_C test\\

**To start racoon run:**\\
/usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf\\

=== FreeBSD ===

3.2 Configure GRE tunnels (**rc.conf** configuration):\\
gateway_enable="YES"\\
cloned_interfaces="gre0 gre1"\\
ifconfig_gre0="inet 192.168.0.0 192.168.0.1 netmask 255.255.255.255 link1 up tunnel IP_A IP_B" #link to cisco 1841\\
ifconfig_gre1="inet 192.168.0.2 192.168.0.3 netmask 255.255.255.255 link1 up tunnel IP_A IP_C" #link to checkpoint 572\\
ipsec_enable="YES" #for setkey policy\\
ipsec_file="path_to_setkey.conf" #for setkey policy\\

=== Linux ===

3.2 Configure GRE tunnels:\\
/etc/sysconfig/network-scripts/ifcfg-tun0\\
DEVICE=tun0\\
BOOTPROTO=none\\
ONBOOT=yes\\
TYPE=GRE\\
MTU=1476\\
PEER_OUTER_IPADDR=IP_B\\
PEER_INNER_IPADDR=192.168.0.1\\
MY_INNER_IPADDR=192.168.0.0\\
/etc/sysconfig/network-scripts/ifcfg-tun1\\
DEVICE=tun1\\
BOOTPROTO=none\\
ONBOOT=yes\\
TYPE=GRE\\
MTU=1476\\
PEER_OUTER_IPADDR=IP_C\\
PEER_INNER_IPADDR=192.168.0.3\\
MY_INNER_IPADDR=192.168.0.2\\

3.3 Configure Quagga.\\
We show only **ospfd.conf**\\
hostname ospfd\\
password test\\
enable password test\\
log stdout\\
router ospf\\
ospf router-id Internal_IP\\
passive-interface Interface_IP_A\\
network 192.168.0.0/16 area 0.0.0.1\\

To start Quagga run:\\
=== FreeBSD ===
/usr/local/quagga/sbin/zebra -d -f path_to_zebra.conf\\
/usr/local/quagga/sbin/ospfd -d -f path_to_ospfd.conf\\
=== Linux ===
service zebra start\\
service ospfd start

==== Cisco 1841 device configuration ====

**1. IOS requirements**\\
12.X Advanced IP Services or Advanced Enterprise Services; 15.X security license

**2. Configuration**\\
crypto isakmp policy 5\\
encr aes 128\\
authentication pre-share\\
group 5\\
lifetime 28800\\
!\\
crypto isakmp key test address IP_A\\
crypto isakmp key test address IP_C\\
!\\
crypto ipsec transform-set tunnel esp-aes 128 esp-sha-hmac\\
!\\
crypto ipsec profile VPN\\
set transform-set tunnel\\
set pfs group5\\
!\\
interface Tunnel1\\
description link to %%FreeBSD%%/Linux\\
ip address 192.168.0.1 255.255.255.254\\
ip mtu 1476\\
ip ospf network point-to-point\\
tunnel source Interface_IP_B\\
tunnel destination IP_A\\
tunnel protection ipsec profile VPN\\
! mask 255.255.255.254 tells IOS that the address on the other side is 192.168.0.0\\
interface Tunnel2\\
description link to checkpoint 572\\
ip address 192.168.0.4 255.255.255.254\\
ip mtu 1476\\
ip ospf network point-to-point\\
tunnel source Interface_IP_B\\
tunnel destination IP_C\\
tunnel protection ipsec profile VPN\\
!
mask 255.255.255.254 tells IOS that the address on the other side of Tunnel2 is 192.168.0.5\\
router ospf 1\\
router-id Internal_IP\\
passive-interface Interface_IP_B\\
network 192.168.0.0 0.0.255.255 area 1\\

==== Checkpoint 572 (R71.2) device configuration ====

**Preface.** Let's assume that the Checkpoint 572 is configured with the IPSEC VPN flag set (see the official documentation, CP_R71_VPN_AdminGuide). The instructions are given in steps. After every step in %%SmartDashboard%% you must save and install the policy.

**Configuration.**\\
**Step 1. Configure Global Properties:**\\
Policy->Global Properties->VPN\\
VPN configuration method->Simplified mode to all new Firewall Policies (default mode)\\
Policy->Global Properties->VPN->Advanced\\
Set flag Enable VPN Directional Match in VPN Column\\

**Step 2. Create the %%FreeBSD%%/Linux router**\\
Network objects->Interoperable Devices->Interoperable Devices...\\
General Properties\\
Name: %%FreeBSD%%\\
IP Address: IP_A\\
Topology->Add->\\
General tab\\
Name: ext_ip\\
IP Address: IP_A\\
Net Mask: MASK_IP_A\\
Topology tab\\
Set flag External\\
Add->General tab\\
Name: gre_ip\\
IP Address: 192.168.0.2\\
Net Mask: 255.255.255.255\\
Topology tab\\
Set flag External\\
Add->General tab\\
Name: int_ip\\
IP Address: Internal_IP\\
Net Mask: 255.255.255.0\\
Topology tab\\
Set flag Internal->Set flag Network defined by the interface IP and Net Mask\\

**Step 3. Create the Cisco 1841 router**\\
Network objects->Interoperable Devices->Interoperable Devices...\\
General Properties\\
Name: Cisco\\
IP Address: IP_B\\
Topology->Add->\\
General tab\\
Name: ext_ip\\
IP Address: IP_B\\
Net Mask: MASK_IP_B\\
Topology tab\\
Set flag External\\
Add->General tab\\
Name: gre_ip\\
IP Address: 192.168.0.4\\
Net Mask: 255.255.255.255\\
Topology tab\\
Set flag External\\
Add->General tab\\
Name: int_ip\\
IP Address: Internal_IP\\
Net Mask: 255.255.255.0\\
Topology tab\\
Set flag Internal->Set flag Network defined by the interface IP and Net Mask\\

**Step 4. Create objects: Range, Group, Network**\\
Network Objects->Address Ranges->Multicast Address Range...\\
Name: OSPF\\
Type: IP Address Range\\
First IP Address: 224.0.0.5\\
Last IP Address: 224.0.0.6\\
Network Objects->Groups->Groups->Simple Groups->\\
Name: EMPTY_GROUP\\
Network Objects->Networks->Network...\\
Name: TEST_NETWORK\\
Network Address: 192.168.0.0\\
Net Mask: 255.255.0.0\\

**Step 5. Configure the VPN Community**\\
VPN Communities->Site To Site->New Site To Site...->Star...\\
General->\\
Name: TEST\\
Set flag Accept all encrypted traffic->Advanced->Set flag Both Center and Satellite Gateways\\
Center Gateways->Add->checkpoint 572\\
Satellite Gateways->Add->%%FreeBSD%%, Satellite Gateways->Add->Cisco\\
Encryption->\\
Encryption methods->Set flag IKEv1 only\\
Encryption suite->Set flag Custom->Advanced->\\
General->\\
IKE Security Association (Phase 1) Properties->\\
Perform key exchange encryption with->aes 128\\
Perform data integrity->sha-1\\
IPSEC Security Association (Phase 2) Properties->\\
Perform key exchange encryption with->aes 128\\
Perform data integrity->sha-1\\
Tunnel Management->\\
Set flag One VPN tunnel per Gateway pair\\
Advanced Settings->\\
VPN Routing->Set flag To center and to other satellites through center\\
Shared Secret->Set flag Use only Shared Secret for all External Members; opposite Cisco and %%FreeBSD%% set the key "test"\\
Advanced VPN Properties->\\
IKE (Phase 1)->\\
Set Use Diffie-Hellman group->group 5\\
Renegotiate IKE security associations every->480 minutes\\
IPSEC (Phase 2)->\\
Set flag Use Perfect Forward Secrecy->Set Use Diffie-Hellman group->group 5\\
Renegotiate IPsec security associations every->28800 seconds\\

**Step 6. Configure the VPN GRE tunnel (using VPN shell from the console):**\\
Enter Expert mode.\\
#vpn shell\\
VPN shell:[/] > interface\\
VPN shell:[/interface] >add\\
VPN shell:[/interface/add] >numbered 192.168.0.3 192.168.0.2 %%FreeBSD%%/Linux tun_to_freebsd\\
..\\
VPN shell:[/interface]>modify\\
VPN shell:[/interface/modify] > ifname\\
VPN shell:[/interface/modify/ifname] > mtu tun_to_freebsd 1476\\
VPN shell:[/] > interface\\
add\\
VPN shell:[/interface/add] >numbered 192.168.0.5 192.168.0.4 Cisco tun_to_cisco\\
..\\
VPN shell:[/interface]>modify\\
VPN shell:[/interface/modify] > ifname\\
VPN shell:[/interface/modify/ifname] > mtu tun_to_cisco 1476\\

**Step 7. Set the empty group etc.**\\
For every device (Checkpoint 572, Cisco, %%FreeBSD%%/Linux) set:\\
Topology->Manually Defined->EMPTY_GROUP\\
IPSEC VPN->Link Selection->Set flag Always Use this IP address->Set flag Selected Address from topology table: External IP (IP_A for %%FreeBSD%%/Linux, IP_B for Cisco, IP_C for Checkpoint)\\
For Cisco and %%FreeBSD%%/Linux set:\\
IPSEC VPN->VPN Advanced->Set flag Custom Settings->Set flag One tunnel per gateway pair->GRE on IPSec\\
For the Checkpoint set:\\
IPSEC VPN->VPN Advanced->Set flag Custom Settings->Set flag One tunnel per gateway pair\\

**Step 8. Configure the Firewall**\\
In the Firewall tab:\\
1. Accept services IKE and ESP from Cisco and %%FreeBSD%%/Linux to Checkpoint and vice versa\\
2. Accept any service from TEST_NETWORK to TEST_NETWORK and OSPF. In the VPN column select edit:\\
set flag match traffic in this direction only->\\
add...\\
TEST->TEST\\
add...\\
TEST->Internal_clear\\
add...\\
Internal_clear->TEST\\

**Step 9. Configure OSPF (from the console)**\\
Enter expert mode.\\
Type: router\\
#Router:\\
en->conf t->router ospf 1->\\
router-id Internal_IP\\
network 192.168.0.0 0.0.255.255 area 0.0.0.1\\
exit\\
exit\\
write memory\\

==== About author ====

[[https://www.linkedin.com/pub/alexey-vyrodov/59/976/16b|Profile]] of the author
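The whole three-site layout described in this article (the global and GRE addresses from the parameter list, the setkey.conf SPD of section 3.1, the Cisco tunnel interfaces and the Checkpoint VPN shell tunnels) can be kept in one peer table and cross-checked before anything is typed into a box. The script below is an added example, not part of the original article and not a tool from any of the three vendors; IP_A/IP_B/IP_C are the article's placeholders, the Device and Tunnel records are constructed from the article's parameters, and the function names are my own. From that table it generates the FreeBSD/Linux setkey.conf SPD entries, so the inbound and outbound policies cannot disagree, and it reports the mistakes that actually bite in this setup: a tunnel destination that is not the peer's global IP, a peer with no tunnel back, GRE addresses that do not mirror each other or fall outside the OSPF network statement, an MTU that differs between the two ends of a tunnel, and IKE lifetimes that differ once each vendor's units (Cisco seconds, racoon hours, Checkpoint minutes) are normalized.

```python
"""Single source of truth for the three-site GRE-over-IPsec layout in this
article: one peer table, from which the FreeBSD/Linux setkey.conf SPD is
generated and against which the cross-device wiring and the IKE lifetimes
are checked before anything is typed into a box.

Added example; not code from the article or from any vendor. IP_A/IP_B/IP_C
are the article's placeholders; the Device/Tunnel records are constructed
from the article's parameters."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    peer: str        # device at the far end
    outer_dst: str   # tunnel destination: the peer's global IP
    gre_local: str   # our /32 on the GRE interface
    gre_remote: str  # the peer's /32 on the GRE interface
    mtu: int = 1476  # 1500 minus outer IPv4 header (20) minus GRE header (4)


@dataclass(frozen=True)
class Device:
    name: str
    global_ip: str
    tunnels: tuple
    ike_lifetime: str = "28800 sec"  # written the way each vendor's UI phrases it


def lifetime_seconds(text):
    """Normalize '28800', '28800 sec', '8 hour' or '480 minutes' to seconds."""
    number, _, unit = text.partition(" ")
    factor = {"": 1, "sec": 1, "seconds": 1, "min": 60, "minutes": 60, "hour": 3600}
    return int(number) * factor[unit]


def setkey_conf(dev):
    """SPD for one racoon/setkey host: an 'out' policy per peer plus its
    mirror-image 'in' policy.  The tunnel endpoints repeat the selector
    addresses, which is exactly where hand-written files get crossed."""
    lines = ["flush;", "spdflush;"]
    for t in dev.tunnels:
        a, b = dev.global_ip, t.outer_dst
        lines.append(f"spdadd {a} {b} gre -P out ipsec esp/tunnel/{a}-{b}/require; # link to {t.peer}")
        lines.append(f"spdadd {b} {a} gre -P in ipsec esp/tunnel/{b}-{a}/require; # link to {t.peer}")
    return lines


def check_topology(devices, ospf_network="192.168.0.0/16"):
    """Return human-readable problems; an empty list means all sides agree."""
    problems = []
    by_name = {d.name: d for d in devices}
    area_net = ipaddress.ip_network(ospf_network)
    lifetimes = {d.name: lifetime_seconds(d.ike_lifetime) for d in devices}
    if len(set(lifetimes.values())) != 1:
        problems.append(f"IKE lifetimes differ: {lifetimes}")
    for dev in devices:
        for t in dev.tunnels:
            peer = by_name.get(t.peer)
            if peer is None:
                problems.append(f"{dev.name}: unknown peer {t.peer}")
                continue
            if t.outer_dst != peer.global_ip:
                problems.append(f"{dev.name}->{t.peer}: tunnel destination {t.outer_dst} "
                                f"is not {t.peer}'s global IP {peer.global_ip}")
            for addr in (t.gre_local, t.gre_remote):
                if ipaddress.ip_address(addr) not in area_net:
                    problems.append(f"{dev.name}->{t.peer}: {addr} is not covered by the "
                                    f"OSPF network statement {ospf_network}")
            back = [u for u in peer.tunnels if u.peer == dev.name]
            if not back:
                problems.append(f"{t.peer} has no tunnel back to {dev.name}")
                continue
            u = back[0]
            if (u.gre_local, u.gre_remote) != (t.gre_remote, t.gre_local):
                problems.append(f"{dev.name}<->{t.peer}: GRE addresses do not mirror "
                                f"({t.gre_local}/{t.gre_remote} vs {u.gre_local}/{u.gre_remote})")
            if u.mtu != t.mtu:  # unequal MTUs leave the OSPF neighbours stuck in ExStart
                problems.append(f"{dev.name}<->{t.peer}: MTU {t.mtu} != {u.mtu}")
    return problems


def article_topology(cisco_to_checkpoint_dst="IP_C"):
    """The article's layout; the keyword lets a caller reproduce a mistyped
    tunnel destination on the Cisco side."""
    freebsd = Device("FreeBSD", "IP_A", (
        Tunnel("Cisco", "IP_B", "192.168.0.0", "192.168.0.1"),
        Tunnel("Checkpoint", "IP_C", "192.168.0.2", "192.168.0.3")), "8 hour")
    cisco = Device("Cisco", "IP_B", (
        Tunnel("FreeBSD", "IP_A", "192.168.0.1", "192.168.0.0"),
        Tunnel("Checkpoint", cisco_to_checkpoint_dst, "192.168.0.4", "192.168.0.5")), "28800")
    checkpoint = Device("Checkpoint", "IP_C", (
        Tunnel("FreeBSD", "IP_A", "192.168.0.3", "192.168.0.2"),
        Tunnel("Cisco", "IP_B", "192.168.0.5", "192.168.0.4")), "480 minutes")
    return [freebsd, cisco, checkpoint]


if __name__ == "__main__":
    devs = article_topology()
    print("\n".join(setkey_conf(devs[0])))
    print(check_topology(devs) or "topology consistent")
```

Running the script prints the FreeBSD/Linux setkey.conf and then either "topology consistent" or the list of problems; `article_topology("IP_A")` reproduces a Cisco Tunnel2 pointing at the wrong global address, and the checker names the Cisco to Checkpoint leg. Keeping the peer table in a file under version control and running this check before a policy install is cheaper than reading `racoon -F` debug output on three boxes at once.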