GRE over IPsec between FreeBSD/Linux, Checkpoint and Cisco
Below is a slightly updated copy of my article from 01.2011 on the Checkpoint Forum.
Introduction.
Recently a Checkpoint 572 with the IPS blade was bought to protect our web servers (it was our first Checkpoint). Our web servers are located at a colocation facility.
First of all, for operational purposes we needed to connect the above mentioned servers to our network over an IPsec VPN. Our network is quite big, with redundant internet connections, and we use OSPF for dynamic routing inside it. We use various devices: FreeBSD based, Cisco, and also Linux devices.
As I have spent many hours configuring the Checkpoint to connect to Cisco and FreeBSD, I think the following information will be useful to somebody.
Simplified scheme and parameters used.
*The FreeBSD and Linux configurations are identical in many settings. To keep the article short, I combine both configurations into one.
Let's consider the following characteristics:
1. Global IP:
FreeBSD/Linux - IP_A,
Global IP Cisco 1841 - IP_B,
Global IP Checkpoint 572 - IP_C.
2. Gre IPs:
FreeBSD/Linux 192.168.0.0/32 to Cisco 1841 192.168.0.1/32
FreeBSD/Linux 192.168.0.2/32 to Checkpoint 572 192.168.0.3/32
Cisco 1841 192.168.0.4/32 to Checkpoint 572 192.168.0.5/32
3. Internal networks:
FreeBSD/Linux 192.168.1.0/24
Cisco 1841 192.168.2.0/24
Checkpoint 572 192.168.3.0/24
4. Pre-shared key - test
5. IKE policy:
encryption: aes128
hash: sha1
Diffie-Hellman group: 5
6. IPSEC policy:
encryption: aes128
hash: hmac_sha1
Diffie-Hellman group: 5
7. VPN - ESP in tunnel mode
8. OSPF area - 0.0.0.1, network 192.168.0.0/16
In the following configurations we omit the firewall configuration of FreeBSD/Linux and Cisco.
FreeBSD/Linux device configuration.
FreeBSD
1. Required packages:
FreeBSD (we consider versions higher than 6.4)
Kernel Source
Racoon (ipsec-tools)
Quagga ( version 0.98.6)
2. Package configuration:
2.1 The kernel must be compiled with the following options:
options IPSEC
options IPSEC_DEBUG
device gre
device crypto
2.2 Racoon must be compiled with the following options:
--enable-adminport --enable-frag
2.3 Quagga must be compiled with ospfd support.
Linux
1. Required packages:
Linux CentOS (version 5)
Racoon (ipsec-tools)
Quagga ( version 0.98.6)
2. Installation:
yum install ipsec-tools quagga
3. Configuration
3.1 Racoon configuration:
setkey.conf
flush;
spdflush;
spdadd IP_A IP_B gre -P out ipsec esp/tunnel/IP_A-IP_B/require; #link to cisco 1841
spdadd IP_B IP_A gre -P in ipsec esp/tunnel/IP_B-IP_A/require; #link to cisco 1841
spdadd IP_A IP_C gre -P out ipsec esp/tunnel/IP_A-IP_C/require; #link to checkpoint 572
spdadd IP_C IP_A gre -P in ipsec esp/tunnel/IP_C-IP_A/require; #link to checkpoint 572, tunnel endpoints must mirror the out policy
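A consistency check for a setkey.conf of this shape, added here as an example and not part of the original article: for host-to-host GRE in tunnel mode each inbound policy must mirror its outbound policy and the outer tunnel endpoints must equal the selector endpoints, otherwise GRE is either dropped or, with a level other than require, can leave the box in clear. The embedded sample is constructed from the article's setkey.conf and keeps the swapped inbound Checkpoint tunnel endpoints (IP_B-IP_C instead of IP_C-IP_A) so the checker has something to find; the symbolic IP_A/IP_B/IP_C names are used as in the article.

```python
import re

# Constructed sample: the article's setkey.conf, with line 6 carrying the
# swapped tunnel endpoints on the inbound Checkpoint policy.
SAMPLE_SETKEY_CONF = """\
flush;
spdflush;
spdadd IP_A IP_B gre -P out ipsec esp/tunnel/IP_A-IP_B/require;
spdadd IP_B IP_A gre -P in ipsec esp/tunnel/IP_B-IP_A/require;
spdadd IP_A IP_C gre -P out ipsec esp/tunnel/IP_A-IP_C/require;
spdadd IP_C IP_A gre -P in ipsec esp/tunnel/IP_B-IP_C/require;
"""

# spdadd <src> <dst> <proto> -P <dir> ipsec esp/tunnel/<tsrc>-<tdst>/<level>;
SPDADD = re.compile(
    r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([^-/]+)-([^/]+)/(\w+);"
)

def parse_policies(text):
    """Return one dict per spdadd line; '#' comments are ignored."""
    policies = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("spdadd"):
            continue
        m = SPDADD.match(line)
        if not m:
            policies.append({"line": lineno, "error": "unparsable spdadd"})
            continue
        src, dst, proto, direction, tsrc, tdst, level = m.groups()
        policies.append(dict(line=lineno, src=src, dst=dst, proto=proto,
                             direction=direction, tsrc=tsrc, tdst=tdst, level=level))
    return policies

def check_policies(text):
    """Return a list of (line, message); an empty list means the SPD is consistent."""
    parsed = parse_policies(text)
    problems = [(p["line"], p["error"]) for p in parsed if "error" in p]
    pols = [p for p in parsed if "error" not in p]
    keys = {(p["src"], p["dst"], p["proto"], p["direction"]) for p in pols}
    for p in pols:
        if (p["tsrc"], p["tdst"]) != (p["src"], p["dst"]):
            problems.append((p["line"], f"tunnel endpoints {p['tsrc']}-{p['tdst']} "
                                        f"do not match selector {p['src']}->{p['dst']}"))
        if p["level"] != "require":
            problems.append((p["line"], f"level {p['level']} is not require: GRE may go in clear"))
        mirror = (p["dst"], p["src"], p["proto"], "in" if p["direction"] == "out" else "out")
        if mirror not in keys:
            problems.append((p["line"], f"no mirrored {mirror[3]} policy for {p['dst']}->{p['src']}"))
    return problems
```

Run check_policies() over the real file before loading it with setkey -f; the swapped Checkpoint policy in the sample is reported on line 6.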
racoon.conf
path pre_shared_key "location of pre-shared key file";
log debug;
padding # options are not to be changed
{
maximum_length 20;
randomize off;
strict_check off;
exclusive_tail off;
}
timer # timing options. change as needed
{
counter 5;
interval 20 sec;
persend 1;
# natt_keepalive 15 sec;
phase1 30 sec;
phase2 15 sec;
}
listen # address [port] that racoon will listen on
{
isakmp IP_A [500];
}
remote IP_B [500] #link to cisco 1841 isakmp policy
{
exchange_mode aggressive,main;
doi ipsec_doi;
situation identity_only;
my_identifier address IP_A;
peers_identifier address IP_B;
lifetime time 8 hour;
passive off;
proposal_check obey;
generate_policy off;
proposal {
encryption_algorithm aes 128;
hash_algorithm sha1;
authentication_method pre_shared_key;
lifetime time 28800 sec;
dh_group 5;
}
}
remote IP_C [500] #link to checkpoint 572 isakmp policy
{
exchange_mode aggressive,main;
doi ipsec_doi;
situation identity_only;
my_identifier address IP_A;
peers_identifier address IP_C;
lifetime time 8 hour;
passive off;
proposal_check obey;
generate_policy off;
proposal {
encryption_algorithm aes 128;
hash_algorithm sha1;
authentication_method pre_shared_key;
lifetime time 28800 sec;
dh_group 5;
}
}
sainfo anonymous #IPSEC POLICY
{
pfs_group 5;
lifetime time 28800 sec;
encryption_algorithm aes 128;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
pre-shared key file (one line per peer: peer address, then the key)
IP_B test
IP_C test
To start racoon, run:
/usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf
FreeBSD
3.2 Configure GRE tunnels (rc.conf configuration):
gateway_enable="YES"
cloned_interfaces="gre0 gre1"
ifconfig_gre0="inet 192.168.0.0 192.168.0.1 netmask 255.255.255.255 link1 up tunnel IP_A IP_B" #link to cisco 1841
ifconfig_gre1="inet 192.168.0.2 192.168.0.3 netmask 255.255.255.255 link1 up tunnel IP_A IP_C" #link to checkpoint 572
ipsec_enable="YES" #for setkey policy
ipsec_file="path_to_setkey.conf" #for setkey policy
Linux
3.2 Configure GRE tunnels:
/etc/sysconfig/network-scripts/ifcfg-tun0
DEVICE=tun0
BOOTPROTO=none
ONBOOT=yes
TYPE=GRE
MTU=1476
PEER_OUTER_IPADDR=IP_B
PEER_INNER_IPADDR=192.168.0.1
MY_INNER_IPADDR=192.168.0.0
/etc/sysconfig/network-scripts/ifcfg-tun1
DEVICE=tun1
BOOTPROTO=none
ONBOOT=yes
TYPE=GRE
MTU=1476
PEER_OUTER_IPADDR=IP_C
PEER_INNER_IPADDR=192.168.0.3
MY_INNER_IPADDR=192.168.0.2
3.3 Configure Quagga.
We show only ospfd.conf:
hostname ospfd
password test
enable password test
log stdout
router ospf
 ospf router-id Internal_IP
 passive-interface Interface_IP_A
 network 192.168.0.0/16 area 0.0.0.1
To start Quagga, run:
FreeBSD
/usr/local/quagga/sbin/zebra -d -f path_to_zebra.conf
/usr/local/quagga/sbin/ospfd -d -f path_to_ospfd.conf
Linux (init scripts installed by the quagga package):
service zebra start
service ospfd start
Cisco 1841 device configuration.
1. IOS requirements
12.X advanced ip services or Advanced Enterprise Service
15.X security license
2. Configuration
crypto isakmp policy 5
encr aes 128
authentication pre-share
group 5
lifetime 28800
!
crypto isakmp key test address IP_A
crypto isakmp key test address IP_C
!
crypto ipsec transform-set tunnel esp-aes 128 esp-sha-hmac
!
crypto ipsec profile VPN
set transform-set tunnel
set pfs group5
!
interface Tunnel1
description link to FreeBSD/Linux
ip address 192.168.0.1 255.255.255.254
ip mtu 1476
ip ospf network point-to-point
tunnel source Interface_IP_B
tunnel destination IP_A
tunnel protection ipsec profile VPN
! mask 255.255.255.254 tells IOS that the address on the other side is 192.168.0.0
interface Tunnel2
description link to checkpoint 572
ip address 192.168.0.4 255.255.255.254
ip mtu 1476
ip ospf network point-to-point
tunnel source Interface_IP_B
tunnel destination IP_C
tunnel protection ipsec profile VPN
! mask 255.255.255.254 tells IOS that the address on the other side is 192.168.0.5
router ospf 1
router-id Internal_IP
passive-interface Interface_IP_B
network 192.168.0.0 0.0.255.255 area 1
Checkpoint 572 (R71.2) device configuration.
Preface.
Let's assume that the Checkpoint 572 is configured with the IPSec VPN blade enabled (see the official documentation, CP_R71_VPN_AdminGuide). The following instructions are given in steps. After every step in SmartDashboard you must save and install the policy.
Configuration.
Step 1. Configure Global Properties:
Policy→Global Properties→VPN
VPN configuration method →Simplified mode to all new Firewall Polices (default mode)
Policy→Global Properties→VPN→Advanced
Set flag Enable VPN Directional Match in VPN Column
Step 2. Create the FreeBSD/Linux router object
Network objects→Interoperable Devices→ Interoperable Devices…
General Properties
Name: FreeBSD
IP Address: IP_A
Topology→Add→
General tab
Name: ext_ip
IP Address: IP_A
Net Mask: MASK_IP_A
Topology tab
Set flag External
Add→General tab
Name: gre_ip
IP Address: 192.168.0.2
Net Mask: 255.255.255.255
Topology tab
Set flag External
Add→General tab
Name: int_ip
IP Address: Internal_IP
Net Mask: 255.255.255.0
Topology tab
Set flag Internal→Set flag Network defined by the interface IP and Net Mask
Step 3. Create the Cisco 1841 router object
Network objects→Interoperable Devices→ Interoperable Devices…
General Properties
Name: Cisco
IP Address: IP_B
Topology→Add→
General tab
Name: ext_ip
IP Address: IP_B
Net Mask: MASK_IP_B
Topology tab
Set flag External
Add→General tab
Name: gre_ip
IP Address: 192.168.0.4
Net Mask: 255.255.255.255
Topology tab
Set flag External
Add→General tab
Name: int_ip
IP Address: Internal_IP
Net Mask: 255.255.255.0
Topology tab
Set flag Internal→Set flag Network defined by the interface IP and Net Mask
Step 4. Create objects: Range, Group, Network
Network Objects→Address Ranges→Multicast Address Range..
Name: OSPF
Type: IP Address Range
First IP Address: 224.0.0.5
Last IP Address: 224.0.0.6
Network Objects→Groups→Groups→Simple Groups→
Name: EMPTY_GROUP
Network Objects→Networks→Network…
Name: TEST_NETWORK
Network Address: 192.168.0.0
Net Mask: 255.255.0.0
Step 5. Configure the VPN Community
VPN Communities→Site To Site→New Site To Site…→Star..
General→
Name: TEST
Set flag Accept all encrypted traffic→Advanced→Set flag Both Center and Satellite Gateways
Center Gateways→Add→checkpoint 572
Satellite Gateways→Add→FreeBSD, Satellite Gateways→Add→Cisco
Encryption→
Encryption methods→Set flag IKEv1 only
Encryption suite→Set flag Custom→Advanced→
General→
IKE Security Association (Phase 1) Properties→
Perform key exchange encryption with→aes 128
Perform data integrity→sha-1
IPSEC Security Association (Phase 2) Properties→
Perform key exchange encryption with→aes 128
Perform data integrity→sha-1
Tunnel Management→
Set flag One VPN tunnel per Gateway pair
Advanced Settings→
VPN Routing→Set flag To center and to other satellites through center
Shared Secret→Set flag Use only Shared Secret for all External Members
Next to Cisco and FreeBSD, set the key "test"
Advanced VPN Properties→
IKE (Phase 1)→
Set Use Diffie-Hellman group→group 5
Renegotiate IKE security associations every→480 minutes
IPSEC (Phase 2)→
Set flag Use Perfect Forward Secrecy→Set Use Diffie-Hellman group→group 5
Renegotiate IPsec security associations every→28800 seconds
Step 6: Configure the VPN GRE tunnels (using the VPN shell from the console):
Enter Expert mode.
#vpn shell
VPN shell:[/] > interface
VPN shell:[/interface] >add
VPN shell:[/interface/add] > numbered 192.168.0.3 192.168.0.2 FreeBSD tun_to_freebsd
..
VPN shell:[/interface] > modify
VPN shell:[/interface/modify] > ifname
VPN shell:[/interface/modify/ifname] > mtu tun_to_freebsd 1476
VPN shell:[/] > interface
VPN shell:[/interface] > add
VPN shell:[/interface/add] > numbered 192.168.0.5 192.168.0.4 Cisco tun_to_cisco
..
VPN shell:[/interface] > modify
VPN shell:[/interface/modify] > ifname
VPN shell:[/interface/modify/ifname] > mtu tun_to_cisco 1476
Step 7: Set the Empty Group and related settings
For every device (Checkpoint 572, Cisco, FreeBSD/Linux) set:
Topology→Manual Defined→EMPTY_GROUP
IPSEC VPN→Link Selection→Set flag Always Use this IP address→Set flag Selected Address from topology table: External IP (IP_A for FreeBSD/Linux, IP_B for Cisco, IP_C for Checkpoint)
For Cisco and FreeBSD/Linux set:
IPSEC VPN→VPN Advanced→Set flag Custom Settings→Set flag One tunnel per gateway pair→GRE on IPSec
For Checkpoint set:
IPSEC VPN→VPN Advanced→Set flag Custom Settings→Set flag One tunnel per gateway pair
Step 8: Configure the Firewall
In the Firewall tab:
1. Accept the services IKE and ESP from Cisco and FreeBSD/Linux to Checkpoint and vice versa.
2. Accept any service from TEST_NETWORK to TEST_NETWORK and OSPF. In the VPN column choose Edit:
Set flag Match traffic in this direction only→
add…
TEST→TEST
add…
TEST→Internal_clear
add…
Internal_clear→TEST
Step 9: Configure OSPF (from the console)
Enter Expert mode.
Type: router
#Router:
en→conf t→router ospf 1→
router-id Internal_IP
network 192.168.0.0 0.0.255.255 area 0.0.0.1
exit
exit
write memory