Friday, 19 August 2011

IPSec VPN between Check Point and Cisco Router

Setting up a VPN between these two devices is a bit cryptic the first time you encounter it but once you have completed the task it just makes sense. This tutorial continues on from a previous post which describes how to setup a virtualized check point firewall.

The Cisco router is simulated using dynamips and the following parameters:

        image =  C:\lab\IOS\c3725-adventerprisek9-mz.124-15.T14.bin
        idlepc = 0x6026be14
        ram = 160
        disk0 = 32

    [[ROUTER R1]]
        model = 3725
        #This is the vmnet1 device
        FA0/0 = NIO_gen_eth:\Device\NPF_{A5C8EFBE-0743-4930-9373-4D2A4DBF800A}

The network diagram is

                    (Fa0/0) R1
     External   +                          Internal
Pluto ----- (eth1) CP R75 (eth2)----- Eris

Network block are allocated as shown below. The remote network is configured as a loopback interface on R1.
  • management network -
  • external network -
  • internal network -
  • remote network -
The ip address allocations are:
  • pluto -
  • eth1 -
  • eth2 -
  • eris -
  • fa0/0 R1 -
  • loop0 R1 -
The best introduction I've read to IKE and IPSec is in the Checkpoint VPN Admin guide. I would highly recommend reading chapter 2 of this document even if you have a good understanding of these protocols

Router R1 Configuration

Create the IKE policy and assume pre-shared keys

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key abc123 address

Create the IPSec transform set (ie the encryption parameters it will work with)

crypto ipsec transform-set mytransform esp-aes 256 esp-sha

Define the interesting traffic

access-list 101 permit ip

Now put it all together and apply it to an interface

crypto map mymap 1 ipsec-isakmp
 set peer
 set transform-set mytransform
 match address 101
interface FastEthernet0/0
 crypto map mymap

Checkpoint Configuration

Click on the IPSec VPN Tab. The first task is to define the remote end point. Click on the IPSec VPN Tab and in the tree on the left hand side right click on Interoperable Device and add a new device which we'll call CiscoRTR. In the IP address field put in

Click on the toplogy of CiscoRTR and add the following:

  • fa0/0:, netmask; topology: Leads to internet
  • loop0:, netmask; topology: Internal, Network defined by IP address and netmask
Now create a new VPN community, type Star called MyVPN, with the following settings:

  • Center gateways: the object representing the Check Point enforcement point
  • Satellite gateways: the object representing the Cisco router - CiscoRTR
  • Encryption:
    • Encryption Method: IKEv1 Only
    • Encryption Suite: Custom with the following properties
    • IKE (Phase 1) Properties
    • Perform key exchange encryption with: AES-256
    • Perform data integrity with: SHA-1
    • IPSec (Phase 2) Properties
    • Perform IPSec data encryption with: AES-256
    • Perform data integrity with: SHA-1
  • Tunnel Management: VPN Tunnel sharing: One VPN tunnel per subnet pair
  • Advanced settings
    • VPN Routing: To center only
    • Shared Secret: Use only Shared Secret for all external members, then add the shared secret to CiscoRTR
    • Advanced VPN Properties:IKE (Phase 1): Use Diffie-Helman Group: Group 2
Now click on the Firewall tab and add the following two rules:

Name: InterestingVPNTrafffic
VPN: MyVPN (ie the community defined above)
Service: Any
Action: Accept
Track: Log

Name: Encrypted Traffic
Source: Checkpoint Gateway
Destination: CiscoRTR
VPN: Any traffic
Service: IKE & IPSec
Action: Accept
Track: Log

Now apply this changes to the checkpoint and you should then be able to ping from Eris to the loopback of R1.

1 comment: