How To Set Up Checkpoint Vpn For A Home Office Worker

(1)

SofaWare VPN Configuration

Guide

Part No.: 700411 Oct 2002

For Safe@ gateway version 3

(2)

COPYRIGHT & TRADEMARKS

Check Point, the Check Point logo, FireWall-1, FireWall-1 SecureServer, FireWall-1 SmallOffice, FloodGate-1, INSPECT, IQ Engine, Meta IP, MultiGate, Open Security Extension, OPSEC, Provider-1, SecureKnowledge, SecureUpdate, SiteManager-1, SVN, UAM, User-to-Address Mapping, UserAuthority, Visual Policy Editor, VPN-1, VPN-1 Accelerator Card, VPN-1 Gateway, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 SmallOffice, and ConnectControl are trademarks, service marks, or registered trademarks of Check Point Software Technologies Ltd. or its affiliates.

All other product names mentioned herein are trademarks or registered trademarks of their respective owners.

The products described in this document are protected by U.S. Patent No. 5,606,668 and 5,835,726 and may be protected by other U.S.

Patents, foreign patents, or pending applications.

(3)

Contents ... 3

Introduction ... 5

SofaWare Safe@Home ... 6

SofaWare Safe@Home Pro ... 6

SofaWare Safe@Office ... 6

SofaWare Safe@Office Plus ... 6

About This Guide ... 6

Typological Conventions ... 7

Contacting Technical Support ... 7

VPN Connectivity Solution Models ... 9

Safe@Office to Safe@Office (Site-to-Site VPN) ... 10

Safe@Office to VPN-1 (Site-to-Site VPN)... 11

VPN RAS Client to VPN-1 VPN RAS Server ... 12

VPN RAS Client to Safe@Office VPN RAS Server ... 13

Using Safe@Home Pro as a VPN RAS Client ... 14

Configuring VPN-1 NG FP1 and FP2 for Site-to-Site VPN... 15

Configuring VPN-1 NG FP1/FP2 for Site-to-Site VPN... 16

Configuring VPN-1 4.1 for Site-to-Site VPN... 37

Configuring VPN-1 4.1 for Site-to-Site VPN ... 38

(4)

Configuring VPN-1 for Safe@ RAS VPN ... 53

Configuring VPN-1 NG for Safe@ RAS VPN ... 53

Configuring VPN-1 4.1 for Safe@ RAS VPN ... 64

Configuring VPN-1 NG FP3... 73

Configuring Safe@ gateway to NG FP3 In “Client to Site” Mode ... 74

Configuring Safe@ gateway to NG FP3 in “Site To Site” mode ... 79

(5)

Introduction

The SofaWare S-box is available with the following software configurations: SofaWare Safe@Home, SofaWare Safe@Home Pro, SofaWare Safe@Office and SofaWare Safe@Office Plus. All four provide a web-based management interface, which enables you to manage and configure the S-box operation and options.

Table1 summarizes the differences between the available Safe@ software configurations.

Table 1: Safe@ Product Summary

Safe@Home Safe@Home Pro Safe@Office and Safe@Office Plus

Solution Home user firewall Telecommuter and home office

Small branch offices

Nodes 5 5 10/25

Standalone firewall Yes Yes Yes

VPN functionality No Remote Access Client Remote Access Client/Server Your S-box can be upgraded to a more advanced product level, without replacing the hardware. For more information, contact your reseller or email [email protected].

(6)

SofaWare Safe@Home

Safe@Home protects your home network from hostile Internet activity. It is intended for home users and can be used by up to five computers and users.

SofaWare Safe@Home Pro

In addition to all the benefits of SofaWare Safe@Home, SofaWare Safe@Home Pro provides Virtual Private Networking (VPN) functionality. SofaWare Safe@Home Pro contains a remote access VPN client, which enables employees working from home to securely connect to the corporate network.

SofaWare Safe@Home Pro is intended for home users who are part of an extended enterprise network. It can be used by up to five computers and users.

SofaWare Safe@Office

SofaWare Safe@Office provides all the benefits of SofaWare Safe@Home Pro, along with expanded VPN functionality. It acts not only as a remote access VPN client, but as a remote access VPN server which is installed office-side to protect the company’s VPN and make it available to telecommuting employees. SofaWare

Safe@Office can also be configured as a VPN gateway, which allows permanent Site-to-Site VPN connections between two gateways, such as two company offices.

SofaWare Safe@Office is intended both for companies with extended enterprise networks and for their employees working from home. It can be used by up to ten computers and users.

SofaWare Safe@Office Plus

SofaWare Safe@Office Plus extends SofaWare Safe@Office to support up to 25 computers and users.

About This Guide

This guide describes supported VPN solutions and provides instructions for implementing them.

You should be familiar with the following before using this guide:

!

Basic FW-1/VPN-1 use. For information, refer to the Check Point VPN-1/FireWall-1 Administration Guide.

!

S-box use for your software configuration. For information, refer to the SofaWare S-box Getting Started Guide.

(7)

To make finding information in this manual easier, some types of information are marked with special symbols or formatting.

Boldface type is used for command and button names.

Note: Notes are denoted by indented text and preceded by the Note icon.

Important: Important notes are denoted by indented text and preceded by the Important icon.

Contacting Technical Support

To contact technical support, send an email to: [email protected]

(8)

(9)

VPN Connectivity Solution Models

A virtual private network (VPN) consists of at least one VPN remote access (RAS) server or VPN gateway, and several VPN RAS clients. A VPN RAS server makes the corporate network remotely available to authorized users, such as employees working from home, who connect to the VPN RAS server using VPN RAS clients. A VPN gateway can be connected to another VPN gateway in a permanent, bi-directional relationship (Site-to-Site VPN). The two connected networks function as a single network.

A connection between two VPN sites is called a VPN tunnel. VPN tunnels encrypt and authenticate all traffic passing through them. Through these tunnels, employees can safely use their company’s network resources when working at home. For example, they can securely read email, use the company’s intranet, or access the company’s database from home.

SofaWare Safe@Home Pro and SofaWare Safe@Office provide VPN functionality. SofaWare Safe@Home Pro contains a VPN RAS client. SofaWare Safe@Office can act as a VPN RAS client, a VPN RAS server, or a Site- to-Site VPN gateway.

Both SofaWare Safe@Office and Safe@Home Pro enable an exciting number of solutions to support your VPN connectivity needs. This chapter describes the following four basic solutions:

! “Safe@Office to Safe@Office (Site-to-Site VPN) ,” page 10

! “Safe@Office to VPN-1 (Site-to-Site VPN),” page 11

! “VPN RAS Client to VPN-1 VPN RAS Server,” page 12

! “VPN RAS Client to Safe@Office VPN RAS Server,” page 13

(10)

Safe@Office to Safe@Office (Site-to-Site VPN)

This solution enables you to establish Site-to-Site VPN connections between Safe@Office Site-to-Site VPN gateways.

Note: In this solution model, both Safe@Office Site-to-Site VPN gateways must have a static IP address.

Figure 1 shows a sample implementation of the Safe@Office to Safe@Office solution with three Safe@Office appliances (sbox1, sbox2, and sbox3). Each S-box acts as a Site-to-Site VPN gateway for a fully secure network.

The networks communicate via VPN connections.

Figure 1: Safe@Office to Safe@Office (Site-to-Site VPN)

For information on configuring Safe@Office for Site-to-Site VPN, refer to the SofaWare S-box Getting Started Guide.

(11)

Safe@Office to VPN-1 (Site-to-Site VPN)

This solution enables you to establish Site-to-Site VPN connections between a Safe@Office Site-to-Site VPN gateway and a VPN-1 Site-to-Site VPN gateway.

Note: In this solution model, both the VPN-1 and Safe@Office Site-to-Site VPN gateways must have a static IP address. Dynamic IP in Site-to-Site VPN is supported using a certificate. For more information refer to www.sofaware.com or contact [email protected].

Figure 2 shows a sample implementation of the Safe@Office to VPN-1 solution, in which two Safe@Office appliances (sbox1 and sbox2) are connected to a VPN-1 Site-to-Site VPN gateway.

Figure 2: Safe@Office to VPN-1 (Site-to-Site VPN)

For information on configuring VPN-1 NG for Site-to-Site VPN, see “Configuring VPN-1 NG FP3 ,” page 73.

For information on configuring VPN-1 4.1 for Site-to-Site VPN, see “Configuring VPN-1 4.1 for Site-to-Site VPN,” page 37.

(12)

VPN RAS Client to VPN-1 VPN RAS Server

This solution enables Safe@, Check Point SecureClient, and Check Point SecuRemote VPN RAS clients to connect to a VPN-1 VPN RAS server.

Note: In this solution model, the VPN-1 VPN RAS server must have a static IP address.

Figure 3 shows a sample implementation of the VPN RAS Client to VPN-1 VPN RAS Server solution, in which two Safe@ appliances (sbox1 and sbox2), a Check Point SecuRemote, and a Check Point SecureClient act as VPN RAS clients that download topology information from a VPN-1 VPN RAS gateway.

Figure 3: VPN RAS Client to VPN-1 VPN RAS Server

For information on configuring a VPN-1 NG or VPN-1 4.1 as a VPN RAS Server, see “Configuring VPN-1 4.1 for Safe@ RAS VPN,” page 64.

(13)

This solution enables Safe@Home Pro, Safe@Office, Check Point SecureClient, and Check Point SecuRemote VPN RAS clients to connect to a Safe@Office VPN RAS server.

Note: In this solution model, the Safe@Office VPN RAS server must have a static IP address.

Figure 4 shows a sample implementation of the VPN RAS Client to Safe@Office VPN RAS Server solution, in which two Safe@ appliances (sbox1 and sbox2), a Check Point SecuRemote, and a Check Point SecureClient act as VPN RAS clients that download topology information from the Safe@Office VPN RAS server (sbox3).

Figure 4: VPN RAS Client to Safe@Office VPN RAS Server

For information on configuring Safe@Home Pro, Safe@Office, Check Point SecuRemote, or Check Point SecureClient as a VPN RAS client to a Safe@Office VPN RAS server, refer to the SofaWare S-box Getting Started Guide.

(14)

Using Safe@Home Pro as a VPN RAS Client

Safe@Home Pro functions in VPN RAS client mode, in which connection is initiated only by the VPN RAS client.

Safe@Home Pro uses only Manual mode VPN connection, in which the end-user surfs to http://my.vpn and selects the VPN RAS server to which they want to establish a VPN connection.

Figure 5 shows Safe@Home Pro acting as a VPN RAS client to VPN-1 and Safe@Office VPN RAS servers.

Figure 5: Safe@Home Pro VPN RAS Client

(15)

Configuring VPN-1 NG FP1 and FP2 for

Site-to-Site VPN

This chapter explains how to configure Check Point VPN-1 NG FP1/FP2 for the Safe@Office to VPN-1 (Site-to- Site VPN) solution described in “Safe@Office to VPN-1 (Site-to-Site VPN),” page 11.

Note: To configure NG FP3, refer to chapter 6 “Configure VPN-1 NG FP3” page 75 This chapter contains the following sections:

! “Configuring VPN-1 NG FP1/FP2 for Site-to-Site VPN ,” page 16

VPN-1 NG FP2 must be configured to work in Traditional Mode.

Note: The screens shown in this chapter appear in both VPN-1 NG FP1 and FP2.

Where FP1 and FP2 screens differ, both are shown.

Note: You must configure the VPN-1 object to use a pre-shared secret before you configure VPN-1 NG FP1/FP2 for Site-to-Site.

Note: Working with Dynamic IP’s and certificates is supported. For more information, please refer to www.sofaware.com or contact [email protected].

(16)

Configuring VPN-1 NG FP1/FP2 for Site-to-Site VPN

To configure VPN-1 NG FP1/FP2 for Site-to-Site VPN 1. Open the Check Point Policy Editor.

2. Create an S-box object by doing the following:

a. In the Manage menu, click Network Objects.

The Network Objects dialog box appears.

b. If you are using FP1, click New… and then click Workstation.

The Workstation Properties dialog box appears with the General tab displayed.

(17)

2) In the IP Address field, type the S-box’s hiding address.

3) In the Type area, select Gateway.

4) Select Check Point products installed.

5) In the Version list, select 4.1.

6) In the Check Point Products list, select Firewall-1 and VPN-1.

7) In the Object Management area, select Managed by another Management Server [External].

c. If you are using FP2, click New…, Check Point, and then Externally Managed Gateway.

The Externally Managed Check Point Gateway dialog box opens with General Properties tab displayed.

Do the following:

(18)

1) In the Name field, type the object’s name.

2) In the Version list, select 4.1.

4) In the Check Point Products list, select Firewall-1 and VPN-1 Pro.

d. Click Topology.

The Topology tab is displayed. By default, no interfaces are defined.

e. Add both an internal and external S-box interface. Do the following for each interface:

1) Click Add.

The Interface Properties dialog box appears with the General tab displayed.

2) Type the interface’s name, IP address, and subnet mask in the appropriate fields.

3) Click on the Topology tab.

The Topology tab is displayed.

(19)

4) If you are configuring the external interface, select External (leads out to the Internet) in the Topology area. Do not change the other settings.

5) If you are configuring the internal interface, select Internal (leads to the local network) in the Topology area, and select Network defined by the interface IP in the IP address Behind this interface area. Do not change the other settings.

(20)

6) Select “All IP Address behind Gateway based on Topology”

7) Click OK.

f. In the menu, click VPN.

The VPN tab is displayed.

(21)

Note: In FP1, FWZ appears in the Encryption Schemes list. Do not select FWZ.

g. Click Edit….

The IKE Properties dialog box appears.

(22)

h. In the Support authentication methods area, select Pre-shared Secret, and click Edit Secrets....

The Shared Secret dialog box appears.

Do the following:

1) In the Peer Name column, click on the S-box’s peer name.

(23)

Note: If the VPN-1 object was not configured to use a pre-shared secret, the peer name will not be listed.

2) In the Enter Secrets field, type the unique password that should be used by the S-box and VPN-1 when establishing VPN connections to each other.

3) Click Set.

4) Click OK.

The IKE Properties dialog box reappears.

i. Click Advanced….

The Advanced IKE properties dialog box appears.

j. Optional - Select the Support aggressive mode check box.

(24)

Note: Main mode is supported in Site to Site configuration.

k. Click OK.

l. Click OK.

The Externally Managed VPN Host dialog box reappears with the VPN tab is displayed.

m. Click OK.

3. Set VPN properties for the VPN-1 NG FP1/FP2 object by doing the following:

b. Select the VPN-1 NG object and click Edit….

The Check Point Gateway dialog box opens with General Properties tab displayed.

(25)

c. In the menu, click VPN.

d. Select IKE and click Edit….

e. Click Advanced….

f. Select the Support aggressive mode check box.

g. Click OK.

h. Click OK.

The VPN tab reappears with certificate information displayed.

(26)

4. If desired, create a Topology user by doing the following:

Note: A Topology user is a User object that enables the S-box to download the VPN-1 NG FP1/FP2 topology. If you do not create a Topology user, you must specify the VPN-1’s network configuration in the S-box VPN wizard.

a. In the menu, click Topology.

The Topology tab is displayed.

(27)

b. Select Exportable for SecuRemote/SecureClient.

c. Click OK.

d. In the Manage menu, choose Users and Administrators….

The Users window opens.

(28)

e. Click New, Users by Template, and then Default….

The Users Properties dialog box appears with the General tab displayed.

(29)

f. Type the login name. In this example the name Topology is used.

g. Click on the Encryption tab.

The Encryption tab is displayed.

(30)

Note: In FP1, FWZ appears in the Client Encryption Methods list. Do not select FWZ.

h. Select IKE and click Edit….

(31)

Do the following:

1) Select the Password (pre-shared Secret) checkbox.

The Password and Confirm Password fields are enabled.

2) In the Password and Confirm Password fields, type the pre-shared secret for the S-box.

3) Click on the Encryption tab.

If you are using FP1, the screen appears as follows:

(32)

If you are using FP2, the screen appears as follows:

4) If you are using FP2, select Defined below.

5) In the Encryption Algorithm list, select 3DES.

6) In the Data Integrity area, select SHA1.

7) Click OK.

The User Properties dialog box reappears with the Encryption tab displayed.

i. Click OK.

The Users window reappears.

j. Click Close.

5. Configure the rule base.

(33)

Note: Example 1 matches the “Unrestricted” configuration mode in the Safe@

gateway. In this case, all traffic should be directed to the secured network (and not to the external IP of the Safe@ gateway). All VPN traffic will be allowed into the safe@

secured network, and no “VPN ONLY” Allow / Server rules must be defined in the Safe@ gateway.

Note: The object Internal represents the encryption domain of the NG firewall. The object Sbox_Network represents the subnet behind the Safe@ gateway.

Note: If VPN access to the NG firewall itself is also needed, the NG object needs to appear in the rule base as well.

Note: In this instance, the services that will be encrypted in both directions are ICMP, Telnet and FTP.

Example 2 –

(34)

Note: Example 2 matches “Restricted” configuration in the Safe@ gateway. In this case all traffic must be directed to the external interface of the Safe@ gateway, and can be forward inbound using “VPN ONLY” allow / server rules. Directing the traffic to the secured network behind the Safe@ gateway is not allowed in this mode.

Note: The object called Internal represents the encryption domain of the NG firewall.

Note: If VPN access to the NG firewall itself is also needed, the NG object needs to appear in the rule base as well.

Note: In this instance, the services that will be encrypted in both directions are ICMP, Telnet and FTP.

6. Set encryption properties for each of the rules by doing the following:

a. In desired rule’s row, right-click on the Encrypt icon, and click Set Properties… in the popup menu that appears.

The Encryption Properties dialog box appears.

(35)

b. Click Edit….

The IKE Phase 2 Properties dialog box appears.

c. In the Data Integrity list, select SHA1.

(36)

d. Click OK.

e. Click OK.

7. Compile the policy.

(37)

Configuring VPN-1 4.1 for Site-to-Site

VPN

This chapter explains how to configure Check Point VPN-1 4.1 for the Safe@Office to VPN-1 (Site-to-Site VPN) solution described in “Safe@Office to VPN-1 (Site-to-Site VPN),” page 11.

Note: The information in this chapter is correct for VPN-1 4.1, SP4, and higher.

This chapter contains the following sections:

! “Configuring VPN-1 4.1 for Site-to-Site VPN”

Note: You must configure the VPN-1 object to use a pre-shared secret before you configure VPN-1 NG 4.1 for Site-to-Site.

(38)

Configuring VPN-1 4.1 for Site-to-Site VPN

To configure VPN-1 4.1 for Site-to-Site VPN 1. Open the Check Point Policy Editor.

2. Create the Safe@ Gateway object by doing the following:

a. In the Manage menu, choose Network Objects.

b. Click New… and then click Workstation.

(39)

Do the following:

1) In the Name field, type the object’s name.

3) In the Location area, select External.

4) In the Type area, select Gateway.

5) In the Modules Installed area, select VPN-1& FireWall-1 version 4.1.

c. Click OK.

3. Configure the Safe@ Gateway internal network object by doing the following:

b. Click New… and then click Network.

The Network Properties dialog box appears with the General tab displayed.

(40)

Do the following:

1) In the Name field, type the network object name.

2) In the IP Address field, type the network object’s IP address.

3) In the Net Mask field, type the network object’s subnet mask. The subnet mask represents the home network.

4) Click OK.

c. Open the Safe@ Gateway object you defined earlier.

d. In the menu, click VPN.

(41)

.

e. In the Domain area, select Other, and then select network object from the Other list. (In the example above, the network object is Mynet.)

f. Click Edit….

(42)

g. In the Support authentication methods area, select Pre-shared Secret, and click Edit Secrets....

The Shared Secret dialog box appears.

Do the following:

1) In the Peer Name column, click on the VPN-1’s peer name.

Note: If the VPN-1 object was not configured to use a pre-shared secret, the peer name will not be listed.

(43)

when establishing VPN connections to each other.

3) Click Set.

4) Click OK.

h. Click OK.

The Workstation Properties dialog box reappears with the VPN tab displayed.

i. Click OK.

4. Configure the VPN-1 object by doing the following:

b. Select the VPN-1 object and click Edit….

c. Click on the VPN tab.

(44)

Note: Your Domain area may look different, depending on the VPN topology of your network.

d. In the Domain section, select the Exportable for SecuRemote check box.

e. In the Encryption schemes defined area, click Edit….

The IKE Properties dialog-box appears.

(45)

f. Verify that the following options are selected:

! Pre-shared Secret

! Optional - Support Aggressive Mode

Note: Main Mode is also supported so Aggressive mode is optional.

! Support keys exchange for subnets

4. If desired, create a Topology user by doing the following:

Note: A Topology user is a User object that enables the S-box to download the VPN-1 NG FP1/FP2 topology. If you do not create a Topology user, you must specify the VPN-1’s network configuration in the S-box VPN wizard.

a. In the Manage menu choose Users.

The Users dialog box appears.

(46)

b. Click New… ,and then click Default.

The Users Properties dialog box appears with the General tab displayed.

c. In the Name field, type the user name. In this example the name Topology is used.

d. In the Expiration Date field, type the expiration date.

e. Click on the Encryption tab.

(47)

f. In the Client Encryption Methods area, select the IKE check box and clear the FWZ check box.

g. Click Edit….

The IKE Properties dialog box appears with the Authentication tab displayed.

h. Select Password, and type the password in the field.

i. Click on the Encryption tab.

(48)

Do the following:

1) In the Data Integrity area, select SHA1.

2) In the Encryption Algorithm list, select 3DES.

3) Click OK.

The Users Properties dialog box reappears with the Encryption tab displayed.

j. Click OK.

5. Edit the existing rule base.

Example 1 –

Note: Example 1 matches the “Unrestricted” configuration mode in the Safe@

(49)

secured network, and no “VPN ONLY” Allow / Server rules must be defined in the Safe@ gateway.

Note: The object Local_VPN_Domain represents the encryption domain of the behind the 4.1 firewall. The object Mynet represents the subnet behind the Safe@

gateway.

Note: If VPN access to the 4.1 firewall itself is also needed, the 4.1 object needs to appear in the rule base as well.

Note: In this instance, the services that will be encrypted in both directions are ICMP, and FTP.

Example 2 –

This example shows the rules that must be added to an existing rule base in order for FTP and ICMP to be encrypted to and from the S-box.

Note: Example 2 matches “Restricted” configuration in the Safe@ gateway. In this case all traffic must be directed to the external interface of the Safe@ gateway, and can be forward inbound using “VPN ONLY” allow / server rules. Directing the traffic to the secured network behind the Safe@ gateway is not allowed in this mode.

Note: The object Local_VPN_Domain is the subnet behind the FW-1 4.1 firewall.

(50)

Note: If VPN access to the 4.1 firewall itself is also needed, the 4.1 object needs to appear in the rule base as well.

Note: In this instance, the services that will be encrypted in both directions are ICMP, and FTP.

6. Set encryption properties for each of the rules by doing the following:

a. In desired rule’s row, right-click on the Encrypt icon, and click Set Properties… in the popup menu that appears.

b. Click Edit….

(51)

c. In the Data Integrity list, select SHA1.

d. Click OK.

The Encryption Properties dialog box reappears.

e. Click OK.

(52)

(53)

Configuring VPN-1 for Safe@ RAS VPN

This chapter explains how to configure Check Point VPN-1 as a VPN RAS server, as described in the solution

“VPN RAS Client to VPN-1 VPN RAS Server,” page 12. The VPN-1 versions supported are Check Point 4.1 SP4 and above, NG FP1, and NG FP2. If you are using NG FP3, please refer to “Configuring VPN-1 NG FP3 ,”

page 73

After configuring VPN-1, you must configure the Safe@ appliance to act as a VPN RAS client. For instructions, refer to the SofaWare Safe@ Getting Started Guide. The SofaWare Safe@ Gateway uses IKE shared secrets to establish an IPSEC VPN connection from the Safe@ Gateway to the Check Point Enterprise VPN-1.

This chapter contains the following sections:

! “Configuring VPN-1 NG for Safe@ RAS VPN ,” page 53.

! “Configuring VPN-1 4.1 for Safe@ RAS VPN,” page 64

Configuring VPN-1 NG for Safe@ RAS VPN

Note: This procedure can be used for VPN-1 NG FP1 and FP2.

To configure VPN-1 NG for Safe@ RAS VPN 1. Open the Check Point Policy Editor.

2. Edit the VPN-1 NG properties by doing the following:

a. From the Manage menu, select Network Objects.

(54)

b. Click on the VPN-1 workstation object that should receive the Safe@ gateway VPN session request.

(55)

d. In the Encryption schemes area, verify that the IKE check box is selected.

e. Click Edit….

(56)

f. Verify that the following selections are made:

! In the Support key exchange encryption with list: DES and/or 3DES

! In the Support data integrity with area: MD5 and/or SHA1

Note: These are the minimal selections. If desired, you can select additional options.

g. Click Advanced….

(57)

Do the following:

1) Select the Use UDP encapsulation check box.

2) From the Use UDP encapsulation list, select VPN1_IPSEC_encapsulation.

3) In the Rekeying Parameters area, set Renegotiate IKE security associations to 1440 minutes, and set Renegotiate IPSEC Security associations every to 3600 seconds.

4) In the Misc area, select Support IP compression for SecureClient, Support aggressive mode, and Support key exchange for subnets.

5) Click OK.

h. Click OK.

i. Click OK.

(58)

3. Create a new group object by doing the following:

a. In the Manage menu, click Users.

b. Click New… and then Group….

The Group Properties dialog box appears.

(59)

d. If users are already defined and you wish to add them to the new group, add users to your group by doing the following:

1) In the Not in Group list, select desired users.

2) Click Add>.

The selected users are moved to the In Group list.

e. Click OK.

The Users dialog box reappears. The new group object appears in the Users list.

f. Click Close.

4. If you wish to create a new Safe@ gateway user object, do the following:

a. In the Manage menu, click Users.

The Users window appears.

b. Click New…, User by Template, and then Default.

The User Properties dialog box appears with the General tab displayed.

(60)

c. Type a login name for the new Safe@ gateway user.

d. Click the Groups tab.

The Groups tab is displayed.

e. In the Available Groups list, select the group you created earlier and click Add>.

The group is moved to the Belongs to Groups list.

f. Click on the Encryption tab.

(61)

g. In the Client Encryption Methods area, verify that the IKE check box is selected.

h. Click Edit….

(62)

Do the following:

1) Select Password.

The Password and Confirm Password fields are enabled.

2) In the Password and Confirm Password fields, type the pre-shared secret for the Safe@ gateway.

(63)

5) In the Data Integrity area, select SHA1 or MD5.

6) In the Encryption Algorithm list, select DES or 3DES.

7) Click OK.

i. Click OK.

j. Click Close.

5. Add a rule to your rule base:

Note: The rule above is only an example. The Destination and Service may vary according to your VPN settings and your network needs.

Note: The object Internal represent the encryption domain of the NG firewall.

(64)

Configuring VPN-1 4.1 for Safe@ RAS VPN

To configure VPN-1 4.1 for Safe@ RAS VPN 1. Open the Check Point Policy Editor.

2. Edit the VPN-1 4.1 properties by doing the following:

a. From the Manage menu, select Network Objects.

b. Click on the VPN-1 4.1 object that should receive the Safe@ gateway VPN session request, and click Edit….

(65)

c. Click on the VPN tab.

(66)

d. In the Encryption schemes defined area, verify that the IKE check box is selected.

Note: In the example above, the Local_VPN_Domain object represents the secured networks protected by VPN-1. Your VPN-1 may have other network objects defined.

e. Click Edit….

(67)

f. Verify that the following selections are made:

! In the Key Negotiation Encryption Method(s) list: DES and/or 3DES

Note: CAST is not supported by Safe@ gateway, but can be selected if desired.

! In the Hash Method area: MD5 and/or SHA1

! Support Aggressive Mode

! Support Subnets

Note: These are the minimal selections. If desired, you can select additional options.

g. Click OK.

h. Click OK.

3. Create a new group object by doing the following:

a. From the Manage menu, click Users.

(68)

b. Click New… and then click Group.

The Group Properties dialog box appears.

c. In the Name field, type the group object’s name.

d. If users are already defined, and you wish to add them to the new group, do the following:

1) In the Not in Group list, select desired users.

2) Click Add>.

(69)

The Users dialog box reappears. The new group appears in the Users list.

f. Click Close.

4. If you wish to create a new Safe@ gateway user object, do the following:

a. From the Manage menu, click Users.

The Users window appears.

b. Click New… and then click Default.

The User Properties dialog box appears with the General tab displayed.

Do the following:

1) In the Name field, type a name for the new Safe@ gateway user.

2) If desired, type a new expiration date for the Safe@ gateway user object in the Expiration Date field.

c. Click the Groups tab.

The Groups tab is displayed.

(70)

d. In the Available Groups list, select the group you created earlier and click Add >.

The group is moved to the Belongs to Groups list.

e. Click on the Encryption tab.

(71)

Do the following:

1) Select Password.

The Password field is enabled.

2) In the Password field, type the pre-shared secret for the Safe@ gateway.

(72)

4) In the Transform area, select Encryption + Data Integrity (ESP).

5) In the Data Integrity area, select SHA1 or MD5.

6) In the Encryption Algorithm list, select DES or 3DES.

7) Click OK.

h. Click OK.

i. Click Close.

5. Add a rule to your rule base:

Note: The rule above is only an example. The Destination and Service may vary according to your VPN settings and your network needs.

Note: The object Internal represents the encryption domain of the FW-1 4.1 firewall.

(73)

Configuring VPN-1 NG FP3

This chapter explains how to create Site-to-Site and Client-to-Site VPN tunnels between Safe@ gateway and NG FP3 using communities.

Note: SSC (SofaWare SmartCenter Connector) add-on must be installed on the NG FP3 firewall

(74)

Configuring Safe@ gateway to NG FP3 In “Client to Site” Mode

Create and Configure Safe@ object 1. Open the Check Point Policy Editor.

2. Create a Safe@ Gateway object by doing the following:

b. Click New…, Check Point, and then Safe@ Gateway...

c. The Safe@ Gateway properties page appears

3. Configure the Safe@ Gateway Object by doing the following:

(75)

a. In the Name field, type the object’s name.

b. Next to the IP Address field select the “Dynamic Address” checkbox.

c. In the Type field choose GW Type.

d. In the SofaWare Profile field choose Profile.

e. In the Password field enter a password, or press on the Generate Password button.

f. Select the VPN Enabled check box.

g. Save the object by clicking OK.

Note: The Safe@ password is automatically used as its shared secret in the community.

(76)

Configure the Community

1. Define the Community by doing the following:

a. Select the VPN Manager tab:

b. Double click on the RemoteAccess community.

The RemoteAccess Community Properties window appears.

2. Add participants to the pre-defined RemoteAccess Community:

a. In the General Tab, Enter Object name.

b. In the Participating Gateways, choose the firewall gateways you wish to use.

(77)

c. In the Participating User Groups, select “All SofaWare VPN GW’s”

d. Click OK.

Note: You can choose “All Users”, and it will include “All SofaWare VPN GW’s”

(78)

Configure Global Properties

1. From the menu select Policy and Global Properties 2. The Global Properties page appears.

3. Select Remote Access and then VPN Basic in the tree on the left side of the dialog-box.

4. Select the Hybrid Mode (VPN-1 & Firewall-1 authentication) checkbox.

Note: If using Safe@ Gateways version 2.0.x, it is mandatory to select also Pre- shared Secret

5. Click OK Rule base

Note: The If Via access rule condition means "Accept if encrypted between community members".

In the example below, all services are allowed via the RemoteAccess community.

(79)

6. Install the policy on the desired gateways and profiles.

Configuring Safe@ gateway to NG FP3 in “Site To Site” mode

Note: Working with Dynamic IP’s and certificates is supported. For more information, please refer to www.sofaware.com or contact [email protected].

Create a network object

1. Open the Check Point Policy Editor.

(80)

b. Click New.

c. Select Network...

d. The Network Properties window opens

e. In the Name field type the name of the object

(81)

h. Click OK

Create and Configure Safe@ object 1. Open the Check Point Policy Editor.

a. In the Manage menu, click Network Objects.

b. Click New…, Check Point, and then Safe@ Gateway.

c. The Safe@ Gateway properties page appears.

3. Configure the Safe@ Gateway object by doing the following:

(82)

a. In the Name field, type the object’s name.

b. In the IP Address field, type your IP address.

c. In the Type field, choose GW Type

d. In the SofaWare Profile field, choose Profile

e. In the Password field, enter a password, or press the Generate Password button.

f. Select the VPN Enabled check box.

4. Configure Topology by doing the following:

a. Select the Topology tab

(83)

b. From the Manually defined drop-down menu select the network object that represents the network protected by the safe@ gateway

c. Save the object by clicking OK.

Configure the Community 1. Define the Community

a. Select the VPN Manager tab.

b. Right-click in the VPN Manager, then from the New Community menu choose Star.

Note: Meshed communities are not supported in NG FP3 with Safe@ gateways

The Start community Properties page appears

(84)

c. In the Name field type the name of the object.

Note: In order to accept encrypted traffic, the user can check the "Accept all encrypted traffic" checkbox on the community object. This will add an automatic access rule for all encrypted traffic between community members.

d. Select the Central Gateways tab.

e. Add the gateway object you wish to be the Central Gateway.

(85)

g. Click Add... and choose the Safe@ gateway object.

h. Services in the Clear definitions will not effect the tunnel between Safe@ and FP3. The Safe@ will encrypt all traffic.

i. Click on VPN Properties tab.

j. Define Phase 1 and Phase 2 properties.

(86)

Note: All VPN Encryption and Data Integrity combinations are allowed. In the example above Phase 1 is configured to use 3DES + MD5, and phase 2 is configured to use 3DES + SHA1. Other combinations are allowed.

Note: There is no need to define Advanced Properties.

Note: There is no need to define the shared secret on the community. The Safe@

password is automatically used as its shared secret in the community.

k. Click OK

l. The new Start community is presented in the VPN Manager tab.

(87)

Rule Base

Note: The "If Via" access rule condition means "Accept if encrypted between community members."

Note: In the example below, only FTP and ICMP protocols will be Encrypted via the Star_1 Community.