Upload
lamnhan
View
237
Download
3
Embed Size (px)
Citation preview
VPN Tracker for Mac OS X
How-to:
Interoperability with
Check Point VPN-1 GateWay
Rev. 1.1
Copyright © 2003 equinux USA Inc. All rights reserved.
1. Introduction
2
1. Introduction
This document describes how VPN Tracker can be used to establish a connection
between a Macintosh running Mac OS X and a Check Point VPN-1 GateWay. equinux
has tested the Check Point VPN-1 GateWay with FP3 and FP4.
The Check Point VPN-1 GateWay is configured as a router, connecting a company LAN
to the Internet.
The example demonstrates a connection scenario, with a dial-in Mac connecting to a
Check Point VPN-1 GateWay.
This paper is only a supplement to, not a replacement for, the instructions that have
been included with your Check Point VPN-1 GateWay. Please be sure to read and
understand those instructions before beginning.
All trademarks, product names, company names, logos, screenshots displayed, cited or
otherwise indicated on the How-to are the property of their respective owners.
EQUINUX SHALL HAVE ABSOLUTELY NO LIABILITY FOR ANY DIRECT OR INDIRECT,
SPECIAL OR OTHER CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE USE OF THE
HOW-TO OR ANY CHANGE TO THE ROUTER GENERALLY, INCLUDING WITHOUT
LIMITATION, ANY LOST PROFITS, BUSINESS, OR DATA, EVEN IF EQUINUX HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
2. Prerequisites
3
2. Prerequisites
Firstly, you should use a recent software version.
For this document, VPN-1 FP3 and FP4 has been used.
The type of the VPN Tracker license needed (personal or professional edition) depends
on the connection scenario you are using:
• If you connect a dial-in Mac without it’s own subnet to the Check Point VPN-1GateWay you need a Personal License.
• If you want to establish a LAN-to-LAN connection from your Mac to the Check PointVPN-1 GateWay, you need a VPN Tracker Professional License.
• If you connect a dial-in Mac without it’s own subnet to multiple Networks onCheckPoint side you also need the Professional License.
VPN Tracker is compatible with Mac OS X 10.2 or higher.
Be sure to use VPN Tracker 2.0.3 or higher.1 For this document VPN Tracker version
2.0.3 has been used.
1 All VPN Tracker versions prior to 2.0.3 did not include a correct connection type for CheckPoint VPN-1.
3. Connecting to a Check Point VPN-1 GateWay using pre-shared secrets
4
3. Connecting to a Check Point VPN-1
GateWay using pre-shared secrets
In this example, the Mac running VPN Tracker is directly connected to the internet via
a dialup or PPP connection.2 The Check Point VPN-1 GateWay is configured in NAT
mode and has the static WAN IP address 169.1.2.3 with gateway 169.1.2.1 and the
private LAN IP address 192.168.1.1. The stations in the LAN behind the Check Point
VPN-1 GateWay use 192.168.1.1 as their default gateway and should have a working
Internet connection. The firewall rules are already defined and the VPN connection
between the windows clients and the Check Point VPN-1 GateWay works.
Figure 1: VPN Tracker - Check Point VPN-1 GateWay connection diagram (host to
network)
2 Please note that the connection via a router, which uses Network Address Translation (NAT), only works
if the NAT router supports „IPsec passthrough“. Please contact your router’s manufacturer for details.
VPN Tracker Mac
(dynamic IP)
cpmodule
WAN 169.1.2.3
LAN 192.168.1.1
LAN
192.168.1.0/24
192.168.1.10
192.168.1.20
192.168.1.30
3. Connecting to a Check Point VPN-1 GateWay using pre-shared secrets
5
3.1 Check P oint VPN-1 GateW ay configuration
The pre-defined VPN Tracker connection type has been created using the defaultsettings on Check Point VPN-1 GateWay. If you change any of the settings on theCheck Point VPN-1 GateWay, you will subsequently have to adjust the connection typein VPN Tracker.
VPN - Basic Setup:
Please enable the “Pre-Shared Secret” Feature in the Global Properties, witch is
disabled by default.
Figure 2: Global Properties
Step 1
3. Connecting to a Check Point VPN-1 GateWay using pre-shared secrets
6
VPN – Advanced Setup:
Please check all the settings. The VPN Tracker connection type uses these settings.
Figure 3: Global Properties - Advanced
Step 2
3. Connecting to a Check Point VPN-1 GateWay using pre-shared secrets
7
User properties:
Please enter a Login Name in the form user@domain . If you use a VPN Tracker versionprior to 2.0.5, the username must contain the "@" sign.
With VPN Tracker 2.0.5 you can also use a Login Name in the form: “vpntracker”.
Figure 4: User Properties - General
Please check the other user settings. Please use no “authentication scheme” and don’tgenerate a certificate for the pre-shared key based connection.
Step 3
3. Connecting to a Check Point VPN-1 GateWay using pre-shared secrets
8
Figure 5: User Properties - Authentication
Figure 6: User Properties - Certificates
3. Connecting to a Check Point VPN-1 GateWay using pre-shared secrets
9
Enable the IKE Encryption Method and the Log.
Figure 7: User Properties - Encryption
Edit the IKE encryption method and enter your Password (Pre-shared secret). Pleasebe sure that „Public Key“ isn’t enabled.
Figure 8: IKE Phase 2 Properties
3. Connecting to a Check Point VPN-1 GateWay using pre-shared secrets
10
Add user in a RemoteAccess Group.
The screenshots are only a example of adding the previously created user in a groupcalled “RemoteAccessUsers”. You may already have existing Access Groups. We usedthe following.
Figure 9: Group Properties - RemoteAccessusers
Figure 10: Main Screen - cpmodule
Step 4
3. Connecting to a Check Point VPN-1 GateWay using pre-shared secrets
11
Tradition mode configuration.
Please be sure that the previously created group is in the VPN community. Click on the“Tradition mode configuration” button.
Figure 11: Check Point Gateway - cpmodule
Please enable “Pre-Shared Secret” and click on the “Advanced...” button.
Figure 12: Traditional mode IKE Properties
Step 4
3. Connecting to a Check Point VPN-1 GateWay using pre-shared secrets
12
Enable in the “Traditional mode advanced IKE properties” the “Support for aggressivemode”. This is very import for the pre-shared key based communication. If you wantto use certificates with VPN Tracker you’ll always use the main mode.
Figure 13: Traditional mode advanced IKE properties
> Multiple VPN Tracker Hosts
Just create another user with the same settings.
3. Connecting to a Check Point VPN-1 GateWay using pre-shared secrets
13
3.2 VPN T racker configuration
Add a new connection with the following options: Choose „Check Point (Pre-shared
key) “ as the Connection Type, „Host to Network“ as Topology, then type in the
remote endpoint (169.1.2.3) and the remote network (192.168.1.0/24).
Figure 14: VPN Tracker main dialog (with PSK)
Click select „Pre-shared key“ and click “Edit...”. Type in the same pre-shared secretthat you typed-in in the Check Point VPN-1 GateWay configuration (Figure 2). Use the“login name” as local identifier. If you have typed in a correct username, the word"email" should be visible beside the input field.
With VPN Tracker version 2.0.5 you can use a username in the form “vpntracker” butyou have to type in “@vpntracker” as local identifier. An identifier of the form "@user"will be interpreted as "user" with a type of "email" (User-FQDN). This is to help allCheck Point users who have usernames without an "@" in them, as Check Pointalways expects an User-FQDN identifier.
Step 1
Step 2
3. Connecting to a Check Point VPN-1 GateWay using pre-shared secrets
14
Figure 15: Pre-shared key dialog
Save the connection and Click „Start IPsec“ in the VPN Tracker main window.
You’re done. After 10-20 seconds the red status indicator for the connection shouldchange to green, which means you’re securely connected to the Check Point VPN-1GateWay. After IPsec has been started, you may quit VPN Tracker. The IPsec servicewill keep running.
Now to test your connection simply ping a host in the Check Point VPN-1 GateWaynetwork from the dialed-in Mac in the “Terminal” utility:
ping 192.168.1.10
> Debugging
If the status indicator does not change to green please have a look at the log file onboth sides. You can define the amount of information available in the log file in theVPN Tracker preferences.
Step 3
4. Connecting to a Check Point VPN-1 GateWay using RSA X.509 cerificates
15
4. Connecting to a Check Point VPN-1
GateWay using RSA X.509 cerificates
4.1 Check P oint VPN-1 GateW ay configuration
The setup of enabling IPsec works the same way as described in section 4.
User Properties:
Please enter a “Login Name” in the form “certificateUser” or “certificateUser@domain”
Figure 16: User Properties - General
Step 1
Step 2
4. Connecting to a Check Point VPN-1 GateWay using RSA X.509 cerificates
16
Figure 17: User Properties - Groups
Generate and save the certificate. The PKCS#12 file contains the certificate, yourprivate key and the CA.
Figure 18: user Properties - Certificates
4. Connecting to a Check Point VPN-1 GateWay using RSA X.509 cerificates
17
Please be sure that you enable the “Public Key” Authentication” in the IKE Phase 2Properties.
Figure 19: IKE Phase 2 Properties
Tradition mode IKE properties:
Please enable the “Public key Signatures”. You can leave the “Pre-Shared Secrets”
enabled.
Figure 20: Traditional mode IKE properties
Step 4
4. Connecting to a Check Point VPN-1 GateWay using RSA X.509 cerificates
18
4.2 VPN T racker configuration
Open the Certificate manager (File -> Show certificates) of VPN Tracker and import the
PKCS#12 file you previously exported from your Check Point VPN-1 GateWay.
Figure 21: VPN Tracker - Certificate Import
Add a new connection with the following options: Choose „CheckPoint (Certificates)“
as the Connection Type, „Host to Network“ as Topology, then type in the remote
endpoint (169.1.2.3) and the remote network (192.168.1.0/24).
Figure 22: VPN Tracker main dialog (with certificates)
Step 1
Step 2
4. Connecting to a Check Point VPN-1 GateWay using RSA X.509 cerificates
19
Choose as “own certificate” the certificate you imported in step 1 and verify the
remote certificate “with CAs”. Choose “own certificate” as local identifier and IP
address as remote identifier. Do not “Verify the remote certificate”.
Figure 23: Certificate dialog
Step 3