VPN Tracker for Mac OS X - equinux Website: download.equinux.com/HowTo_CheckPoint_Rev_1.1.pdf

VPN Tracker for Mac OS X

How-to:

Interoperability with

Check Point VPN-1 GateWay

Rev. 1.1

Copyright © 2003 equinux USA Inc. All rights reserved.

Page 2: VPN Tracker for Mac OS X - equinux Websitedownload.equinux.com/HowTo_CheckPoint_Rev_1.1.pdf · VPN Tracker for Mac OS X How-to: ... 192.168.1.0/24 192.168.1.10 ... „Host to Network“

1. Introduction

2

1. Introduction

This document describes how VPN Tracker can be used to establish a connection between a Macintosh running Mac OS X and a Check Point VPN-1 GateWay. equinux has tested the Check Point VPN-1 GateWay with FP3 and FP4.

The Check Point VPN-1 GateWay is configured as a router, connecting a company LAN to the Internet.

The example demonstrates a connection scenario, with a dial-in Mac connecting to a Check Point VPN-1 GateWay.

This paper is only a supplement to, not a replacement for, the instructions that have been included with your Check Point VPN-1 GateWay. Please be sure to read and understand those instructions before beginning.

All trademarks, product names, company names, logos, screenshots displayed, cited or otherwise indicated in the How-to are the property of their respective owners.

EQUINUX SHALL HAVE ABSOLUTELY NO LIABILITY FOR ANY DIRECT OR INDIRECT, SPECIAL OR OTHER CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE USE OF THE HOW-TO OR ANY CHANGE TO THE ROUTER GENERALLY, INCLUDING WITHOUT LIMITATION, ANY LOST PROFITS, BUSINESS, OR DATA, EVEN IF EQUINUX HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

2. Prerequisites

Firstly, you should use a recent software version. For this document, VPN-1 FP3 and FP4 have been used.

The type of VPN Tracker license needed (Personal or Professional Edition) depends on the connection scenario you are using:

• If you connect a dial-in Mac without its own subnet to the Check Point VPN-1 GateWay, you need a Personal License.

• If you want to establish a LAN-to-LAN connection from your Mac to the Check Point VPN-1 GateWay, you need a VPN Tracker Professional License.

• If you connect a dial-in Mac without its own subnet to multiple networks on the Check Point side, you also need the Professional License.

VPN Tracker is compatible with Mac OS X 10.2 or higher.

Be sure to use VPN Tracker 2.0.3 or higher.[1] For this document VPN Tracker version 2.0.3 has been used.

[1] All VPN Tracker versions prior to 2.0.3 did not include a correct connection type for Check Point VPN-1.

3. Connecting to a Check Point VPN-1 GateWay using pre-shared secrets

In this example, the Mac running VPN Tracker is directly connected to the Internet via a dialup or PPP connection.[2] The Check Point VPN-1 GateWay is configured in NAT mode and has the static WAN IP address 169.1.2.3 with gateway 169.1.2.1 and the private LAN IP address 192.168.1.1. The stations in the LAN behind the Check Point VPN-1 GateWay use 192.168.1.1 as their default gateway and should have a working Internet connection. The firewall rules are already defined and the VPN connection between the Windows clients and the Check Point VPN-1 GateWay works.

Figure 1: VPN Tracker - Check Point VPN-1 GateWay connection diagram (host to network). The diagram shows the VPN Tracker Mac (dynamic IP) on the Internet side, the gateway "cpmodule" with WAN address 169.1.2.3 and LAN address 192.168.1.1, and the LAN 192.168.1.0/24 with the hosts 192.168.1.10, 192.168.1.20 and 192.168.1.30.

[2] Please note that a connection via a router which uses Network Address Translation (NAT) only works if the NAT router supports "IPsec passthrough". Please contact your router's manufacturer for details.

3.1 Check Point VPN-1 GateWay configuration

The pre-defined VPN Tracker connection type has been created using the default settings on the Check Point VPN-1 GateWay. If you change any of the settings on the Check Point VPN-1 GateWay, you will subsequently have to adjust the connection type in VPN Tracker.

VPN - Basic Setup:

Please enable the "Pre-Shared Secret" feature in the Global Properties, which is disabled by default.

Figure 2: Global Properties


VPN – Advanced Setup:

Please check all the settings. The VPN Tracker connection type uses these settings.

Figure 3: Global Properties - Advanced



User properties:

Please enter a Login Name in the form user@domain. If you use a VPN Tracker version prior to 2.0.5, the username must contain the "@" sign. With VPN Tracker 2.0.5 you can also use a Login Name in the form "vpntracker".

Figure 4: User Properties - General

Please check the other user settings. Use no "authentication scheme" and do not generate a certificate for the pre-shared key based connection.


Figure 5: User Properties - Authentication

Figure 6: User Properties - Certificates


Enable the IKE encryption method and the log.

Figure 7: User Properties - Encryption

Edit the IKE encryption method and enter your password (this is the pre-shared secret). Please be sure that "Public Key" is not enabled.

Figure 8: IKE Phase 2 Properties


Add the user to a Remote Access group.

The screenshots are only an example of adding the previously created user to a group called "RemoteAccessUsers". You may already have existing access groups. We used the following.

Figure 9: Group Properties - RemoteAccessUsers

Figure 10: Main Screen - cpmodule


Traditional mode configuration.

Please be sure that the previously created group is in the VPN community. Click on the "Traditional mode configuration" button.

Figure 11: Check Point Gateway - cpmodule

Please enable "Pre-Shared Secret" and click on the "Advanced..." button.

Figure 12: Traditional mode IKE Properties


Enable "Support for aggressive mode" in the "Traditional mode advanced IKE properties". This is very important for the pre-shared key based connection: the dial-in Mac has a dynamic IP address, so the gateway cannot select the pre-shared secret by address and must learn the user's identity from the ID that aggressive mode sends in the first exchange. Be aware that aggressive mode also sends the hash derived from the pre-shared secret unencrypted, so anyone who can capture the IKE exchange can run an offline dictionary attack against the secret; use a long, random pre-shared secret. If you want to use certificates with VPN Tracker, main mode is always used.

Figure 13: Traditional mode advanced IKE properties

> Multiple VPN Tracker Hosts

Just create another user with the same settings.

3.2 VPN Tracker configuration

Add a new connection with the following options: Choose "Check Point (Pre-shared key)" as the Connection Type, "Host to Network" as Topology, then type in the remote endpoint (169.1.2.3) and the remote network (192.168.1.0/24).

Figure 14: VPN Tracker main dialog (with PSK)

Select "Pre-shared key" and click "Edit...". Type in the same pre-shared secret that you typed in in the Check Point VPN-1 GateWay configuration (Figure 8). Use the "login name" as local identifier. If you have typed in a correct username, the word "email" should be visible beside the input field.

With VPN Tracker version 2.0.5 you can use a username in the form "vpntracker", but you then have to type in "@vpntracker" as local identifier. An identifier of the form "@user" will be interpreted as "user" with a type of "email" (User-FQDN). This is to help all Check Point users who have usernames without an "@" in them, as Check Point always expects a User-FQDN identifier.


Figure 15: Pre-shared key dialog

Save the connection and click "Start IPsec" in the VPN Tracker main window.

You're done. After 10-20 seconds the red status indicator for the connection should change to green, which means you're securely connected to the Check Point VPN-1 GateWay. After IPsec has been started, you may quit VPN Tracker. The IPsec service will keep running.

Now to test your connection, simply ping a host in the Check Point VPN-1 GateWay network from the dialed-in Mac in the "Terminal" utility:

ping 192.168.1.10

> Debugging

If the status indicator does not change to green, please have a look at the log file on both sides. You can define the amount of information available in the log file in the VPN Tracker preferences.

4. Connecting to a Check Point VPN-1 GateWay using RSA X.509 certificates

4.1 Check Point VPN-1 GateWay configuration

The setup for enabling IPsec works the same way as described in section 3.1.

User Properties:

Please enter a "Login Name" in the form "certificateUser" or "certificateUser@domain".

Figure 16: User Properties - General


Figure 17: User Properties - Groups

Generate and save the certificate. The PKCS#12 file contains the certificate, your private key and the CA certificate. Because it carries the private key, keep the file and its password protected while you transfer it to the Mac and delete it once it has been imported into VPN Tracker.

Figure 18: User Properties - Certificates


Please be sure that you enable the "Public Key" authentication in the IKE Phase 2 Properties.

Figure 19: IKE Phase 2 Properties

Traditional mode IKE properties:

Please enable "Public Key Signatures". You can leave "Pre-Shared Secrets" enabled.

Figure 20: Traditional mode IKE properties

4.2 VPN Tracker configuration

Open the Certificate manager (File -> Show certificates) of VPN Tracker and import the PKCS#12 file you previously exported from your Check Point VPN-1 GateWay.

Figure 21: VPN Tracker - Certificate Import

Add a new connection with the following options: Choose "CheckPoint (Certificates)" as the Connection Type, "Host to Network" as Topology, then type in the remote endpoint (169.1.2.3) and the remote network (192.168.1.0/24).

Figure 22: VPN Tracker main dialog (with certificates)


Choose as "own certificate" the certificate you imported in step 1 and verify the remote certificate "with CAs". Choose "own certificate" as local identifier and IP address as remote identifier. Do not enable "Verify the remote certificate".

Figure 23: Certificate dialog
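The following shell script is an added example; it is not part of the equinux How-to and not VPN Tracker or Check Point code. It uses openssl to check a PKCS#12 bundle of the kind exported in section 4.1 before it is imported into VPN Tracker: it pulls out the user certificate and the CA certificate the bundle carries, prints their subjects, and verifies that the user certificate really chains to that CA, which is the relationship the "with CAs" verification in section 4.2 depends on. Everything in it is constructed for the example: the file names, the subjects "Example VPN CA", "certificateUser" and "Unrelated CA", and the export password "secret"; the script builds its own test bundles so that it runs offline, and also builds a deliberately broken bundle (user certificate packed with the wrong CA) to show the check failing.

```shell
#!/bin/sh
# Added example, not from the equinux How-to: inspect a PKCS#12 bundle with
# openssl before importing it into VPN Tracker. Assumes openssl is on PATH.
# All names, subjects and the password "secret" are made up for this example.
set -eu

# make_test_p12 DIR: build a CA, a user certificate signed by it, and pack
# certificate + private key + CA into DIR/user.p12 (password "secret").
# Also builds DIR/bad.p12, where the same user certificate is packed with an
# unrelated CA, to show what a non-chaining bundle looks like.
make_test_p12() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example VPN CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=certificateUser" -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/user.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/user.crt" 2>/dev/null
    openssl pkcs12 -export -in "$dir/user.crt" -inkey "$dir/user.key" \
        -certfile "$dir/ca.crt" -passout pass:secret -out "$dir/user.p12"
    # unrelated CA: the user certificate was not issued by it
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Unrelated CA" -keyout "$dir/other-ca.key" -out "$dir/other-ca.crt" 2>/dev/null
    openssl pkcs12 -export -in "$dir/user.crt" -inkey "$dir/user.key" \
        -certfile "$dir/other-ca.crt" -passout pass:secret -out "$dir/bad.p12"
}

# inspect_p12 FILE PASSWORD: split the bundle into the user certificate and
# the CA certificate(s) it carries, print both subjects, and return 0 only if
# the user certificate verifies against those embedded CAs.
inspect_p12() {
    p12=$1
    pass=$2
    work=$(mktemp -d)
    # -clcerts keeps only the end-entity certificate, -cacerts only the CA(s);
    # -nokeys leaves the private key out of the extracted files
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts -out "$work/user.pem"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -cacerts -out "$work/ca.pem"
    echo "user cert: $(openssl x509 -in "$work/user.pem" -noout -subject)"
    echo "ca cert:   $(openssl x509 -in "$work/ca.pem" -noout -subject)"
    if openssl verify -CAfile "$work/ca.pem" "$work/user.pem" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}

# Stand-alone demo: build both bundles in a temporary directory and inspect them.
demo_dir=$(mktemp -d)
make_test_p12 "$demo_dir"
inspect_p12 "$demo_dir/user.p12" secret && echo "user.p12: user certificate chains to the bundled CA"
inspect_p12 "$demo_dir/bad.p12" secret || echo "bad.p12: user certificate does NOT chain to the bundled CA"
rm -rf "$demo_dir"
```

To check a real export, call inspect_p12 with the file and the password you set on the gateway; a non-zero return means the bundle would not pass "with CAs" verification as exported. Run it on the machine where the file already is, so the private key is not copied around just for the check.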