VPN R75 Administration Guide
15 December 2010

© 2010 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=11675
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History
Date: 15 December 2010
Description: First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on VPN R75 Administration Guide).
Contents

Important Information 3
The Check Point VPN Solution 9
VPN Components 9
Understanding the Terminology 9
Site to Site VPN 10
VPN Communities 10
Remote Access VPN 12
IPSEC & IKE 13
Overview 13
IKE Phase I 13
IKE Phase II (Quick mode or IPSec Phase) 15
IKEv1 and IKEv2 16
Methods of Encryption and Integrity 16
Phase I modes 17
Renegotiating IKE & IPSec Lifetimes 17
Perfect Forward Secrecy 17
IP Compression 18
Subnets and Security Associations 18
IKE DoS Protection 20
Understanding DoS Attacks 20
IKE DoS Attacks 20
Defense Against IKE DoS Attacks 20
SmartDashboard IKE DoS Attack Protection Settings 21
Advanced IKE DoS Attack Protection Settings 21
Configuring Advanced IKE Properties 23
On the VPN Community Network Object 23
On the Gateway Network Object 23
Introduction to Site to Site VPN 24
The Need for Virtual Private Networks 24
Confidentiality 24
Authentication 24
Integrity 24
How it Works 25
VPN Communities 25
Authentication Between Community Members 26
VPN Topologies 27
Access Control and VPN Communities 32
Routing Traffic within a VPN Community 33
Excluded Services 33
Special Considerations for Planning a VPN Topology 33
Configuring Site to Site VPNs 33
Migrating from Traditional Mode to Simplified Mode 34
Configuring a Meshed Community Between Internally Managed Gateways 34
Configuring a Star VPN Community 35
Confirming a VPN Tunnel Successfully Opens 35
Configuring a VPN with External Security Gateways Using PKI 35
Configuring a VPN with External Security Gateways Using a Pre-Shared Secret 37
How to Authorize Firewall Control Connections in VPN Communities 39
Why Turning off FireWall Implied Rules Blocks Control Connections 39
Allowing Firewall Control Connections Inside a VPN 39
Discovering Which Services are Used for Control Connections 40
Public Key Infrastructure 41
Need for Integration with Different PKI Solutions 41
Supporting a Wide Variety of PKI Solutions 41
PKI and Remote Access Users 42
PKI Deployments and VPN 42
Trusting An External CA 44
Enrolling a Managed Entity 44
Validation of a Certificate 45
Special Considerations for PKI 48
Using the Internal CA vs. Deploying a Third Party CA 48
Distributed Key Management and Storage 48
Configuration of PKI Operations 48
Trusting a CA - Step-By-Step 48
Certificate Revocation (All CA Types) 50
Certificate Recovery and Renewal 50
CA Certificate Rollover 50
Adding Matching Criteria to the Validation Process 52
CRL Cache Usage 52
Modifying the CRL Pre-Fetch Cache 52
Configuring CRL Grace Period 52
Configuring OCSP 52
Site-to-Site VPN 54
Domain Based VPN 55
Overview of Domain-based VPN 55
VPN Routing and Access Control 55
Configuring Domain Based VPN 56
Route Based VPN 60
Overview of Route-based VPN 60
VPN Tunnel Interface (VTI) 60
Using Dynamic Routing Protocols 62
Configuring Numbered VTIs 63
VTIs in a Clustered Environment 64
Configuring VTIs in a Clustered Environment 64
Enabling Dynamic Routing Protocols on VTIs 70
Configuring Anti-Spoofing on VTIs 73
Configuring a Loopback Interface 73
Configuring Unnumbered VTIs 73
Routing Multicast Packets Through VPN Tunnels 74
Tunnel Management 75
Overview of Tunnel Management 75
Configuring Tunnel Features 77
Route Injection Mechanism 81
Overview of Route Injection 81
Automatic RIM 81
Custom Scripts 83
tnlmon.conf File 84
Injecting Peer Security Gateway Interfaces 84
Configuring RIM 85
Wire Mode 87
Overview of Wire Mode 87
Wire Mode Scenarios 87
Special Considerations for Wire Mode 90
Configuring Wire Mode 90
Directional VPN Enforcement 92
Overview of Directional VPN 92
Directional Enforcement within a Community 93
Configurable Objects in a Direction 94
Directional Enforcement between Communities 94
Configuring Directional VPN 95
Link Selection 96
Link Selection Overview 96
Configuring IP Selection by Remote Peer 96
Probing Settings 97
Configuring Outgoing Route Selection 98
When Initiating a Tunnel 98
Configuring Source IP Address Settings 100
Outgoing Link Tracking 100
Link Selection Scenarios 100
Service Based Link Selection 104
Trusted Links 108
On Demand Links (ODL) 112
Link Selection and ISP Redundancy 113
Link Selection and ISP Redundancy Scenarios 114
Link Selection with non-Check Point Devices 115
Multiple Entry Point VPNs 116
Overview of MEP 116
Explicit MEP 117
Implicit MEP 122
Routing Return Packets 124
Special Considerations 125
Configuring MEP 125
Traditional Mode VPNs 129
Introduction to Traditional Mode VPNs 129
VPN Domains and Encryption Rules 130
Defining VPN Properties 131
Internally and Externally Managed Security Gateways 131
Considerations for VPN Creation 131
Configuring Traditional Mode VPNs 131
Converting a Traditional Policy to a Community Based Policy 136
Introduction to Converting to Simplified VPN Mode 136
How Traditional VPN Mode Differs from a Simplified VPN Mode 136
How an Encrypt Rule Works in Traditional Mode 137
Principles of the Conversion to Simplified Mode 138
Placing the Security Gateways into the Communities 138
Conversion of Encrypt Rule 139
Remote Access VPN 142
Remote Access VPN Overview 143
Need for Remote Access VPN 144
The Check Point Solution for Remote Access 144
VPN for Remote Access Considerations 149
VPN for Remote Access Configuration 150
Office Mode 160
The Need for Remote Clients to be Part of the LAN 160
Office Mode 160
Enabling IP Address per User 165
Office Mode Considerations 168
Configuring Office Mode 168
Packaging SecureClient 174
Introduction: The Need to Simplify Remote Client Installations 174
The Check Point Solution - SecureClient Packaging Tool 174
Creating a Preconfigured Package 175
Configuring MSI Packaging 176
Desktop Security 179
The Need for Desktop Security 179
Desktop Security Solution 179
Desktop Security Considerations 182
Configuring Desktop Security 182
Layer Two Tunneling Protocol (L2TP) Clients 184
The Need for Supporting L2TP Clients 184
Solution - Working with L2TP Clients 184
Considerations for Choosing Microsoft IPSec/L2TP Clients 187
Configuring Remote Access for Microsoft IPSec/L2TP Clients 188
Secure Configuration Verification 192
The Need to Verify Remote Client's Security Status 192
The Secure Configuration Verification Solution 192
Considerations regarding SCV 195
Configuring SCV 195
VPN Routing - Remote Access 216
The Need for VPN Routing 216
Check Point Solution for Greater Connectivity and Security 217
Configuring VPN Routing for Remote Access VPN 220
Link Selection for Remote Access Clients 222
Overview 222
Configuring Link Selection for Remote Access Only 222
Using Directional VPN for Remote Access 224
Enhancements to Remote Access Communities 224
Configuring Directional VPN with Remote Access Communities 225
Remote Access Advanced Configuration 226
Non-Private Client IP Addresses 226
Preventing a Client Inside the Encryption Domain from Encrypting 227
Authentication Timeout and Password Caching 230
Secure Domain Logon (SDL) 231
Back Connections (Server to Client) 232
Auto Topology Update (Connect Mode only) 232
How to Work with non-Check Point Firewalls 232
Resolving Internal Names with the SecuRemote DNS Server 233
Multiple Entry Point for Remote Access VPNs 234
The Need for Multiple Entry Point Security Gateways 234
The Check Point Solution for Multiple Entry Points 234
Disabling MEP 236
Configuring MEP 236
Configuring Preferred Backup Security Gateway 237
Disabling MEP 237
Userc.C and Product.ini Configuration Files 239
Introduction to Userc.C and Product.ini 239
Userc.C File Parameters 240
Product.ini Parameters 247
SSL Network Extender 250
Introduction to the SSL Network Extender 250
How the SSL Network Extender Works 251
Commonly Used Concepts 251
Special Considerations for the SSL Network Extender 252
Configuring the SSL Network Extender 253
SSL Network Extender User Experience 260
Troubleshooting SSL Network Extender 270
Resolving Connectivity Issues 272
The Need for Connectivity Resolution Features 272
Check Point Solution for Connectivity Issues 272
Overcoming NAT Related Issues 272
Overcoming Restricted Internet Access 277
Configuring Remote Access Connectivity 280
Appendix 285
VPN Command Line Interface 286
VPN Commands 286
SecureClient Commands 287
Desktop Policy Commands 288
VPN Shell 290
Configuring a Virtual Interface Using the VPN Shell 290
Index 293

Chapter 1
The Check Point VPN Solution

Virtual Private Networking technology leverages existing infrastructure (the Internet) as a way of building and enhancing existing connectivity in a secure manner. Based on standard Internet secure protocols, VPN implementation enables secure links between special types of network nodes: Check Point Security Gateways. Site to Site VPN ensures secure links between Security Gateways. Remote Access VPN ensures secure links between Security Gateways and remote access clients.

Check Point's Security Gateway is an integrated software solution that provides connectivity to corporate networks, remote and mobile users, branch offices and business partners on a wide range of open platforms and security appliances. Check Point Security Gateways integrate access control, authentication, and encryption to guarantee the security of network connections over the public Internet.

A typical deployment places a Check Point Security Gateway between the corporate network and the Internet, and remote access software on the laptops of mobile users. Other remote sites are guarded by additional Check Point Security Gateways, and communication between all components is regulated by a strict security policy.

In This Chapter
VPN Components 9
Understanding the Terminology 9
Site to Site VPN 10
VPN Communities 10
Remote Access VPN 12

VPN Components

VPN is composed of:
- VPN endpoints, such as Security Gateways, clusters of Security Gateways, or remote client software (for mobile users), which negotiate the VPN links.
- VPN trust entities, for example the Check Point Internal Certificate Authority.
  The ICA is part of the Check Point suite used for establishing trust for SIC connections between Security Gateways, authenticating administrators and third party servers. The ICA provides certificates for internal Security Gateways and remote access clients which negotiate the VPN link.
- VPN Management tools: Security Management server and SmartDashboard. SmartDashboard is the SmartConsole used to access the Security Management server. The VPN Manager is part of SmartDashboard. SmartDashboard enables organizations to define and deploy Intranet and Remote Access VPNs.

Understanding the Terminology

A number of terms are used widely in Secure VPN implementation, namely:

VPN. A private network configured within a public network, such as the Internet.

VPN Tunnel. An exclusive channel or encrypted link between Security Gateways.

VPN Topology. The basic element of VPN is the link or encrypted tunnel. Links are created between Security Gateways. A collection of links is a topology. The topology shows the layout of the VPN. Two basic topologies found in VPN are Mesh and Star.

VPN Security Gateway. The endpoint for the encrypted connection, which can be any peer that supports the IPSec protocol framework. Security Gateways can be single standalone modules or arranged into clusters for "high availability" and "load sharing".

VPN Domain. A group that specifies the hosts or networks for which encryption of IP datagrams is performed. A VPN Security Gateway provides an entrance point to the VPN Domain.

Site to Site VPN. Refers to a VPN tunnel between Security Gateways.

Remote Access VPN. Refers to remote users accessing the network with client software such as SecuRemote/SecureClient or third party IPSec clients. The Check Point Security Gateway provides a Remote Access Service to the remote clients.

Encryption algorithm.
A set of mathematically expressed processes for rendering information into a meaningless form, with the mathematical transformations and conversions controlled by a special key. In VPN, various encryption algorithms such as 3DES and AES ensure that only the communicating peers are able to understand the message.

Integrity. Integrity checks (via hash functions) ensure that the message has not been intercepted and altered during transmission.

Trust. Public key infrastructure (PKI), certificates and certificate authorities are employed to establish trust between Security Gateways. (In the absence of PKI, Security Gateways employ a pre-shared secret.)

IKE & IPSec. Secure VPN protocols used to manage encryption keys and exchange encrypted packets. IPSec is an encryption technology framework which supports several standards to provide authentication and encryption services for data on a private or public network. IKE (Internet Key Exchange) is a key management protocol standard. IKE enhances IPSec by providing additional features, flexibility, and ease of configuration.

Site to Site VPN

At the center of VPN is the encrypted tunnel (or VPN link) created using the IKE/IPSec protocols. The two parties are either Check Point Security Gateways or remote access clients. The peers negotiating a link first create a trust between them. This trust is established using certificate authorities, PKI or pre-shared secrets. Methods are exchanged and keys created. The encrypted tunnel is established and then maintained for multiple connections, exchanging key material to refresh the keys when needed. A single Security Gateway maintains multiple tunnels simultaneously with its VPN peers. Traffic in each tunnel is encrypted and authenticated between the VPN peers, ensuring integrity and privacy. Data is transferred in bulk via these virtual-physical links.

VPN Communities

There are two basic community types - Mesh and Star.
A topology is the collection of enabled VPN links in a system of Security Gateways, their VPN domains, hosts located behind each Security Gateway and the remote clients external to them.

[...]

... page 13)

VPN Communities
Creating VPN tunnels between Security Gateways is made easier through the configuration of VPN communities. A VPN community is a collection of VPN enabled gateways capable of communicating via VPN tunnels. To understand VPN Communities, a number of terms need to be defined:
VPN Community member. Refers to the Security Gateway that resides at one end of a VPN tunnel.
VPN domain...

[...]

... Domain Based VPN (on page 55).
Route Based VPN. Traffic is routed within the VPN community based on the routing information, static or dynamic, configured on the Operating Systems of the Security Gateways. For more information, see Route Based VPN (on page 60).
Note - If both Domain Based VPN and Route Based VPN are configured, then Domain Based VPN will take precedence.
Excluded Services
In the VPN Communities...

[...]

... controlling how VPN traffic is directed. There are two methods for VPN routing:
Domain Based VPN
Route Based VPN
Domain Based VPN
This method routes VPN traffic based on the encryption domain behind each Security Gateway in the community. In a star community, this allows satellite Security Gateways to communicate with each other through center Security Gateways. Configuration for Domain Based VPN is performed...

[...]

... connections. VPN-A and VPN-B are new UI suites that can be used for easy interoperability with other vendors who also support these UI suites. See RFC 4308 for more information. If you require algorithms other than those specified in VPN-A or VPN-B, select Custom and click Advanced to select properties for IKE Phase 1 and 2.
2. From the VPN Community Properties > Advanced Settings > Advanced VPN Properties...
... Gateway. The VPN domain can be the whole network that lies behind the Security Gateway or just a section of that network. For example, a Security Gateway might protect the corporate LAN and the DMZ. Only the corporate LAN needs to be defined as the VPN domain.
VPN Site. Community member plus VPN domain. A typical VPN site would...

[...]

... branch office of a bank.
VPN Community. The collection of VPN tunnels/links and their attributes.
Domain Based VPN. Routing VPN traffic based on the encryption domain behind each Security Gateway in the community. In a star community, satellite Security Gateways can communicate with each other through center Security Gateways.
Route Based VPN. Traffic is routed within the VPN community based on the...

[...]

... Gateway.

VPN Topologies
The most basic topology consists of two Security Gateways capable of creating a VPN tunnel between them. Security Management server's support of more complex topologies enables VPN communities to be created according to the particular needs of an organization. Security Management server supports two main VPN topologies:
Meshed
Star

Meshed VPN Community
A Mesh is a VPN community in which a VPN site can create a VPN tunnel with any other VPN site in the community:
Figure 3-12 Check Point Security Gateways in a Mesh community

Star VPN Community
A star is a VPN community consisting of central Security Gateways (or "hubs") and satellite...
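The rules quoted in the excerpts above (a VPN domain is the set of networks behind a gateway; a Mesh member may tunnel to any other member; a Star only links satellites to centers, with satellites reaching each other through a center; Domain Based VPN takes precedence over Route Based VPN) can be exercised with a small model. The following Python is an added example, not code from the Check Point guide or product; the gateway names, VPN domains, VTI routes and addresses are constructed, and the model assumes the first center of a star relays traffic between two of its satellites.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Gateway:
    name: str
    vpn_domain: list                                 # CIDRs behind this gateway (its VPN domain)
    vti_routes: dict = field(default_factory=dict)   # CIDR -> peer name (Route Based VPN)

    def covers(self, ip):
        return any(ip in ip_network(c) for c in self.vpn_domain)

@dataclass
class Community:
    kind: str                                        # "mesh" or "star"
    members: list = field(default_factory=list)      # mesh members
    centers: list = field(default_factory=list)      # star hubs
    satellites: list = field(default_factory=list)   # star spokes

    def direct_link(self, a, b):
        """True if a and b may open a tunnel with each other in this community."""
        if self.kind == "mesh":
            return a != b and a in self.members and b in self.members
        return ((a in self.centers and b in self.satellites) or
                (b in self.centers and a in self.satellites))

    def hub_between(self, a, b):
        """Center that relays traffic between two satellites of a star; None otherwise."""
        if self.kind == "star" and a != b and a in self.satellites and b in self.satellites:
            return self.centers[0] if self.centers else None
        return None

def select_peer(gw, gateways, communities, src, dst):
    """Peer and method used for a packet leaving gw, or None if it is sent in the clear."""
    src, dst = ip_address(src), ip_address(dst)
    if gw.covers(dst):
        return None                                  # destination is behind gw: local traffic
    if gw.covers(src):                               # Domain Based VPN is consulted first
        for peer in gateways.values():
            if peer.name == gw.name or not peer.covers(dst):
                continue
            for c in communities:
                if c.direct_link(gw.name, peer.name):
                    return (peer.name, "domain")
                if hub := c.hub_between(gw.name, peer.name):
                    return (hub, "domain-via-center")
    best = None                                      # then Route Based VPN: longest prefix wins
    for cidr, peer in gw.vti_routes.items():
        net = ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, peer)
    return (best[1], "route") if best else None

# Constructed sample: a star (London hub, Paris/Rome satellites) plus a London-Washington mesh.
GATEWAYS = {g.name: g for g in [
    Gateway("London", ["10.1.0.0/16"], {"10.0.0.0/8": "Washington", "192.168.50.0/24": "Washington"}),
    Gateway("Paris", ["10.2.0.0/16"]), Gateway("Rome", ["10.3.0.0/16"]),
    Gateway("Washington", ["10.4.0.0/16"])]}
COMMUNITIES = [Community("star", centers=["London"], satellites=["Paris", "Rome"]),
               Community("mesh", members=["London", "Washington"])]
```

With this sample, London's broad VTI route for 10.0.0.0/8 is ignored for a destination in Rome's VPN domain because the domain-based match is found first, which is the precedence the Note above states.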
... Washington build VPN tunnels with the London Security Gateways using DES. Internally, the Washington Security Gateways build VPN tunnels using 3DES.

Special Condition for VPN Security Gateways
Individually, Security Gateways can appear in many VPN communities; however, two Security Gateways that can create a VPN link between...

[...]

... inside the VPN community.

On the Gateway Network Object
On the VPN Advanced page, select one of the options in the VPN Tunnel Sharing section. There are several settings for controlling the number of VPN tunnels between peer gateways:
Use the community settings - The number of VPN tunnels created follows the settings configured on the community's Tunnel Management page.
Custom settings: One VPN tunnel...