Virtual Private Networks


Virtual Private Networks Administration Guide
Version NGX R65
701675
March 18, 2007

© 2003-2007 Check Point Software Technologies Ltd. All rights reserved.

This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: ©2003-2007 Check Point Software Technologies Ltd. All rights reserved.
Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN- 1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. 
All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.

For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.

Contents

Preface
  Who Should Use This Guide
  Summary of Contents
    Section 1: Introduction to VPN Technology
    Section 2: Site-to-Site VPN
    Section 3: Remote Access VPN
    Appendices
  Related Documentation
  More Information
  Feedback

Section 1: Introduction to VPN Technology

Chapter 1 Overview
  The Connectivity Challenge
  The Basic Check Point VPN Solution
    What is VPN
    Understanding the Terminology
    Site to Site VPN
    VPN Communities
    Remote Access VPN

Chapter 2 IPSEC & IKE
  Overview
    Methods of Encryption and Integrity
    Phase I modes
    Renegotiating IKE & IPSec Lifetimes
    Perfect Forward Secrecy
    IP Compression
    Subnets and Security Associations
  IKE DoS Protection
    Understanding DoS Attacks
    IKE DoS Attacks
    Defense Against IKE DoS Attacks
    SmartDashboard IKE DoS Attack Protection Settings
    Advanced IKE DoS Attack Protection Settings
  Configuring Advanced IKE Properties
    On the VPN Community Network Object
    On the Gateway Network Object

Chapter 3 Public Key Infrastructure
  Need for Integration with Different PKI Solutions
  Supporting a Wide Variety of PKI Solutions
    PKI and Remote Access Users
    PKI Deployments and VPN
    Trusting An External CA
    Enrolling a Managed Entity
    Validation of a Certificate
  Special Considerations for PKI
    Using the Internal CA vs. Deploying a Third Party CA
    Distributed Key Management and Storage
  Configuration of PKI Operations
    Trusting a CA – Step-By-Step
    Enrolling with a Certificate Authority
    Certificate Revocation (All CA Types)
    Certificate Recovery and Renewal
    Adding Matching Criteria to the Validation Process
    CRL Cache Usage
    Modifying the CRL Pre-Fetch Cache
    Configuring CRL Grace Period
    Configuring OCSP

Chapter 4 Introduction to Site to Site VPN
  The Need for Virtual Private Networks
    Confidentiality
    Authentication
    Integrity
  The Check Point Solution for VPN
    How it Works
    VPN Communities
    VPN Topologies
    Authentication Between Community Members
    Dynamically Assigned IP Gateways
    Routing Traffic within a VPN Community
    Access Control and VPN Communities
    Excluded Services
  Special Considerations for Planning a VPN Topology
  Configuring Site to Site VPNs
    Migrating from Traditional Mode to Simplified Mode
    Configuring a Meshed Community Between Internally Managed Gateways
    Configuring a Star VPN Community
    Confirming a VPN Tunnel Successfully Opens
    Configuring a VPN with External Gateways Using PKI
    Configuring a VPN with External Gateways Using a Pre-Shared Secret
    How to Authorize Firewall Control Connections in VPN Communities
      Why Turning off FireWall Implied Rules Blocks Control Connections
      Allowing Firewall Control Connections Inside a VPN
      Discovering Which Services are Used for Control Connections

Section 2: Site-to-Site VPN

Chapter 5 Domain Based VPN
  Overview
    VPN Routing and Access Control
  Configuring Domain Based VPN
    Configuring VPN Routing for Gateways via SmartDashboard
    Configuration via Editing the VPN Configuration File
    Configuring the ‘Accept VPN Traffic Rule’
    Configuring Multiple Hubs
    Configuring ROBO Gateways

Chapter 6 Route Based VPN
  Overview
    VPN Tunnel Interface (VTI)
    Numbered VTI
    Unnumbered VTI
    Using Dynamic Routing Protocols
  Configuring Numbered VTIs
    Enabling Route Based VPN
    Numbered VTIs
    VTIs in a Clustered Environment
    Configuring VTIs in a Clustered Environment
    Enabling Dynamic Routing Protocols on VTIs
    Configuring Anti-Spoofing on VTIs
    Configuring a Loopback Interface
  Configuring Unnumbered VTIs
  Routing Multicast Packets Through VPN Tunnels

Chapter 7 Tunnel Management
  Overview
    Permanent Tunnels
    VPN Tunnel Sharing
  Configuring Tunnel Features
    Permanent Tunnels
    Advanced Permanent Tunnel Configuration
    Tracking Options
    Terminating Permanent Tunnels
    VPN Tunnel Sharing
    Monitoring Tunnels

Chapter 8 Route Injection Mechanism
  Overview
    Automatic RIM
    Custom Scripts
    tnlmon.conf File
    Injecting Peer Gateway Interfaces
  Configuring RIM
    Configuring RIM in a Star Community
    Configuring RIM in a Meshed Community
    Enabling the RIM_inject_peer_interfaces flag
    Tracking Options

Chapter 9 Wire Mode
  The Need for Wire Mode
  The Check Point Solution
    Wire Mode Scenarios
    Wire Mode in a MEP Configuration
    Wire Mode with Route Based VPN
    Wire Mode Between Two VPN Communities
    Special Considerations for Wire Mode
  Configuring Wire Mode
    Enabling Wire Mode on a VPN Community
    Enabling Wire Mode on a Specific Gateway

Chapter 10 Directional VPN Enforcement
  The Need for Directional VPN
  The Check Point Solution
    Directional Enforcement within a Community
    Directional Enforcement between Communities
  Configuring Directional VPN
    Configuring Directional VPN Within a Community
    Configuring Directional VPN Between Communities

Chapter 11 Link Selection
  Overview
  Using Link Selection
    IP Selection by Remote Peer
    Outgoing Route Selection
    Using Route Based Probing
    Responding Traffic
    Source IP Address Settings
  Link Selection Scenarios
    Gateway with a Single External Interface
    Gateway with a Dynamic IP Address (DAIP)
    Gateway with Several IP Addresses Used by Different Parties
    Gateway With One External Interface and One Interface Behind a Static NAT Device
    On Demand Links (ODL)
    Link Selection and ISP Redundancy
    Early Versions Compatibility Resolving Mechanism
  Configuring Link Selection
    Resolving Addresses via Main and Single IPs
    Resolving Addresses using DNS lookup
    Resolving Addresses via Probing
    Configuring Outgoing Route Selection
    Configuring For Responding Traffic
    Configuring Source IP Address Settings
    Configuring On Demand links
    Configuring the Early Version Compatibility Resolving Mechanism
    Outgoing Link Tracking

Chapter 12 Multiple Entry Point VPNs
  Overview
    VPN High Availability Using MEP or Clustering
    How It Works
    Explicit MEP
    MEP Selection Methods
    Implicit MEP
    Routing Return Packets
    Special Considerations
  Configuring MEP
    Configuring Explicit MEP
    Configuring Implicit MEP
    Configuring IP Pool NAT

Chapter 13 Traditional Mode VPNs
  Introduction to Traditional Mode VPNs
    VPN Domains and Encryption Rules
    Defining VPN Properties
    Internally and Externally Managed Gateways
  Considerations for VPN Creation
    Choosing the Authentication Method
    Choosing the Certificate Authority
  Configuring Traditional Mode VPNs
    Editing a Traditional Mode Policy
    Configuring VPN Between Internal Gateways using ICA Certificates
    VPN Between Internal Gateways Using Third Party CA Certificates
    Configuring VPN with Externally Managed Gateways Using Certificates
    Configuring a VPN using a Pre-Shared Secret

Section 3: Remote Access VPN

Chapter 14 Introduction to Remote Access VPN
  Need for Remote Access VPN
  The Check Point Solution for Remote Access
    Enhancing SecuRemote with SecureClient Extensions
    Establishing a Connection Between a Remote User and a Gateway
    Remote Access Community
    Identifying Elements of the Network to the Remote Client
    Connection Mode
    User Profiles
    Access Control for Remote Access Community
    Client-Gateway Authentication Schemes
    Advanced Features
    Alternatives to SecuRemote/SecureClient
  VPN for Remote Access Considerations
    Policy Definition for Remote Access
    User Certificate Creation Methods when Using the ICA
    Internal User Database vs. External User Database
    NT Group/RADIUS Class Authentication Feature
  VPN for Remote Access Configuration
    Establishing Remote Access VPN
    Creating the Gateway and Defining Gateway Properties
    Defining User and Authentication Methods in LDAP
    Defining User Properties and Authentication Methods
    Initiating User Certificates in the ICA Management Tool
    Generating Certificates for Users in SmartDashboard
    Initiating Certificates for Users in SmartDashboard
    Configure Certificates Using Third Party PKI
    Enabling Hybrid Mode and Methods of Authentication
    Configuring Authentication for NT groups and RADIUS Classes
    Using a Pre-Shared Secret
    Defining an LDAP User Group
    Defining a User Group
    Defining a VPN Community and its Participants
    Defining Access Control Rules
    Installing the Policy
    User Certificate Management
    Modifying Encryption Properties for Remote Access VPN
    Working with RSA’s Hard and Soft Tokens

Chapter 15 Office Mode
  The Need for Remote Clients to be Part of the LAN
  Office Mode Solution
    Introducing Office Mode
    How Office Mode Works
    Assigning IP Addresses

[...]

Directional VPN for Remote Access
  Enhancements to Remote Access Communities
  Configuring Directional VPN with Remote Access Communities

Chapter 25 Remote Access Advanced Configuration
  Non-Private Client IP Addresses
    Remote Access Connections
    Solving Remote Access Issues
  How to Prevent a Client Inside the Encryption Domain from Encrypting
    The Problem

[...]

  Client Encrypt Rules
  Conversion of Auth+Encrypt Rules
  How the Converter Handles Disabled Rules
  After Running the Wizard

Appendix C VPN Shell
  Configuring a Virtual Interface Using the VPN Shell

Index

Preface

In This Chapter
  Who Should Use This Guide
  Summary of Contents
  Related Documentation
  More Information

[...]

Related Documentation (excerpts)

[...] web security capabilities; use Content Vectoring Protocol (CVP) applications for anti-virus protection, and URL Filtering (UFP) applications for limiting access to web sites; secure VoIP traffic.

Virtual Private Networks Administration Guide: This guide describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.

[...] Explains how to manage administrators and endpoint security with Integrity Advanced Server.

Integrity Advanced Server Gateway Integration Guide: Provides information about how to integrate your Virtual Private Network gateway device with Integrity Advanced Server. This guide also contains information regarding deploying the unified SecureClient/Integrity client package.

[...]

Chapter 1 Overview

In This Chapter
  The Connectivity Challenge
  The Basic Check Point VPN Solution

The Connectivity Challenge

With the explosive growth in computer networks and network users, IT managers are faced with the task of consolidating existing networks, remote sites, and remote users into a single secure structure. Branch offices require connectivity with other branch offices as well as the central organization. Remote users require enhanced connectivity features to cope with today’s changing networking environments. New partnership deals mean business to business connections with external networks. Typically, consolidation needs to take place using existing infrastructure. For many, this means connectivity established via the Internet as opposed to dedicated leased lines. Remote sites and [...]

The Basic Check Point VPN Solution

In This Section
  What is VPN
  Understanding the Terminology
  Site to Site VPN
  VPN Communities
  Remote Access VPN

Virtual Private Networking technology leverages existing infrastructure (the Internet) as a way of building and enhancing existing connectivity in a secure manner. Based on standard Internet secure protocols, [...] software solution that provides secure connectivity to corporate networks, remote and mobile users, branch offices and business partners on a wide range of open platforms and security appliances. Figure 1-1 shows the variety of applications and appliances suitable for VPN-1 Power, from hand-held PDAs and wireless laptops to mission critical networks and servers: [...]

Posted: 06/11/2013, 00:15
