Checkpoint NG VPN to Smoothwall


Having a bit of a break from blogging has given me some time to test creating a VPN between a Checkpoint NG R54 firewall and Smoothwall Firewall version 2.0, which essentially uses the no-longer-actively-developed FreeS/WAN VPN (though I am sure it is going to be used for a while to come), as a test before buying the corporate version of Smoothwall. A VPN between FreeS/WAN and Checkpoint has been done many times before, but documentation is rather sparse, so I intend to document some findings here.

Smoothwall’s web interface contains many of the parameters needed to configure FreeS/WAN, but I do recommend using a terminal window to get to the main ipsec.conf configuration parameters held at /var/smoothwall/vpn, or wherever you put your FreeS/WAN configuration parameters. This also enables you to read the logs that will be dumped in /var/log/secure.

Diving straight into how ipsec.conf was set up on the Smoothwall/Linux box (I am trusting that if you wish to use the GUI on Smoothwall you will be able to work out which parameter goes where), this is how I have it set up:


config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        plutowait=yes
        uniqueids=yes

# parameters inherited by every conn
conn %default
        keyingtries=0

conn uklocal
        type=tunnel
        pfs=no
        # left: the Checkpoint NG side
        left=192.168.0.1
        leftsubnet=10.10.10.0/24
        leftnexthop=%defaultroute
        # right: the Smoothwall/FreeS/WAN side
        right=192.168.1.1
        rightsubnet=10.10.15.0/24
        rightnexthop=%defaultroute
        compress=no
        auto=start

As you can see, the terminology used by FreeS/WAN is different from that of other firewall vendors, but in this instance it can be explained as:

left: The outside IP address of the Checkpoint NG – the remote firewall.

leftsubnet: The network IP address and subnet behind the Checkpoint.

right: The outside IP address of the Smoothwall/FreeS/WAN box.

rightsubnet: The inside network IP address and subnet behind the Smoothwall firewall.

The %defaultroute will be the default route going out, as defined under networking. As you can see, for now compression and PFS (perfect forward secrecy) are turned off.

This goes along with a pre-shared secret that can be entered either in the Smoothwall interface or into the correct configuration files. Just for the record, this is what mine look like:

config

uklocal,192.168.0.1,10.10.10.0/24,192.168.1.1,10.10.15.0/24,mysecret,on,off

ipsec.secrets

192.168.0.1 192.168.1.1 : PSK "mysecret"

settings

192.168.0.1 192.168.1.1 : PSK "mysecret"
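As an added example that is not part of the original post, here is a small Python check that reads ipsec.conf the way FreeS/WAN does (a section name at column 0, parameters indented beneath it, `#` starting a comment) and then confirms that the conn, the PSK index in ipsec.secrets and the PFS/compression choices line up with what the Checkpoint community described later will expect. The sample file contents inside it are constructed to mirror the files above.

```python
import re
# Constructed sample input, mirroring the post's ipsec.conf and ipsec.secrets
IPSEC_CONF = """\
conn %default
    keyingtries=0
conn uklocal
    pfs=no
    left=192.168.0.1
    leftsubnet=10.10.10.0/24
    right=192.168.1.1
    rightsubnet=10.10.15.0/24   # inside network behind the Smoothwall
    compress=no
"""
IPSEC_SECRETS = '192.168.0.1 192.168.1.1 : PSK "mysecret"\n'

def parse_ipsec_conf(text):
    """'type name' at column 0 opens a section; indented key=value lines belong to it; '#' comments."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if raw[0] not in " \t":              # column 0: must be a section header
            parts = line.split()
            if len(parts) != 2 or "=" in line:
                raise ValueError(f"line {lineno}: parameter lines must be indented: {raw!r}")
            current = sections.setdefault((parts[0], parts[1]), {})
        elif current is None or "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value: {raw!r}")
        else:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def psk_peers(secrets):
    """IP pairs that index a PSK in ipsec.secrets (order of the two IPs does not matter)."""
    return {frozenset(m.groups()) for m in
            re.finditer(r'^(\S+)\s+(\S+)\s*:\s*PSK\s+"[^"]*"', secrets, re.M)}

def check_conn(conf, secrets, name):
    """Cross-check one conn against ipsec.secrets and the PFS/compression choices from the post."""
    conn = {**conf.get(("conn", "%default"), {}), **conf[("conn", name)]}
    problems = [f"{name}: missing {k}" for k in ("left", "leftsubnet", "right", "rightsubnet") if k not in conn]
    if frozenset((conn.get("left"), conn.get("right"))) not in psk_peers(secrets):
        problems.append(f"{name}: no PSK in ipsec.secrets indexed by left and right")
    for key in ("pfs", "compress"):
        if conn.get(key) != "no":
            problems.append(f"{name}: {key}=no expected to match the Checkpoint community settings")
    return problems
```

Running `check_conn(parse_ipsec_conf(IPSEC_CONF), IPSEC_SECRETS, "uklocal")` returns an empty list for the files above, and the parser rejects an unindented parameter line or a `//` comment, which FreeS/WAN would not accept either.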

That is basically it for the Smoothwall/FreeS/WAN configuration, so now we turn to the Checkpoint NG box. Hopefully you will already have a Checkpoint network object created for your Checkpoint firewall, with its main IP being the external IP address, and another network object created for your network.

Create a new object that is of the type “Networks” with the network address and mask.

Create a new network object of the type “Interoperable Device”, name it and give it the outside IP address. In the Topology section, input the IP addresses for the box along with the names of the interfaces. Under VPN Domain, select the network object you created earlier. Under Traditional Mode Configuration, select 3DES, MD5 and Pre-Shared Secret. Edit the secrets and define yours (plaintext, less than 20 characters). Check “Support key exchange for subnets”.

Make sure that the VPN properties for the Checkpoint object are the same as those for the Smoothwall (MD5, 3DES) and that the secret is shared.

Within VPN Manager create a new VPN community (I created a Meshed one), give it a name and then in Participating Gateways add the Checkpoint object and the Smoothwall object. VPN properties should be 3DES and MD5 for both phases. In the advanced properties, the Phase 1 Diffie-Hellman group should be set to Group 2 (1024 bit) with a renegotiation time of 200 minutes. For Phase 2 I have the same, with a time of 3600 seconds, and support for site to site compression is turned off.

Now set up the security rules (Source-Destination, VPN, Service, Action, Track):

Smoothwall-Checkpoint VPNname Any Accept Log

Checkpoint-Smoothwall VPNname Any Accept Log

Remotenet-Localnet VPNname Any Accept Log

Localnet-Remotenet VPNname Any Accept Log

Set up address translation rules (Original Source-Destination, Original Service, Translated Source, Translated Destination, Translated Service):

Remotenet-Localnet Any Original Original Original

Localnet-Remotenet Any Original Original Original

Try installing the policy and make sure that the VPN is switched on on the Smoothwall; you should then be able to transmit packets across. Good luck!
