Policy Based Site to Site VPN (AES 256) with Check Point NGX R61 (Simplified Mode VPN)

Configuring Juniper via WebUI

1. Interfaces

Network > Interfaces > Edit (for trust): Enter the following, and then click Apply:
  Zone Name: Trust
  Static IP
  IP Address / Netmask: 192.168.1.1/24 (Juniper Private Network)
  Interface Mode: ROUTE

Network > Interfaces > Edit (for untrust): Enter the following, and then click Apply:
  Zone Name: Untrust
  Static IP
  IP Address / Netmask: 200.200.200.34/28 (Juniper Public Network)
  Interface Mode: ROUTE

2. Addresses

Objects > Addresses > List > New: Enter the following, and then click OK:
  Address Name: Juniper LAN
  IP Address/Domain Name: IP/Netmask (select): 192.168.1.0/24
  Zone: Trust

Objects > Addresses > List > New: Enter the following, and then click OK:
  Address Name: Checkpoint_LAN
  IP Address/Domain Name: IP/Netmask (select): 192.168.2.0/24
  Zone: Untrust

(Optional) You will need to continue adding an address object for each additional network behind the Check Point.

Objects > Addresses > List > New: Enter the following, and then click OK:
  Address Name: Checkpoint_LAN VLAN4
  IP Address/Domain Name: IP/Netmask (select): 172.16.4.0/22
  Zone: Untrust

3. Proposals

VPNs > AutoKey Advanced > P1 Proposal > New: Enter the following, and then click OK:
  Name: Check Point PH1
  Authentication Method: Preshare
  DH Group: Group 2
  Encryption Algorithm: AES-CBC (256 Bits)
  Hash Algorithm: SHA-1
  Lifetime: 1440 Min

VPNs > AutoKey Advanced > P2 Proposal > New: Enter the following, and then click OK:
  Name: Check Point PH2
  Perfect Forward Secrecy: DH Group 2
  Encapsulation: Encryption (ESP)
  Encryption Algorithm: AES-CBC (256 Bits)
  Authentication Algorithm: SHA-1
  Lifetime: 3600 Sec (make sure you select the seconds button, not minutes)

4. VPN

VPNs > AutoKey Advanced > Gateway > New: Enter the following, and then click OK:
  Gateway Name: To R61 Checkpoint
  Security Level: Custom
  Remote Gateway Type: Static IP Address (select), IP Address/Hostname: 100.200.150.34
  Preshared Key: abcd1234
  Outgoing Interface: ethernet0/2 (Untrust)
  Advanced: Enter the following advanced settings, and then click Return to go back to the basic Gateway configuration page:
    Security Level: Custom
    Phase 1 Proposal (For Custom Security Level): Check Point PH1
    Mode (Initiator): Main (ID Protection)

VPNs > AutoKey IKE > New: Enter the following, and then click OK:
  VPN Name: R61 Checkpoint VPN
  Security Level: Custom
  Remote Gateway: Predefined (select): To R61 Checkpoint
  Advanced: Enter the following advanced settings, and then click Return to go back to the basic AutoKey IKE configuration page:
    Security Level: Custom
    Phase 2 Proposal (For Custom Security Level): Check Point PH2
    Replay Protection (select)
    VPN Monitor (check)

5. Route

Network > Routing > Routing Entries > trust-vr > New: Enter the following, and then click OK:
  Network Address/Netmask: 192.168.2.0/24
  Gateway (select): Interface: ethernet0/0 (untrust)
  Gateway IP Address: 100.200.150.34

6. Route (Optional)

You will need to add an additional route for each additional VPN network.

Network > Routing > Routing Entries > trust-vr > New: Enter the following, and then click OK:
  Network Address/Netmask: 172.16.4.0/22
  Gateway (select): Interface: untrust
  Gateway IP Address: 100.200.150.34

7. Policies

Policies > (From: Trust, To: Untrust) > New: Enter the following, and then click OK:
  Source Address: Address Book Entry (select): Juniper LAN
  Destination Address: Address Book Entry (select): Checkpoint_LAN
  Service: ANY
  Action: Tunnel
  Tunnel VPN: R61 Checkpoint VPN
  Modify matching bidirectional VPN policy (select)
  Position at Top (select)
  Logging

8. Policies (Optional)

You will need to create an additional policy for each of the other networks.

Policies > (From: Trust, To: Untrust) > New: Enter the following, and then click OK:
  Source Address: Address Book Entry (select): Juniper LAN
  Destination Address: Address Book Entry (select): Checkpoint_LAN VLAN4
  Service: ANY
  Action: Tunnel
  Tunnel VPN: R61 Checkpoint VPN
  Modify matching bidirectional VPN policy (select)
  Position at Top (select)
  Logging

Configuring Check Point

This assumes your interfaces and default gateway are already set.

1. Objects

Right click on Network Objects > New > Network: Enter the following, then click OK:
  Name: jn-192.168.1.0-juniper (Juniper Network)
  Network Address: 192.168.1.0
  Net Mask: 255.255.255.0

Right click on Network Objects > New > Network: Enter the following, then click OK:
  Name: cp-192.168.2.0 (Checkpoint Network)
  Network Address: 192.168.2.0
  Net Mask: 255.255.255.0

(Optional) Add a network object for each additional network which will access the Juniper LAN.

Right click on Network Objects > New > Network: Enter the following, then click OK:
  Name: cp-172.16.4.0
  Network Address: 172.16.4.0
  Net Mask: 255.255.252.0

Right click on Network Objects > New > Interoperable Device: Enter the following, then click OK:
  Name: jf-200.200.200.34-junpr (Juniper Firewall)
  IP Address: 200.200.200.34
  Topology > Manually Defined (select) > Choose: jn-192.168.1.0-juniper

Our Check Point firewalls have already been defined. Edit the Check Point Gateway object that will terminate the VPN: Enter the following, then click OK:
  IP Address: 100.200.150.34
  Under Products: select VPN
  Topology > VPN Domain > Manually defined (select) > Choose: cp-192.168.2.0
  (If you have multiple networks behind the Check Point, create a group and use the group as the manually defined VPN domain.)

2. VPN

Click on the VPN Manager tab > Right Click > New Community > Star: Enter the following, then click OK:
  Name: junpr_checkpointR61
  Center Gateways > Add (select): Check Point Gateway (cp-100.200.150.34 (Checkpoint Firewall))
  Satellite Gateways > Add (select): Juniper NetScreen (jf-200.200.200.34-junpr (Juniper Firewall))
  VPN Properties:
    Phase 1: Perform key exchange encryption with: AES-256; Perform data integrity with: SHA1
    Phase 2: Perform IPsec data encryption with: AES-256; Perform data integrity with: SHA1
  Advanced Settings > Shared Secret (select):
    Use only Shared Secret for all External members
    Edit > Enter Shared Secret: abcd1234 > Click OK
  Advanced VPN Properties:
    IKE (Phase 1): DH Group: Group 2 (1024 bit); Renegotiate IKE security associations every 1440 min.
    IPsec (Phase 2): (select) Use Perfect Forward Secrecy, DH Group 2 (1024 bit); Renegotiate IPsec security associations every 3600 seconds
    NAT: (select) Disable NAT inside the VPN community

3. VPN Policy (Look at Policy rules 1, 2, and 4)

Click on the main Security tab > then click on Rule 1 > Source > Enter the following:

Rule 1:
  Source: Juniper NetScreen LAN (jn-192.168.1.0-juniper)
  Destination: CheckPoint R61 LAN (cp-192.168.2.0 (Checkpoint Network))
  VPN: Any Traffic
  Service: ANY
  Action: Accept
  Track: Log
  Install On: (Right Click > Add > Targets > Select Target) Choose the Check Point Gateway that will terminate the VPN

Rule 2:
  Source: CheckPoint R61 LAN (cp-192.168.2.0 (Checkpoint Network))
  Destination: Juniper NetScreen LAN (jn-192.168.1.0-juniper)
  VPN: Any Traffic
  Service: ANY
  Action: Accept
  Track: Log
  Install On: (Right Click > Add > Targets > Select Target) Choose the Check Point Gateway that will terminate the VPN

Rule 3:
  Source: Interoperable Juniper Firewall (jf-200.200.200.34-junpr); Checkpoint Firewall (cp-200.200.200.34)
  Destination: Interoperable Juniper Firewall (jf-200.200.200.34-junpr); Checkpoint Firewall (cp-200.200.200.34)
  VPN: Any Traffic
  Service: ANY
  Action: Accept
  Track: Log
  Install On: (Right Click > Add > Targets > Select Target) Choose the Check Point Gateway that will terminate the VPN

4. Test the VPN

  Check Point Log (example of successful PH1)
  Check Point Log (example of successful PH2)
  Check Point Log (HTTP session successfully traversed tunnel)
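Before testing, it is worth confirming that the two sides were entered consistently, because a Phase 1 or Phase 2 proposal mismatch and a mismatched encryption domain (Juniper tunnel policy versus Check Point VPN domain) are the two usual reasons an interoperable tunnel fails to come up. The script below is an added example, not part of this guide or of either vendor's tooling: it transcribes the Phase 1/Phase 2 values from Juniper step 3 and Check Point step 2, normalises lifetimes to seconds (the minutes-versus-seconds trap called out in step 3), and checks that every Juniper tunnel policy from steps 7 and 8 fits inside the VPN domains assigned to the interoperable device and the Check Point gateway in Check Point step 1. The dictionary layout, the object key "checkpoint_gateway" and all function names are this example's own.

```python
import ipaddress

# Phase 1 / Phase 2 parameters as entered on each side in the walkthrough
# (values transcribed from the guide; the dictionary layout is this example's own).
JUNIPER = {
    "phase1": {"auth": "preshare", "dh_group": 2, "encryption": "aes256",
               "integrity": "sha1", "lifetime": (1440, "min")},
    "phase2": {"pfs_group": 2, "encryption": "aes256",
               "integrity": "sha1", "lifetime": (3600, "sec")},
}
CHECKPOINT = {
    "phase1": {"auth": "preshare", "dh_group": 2, "encryption": "aes256",
               "integrity": "sha1", "lifetime": (1440, "min")},
    "phase2": {"pfs_group": 2, "encryption": "aes256",
               "integrity": "sha1", "lifetime": (3600, "sec")},
}

# Juniper tunnel policies (source, destination) from steps 7 and 8, and the
# manually defined VPN domains of the two gateway objects from Check Point step 1.
JUNIPER_TUNNEL_POLICIES = [
    ("192.168.1.0/24", "192.168.2.0/24"),
    ("192.168.1.0/24", "172.16.4.0/22"),
]
CHECKPOINT_VPN_DOMAINS = {
    "jf-200.200.200.34-junpr": ["192.168.1.0/24"],              # interoperable device
    "checkpoint_gateway": ["192.168.2.0/24", "172.16.4.0/22"],  # group of both networks
}


def lifetime_seconds(lifetime):
    """Normalise a (value, unit) lifetime to seconds, so 1440 min == 86400 sec."""
    value, unit = lifetime
    return value * 60 if unit == "min" else value


def compare_phase(local, remote):
    """Return the sorted names of parameters that differ between the two peers."""
    mismatches = []
    for key in sorted(set(local) | set(remote)):
        a, b = local.get(key), remote.get(key)
        if key == "lifetime" and a is not None and b is not None:
            a, b = lifetime_seconds(a), lifetime_seconds(b)
        if a != b:
            mismatches.append(key)
    return mismatches


def compare_proposals(side_a, side_b):
    """Mismatch lists for both phases, keyed by phase name."""
    return {phase: compare_phase(side_a[phase], side_b[phase])
            for phase in ("phase1", "phase2")}


def covered(prefix, domain):
    """True if prefix lies entirely inside one of the networks of a VPN domain."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(ipaddress.ip_network(d)) for d in domain)


def check_encryption_domains(policies, domains, juniper_obj, checkpoint_obj):
    """Each Juniper tunnel policy must map onto the Check Point VPN domains: its
    source inside the interoperable device's domain and its destination inside
    the Check Point gateway's domain. Returns a list of readable problems."""
    problems = []
    for src, dst in policies:
        if not covered(src, domains[juniper_obj]):
            problems.append(f"source {src} is outside the VPN domain of {juniper_obj}")
        if not covered(dst, domains[checkpoint_obj]):
            problems.append(f"destination {dst} is outside the VPN domain of {checkpoint_obj}")
    return problems


if __name__ == "__main__":
    print("proposals:", compare_proposals(JUNIPER, CHECKPOINT))
    # The step 3 trap: 3600 entered with the minutes button selected.
    wrong = {**JUNIPER, "phase2": {**JUNIPER["phase2"], "lifetime": (3600, "min")}}
    print("with wrong unit:", compare_proposals(wrong, CHECKPOINT))
    print("domains:", check_encryption_domains(
        JUNIPER_TUNNEL_POLICIES, CHECKPOINT_VPN_DOMAINS,
        "jf-200.200.200.34-junpr", "checkpoint_gateway"))
```

An empty mismatch list and an empty problem list are what you want before step 4; a non-empty problem list for a destination such as 172.16.4.0/22 means the optional network object from Check Point step 1 was never added to the gateway's VPN domain group, which shows up as a Phase 2 failure in the Check Point log even though Phase 1 completes.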