Friday, February 23, 2018
IPSec VPN between Check Point and Cisco Router
Setting up a VPN between these two devices is a bit cryptic the first time you encounter it but once you have completed the task it just makes sense. This tutorial continues on from a previous post which describes how to setup a virtualized check point firewall.
The Cisco router is simulated using dynamips and the following parameters:
[[3725]]
image = C:\lab\IOS\c3725-adventerprisek9-mz.124-15.T14.bin
idlepc = 0x6026be14
ram = 160
disk0 = 32
[[ROUTER R1]]
model = 3725
#This is the vmnet1 device
FA0/0 = NIO_gen_eth:\Device\NPF_{A5C8EFBE-0743-4930-9373-4D2A4DBF800A}
The network diagram is:

          (Fa0/0) R1
              +
              |
 External     |                   Internal
 Pluto -------+--- (eth1) CP R75 (eth2) ----- Eris
                            (eth0)
                              +
                              |
                        SmartDashboard
Network blocks are allocated as shown below. The remote network is configured as a loopback interface on R1.
- management network - 10.202.70.0/24
- external network - 192.168.1.0/24
- internal network - 192.168.2.0/24
- remote network - 192.168.3.0/24
- pluto - 192.168.1.1
- eth1 - 192.168.1.2
- eth2 - 192.168.2.2
- eris - 192.168.2.1
- fa0/0 R1 - 192.168.1.10
- loop0 R1 - 192.168.3.1
Router R1 Configuration
Create the IKE (phase 1) policy, using pre-shared key authentication:
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key abc123 address 192.168.1.2
!
Create the IPSec transform set (i.e. the phase 2 encryption and integrity parameters it will use):
crypto ipsec transform-set mytransform esp-aes 256 esp-sha
Define the interesting traffic (the traffic that will be sent through the tunnel):
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
Now put it all together in a crypto map and apply it to the outside interface:
crypto map mymap 1 ipsec-isakmp
set peer 192.168.1.2
set transform-set mytransform
match address 101
!
interface FastEthernet0/0
crypto map mymap
!
Check Point Configuration
Click on the IPSec VPN tab. The first task is to define the remote end point: in the tree on the left hand side, right click on Interoperable Device and add a new device which we'll call CiscoRTR. In the IP address field put in 192.168.1.10.
Click on the topology of CiscoRTR and add the following:
- fa0/0: 192.168.1.10, netmask 255.255.255.0; topology: Leads to internet
- loop0: 192.168.3.1, netmask 255.255.255.0; topology: Internal, Network defined by IP address and netmask
Next create a new VPN community (called MyVPN here; the Center/Satellite layout makes it a star community) with the following settings:
- Center gateways: the object representing the Check Point enforcement point
- Satellite gateways: the object representing the Cisco router - CiscoRTR
- Encryption:
- Encryption Method: IKEv1 Only
- Encryption Suite: Custom with the following properties
- IKE (Phase 1) Properties
- Perform key exchange encryption with: AES-256
- Perform data integrity with: SHA-1
- IPSec (Phase 2) Properties
- Perform IPSec data encryption with: AES-256
- Perform data integrity with: SHA-1
- Tunnel Management: VPN Tunnel sharing: One VPN tunnel per subnet pair
- Advanced settings
- VPN Routing: To center only
- Shared Secret: Use only Shared Secret for all external members, then add the shared secret for CiscoRTR (it must match the crypto isakmp key configured on R1, abc123 above)
- Advanced VPN Properties: IKE (Phase 1): Use Diffie-Hellman Group: Group 2
Finally, add two rules to the security policy. The first allows the interesting traffic through the community:
Name: InterestingVPNTraffic
Source: 192.168.2.0 255.255.255.0
Destination: 192.168.3.0 255.255.255.0
VPN: MyVPN (ie the community defined above)
Service: Any
Action: Accept
Track: Log
The second allows the IKE and IPSec negotiation itself between the two peers:
Name: Encrypted Traffic
Source: Checkpoint Gateway
Destination: CiscoRTR
VPN: Any traffic
Service: IKE & IPSec
Action: Accept
Track: Log
Now install these changes on the Check Point gateway and you should then be able to ping from Eris to the loopback of R1.
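If the ping fails, the usual cause is a phase 1 or phase 2 parameter that differs between the two ends, or an ACL that does not mirror the rule. The following consistency check is an added example, not part of the original post or of either vendor's tooling: it parses R1's crypto configuration (embedded as sample input) and compares it against the SmartDashboard settings transcribed into a dict whose key names are my own.

```python
import ipaddress
import re

# R1's crypto configuration from this post, embedded here as sample input.
CISCO_CONFIG = """
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto ipsec transform-set mytransform esp-aes 256 esp-sha
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto map mymap 1 ipsec-isakmp
 set peer 192.168.1.2
 match address 101
"""

# Community and rule settings from the post, transcribed by hand (key names are mine).
CHECKPOINT = {
    "ike_encryption": "aes-256", "ike_integrity": "sha1", "dh_group": 2,
    "ipsec_encryption": "aes-256", "ipsec_integrity": "sha1",
    "gateway": "192.168.1.2",        # eth1, the address R1 peers with
    "local_net": "192.168.2.0/24",   # rule source (internal network)
    "remote_net": "192.168.3.0/24",  # rule destination (R1 loopback)
}

def wildcard_to_network(addr, wildcard):
    """Convert IOS 'address wildcard' notation (0.0.0.255) to CIDR (/24)."""
    prefix = 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return str(ipaddress.ip_network(f"{addr}/{prefix}"))

def _alg(name, bits):
    # IOS writes 'aes 256' / 'esp-aes 256'; normalise to 'aes-256' ('3des' stays '3des')
    return f"{name}-{bits}" if bits else name

def parse_cisco(config):
    """Extract phase 1, phase 2 and interesting-traffic parameters from an IOS config."""
    find = lambda pat: re.search(pat, config, re.M)
    enc = find(r"^\s*encr\s+(\w+)\s*(\d*)")
    hsh = find(r"^\s*hash\s+(\w+)")  # absent in the post: IOS then defaults to SHA-1
    ts = find(r"^crypto ipsec transform-set \S+ esp-(\w+)\s*(\d*)\s+esp-(\w+)")
    acl = find(r"^access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)")
    return {
        "ike_encryption": _alg(enc.group(1), enc.group(2)),
        "ike_integrity": "sha1" if hsh is None or hsh.group(1) == "sha" else hsh.group(1),
        "dh_group": int(find(r"^\s*group\s+(\d+)").group(1)),
        "ipsec_encryption": _alg(ts.group(1), ts.group(2)),
        "ipsec_integrity": "sha1" if ts.group(3) == "sha" else ts.group(3),
        "peer": find(r"^\s*set peer (\S+)").group(1),
        "local_net": wildcard_to_network(acl.group(1), acl.group(2)),
        "remote_net": wildcard_to_network(acl.group(3), acl.group(4)),
    }

def check_tunnel(cisco_config, checkpoint):
    """Return the mismatches between the two ends; an empty list means they agree."""
    cisco, problems = parse_cisco(cisco_config), []
    for key in ("ike_encryption", "ike_integrity", "dh_group", "ipsec_encryption", "ipsec_integrity"):
        if cisco[key] != checkpoint[key]:
            problems.append(f"{key}: router={cisco[key]} checkpoint={checkpoint[key]}")
    if cisco["peer"] != checkpoint["gateway"]:
        problems.append(f"peer: router peers with {cisco['peer']}, gateway is {checkpoint['gateway']}")
    # ACL 101 and the VPN rule must mirror each other: R1's source is the rule's destination.
    if (cisco["local_net"], cisco["remote_net"]) != (checkpoint["remote_net"], checkpoint["local_net"]):
        problems.append("interesting traffic: ACL 101 and the VPN rule do not mirror each other")
    return problems
```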