Virtual Private Networks
Administration Guide
Version NGX R65
701675 March 18, 2007
© 2003-2007 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying,
distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written
authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or
omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer
Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point
Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement,
Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1,
FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless
Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management,
Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer,
SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro,
SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal,
SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering,
TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-
1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web
Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router,
Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check
Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The
products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by
other U.S. Patents, foreign patents, or pending applications.
For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.
Table of Contents 5
Contents
Preface
Who Should Use This Guide.............................................................................. 20
Summary of Contents....................................................................................... 21
Section 1: Introduction to VPN Technology.................................................... 21
Section 2: Site-to-Site VPN.......................................................................... 21
Section 3: Remote Access VPN .................................................................... 23
Appendices ................................................................................................ 25
Related Documentation .................................................................................... 26
More Information ............................................................................................. 29
Feedback ........................................................................................................ 30
Introduction to VPN Technology
Chapter 1 Overview
The Connectivity Challenge............................................................................... 34
The Basic Check Point VPN Solution ................................................................. 35
What is VPN............................................................................................... 35
Understanding the Terminology.................................................................... 37
Site to Site VPN ......................................................................................... 38
VPN Communities....................................................................................... 38
Remote Access VPN.................................................................................... 40
Chapter 2 IPSEC & IKE
Overview ......................................................................................................... 42
Methods of Encryption and Integrity ............................................................. 45
Phase I modes............................................................................................ 46
Renegotiating IKE & IPSec Lifetimes ............................................................ 47
Perfect Forward Secrecy .............................................................................. 47
IP Compression .......................................................................................... 48
Subnets and Security Associations ............................................................... 49
IKE DOS Protection ......................................................................................... 52
Understanding DoS Attacks ......................................................................... 52
IKE DoS Attacks ......................................................................................... 52
Defense Against IKE DoS Attacks ................................................................. 53
SmartDashboard IKE DoS Attack Protection Settings ...................................... 54
Advanced IKE DoS Attack Protection Settings ................................................ 55
Configuring Advanced IKE Properties................................................................. 57
On the VPN Community Network Object........................................................ 57
On the Gateway Network Object ................................................................... 57
Chapter 3 Public Key Infrastructure
Need for Integration with Different PKI Solutions................................................ 60
Supporting a Wide Variety of PKI Solutions ........................................................ 61
PKI and Remote Access Users ..................................................................... 61
PKI Deployments and VPN .......................................................................... 61
Trusting An External CA............................................................................... 64
Enrolling a Managed Entity .......................................................................... 65
Validation of a Certificate ............................................................................ 66
Special Considerations for PKI .......................................................................... 69
Using the Internal CA vs. Deploying a Third Party CA ..................................... 69
Distributed Key Management and Storage ..................................................... 69
Configuration of PKI Operations ........................................................................ 71
Trusting a CA – Step-By-Step....................................................................... 71
Enrolling with a Certificate Authority............................................................. 74
Certificate Revocation (All CA Types) ............................................................ 78
Certificate Recovery and Renewal................................................................. 79
Adding Matching Criteria to the Validation Process......................................... 80
CRL Cache Usage ....................................................................................... 80
Modifying the CRL Pre-Fetch Cache ............................................................. 81
Configuring CRL Grace Period ...................................................................... 81
Configuring OCSP ............................................................................................ 82
Chapter 4 Introduction to Site to Site VPN
The Need for Virtual Private Networks................................................................ 84
Confidentiality ............................................................................................ 84
Authentication............................................................................................ 84
Integrity..................................................................................................... 84
The Check Point Solution for VPN ..................................................................... 85
How it Works.............................................................................................. 85
VPN Communities....................................................................................... 87
VPN Topologies .......................................................................................... 88
Authentication Between Community Members ............................................... 93
Dynamically Assigned IP Gateways ............................................................... 94
Routing Traffic within a VPN Community ...................................................... 95
Access Control and VPN Communities .......................................................... 96
Excluded Services....................................................................................... 97
Special Considerations for Planning a VPN Topology ........................................... 98
Configuring Site to Site VPNs............................................................................ 99
Migrating from Traditional Mode to Simplified Mode ...................................... 99
Configuring a Meshed Community Between Internally Managed Gateways ...... 100
Configuring a Star VPN Community ............................................................ 101
Confirming a VPN Tunnel Successfully Opens.............................................. 102
Configuring a VPN with External Gateways Using PKI ........................................ 103
Configuring a VPN with External Gateways Using a Pre-Shared Secret................. 107
How to Authorize Firewall Control Connections in VPN Communities................... 110
Why Turning off FireWall Implied Rules Blocks Control Connections .............. 110
Allowing Firewall Control Connections Inside a VPN ..................................... 111
Discovering Which Services are Used for Control Connections ....................... 111
Site-to-Site VPN
Chapter 5 Domain Based VPN
Overview ....................................................................................................... 116
VPN Routing and Access Control ..................................................................... 117
Configuring Domain Based VPN ...................................................................... 118
Configuring VPN Routing for Gateways via SmartDashboard .......................... 118
Configuration via Editing the VPN Configuration File .................................... 120
Configuring the ‘Accept VPN Traffic Rule’ ................................................... 121
Configuring Multiple Hubs ......................................................................... 121
Configuring ROBO Gateways ...................................................................... 124
Chapter 6 Route Based VPN
Overview ....................................................................................................... 126
VPN Tunnel Interface (VTI) ............................................................................. 127
Numbered VTI .......................................................................................... 129
Unnumbered VTI ...................................................................................... 130
Using Dynamic Routing Protocols.................................................................... 131
Configuring Numbered VTIs ............................................................................ 132
Enabling Route Based VPN........................................................................ 132
Numbered VTIs......................................................................................... 132
VTIs in a Clustered Environment...................................................................... 135
Configuring VTIs in a Clustered Environment .................................................... 136
Enabling Dynamic Routing Protocols on VTIs.................................................... 143
Configuring Anti-Spoofing on VTIs ................................................................... 147
Configuring a Loopback Interface .................................................................... 149
Configuring Unnumbered VTIs ........................................................................ 152
Routing Multicast Packets Through VPN Tunnels .............................................. 156
Chapter 7 Tunnel Management
Overview ....................................................................................................... 160
Permanent Tunnels ................................................................................... 160
VPN Tunnel Sharing.................................................................................. 163
Configuring Tunnel Features ........................................................................... 164
Permanent Tunnels ................................................................................... 166
Advanced Permanent Tunnel Configuration ................................................. 169
Tracking Options....................................................................................... 170
Terminating Permanent Tunnels................................................................. 170
VPN Tunnel Sharing.................................................................................. 170
Monitoring Tunnels ................................................................................... 171
Chapter 8 Route Injection Mechanism
Overview ....................................................................................................... 174
Automatic RIM .............................................................................................. 175
Custom Scripts.............................................................................................. 177
tnlmon.conf File ............................................................................................ 179
Injecting Peer Gateway Interfaces.................................................................... 180
Configuring RIM ............................................................................................ 182
Configuring RIM in a Star Community ......................................................... 182
Configuring RIM in a Meshed Community .................................................... 183
Enabling the RIM_inject_peer_interfaces flag .............................................. 184
Tracking Options....................................................................................... 184
Chapter 9 Wire Mode
The Need for Wire Mode................................................................................. 186
The Check Point Solution ............................................................................... 187
Wire Mode Scenarios...................................................................................... 188
Wire Mode in a MEP Configuration ............................................................. 188
Wire Mode with Route Based VPN .............................................................. 189
Wire Mode Between Two VPN Communities................................................. 190
Special Considerations for Wire Mode .............................................................. 192
Configuring Wire Mode ................................................................................... 193
Enabling Wire Mode on a VPN Community .................................................. 193
Enabling Wire Mode on a Specific Gateway ................................................. 193
Chapter 10 Directional VPN Enforcement
The Need for Directional VPN ......................................................................... 196
The Check Point Solution ............................................................................... 197
Directional Enforcement within a Community .............................................. 197
Directional Enforcement between Communities ........................................... 198
Configuring Directional VPN............................................................................ 200
Configuring Directional VPN Within a Community ........................................ 200
Configuring Directional VPN Between Communities...................................... 201
Chapter 11 Link Selection
Overview ....................................................................................................... 204
Using Link Selection...................................................................................... 205
IP Selection by Remote Peer...................................................................... 205
Outgoing Route Selection .......................................................................... 207
Using Route Based Probing ....................................................................... 208
Responding Traffic.................................................................................... 209
Source IP Address Settings........................................................................ 209
Link Selection Scenarios ................................................................................ 211
Gateway with a Single External Interface..................................................... 211
Gateway with a Dynamic IP Address (DAIP) ................................................. 212
Gateway with Several IP Addresses Used by Different Parties ........................ 212
Gateway With One External Interface and One Interface Behind a Static NAT Device ... 213
On Demand Links (ODL)................................................................................. 214
Link Selection and ISP Redundancy ................................................................ 215
Early Versions Compatibility Resolving Mechanism............................................ 218
Configuring Link Selection.............................................................................. 219
Resolving Addresses via Main and Single IPs............................................... 219
Resolving Addresses using DNS lookup ....................................................... 220
Resolving Addresses via Probing................................................................. 220
Configuring Outgoing Route Selection ......................................................... 221
Configuring For Responding Traffic............................................................. 221
Configuring Source IP Address Settings ...................................................... 222
Configuring On Demand links..................................................................... 223
Configuring the Early Version Compatibility Resolving Mechanism ................. 224
Outgoing Link Tracking.............................................................................. 224
Chapter 12 Multiple Entry Point VPNs
Overview ....................................................................................................... 226
VPN High Availability Using MEP or Clustering ............................................ 226
How It Works............................................................................................ 227
Explicit MEP ................................................................................................. 228
MEP Selection Methods ............................................................................ 229
Implicit MEP................................................................................................. 236
Routing Return Packets.................................................................................. 240
Special Considerations ................................................................................... 242
Configuring MEP............................................................................................ 243
Configuring Explicit MEP........................................................................... 243
Configuring Implicit MEP .......................................................................... 244
Configuring IP Pool NAT............................................................................ 246
Chapter 13 Traditional Mode VPNs
Introduction to Traditional Mode VPNs............................................................. 248
VPN Domains and Encryption Rules ................................................................ 249
Defining VPN Properties ................................................................................. 251
Internally and Externally Managed Gateways..................................................... 252
Considerations for VPN Creation...................................................................... 253
Choosing the Authentication Method........................................................... 253
Choosing the Certificate Authority............................................................... 253
Configuring Traditional Mode VPNs ................................................................. 254
Editing a Traditional Mode Policy ............................................................... 254
Configuring VPN Between Internal Gateways using ICA Certificates................ 255
VPN Between Internal Gateways Using Third Party CA Certificates................. 256
Configuring VPN with Externally Managed Gateways Using Certificates .......... 257
Configuring a VPN using a Pre-Shared Secret .............................................. 259
Remote Access VPN
Chapter 14 Introduction to Remote Access VPN
Need for Remote Access VPN ......................................................................... 266
The Check Point Solution for Remote Access.................................................... 267
Enhancing SecuRemote with SecureClient Extensions .................................. 268
Establishing a Connection Between a Remote User and a Gateway ................ 269
Remote Access Community........................................................................ 270
Identifying Elements of the Network to the Remote Client............................. 270
Connection Mode...................................................................................... 271
User Profiles ............................................................................................ 271
Access Control for Remote Access Community............................................. 272
Client-Gateway Authentication Schemes ..................................................... 272
Advanced Features.................................................................................... 275
Alternatives to SecuRemote/SecureClient .................................................... 275
VPN for Remote Access Considerations ............................................................ 276
Policy Definition for Remote Access ........................................................... 276
User Certificate Creation Methods when Using the ICA ................................. 276
Internal User Database vs. External User Database....................................... 277
NT Group/RADIUS Class Authentication Feature .......................................... 278
VPN for Remote Access Configuration.............................................................. 279
Establishing Remote Access VPN ............................................................... 280
Creating the Gateway and Defining Gateway Properties................................. 282
Defining User and Authentication Methods in LDAP ..................................... 282
Defining User Properties and Authentication Methods .................................. 282
Initiating User Certificates in the ICA Management Tool ............................... 282
Generating Certificates for Users in SmartDashboard.................................... 283
Initiating Certificates for Users in SmartDashboard ...................................... 283
Configure Certificates Using Third Party PKI................................................ 284
Enabling Hybrid Mode and Methods of Authentication.................................. 285
Configuring Authentication for NT groups and RADIUS Classes ..................... 286
Using a Pre-Shared Secret ......................................................................... 286
Defining an LDAP User Group .................................................................... 286
Defining a User Group............................................................................... 287
Defining a VPN Community and its Participants........................................... 287
Defining Access Control Rules.................................................................... 287
Installing the Policy .................................................................................. 288
User Certificate Management ..................................................................... 288
Modifying Encryption Properties for Remote Access VPN .............................. 290
Working with RSA's Hard and Soft Tokens .................................................. 291
Chapter 15 Office Mode
The Need for Remote Clients to be Part of the LAN........................................... 296
Office Mode Solution ..................................................................................... 297
Introducing Office Mode............................................................................ 297
How Office Mode Works............................................................................. 298
Assigning IP Addresses.............................................................................. 300
IP Address Lease duration ......................................................................... 302
Using Name Resolution - WINS and DNS .................................................... 302
Anti Spoofing ........................................................................................... 303
Using Office Mode with Multiple External Interfaces .................................... 303
Office Mode Per Site ................................................................................. 304
Enabling IP Address per User.......................................................................... 306
The Problem............................................................................................. 306
The Solution............................................................................................. 306
Office Mode Considerations ............................................................................ 309
IP pool Versus DHCP................................................................................. 309
Routing Table Modifications ...................................................................... 309
Using the Multiple External Interfaces Feature............................................. 309
Configuring Office Mode ................................................................................. 310
Office Mode — IP Pool Configuration.......................................................... 310
Configuring IP Assignment Based on Source IP Address ............................... 313
Office Mode via ipassignment.conf File ....................................................... 314
Subnet masks and Office Mode Addresses................................................... 314
Checking the Syntax.................................................................................. 315
Office Mode — DHCP Configuration ........................................................... 316
Office Mode - Using a RADIUS Server......................................................... 317
Office Mode Configuration on SecureClient.................................................. 319
Office Mode per Site ................................................................................. 319
Chapter 16 SecuRemote/SecureClient
The Need for SecureClient.............................................................................. 322
The Check Point Solution ............................................................................... 323
How it Works ............................................................................................ 323
SCV Granularity for VPN Communities ............................................................. 324
Blocking Unverified SCV Connections .............................................................. 325
Selective Routing........................................................................................... 326
Desktop Security Policy.................................................................................. 329
When is a Policy Downloaded? ................................................................... 329
Policy Expiration and Renewal ................................................................... 329
Prepackaged Policy................................................................................... 329
Policy Server High Availability.................................................................... 329
Wireless Hot Spot/Hotel Registration........................................................... 330
Enable Logging.............................................................................................. 331
NAT Traversal Tunneling ................................................................................ 332
Idleness Detection ......................................................................................... 333
Switching Modes ........................................................................................... 334
HTML Based Help ......................................................................................... 335
Configuring SecureClient ................................................................................ 336
Configuring SCV Granularity for VPN Communities ....................................... 336
Configuring block_scv_client_connections ................................................... 336
Configuring Selective Routing .................................................................... 337
Configuring Desktop Security Policy Expiration Time .................................... 338
Configuring Hot Spot/Hotel Registration ...................................................... 339
Configuring Enable Logging ....................................................................... 340
Configuring NAT Traversal ......................................................................... 341
Enable/Disable Switching Modes ..................................................................... 343
Add HTML Help to Package............................................................................ 344
Configuring Idle Detection .............................................................................. 345
Configuring the idleness_detection Property ................................................ 345
Chapter 17 SecureClient Mobile
Overview of SecureClient Mobile ..................................................................... 348
Connectivity Features ..................................................................................... 349
Session Continuation and Timeout.............................................................. 349
Initiate Dialup .......................................................................................... 350
Always Connected..................................................................................... 350
Authentication Schemes............................................................................ 350
Support for Alternate Gateway.................................................................... 352
Gateway History........................................................................................ 352
Allow Clear Traffic During ActiveSync and When Disconnected...................... 352
Secure Configuration Verification (SCV) Traversal......................................... 353
Topology and Split Tunneling.......................................................................... 354
Hub Mode (VPN Routing for Remote Access).................................................... 355
Office Mode ............................................................................................. 355
Visitor Mode (SSL Tunnel) ......................................................................... 355
Security Policies and Client Decide ................................................................. 356
IP Firewall Policy........................................................................................... 357
Connectivity Policy......................................................................................... 358
General "GUI" Policy ...................................................................................... 359
Client Deployment, Repackaging and Upgrade.................................................. 360
Installing SecureClient Mobile ........................................................................ 361
SecureClient Mobile Gateway Side Installation............................................. 361
Module Support........................................................................................ 361
Downloading HFAs.................................................................................... 361
SmartCenter Server Support....................................................................... 362
Downloading SCM Management Patch ........................................................ 362
Management Patch Installation .................................................................. 362
Gateway Patch.......................................................................................... 363
Client Side Installation................................................................................... 364
Hardware and Software Requirements......................................................... 364
Check Point Certificates and Locked Devices............................................... 364
CAB Package............................................................................................ 365
MSI Package ............................................................................................ 366
Configuring SecureClient Mobile ..................................................................... 368
Configuring a Gateway to Support SecureClient Mobile ................................. 369
Configuring the Gateway as a Member of a Remote Access Community .......... 369
Load Sharing Cluster Support .................................................................... 371
Authentication Schemes............................................................................ 374
Configuring the Authentication Method ....................................................... 374
Re-authenticate Users............................................................................... 375
Configuring Encryption Methods................................................................. 375
Certificates .............................................................................................. 375
Table of Contents 13
Certificate Nickname................................................................................. 376
Management of Internal CA Certificates ...................................................... 376
Importing a Certificate .............................................................................. 376
Topology Update....................................................................................... 377
Security Policy ......................................................................................... 377
Route All Traffic (Hub Mode) ..................................................................... 378
Client Side Configuration................................................................................ 379
Connecting to a Site.................................................................................. 379
Configuring Display Settings ...................................................................... 379
Status Page.............................................................................................. 380
Advanced Configuration.................................................................................. 381
Configuring a Non-Centrally Managed Gateway ............................................ 392
Configuration in a Mixed SecureClient and SecureClient Mobile Environment. 393
Client Deployment Overview............................................................................ 395
Package Customization.............................................................................. 395
Adding a File to a CAB Package ................................................................. 396
Deleting a File from a CAB Package............................................................ 397
Exporting the Client Configuration .............................................................. 398
Defining the Client Installation Version ....................................................... 399
Creating a CAB Package ............................................................................ 399
Creating an MSI Package........................................................................... 400
Configuring the SAA Plugin........................................................................ 400
Troubleshooting............................................................................................. 402
Enabling Log Files .................................................................................... 402
Routing Table........................................................................................... 402
IP Configuration ....................................................................................... 402
Error Messages ......................................................................................... 402
Additional Resources................................................................................. 404
Chapter 18 Packaging SecureClient
Introduction: The Need to Simplify Remote Client Installations .......................... 406
The Check Point Solution - SecureClient Packaging Tool ................................... 407
Overview .................................................................................................. 407
How Does Packaging Tool Work? ................................................................ 408
The MSI Packaging Solution ...................................................................... 408
Creating a Preconfigured Package ................................................................... 409
Creating a New Package Profile .................................................................. 409
Generating a Package................................................................................ 410
Adding Scripts to a Package ...................................................................... 411
Configuring MSI Packaging............................................................................. 412
Add and Remove Files in Package .............................................................. 413
Installation Command Line Options ............................................................ 413
Split Installation ....................................................................................... 413
Debug...................................................................................................... 413
Zone Labs Integrity Client.......................................................................... 414
Chapter 19 Desktop Security
The Need for Desktop Security........................................................................ 416
Desktop Security Solution............................................................................... 417
Introducing Desktop Security ..................................................................... 417
The Desktop Security Policy....................................................................... 418
Policy Server ............................................................................................ 420
Policy Download ....................................................................................... 420
Logs and Alerts......................................................................................... 421
Desktop Security Considerations...................................................................... 422
Planning the Desktop Security Policy.......................................................... 422
Avoiding Double Authentication for Policy Server ......................................... 423
Configuring Desktop Security .......................................................................... 424
Server Side Configuration .......................................................................... 424
Client Side Configuration........................................................................... 425
Chapter 20 Layer Two Tunneling Protocol (L2TP) Clients
The Need for Supporting L2TP Clients............................................................. 428
Solution - Working with L2TP Clients............................................................... 429
Introduction to L2TP Clients ...................................................................... 429
Establishing a VPN between a Microsoft IPSec/L2TP Client and a Check Point Gateway ............................ 430
Behavior of an L2TP Connection ................................................................ 431
VPN-1 Power Gateway Requirements for IPSec/L2TP ................................... 431
Authentication of Users and Client Machines............................................... 432
User Certificate Purposes .......................................................................... 435
Considerations for Choosing Microsoft IPSec/L2TP Clients................................. 436
Configuring Remote Access for Microsoft IPSec/L2TP Clients............................. 437
General Configuration Procedure ................................................................ 437
Configuring a Remote Access Environment.................................................. 438
Defining the Client Machines and their Certificates ...................................... 438
Configuring Office Mode and L2TP Support................................................. 438
Preparing the Client Machines ................................................................... 438
Placing the Client Certificate in the Machine Certificate Store....................... 439
Placing the User Certificate in the User Certificate Store .............................. 440
Setting up the Microsoft IPSec/L2TP Client Connection Profile ..................... 440
Configuring User Certificate Purposes ......................................................... 441
Making the L2TP Connection ..................................................................... 442
For More Information... ............................................................................. 443
Chapter 21 Secure Configuration Verification
The Need to Verify Remote Client’s Security Status........................................... 446
The Secure Configuration Verification Solution ................................................. 447
Introducing Secure Configuration Verification .............................................. 447
How does SCV work? ................................................................................. 448
SCV Checks.............................................................................................. 450
Considerations regarding SCV.......................................................................... 453
Planning the SCV Policy ............................................................................ 453
User Privileges ......................................................................................... 453
Using pre-NG Clients with SCV................................................................... 454
Configuring SCV ............................................................................................ 455
Server Side Configuration .......................................................................... 455
Client Side Configuration........................................................................... 456
SCV Policy Syntax..................................................................................... 456
The local.scv Sets..................................................................................... 460
A Complete Example of a local.scv File ....................................................... 462
Common Attributes ................................................................................... 468
Chapter 22 VPN Routing - Remote Access
The Need for VPN Routing.............................................................................. 484
Check Point Solution for Greater Connectivity and Security ................................ 485
Hub Mode (VPN Routing for Remote Clients)............................................... 486
Configuring VPN Routing for Remote Access VPN ............................................. 490
Enabling Hub Mode for Remote Access clients ............................................ 490
Configuration of Client to Client Routing by Including the Office Mode Range of Addresses in the VPN Domain of the Gateway ........................................... 491
Client to Client via Multiple Hubs Using Hub Mode ...................................... 491
Chapter 23 Link Selection for Remote Access Clients
Overview ....................................................................................................... 494
IP Selection by Remote Peer...................................................................... 494
Link Selection for Remote Access Scenarios..................................................... 496
Gateway with a Single External IP Address .................................................. 496
Gateway with Multiple External IP Addresses............................................... 497
Calculate IP Based on Network Topology..................................................... 498
Configuring Link Selection.............................................................................. 499
Configuring the Early Version Compatibility Resolving Mechanism ................. 500
Chapter 24 Using Directional VPN for Remote Access
Enhancements to Remote Access Communities ........................................... 501
Configuring Directional VPN with Remote Access Communities .......................... 503
Chapter 25 Remote Access Advanced Configuration
Non-Private Client IP Addresses ...................................................................... 506
Remote Access Connections ...................................................................... 506
Solving Remote Access Issues.................................................................... 506
How to Prevent a Client Inside the Encryption Domain from Encrypting............... 507
The Problem............................................................................................. 507
The Solution............................................................................................. 507
Authentication Timeout and Password Caching ................................................. 509
The Problem............................................................................................. 509
The Solution............................................................................................. 509
SecuRemote/SecureClient and Secure Domain Logon (SDL)............................... 510
The Problem............................................................................................. 510
The Solution............................................................................................. 510
Configuring SDL Timeout........................................................................... 512
Cached Information................................................................................... 512
Configuring Secure Domain Logon .............................................................. 513
Using Secure Domain Logon ...................................................................... 513
Back Connections (Server to Client)................................................................. 514
Sending Keep-Alive Packets to the Server ................................................... 514
Auto Topology Update (Connect Mode only)...................................................... 515
How to Work with non-Check Point Firewalls .................................................... 516
Early SecuRemote/SecureClients Versions ........................................................ 517
Resolving Internal Names with the SecuRemote DNS Server .............................. 518
The Problem............................................................................................. 518
The Solution............................................................................................. 518
Chapter 26 Multiple Entry Point for Remote Access VPNs
The Need for Multiple Entry Point Gateways ..................................................... 522
The Check Point Solution for Multiple Entry Points ........................................... 523
SecureClient Connect Profiles and MEP ...................................................... 523
Preferred Backup Gateway ......................................................................... 524
Visitor Mode and MEP............................................................................... 525
Routing Return Packets............................................................................. 525
Disabling MEP............................................................................................... 526
Configuring MEP ........................................................................................... 527
First to Respond ....................................................................................... 527
Primary-Backup........................................................................................ 528
Load Distribution ...................................................................................... 529
Configuring Return Packets ....................................................................... 529
Configuring Preferred Backup Gateway ............................................................ 530
Disabling MEP............................................................................................... 531
Chapter 27 Userc.C and Product.ini Configuration Files
Introduction to Userc.C and Product.ini ........................................................... 534
The Userc.C File....................................................................................... 534
The Product.ini file ................................................................................... 535
Userc.C File Parameters ................................................................................. 536
SecureClient ............................................................................................ 536
Encryption ............................................................................................... 539
Multiple Entry Point .............................................................................. 543
Encrypted Back Connections.................................................................... 544
Topology ............................................................................................... 544
NT Domain Support................................................................................ 545
Miscellaneous........................................................................................ 546
Product.ini Parameters ................................................................................ 549
Chapter 28 SSL Network Extender
Introduction to the SSL Network Extender........................................................ 554
How the SSL Network Extender Works ............................................................. 555
Commonly Used Concepts .............................................................................. 556
Remote Access VPN.................................................................................. 556
Remote Access Community........................................................................ 556
Office Mode ............................................................................................. 556
Visitor Mode ............................................................................................. 557
Integrity Clientless Security ....................................................................... 557
Special Considerations for the SSL Network Extender........................................ 559
Pre-Requisites .......................................................................................... 559
Features................................................................................................... 560
Configuring the SSL Network Extender............................................................. 562
Configuring the Server............................................................................... 562
Configuring ICS Policies ............................................................................ 570
Load Sharing Cluster Support..................................................................... 572
Customizing the SSL Network Extender Portal ............................................. 573
Installation for Users without Administrator Privileges .................................. 577
SSL Network Extender User Experience ........................................................... 578
Configuring Microsoft Internet Explorer ....................................................... 578
About ActiveX Controls .............................................................................. 579
Downloading and Connecting the Client ...................................................... 579
Uninstall on Disconnect ............................................................................ 591
Using SSL Network Extender on Linux / Mac Operating Systems.................... 591
Removing an Imported Certificate............................................................... 596
Troubleshooting............................................................................................. 598
SSL Network Extender Issues..................................................................... 598
ICS Issues................................................................................................ 599
Chapter 29 Resolving Connectivity Issues
The Need for Connectivity Resolution Features ................................................. 602
Check Point Solution for Connectivity Issues .................................................... 603
Other Connectivity Issues .......................................................................... 603
Overcoming NAT Related Issues ...................................................................... 604
During IKE phase I ................................................................................... 605
During IKE phase II .................................................................................. 605
During IPSec............................................................................................ 607
NAT and Load Sharing Clusters .................................................................. 609
Overcoming Restricted Internet Access ............................................................ 611
Visitor Mode ............................................................................................. 611
Configuring Remote Access Connectivity .......................................................... 615
Configuring IKE Over TCP.......................................................................... 615
Configuring Small IKE phase II Proposals.................................................... 616
Configuring NAT Traversal (UDP Encapsulation) .......................................... 616
Configuring Visitor Mode............................................................................ 618
Configuring Remote Clients to Work with Proxy Servers................................. 619
Chapter 30 Clientless VPN
The Need for Clientless VPN ........................................................................... 624
The Check Point Solution for Clientless VPN .................................................... 625
How it Works ............................................................................................ 625
Special considerations for Clientless VPN......................................................... 628
Certificate Presented by the Gateway .......................................................... 628
Number of Security Servers to Run ............................................................. 628
Level of Encryption ................................................................................... 629
Configuring Clientless VPN ............................................................................. 630
Configuring the Gateway............................................................................ 630
Configuring the Client ............................................................................... 633
Appendices
Appendix A VPN Command Line Interface
VPN Commands............................................................................................. 638
SecureClient Commands................................................................................. 640
Desktop Policy Commands.............................................................................. 642
Appendix B Converting a Traditional Policy to a Community Based Policy
Introduction to Converting to Simplified VPN Mode........................................... 644
How Traditional VPN Mode Differs from a Simplified VPN Mode......................... 645
How an Encrypt Rule Works in Traditional Mode ............................................... 646
Principles of the Conversion to Simplified Mode ............................................... 648
Placing the Gateways into the Communities ..................................................... 649
Conversion of Encrypt Rule ............................................................................. 650
When the Converted Rule Base is too Restrictive.......................................... 651
Conversion of Client Encrypt Rules ............................................................. 652
Conversion of Auth+Encrypt Rules.............................................................. 652
How the Converter Handles Disabled Rules ................................................. 653
After Running the Wizard........................................................................... 653
Appendix C VPN Shell
Configuring a Virtual Interface Using the VPN Shell .......................................... 656
Index.......................................................................................................... 665
Preface
In This Chapter
Who Should Use This Guide page 20
Summary of Contents page 21
Related Documentation page 26
More Information page 29
Feedback page 30
Who Should Use This Guide
This guide is intended for administrators responsible for maintaining network
security within an enterprise, including policy management and user support.
This guide assumes a basic understanding of
• System administration.
• The underlying operating system.
• Internet protocols (IP, TCP, UDP, etc.).
Summary of Contents
This guide describes the VPN components of VPN-1 Power. It contains the
following sections and chapters:
Section 1: Introduction to VPN Technology
This section describes the basic components of a VPN and provides the background
for the technology that comprises the VPN infrastructure.
Section 2: Site-to-Site VPN
This section explains how to ensure secure communication between gateway
modules.
Chapter Description
Chapter 1, “Overview” Provides an overview of Check Point’s solution
for VPN.
Chapter 2, “IPSEC & IKE” Description of encryption modes used to
transport packets securely using VPN tunnels.
Chapter 3, “Public Key
Infrastructure”
Public Key Infrastructure is a system of
certificate authorities that verify and
authenticate the validity of each party
exchanging information.
Chapter Description
Chapter 4, “Introduction to
Site to Site VPN”
An introduction to the basics of VPN’s between
gateways and VPN communities.
Chapter 5, “Domain Based
VPN”
Domain Based VPN is a method of controlling
how VPN traffic is routed between gateway
modules and remote access clients within a
community.
Chapter 6, “Route Based
VPN”
Route Based VPN is a method of controlling how
VPN traffic is routed between gateways using
VPN Tunnel Interfaces.
Chapter 7, “Tunnel
Management”
Tunnel Management descibes the various
aspects of VPN sharing and Permanent Tunnels.
Section 2: Site-to-Site VPN
22
Chapter 8, “Route Injection Mechanism”: Route Injection Mechanism (RIM) enables a VPN-1 Power gateway to use dynamic routing protocols to propagate the encryption domain of a VPN-1 Power peer gateway to the internal network and then initiate back connections.
Chapter 9, “Wire Mode”: Describes how Wire Mode improves connectivity by allowing existing connections to fail over successfully by bypassing firewall enforcement.
Chapter 10, “Directional VPN Enforcement”: Explains how to control the direction of VPN traffic between gateways.
Chapter 11, “Link Selection”: Explanation of how the Link Selection feature is used to determine which interface is used for incoming and outgoing VPN traffic as well as the best possible path between gateway modules.
Chapter 12, “Multiple Entry Point VPNs”: Description of how the Multiple Entry Point (MEP) feature provides a high availability and load sharing solution for VPN connections between peer gateways.
Chapter 13, “Traditional Mode VPNs”: Explanation of Traditional Mode VPNs and how to configure them.
Section 3: Remote Access VPN
This section explains how to ensure secure communication between gateway
modules and remote access clients.
Chapter Description
Chapter 14, “Introduction to Remote Access VPN”: Introduction to VPN connections between gateways and remote users.
Chapter 15, “Office Mode”: Office Mode enables a VPN-1 Power gateway to assign a remote client an IP address.
Chapter 16, “SecuRemote/SecureClient”: SecuRemote/SecureClient is a method that allows you to connect to your organization in a secure manner, while at the same time protecting your machine from attacks that originate on the Internet.
Chapter 17, “SecureClient Mobile”: SecureClient Mobile is a client for mobile devices that includes a VPN and a firewall. SecureClient Mobile's VPN is based on SSL (HTTPS) tunneling and enables handheld devices to securely access resources behind Check Point gateways.
Chapter 18, “Packaging SecureClient”: Using one of the two available packaging tools, the administrator can create pre-configured SecureClient and SecuRemote packages. Users can then install the package without being required to specify configuration details, ensuring that users cannot inadvertently misconfigure their SecureClient and SecuRemote software.
Chapter 19, “Desktop Security”: Description of how SecureClient protects remote clients by enforcing a Desktop Security Policy on the remote client.
Chapter 20, “Layer Two Tunneling Protocol (L2TP) Clients”: Check Point VPN-1 Power gateways can create VPNs with a number of third party IPSec clients. This chapter focuses on the Microsoft IPSec/L2TP client.
Chapter 21, “Secure Configuration Verification”: Secure Configuration Verification (SCV) enables the administrator to monitor the configuration of remote computers, to confirm that the configuration complies with the organization’s Security Policy, and to block connectivity for machines that do not comply.
Chapter 22, “VPN Routing - Remote Access”: Understanding how VPN Routing provides a way of controlling how VPN traffic is directed between gateway modules and remote access clients.
Chapter 23, “Link Selection for Remote Access Clients”: Explanation of how the Link Selection feature is used to determine which interface is used for incoming and outgoing VPN traffic as well as the best possible path between gateway modules and remote access clients.
Chapter 24, “Using Directional VPN for Remote Access”: Explains how to control the direction of VPN traffic between gateways and remote access clients.
Chapter 25, “Remote Access Advanced Configuration”: Understanding more complex remote access scenarios.
Chapter 26, “Multiple Entry Point for Remote Access VPNs”: Description of how the Multiple Entry Point (MEP) feature provides a high availability and load sharing solution for VPN connections between peer gateways and remote access clients.
Chapter 27, “Userc.C and Product.ini Configuration Files”: How to edit the Userc.c and Product.ini files to customize SecuRemote/SecureClient.
Chapter 28, “SSL Network Extender”: Contains an introduction to the SSL Network Extender and the advantages it has for remote access clients.
Chapter 29, “Resolving Connectivity Issues”: Provides information on some of the challenges remote access clients face when connecting and various Check Point solutions.
Chapter 30, “Clientless VPN”: Explanation of how Clientless VPN provides secure SSL-based communication between clients when VPN technology is not available.
Appendices
This guide contains the following appendices:
Appendix Description
Chapter A, “VPN Command Line Interface”: A list of CLI command lines related to VPN.
Chapter B, “Converting a Traditional Policy to a Community Based Policy”: Background to both traditional and simplified modes as well as instructions for converting policies.
Chapter C, “VPN Shell”: Provides all the commands and arguments used for VTIs using the VPN Shell.