Appliance and a Fortinet FortiGate Security Appliance
Note: This document assumes the reader is familiar with the basic network installation of a Check Point Embedded NG appliance and a Fortinet FortiGate security appliance.

Overview

This document explains how to create a Site-to-Site IPSEC VPN connection between a Check Point Embedded NG security appliance and a Fortinet FortiGate security appliance. In particular, it describes the configuration of the following sample network:

Figure 1: Site-to-Site VPN with Check Point Embedded NG and Fortinet FortiGate Security Appliances

This sample network uses the parameters shown in the table below. You can change any of these parameters as desired, so long as they are the same on both appliances: a mismatch in the Phase-1 or Phase-2 algorithms, the DH group, the PFS setting or the pre-shared key causes the IKE negotiation to fail, and the two sides must also agree on the key lifetimes so that they rekey together.

Table 1: Site-to-Site VPN Configuration Parameters

  Parameter                     | Value
  Encryption                    | 3DES
  Integrity                     | SHA1
  Authentication                | Pre-shared Key (Shared Secret)
  Diffie-Hellman (DH) Group     | 2
  Perfect Forward Secrecy (PFS) | Disabled
  Phase-1 key lifetime          | 24 hours (86400 seconds)
  Phase-2 key lifetime          | 1 hour (3600 seconds)

Note: 3DES, DH group 2 (1024-bit MODP) and PFS disabled are the lowest common denominator between these two products, not a recommendation. Where both appliances support them, prefer AES (the Embedded NG CLI accepts aes128/sha1 and aes256/sha1, see Modifying IKE Phase-1 Encryption Parameters) and enable PFS on both sides; without PFS, an attacker who recovers the Phase-1 key can derive every Phase-2 key negotiated under it.
Note: The Embedded NG appliance must be installed with firmware 5.0 or a subsequent version.

Configuring the FortiGate Security Appliance

To configure the FortiGate security appliance for Site-to-Site VPN
1. Configure the encryption domain. The encryption domain represents the networks to and from which you want to encrypt. These are the networks behind the VPN gateways. Do the following:
   a. Create an object for the Embedded NG VPN gateway's internal network. See Creating an Object for the Embedded NG VPN Gateway's Internal Network.
   b. Create an object for the FortiGate VPN gateway's internal network. See Creating an Object for the FortiGate VPN Gateway's Internal Network.
2. Configure the IPSEC parameters, by doing the following:
   a. Configure a Phase-1 profile. See Configuring a Phase-1 Profile.
   b. Configure a Phase-2 profile. See Configuring a Phase-2 Profile.
3. Configure VPN rules, by doing the following:
   a. Configure an Encrypt rule from the FortiGate VPN gateway network to the Embedded NG VPN gateway network. See Configuring an Encrypt Rule from the FortiGate VPN Gateway Network to the Embedded NG VPN Gateway Network.
   b. Configure an Encrypt rule from the Embedded NG VPN gateway network to the FortiGate VPN gateway network. See Configuring an Encrypt Rule from the Embedded NG VPN Gateway Network to the FortiGate VPN Gateway Network.

Configuring the Encryption Domain

Creating an Object for the Embedded NG VPN Gateway's Internal Network

To create an object for the Embedded NG VPN gateway's internal network
1. In the main menu, click Firewall. The Firewall submenu opens.
2. In the Firewall submenu, click Address. The Address page appears.
3. Click Create New. The New Address page appears.
4. In the Address Name field, type a name for the Embedded NG VPN gateway internal network object. For example: CP_Internal.
5. In the IP Range/Subnet field, type the IP address and subnet mask of the Embedded NG VPN gateway's internal network. For example: 192.168.100.0/24.
6. Click OK.

Creating an Object for the FortiGate VPN Gateway's Internal Network

To create an object for the FortiGate VPN gateway's internal network
1. In the main menu, click Firewall. The Firewall submenu opens.
2. In the Firewall submenu, click Address. The Address page appears.
3. Click Create New. The New Address page appears.
4. In the Address Name field, type a name for the FortiGate VPN gateway internal network object. For example: FG_Internal.
5. In the IP Range/Subnet field, type the IP address and subnet mask of the FortiGate VPN gateway's internal network. For example: 192.168.1.0/255.255.255.0. The field accepts either a prefix length (as in the previous object) or a dotted netmask; both forms denote the same /24 network.
6. Click OK.

Configuring IPSEC Parameters

Configuring a Phase-1 Profile

To configure a Phase-1 profile
1. In the main menu, click VPN. The VPN submenu opens.
2. In the VPN submenu, click IPSEC. The Phase 1 page appears.
3. Click Create New. The New VPN Gateway page appears.
4. Click Advanced. Additional fields appear.
5. Fill in the fields as described in the table below. Do not change the default settings of fields that are not listed in the table.
6. Click OK.

Table 2: Phase-1 Profile Fields

  Field | Do this | In the sample network
  Gateway Name | Type a name for the gateway. | Site2Site
  Remote Gateway | Select the remote gateway type. The Embedded NG VPN gateway has a static IP address. | Static IP Address
  IP Address | Type the Embedded NG VPN gateway's IP address. | 212.150.8.85
  Authentication Method | Select the authentication method to use. | Preshared Key
  Pre-shared Key | Type the pre-shared key. Use the same pre-shared key as configured on the Embedded NG VPN gateway. | Secret123
  Encryption | Select the type of encryption to use to secure the VPN connection. | 3DES
  Authentication | Select the authentication algorithm to use. | SHA1
  DH Group | Select the Diffie-Hellman group to use. | 2
  Keylife | Type the Phase-1 key lifetime in seconds. This parameter must match the Phase-1 keylife on the Embedded NG VPN gateway. | 86400

Note: Secret123 is a placeholder for the sample network only. With pre-shared key authentication the key is all that authenticates the two gateways to each other, so use a long, randomly generated secret and exchange it out of band.

Configuring a Phase-2 Profile

To configure a Phase-2 profile
1. In the main menu, click VPN. The VPN submenu opens.
2. In the VPN submenu, click IPSEC. The Phase 1 page appears.
3. Click the Phase 2 tab. The Phase 2 page appears.
4. Click Create New. The New VPN Tunnel page appears.
5. Click Advanced. Additional fields appear.
6. Fill in the fields as described in the table below. Do not change the default settings of fields that are not listed in the table.
7. Click OK.

Table 3: IPSEC Phase-2 Profile Fields

  Field | Do this | In the sample network
  Tunnel Name | Enter a name for the tunnel. | CheckPoint
  Remote Gateway | Select the Phase-1 profile you created for this tunnel. | Site2Site
  Encryption | Select the type of encryption to use to secure the VPN connection. | 3DES
  Authentication | Select the authentication algorithm to use. | SHA1
  Enable perfect forward secrecy (PFS) | Specify whether to use PFS. | Clear this option.
  Keylife | Use the fields provided to specify the Phase-2 keylife in seconds. This parameter must match the Phase-2 keylife on the Embedded NG VPN gateway. | 3600

Configuring VPN Rules

Configuring an Encrypt Rule from the FortiGate VPN Gateway Network to the Embedded NG VPN Gateway Network

To configure an Encrypt rule from the FortiGate VPN gateway network to the Embedded NG VPN gateway network
1. In the main menu, click Firewall. The Firewall submenu opens.
2. In the Firewall submenu, click Policy. The Policy page appears.
3. Click Create New. The New Policy page appears.
4. Fill in the fields as described in the table below. Do not change the default settings of fields that are not listed in the table.
5. Click OK.

Table 4: Encrypt Rule from the FortiGate Network to the Embedded NG Network Fields

  Field | Do this | In the sample network
  Interface/Zone | In the Source drop-down list, select Internal. In the Destination drop-down list, select External. | Source: Internal; Destination: External
  Address Name | In the Source drop-down list, select the FortiGate VPN gateway's internal address object from which you want traffic to be encrypted. In the Destination drop-down list, select the Embedded NG VPN gateway's internal address object to which you want traffic to be encrypted. | Source: FG_Internal; Destination: CP_Internal
  Action | Select ENCRYPT. | ENCRYPT
  VPN Tunnel | Select the Phase-2 profile you created. | CheckPoint

Configuring an Encrypt Rule from the Embedded NG VPN Gateway Network to the FortiGate VPN Gateway Network

To configure an Encrypt rule from the Embedded NG VPN gateway network to the FortiGate VPN gateway network
1. In the main menu, click Firewall. The Firewall submenu opens.
2. In the Firewall submenu, click Policy. The Policy page appears.
3. Click Create New. The New Policy page appears.
4. Fill in the fields as described in the table below. Do not change the default settings of fields that are not listed in the table.
5. Click OK.

Table 5: Encrypt Rule from the Embedded NG Network to the FortiGate Network Fields

  Field | Do this | In the sample network
  Interface/Zone | This rule matches traffic arriving through the tunnel, so the interfaces are the reverse of Table 4: in the Source drop-down list, select External. In the Destination drop-down list, select Internal. | Source: External; Destination: Internal
  Address Name | In the Source drop-down list, select the Embedded NG VPN gateway's internal address object from which you want traffic to be encrypted. In the Destination drop-down list, select the FortiGate VPN gateway's internal address object to which you want traffic to be encrypted. | Source: CP_Internal; Destination: FG_Internal
  Action | Select ENCRYPT. | ENCRYPT
  VPN Tunnel | Select the Phase-2 profile you created. | CheckPoint

Both rules may only reference the two address objects created under Configuring the Encryption Domain; together they define the encryption domain the FortiGate will propose in Phase 2, and it must be the same pair of networks the Embedded NG appliance is given in the VPN Site Wizard below.

Configuring the Embedded NG Security Appliance

To configure the Embedded NG security appliance for Site-to-Site VPN
1. Add the FortiGate security appliance as a Site-to-Site gateway. See Adding the FortiGate Security Appliance as a Site-to-Site VPN Gateway.
2. Configure IPSEC parameters to match those you configured on the FortiGate appliance. Do the following:
   a. Modify IKE Phase-1 encryption parameters. See Modifying IKE Phase-1 Encryption Parameters.
   b. Modify IKE Phase-2 encryption parameters. See Modifying IKE Phase-2 Encryption Parameters.
   c. Modify the IKE Phase-1 key lifetime. See Modifying the IKE Phase-1 Key Lifetime.
   d. Modify the IKE Phase-2 key lifetime. See Modifying the IKE Phase-2 Key Lifetime.

Adding the FortiGate Security Appliance as a Site-to-Site VPN Gateway

To add the FortiGate appliance as a Site-to-Site VPN gateway
1. Click VPN in the main menu, and click the VPN Sites tab. The VPN Sites page appears.
2. Click New Site. The VPN Site Wizard opens, with the Welcome to the VPN Site Wizard dialog box displayed.
5. In the VPN Gateway field, type the IP address of the FortiGate VPN gateway.
6. Select Bypass NAT. This setting exempts traffic between the FortiGate VPN gateway's network and the Embedded NG VPN gateway's internal network from NAT, so that the addresses inside the tunnel are the ones in the encryption domain configured on the FortiGate.
7. Select Bypass the firewall. This setting allows the FortiGate VPN gateway's network to access the Embedded NG VPN gateway's internal network without restriction, over the VPN tunnel only. Note that this grants the remote site unrestricted access to every host behind the Embedded NG appliance; if the remote site should reach only specific hosts or services, leave this option cleared so that the appliance's firewall rules still apply to the tunnel traffic.
8. Click Next. The VPN Network Configuration dialog box appears.
9. Select Specify Configuration. 10. Click Next. A second VPN Network Configuration dialog box appears.
11. In the Destination network fields, type up to three destination network addresses at the FortiGate VPN gateway.
12. In the Subnet mask fields, select the subnet masks for the destination network addresses.
13. Click Next. The Authentication Method dialog box appears.
14. Select Shared Secret. 15. Click Next.
The Authentication dialog box appears.
16. In the Use Shared Secret field, type the shared secret to use for secure communications with the FortiGate VPN gateway. This must be the pre-shared key you configured on the FortiGate VPN gateway in Configuring a Phase-1 Profile.
17. Click Next. The Connect dialog box appears.
18. If you configured the FortiGate appliance as described in Configuring the FortiGate Security Appliance, select the Try to Connect to the VPN Gateway check box to try to connect to it. This allows you to test the VPN connection.
Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated. 19. Click Next. If you selected Try to Connect to the VPN Gateway, the Connecting screen appears, and then the Contacting VPN Site screen appears. The Site Name dialog box appears.
20. Type a name for the VPN site. You may choose any name. For example: FortiGate.
Note: Do not select Keep this site alive. 21. Click Next. The VPN Site Created screen appears.
22. Click Finish. The VPN Sites page reappears. The new site appears in the VPN Sites list.

Configuring IPSEC Parameters

Configuring the IPSEC parameters on the Embedded NG security appliance is done through the appliance's command line interface (CLI). For information on accessing the CLI, refer to the User Guide. For information on CLI syntax, refer to the Check Point Embedded NG CLI Reference Guide.

In each of the commands below, number is the number of the FortiGate VPN gateway's row in the VPN Sites table in the Embedded NG Portal; the examples assume the FortiGate VPN gateway appears in row 2. The algorithm arguments combine the encryption and integrity algorithms in one token, so 3des/sha1 is the CLI equivalent of Encryption 3DES and Authentication SHA1 in the FortiGate Phase-1 and Phase-2 profiles.

Modifying IKE Phase-1 Encryption Parameters

To modify IKE Phase-1 encryption parameters, use the following command syntax:

  set vpn sites number phase1ikealgs [automatic | des/md5 | des/sha1 | 3des/md5 | 3des/sha1 | aes128/md5 | aes128/sha1 | aes256/md5 | aes256/sha1]

For example, to set the Embedded NG appliance to use 3DES/SHA1 encryption for Phase-1 IKE negotiations with the gateway in row 2, run the command:

  set vpn sites 2 phase1ikealgs 3des/sha1

Modifying IKE Phase-2 Encryption Parameters

To modify IKE Phase-2 encryption parameters, use the following command syntax:

  set vpn sites number phase2ikealgs [automatic | des/md5 | des/sha1 | 3des/md5 | 3des/sha1 | aes128/md5 | aes128/sha1 | aes256/md5 | aes256/sha1]

For example, to set the Embedded NG appliance to use 3DES/SHA1 encryption for Phase-2 IKE negotiations with the gateway in row 2, run the command:

  set vpn sites 2 phase2ikealgs 3des/sha1

Modifying the IKE Phase-1 Key Lifetime

To modify the IKE Phase-1 key lifetime, use the following command syntax:

  set vpn sites number phase1exptime seconds

where seconds is the length of the IKE Phase-1 key lifetime in seconds. For example, to set the Embedded NG appliance to use a Phase-1 key lifetime of 24 hours (86400 seconds) with the gateway in row 2, run the command:

  set vpn sites 2 phase1exptime 86400

Modifying the IKE Phase-2 Key Lifetime

To modify the IKE Phase-2 key lifetime, use the following command syntax:

  set vpn sites number phase2exptime seconds

where seconds is the length of the IKE Phase-2 key lifetime in seconds. For example, to set the Embedded NG appliance to use a Phase-2 key lifetime of 1 hour (3600 seconds) with the gateway in row 2, run the command:

  set vpn sites 2 phase2exptime 3600

After the four commands, the Embedded NG site uses the same algorithms and lifetimes as the FortiGate Phase-1 and Phase-2 profiles (Tables 2 and 3); the DH group and the PFS setting are not changed by these commands and must already agree with Table 1.
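The following is an added example, not code from Check Point or Fortinet, and not part of the original guide. It ties the FortiGate procedure (Configuring the FortiGate Security Appliance) and the Embedded NG CLI procedure above together: given the parameters entered on each appliance it reports any that differ, flags the weak choices a reviewer would question, verifies that the FortiGate Encrypt rules only reference address objects that were actually created, and prints the four Embedded NG CLI commands for a VPN Sites row. The sample values are constructed from Table 1 and the sample network; the row number (2), the FortiGate rule names and the 20-character pre-shared key threshold are assumptions made here.

```python
"""Added example, not Check Point or Fortinet code: a consistency checker for
the Site-to-Site VPN parameters in this guide.  Sample data is constructed
from Table 1; row number, rule names and PSK threshold are assumptions."""
import ipaddress

# Tokens accepted by 'set vpn sites <n> phase1ikealgs|phase2ikealgs',
# as listed in the CLI syntax quoted in this guide.
EMBEDDED_NG_ALGS = {
    "automatic", "des/md5", "des/sha1", "3des/md5", "3des/sha1",
    "aes128/md5", "aes128/sha1", "aes256/md5", "aes256/sha1",
}

# Algorithms the tunnel will negotiate happily but that are deprecated today.
WEAK_ALGS = {"des": "single DES", "3des": "3DES", "md5": "MD5"}

# Parameters that must be identical on both appliances (Table 1).
MUST_MATCH = ("p1_encryption", "p1_integrity", "p2_encryption", "p2_integrity",
              "dh_group", "pfs", "p1_keylife", "p2_keylife", "psk")


def alg_token(encryption, integrity):
    """Map the FortiGate GUI names (3DES, SHA1) to the Embedded NG token (3des/sha1)."""
    token = f"{encryption}/{integrity}".lower()
    if token not in EMBEDDED_NG_ALGS:
        raise ValueError(f"{token} is not accepted by the Embedded NG CLI")
    return token


def normalize_network(text):
    """Accept '192.168.1.0/24' and '192.168.1.0/255.255.255.0' alike (both appear in this guide)."""
    return str(ipaddress.ip_network(text, strict=True))


def embedded_ng_commands(row, params):
    """The four 'set vpn sites' commands this guide runs on the Embedded NG appliance."""
    p1 = alg_token(params["p1_encryption"], params["p1_integrity"])
    p2 = alg_token(params["p2_encryption"], params["p2_integrity"])
    return [
        f"set vpn sites {row} phase1ikealgs {p1}",
        f"set vpn sites {row} phase2ikealgs {p2}",
        f"set vpn sites {row} phase1exptime {int(params['p1_keylife'])}",
        f"set vpn sites {row} phase2exptime {int(params['p2_keylife'])}",
    ]


def mismatches(fortigate, embedded_ng):
    """Names of parameters that differ between the two sides; empty means they agree."""
    return [k for k in MUST_MATCH if fortigate.get(k) != embedded_ng.get(k)]


def weak_choices(params):
    """Warnings for deprecated ciphers, DH group 2, PFS off and a short pre-shared key."""
    warnings = []
    for key in ("p1_encryption", "p1_integrity", "p2_encryption", "p2_integrity"):
        name = params[key].lower()
        if name in WEAK_ALGS:
            warnings.append(f"{key}: {WEAK_ALGS[name]} is deprecated")
    if params["dh_group"] <= 2:
        warnings.append("dh_group: group 2 is 1024-bit MODP, too small today")
    if not params["pfs"]:
        warnings.append("pfs: disabled, so a Phase-1 key compromise exposes every Phase-2 key")
    if len(params["psk"]) < 20:          # threshold is an assumption, not a product limit
        warnings.append("psk: shorter than 20 characters, use a long random secret")
    return warnings


def check_rules(address_objects, rules):
    """Each Encrypt rule must name address objects that were actually created."""
    return [f"rule {r['name']}: unknown address object {obj}"
            for r in rules for obj in (r["src"], r["dst"])
            if obj not in address_objects]


# Constructed sample data: the values from Table 1 and the sample network.
AGREED = {"p1_encryption": "3DES", "p1_integrity": "SHA1",
          "p2_encryption": "3DES", "p2_integrity": "SHA1",
          "dh_group": 2, "pfs": False,
          "p1_keylife": 86400, "p2_keylife": 3600, "psk": "Secret123"}
FORTIGATE_OBJECTS = {"CP_Internal": normalize_network("192.168.100.0/24"),
                     "FG_Internal": normalize_network("192.168.1.0/255.255.255.0")}
FORTIGATE_RULES = [{"name": "FG_to_CP", "src": "FG_Internal", "dst": "CP_Internal"},
                   {"name": "CP_to_FG", "src": "CP_Internal", "dst": "FG_Internal"}]

if __name__ == "__main__":
    print("\n".join(embedded_ng_commands(2, AGREED)))   # row 2 is an assumption
    for warning in weak_choices(AGREED):
        print("WARNING:", warning)
    print("rule problems:", check_rules(FORTIGATE_OBJECTS, FORTIGATE_RULES))
```

Run it before touching either appliance: an empty list from mismatches and from check_rules means the two configurations describe the same tunnel, and the printed warnings are the places where the sample parameters are weaker than what both products can do.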