Hello everyone! It's time for another blog post from John <at> Spikefish Solutions. The last blog post contained a bit of silliness. Let me be Frank, that isn't going to stop. This write-up will be a bit more technical. I ran across the need for a Hub and Spoke mode VPN with Check Point. I hit a few problems and had to get some advice from the local Check Point Diamond rep.
This guy was super knowledgeable and is a joy to work with. To protect his identity, we'll call him XML Smith.
That aside, let's make something clear. This is intended to be a very detailed write-up on how to set up a Hub and Spoke VPN with a Check Point Firewall, which is located in Miami, FL, as the center gateway. It basically shows how a Check Point Firewall can act as an IPSec proxy. What do I mean by IPSec proxy?
==
What this write-up is about:
The firewalls on the outside (Firewall A and Firewall C) don't know that the remote networks they reach don't actually exist behind the center Check Point Firewall. If you look closely you'll see that Firewall A's and Firewall C's encryption domains are not in Firewall B's encryption domain, and yet we have Firewall A building a VPN to Firewall B and Firewall B building a VPN to Firewall C. What is really happening is that there are 2 VPNs, but Firewall A and Firewall C each only know of a single VPN.
Something else interesting to point out is that the satellite gateways are Interoperability Devices (interop). In this demo they will be pfSense firewalls. I used these because I didn't have access to Cisco devices and didn't feel like going the GNS3 route. I also didn't want to use Check Point gateways as satellites, to prove there was no black magic involved here.
Ok, wait a sec... before moving on. The Check Point Diamond rep's name... I'm not a fan of XML. XML is a markup language that is hard for both humans and machines to parse. Let's call him JSON Smith instead... phew... ok. That sounds much better. JSON Smith in Check Point Diamond is a great guy to have in your corner. Diamond is completely worth it, especially when you call them up and say come out here and upgrade P1 for me. :D
RIGHT! So let's talk lab overview. Engage network diagram (insert sci-fi sound here)!
[Network diagram: Network Overview]
- All clients: OpenBSD 5.9 (.100 address) - default route is pointing to .1, btw
- Interop Firewall A: pfSense 2.3.1 - Release
- Check Point Firewall B: Check Point R77.30 - Single Firewall + Management
- Interop Firewall C: pfSense 2.3.1 - Release
I should also point out that all firewalls have static routes for all networks listed.
I created 5 VLANs for this (VL100 - VL104). I used VLANs off a single virtual switch for this lab. Also, no devices are trunking.
The orange cloud represents what would be the Internet. The reason I'm pointing this out is that it shows you can even have a firewall on the internal network with this design.
Debugs:
All debugs have been started before passing traffic so that you can see everything.
This is all from the Check Point Firewall B in the Center of Miami.
- TCPDUMP on eth0, eth1, eth2.
- Firewall Monitor output
- ike.elg - vpn debug ikeon
- Export of all Tracker events during the passing of traffic.
Traffic for the VPN includes ping and SSH between VL100 and VL102 and an SSH attempt between VL100 and VL104.
Note: to view the ike.elg you need to download infoview from Check Point. If you don't have access, call your local Check Point SE. I'm sure they'll be more than happy to get you a copy... or call Phoneboy, but make sure it's like 3am in whatever timezone he is in. He loves that!
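If you'd rather not eyeball three captures by hand, here is a Python check I added for this post (it is not code from the original post or from Check Point) that reads tcpdump text for the three interfaces and confirms the property the captures are meant to show: satellite traffic only ever appears as ESP on the two Internet-facing legs, and each leg carries its own SA (different SPIs) because the hub decrypts and re-encrypts. The interface roles (eth0 toward Firewall A, eth1 the internal VL102 side, eth2 toward Firewall C), the addresses and the capture lines are all constructed assumptions, not the post's captures; the post's .cap files can be turned into this text form with `tcpdump -nr eth0.cap`.

```python
"""Audit tcpdump text from the hub's interfaces for a hub-and-spoke VPN.

Added example, not the post's code. Assumptions: eth0 faces Firewall A,
eth1 is the internal (VL102) side, eth2 faces Firewall C; the subnets and
the capture lines below are constructed, not taken from the post's .cap files.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed satellite encryption domains (VL100 behind A, VL104 behind C).
SPOKE_NETS = [ip_network("10.100.0.0/24"), ip_network("10.104.0.0/24")]
# Assumption: these two interfaces are the Internet-facing legs of the hub.
EXTERNAL_IFACES = {"eth0", "eth2"}

# Matches the "IP src[.port] > dst[.port]: rest" shape of `tcpdump -n` output.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (?P<rest>.*)$"
)
SPI_RE = re.compile(r"spi=(0x[0-9a-fA-F]+)")

# Constructed capture text: VL100 pings VL102 (clear on eth1, ESP on eth0) and
# VL100 talks to VL104 (ESP in on eth0, ESP out on eth2: the bounce).
GOOD_CAPTURE = {
    "eth0": [
        "12:00:01.000100 IP 198.51.100.10 > 198.51.100.20: ESP(spi=0x0a0a0a01,seq=0x1), length 132",
        "12:00:01.000900 IP 198.51.100.20 > 198.51.100.10: ESP(spi=0x0c0c0c02,seq=0x1), length 132",
        "12:00:02.000050 IP 198.51.100.10 > 198.51.100.20: ESP(spi=0x0a0a0a01,seq=0x2), length 148",
    ],
    "eth1": [
        "12:00:01.000300 IP 10.100.0.100 > 10.102.0.100: ICMP echo request, id 1234, seq 1, length 64",
        "12:00:01.000500 IP 10.102.0.100 > 10.100.0.100: ICMP echo reply, id 1234, seq 1, length 64",
    ],
    "eth2": [
        "12:00:02.000100 IP 198.51.100.20 > 198.51.100.30: ESP(spi=0x0e0e0e03,seq=0x1), length 148",
        "12:00:02.000600 IP 198.51.100.30 > 198.51.100.20: ESP(spi=0x0b0b0b04,seq=0x1), length 148",
    ],
}
# Same captures plus one cleartext VL100 -> VL104 SYN leaving eth2 unencrypted,
# the kind of thing a wrong route or encryption domain would produce.
LEAK_CAPTURE = {iface: list(lines) for iface, lines in GOOD_CAPTURE.items()}
LEAK_CAPTURE["eth2"].append(
    "12:00:03.000100 IP 10.100.0.100.40000 > 10.104.0.100.22: Flags [S], seq 1, win 65535, length 0"
)


def parse_line(line):
    """Return {src, dst, esp, spi} for one tcpdump line, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    esp = rest.startswith("ESP(")
    spi_match = SPI_RE.search(rest) if esp else None
    spi = spi_match.group(1) if spi_match else None
    return {"src": m.group("src"), "dst": m.group("dst"), "esp": esp, "spi": spi}


def _in_spoke_domain(ip):
    addr = ip_address(ip)
    return any(addr in net for net in SPOKE_NETS)


def audit_captures(captures):
    """Per interface: the set of ESP SPIs seen and the cleartext packet count.
    A finding is any cleartext packet on an external leg that involves a
    satellite address, i.e. satellite traffic travelling outside the tunnel."""
    report = {"esp_spis": {}, "cleartext": {}, "findings": []}
    for iface, lines in captures.items():
        spis, clear = set(), 0
        for pkt in filter(None, map(parse_line, lines)):
            if pkt["esp"]:
                spis.add(pkt["spi"])
                continue
            clear += 1
            if iface in EXTERNAL_IFACES and (
                _in_spoke_domain(pkt["src"]) or _in_spoke_domain(pkt["dst"])
            ):
                report["findings"].append(
                    f"{iface}: cleartext {pkt['src']} > {pkt['dst']} outside the tunnel"
                )
        report["esp_spis"][iface] = spis
        report["cleartext"][iface] = clear
    return report


def both_legs_encrypted(report):
    """True when every external leg carried ESP and nothing leaked in the clear."""
    return not report["findings"] and all(report["esp_spis"].get(i) for i in EXTERNAL_IFACES)


if __name__ == "__main__":
    for name, capture in (("good", GOOD_CAPTURE), ("leak", LEAK_CAPTURE)):
        rep = audit_captures(capture)
        print(name, "encrypted on both legs:", both_legs_encrypted(rep), rep["findings"])
```

The two distinct SPI sets on eth0 and eth2 are the tell-tale of the design: the hub terminates one SA and starts another, so the outer IP addresses and SPIs on the two legs never match, while the inner VL100/VL104 addresses should never show up in the clear on either of them.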
Backups:
But wait, that isn't all! I also took backups of everything! This means you can set this up in a lab and quickly restore the backups if you want! Be warned, the Check Point Firewall in Miami Beach (ok, virtual Miami Beach) backup is 128 MB. Backup links and debug files are located at the end of the post, so scroll all the way down if that's what you're looking for.
Also, if you are restoring the Check Point backup you will most likely need to install an eval, as the license will have expired. You'll need a central all-in-one eval pointing to IP 192.168.20.10. Again, call your local Check Point SE and they will be happy to help with this if you don't have access to UserCenter to generate your own eval keys.
One last quick note: the key to this config is that the contents of encryption domains A and C cannot be located in encryption domain B. This is really the main configuration item of the setup, and a little odd compared to a normal domain-based VPN setup on a Check Point Firewall.
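To make that encryption-domain rule concrete, here is a small Python model of it, written for this post as an added example (it is not code from the original post or from Check Point, and it calls no Check Point API). The subnets are constructed placeholders, since the post does not list the real VLAN subnets, and the function names are hypothetical. It checks the layout the way the post describes it, works out what remote domain each satellite ends up negotiating against the hub once VPN Routing sends satellite traffic through the center, and shows which tunnel the hub re-encrypts a decrypted packet into (the bounce you see in the logs).

```python
"""Hub-and-spoke encryption-domain model (added example, not the post's code).

Assumptions: the subnets below are constructed placeholders for VL100/VL102/VL104;
the function names are hypothetical; nothing here talks to a Check Point gateway.
"""
from ipaddress import ip_address, ip_network

# Constructed lab addressing: hub B protects VL102, satellite A protects
# VL100 and satellite C protects VL104. Not the post's real subnets.
HUB_DOMAIN = ["10.102.0.0/24"]
SPOKE_DOMAINS = {
    "Firewall A": ["10.100.0.0/24"],
    "Firewall C": ["10.104.0.0/24"],
}


def _nets(cidrs):
    return [ip_network(c) for c in cidrs]


def _overlapping(a, b):
    """True if any network in `a` overlaps any network in `b`."""
    return any(x.overlaps(y) for x in _nets(a) for y in _nets(b))


def validate_domains(hub, spokes):
    """The post's key rule: a satellite's domain must not sit inside the hub's
    encryption domain, and satellites must not overlap each other either.
    Returns a list of problems; an empty list means the layout is usable."""
    problems = []
    for name, nets in spokes.items():
        if _overlapping(nets, hub):
            problems.append(f"{name} encryption domain overlaps the hub domain")
    names = list(spokes)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if _overlapping(spokes[first], spokes[second]):
                problems.append(f"{first} and {second} encryption domains overlap")
    return problems


def remote_domain_seen_by(spoke, hub, spokes):
    """What a satellite negotiates as the remote side of its one tunnel to the
    hub once VPN Routing passes satellite traffic through the center: the hub's
    own domain plus every other satellite's domain, as sorted CIDR strings."""
    remote = _nets(hub)
    for name, nets in spokes.items():
        if name != spoke:
            remote.extend(_nets(nets))
    return [str(n) for n in sorted(remote)]


def _tunnel_for(addr, spokes):
    for name, nets in spokes.items():
        if any(addr in n for n in _nets(nets)):
            return name
    return None


def hub_forwarding(src, dst, hub, spokes):
    """Decide what the hub does with a packet it has just decrypted from a
    satellite tunnel. Returns (ingress_tunnel, egress) where egress is another
    tunnel name (the bounce in the post's logs), "local" for the hub's own
    domain, or None when the flow does not belong to this VPN at all."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    ingress = _tunnel_for(src_ip, spokes)
    if ingress is None:
        return None
    if any(dst_ip in n for n in _nets(hub)):
        return (ingress, "local")
    egress = _tunnel_for(dst_ip, spokes)
    if egress is None or egress == ingress:
        return None
    return (ingress, egress)


if __name__ == "__main__":
    print("problems:", validate_domains(HUB_DOMAIN, SPOKE_DOMAINS) or "none")
    for spoke in SPOKE_DOMAINS:
        print(spoke, "sees remote domain", remote_domain_seen_by(spoke, HUB_DOMAIN, SPOKE_DOMAINS))
    print("VL100 -> VL104:", hub_forwarding("10.100.0.100", "10.104.0.100", HUB_DOMAIN, SPOKE_DOMAINS))
    print("VL100 -> VL102:", hub_forwarding("10.100.0.100", "10.102.0.100", HUB_DOMAIN, SPOKE_DOMAINS))
```

The point of `remote_domain_seen_by` is the "single VPN" illusion from the start of the post: Firewall A only ever negotiates one tunnel to the hub, but the remote side of that tunnel covers VL104 even though VL104 is not in Firewall B's own encryption domain. If you put a satellite's subnet inside the hub domain, `validate_domains` flags it, which is exactly the configuration mistake the note above warns about.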
So let's start with the policy, shall we? Here we can see ping and SSH are allowed bidirectionally from VL100 to VL102. We can also see ping is allowed bidirectionally between VL100 and VL104 (this is the hub and spoke part). Nothing else is allowed. Clients are all running stock OpenBSD 5.9 and I didn't feel like setting up any other services besides SSH.
Next, let's walk through the settings of Check Point Firewall B, which is the hub and star of our VPN. This is what you would see after double-clicking Check Point Firewall B (which is a Check Point Firewall, if I didn't make that clear. I hear Check Point in Miami is a good deal also).
Here is the Topology view
Next is the IPSec VPN tab
Link Selection under that.
This is what is under the Setup button.
VPN Advanced
Firewall B encryption domain
====
Firewall A!
Firewall A Topology
Firewall A encryption domain
====
Firewall C - General
Firewall C topology
Firewall C encryption domain.
====
And here is the IPSec VPN tab configuration!
Center gateway and Satellite - Yes, the Check Point Firewall in Miami. Yes I know that's getting annoying, at least there aren't ads (cough cough yet)!
Encryption (encryption + hashing).
And then under the Advanced tab - VPN Routing! This is where the magic happens, assuming you set up the encryption domains correctly. Everything else is default on the VPN Community.
Ok, so that's about it for the Check Point VPN Hub and Spoke configuration examples. Everything else is default. If you want to see the other windows let me know and I'll add them, but I get the feeling there are a lot of screenshots in here already.
Let's look at the logs. Notice the bounces? Those are the VPN Routing icons that tell you magic is happening!
Debugs:
eth0.cap
eth1.cap
eth2.cap
ike.elg
Firewall_Monitor.txt
Tracker-export.txt
Backups:
backup-FirewallA.localdomain-20160624013059.xml
backup-FirewallC.localdomain-20160624013128.xml
backup_FirewallB_23_Jun_2016_18_26.tgz
Note: I haven't tried restoring any of these so please let me know if there are problems.
All logins are as follows:
User: admin
Password: vpn123
No one who worked at Check Point can use any other login for a lab install.