Configuring VPN between Checkpoint VPN-1/FireWall-1 FP3 and SecuRemote

By

Tasawar Jalali

Table of Contents

 

Network Configuration

Figure 1 – Network Schematics

IP Addressing Scheme

Introduction

Configuring Checkpoint VPN-1/FireWall-1 Gateway

Figure 2 - SmartDashBoard

Figure 3 – Drop Rule

Creating a Network Object

Figure 4 – Network Properties

Configuring a user for remote access

Figure 5 – User Properties Window

Figure 6 – User Properties Tab (Authentication)

Figure 7 – IKE Phase 2 Properties (Authentication)

Figure 8 – IKE Phase 2 Properties (Encryption)

Figure 9 – User Properties (Certificates)

Figure 10 – Creating Group

Configuring the Firewall Object

Figure 11 – Check Point Gateway Property

Figure 12 – Check Point Gateway Property (Topology)

Adding a Certificate

Figure 13 - Check Point Gateway Property (VPN)

Figure 14 - Check Point Gateway Property (IKE Properties)

Figure 15 - Check Point Gateway Property (VPN)

Figure 16 - Check Point Gateway Property (Remote Access)

Figure 17 - Check Point Gateway Property (Authentication)

Configuring Remote Access Community

Figure 18 – Remote Access Community Properties (Adding Participating Gateway)

Figure 19 - Remote Access Community Properties (Adding Participating Users/Groups)

Configuring Desktop Security Policy

Figure 20 – Desktop Security Rules

Configuring SecuRemote client

Figure 21 – Creating New Site (SecuRemote)

Figure 22 - Creating New Site (SecuRemote)

Figure 23 – SecuRemote Authentication

Figure 24 – Verifying Certificate (SecuRemote)

Testing VPN connection

Figure 25 – Verifying secure access to Zadibal

Questions and Feedback

Network Configuration

Figure 1 depicts a configuration in which a SecuRemote PC (ClientA) exchanges sensitive and private information with a network and an individual server (zadibal) that are protected by a Check Point VPN-1/FireWall-1 gateway (Kashmir).

Figure 1 – Network Schematics

This tutorial covers the following components:

·         Management Module

·         Policy Server

·         VPN/FireWall Module

·         A remote SecureClient PC (ClientA)

·         A remote user Bob

·         Server protected by VPN-1/FireWall-1 (zadibal)

IP Addressing Scheme

·         External Interface IP: 172.16.1.2/24

·         Internal Interface IP: 10.10.1.2/24

·         Default Gateway (Router) of the Check Point VPN-1/FireWall-1 (Kashmir): 172.16.1.1

·         Server protected by VPN-1/FireWall-1 (zadibal): 10.10.1.2/24

·         SecuRemote client PC (ClientA): 172.16.8.2/24

Introduction

This tutorial assumes that you have basic knowledge of Check Point FireWall-1 and have already installed Check Point VPN-1/FireWall-1 FP3. We also assume that this is a fresh install of the firewall with no rules or objects configured. At the end of this tutorial you should be able to configure Check Point VPN-1/FireWall-1 to allow a remote VPN client to access the protected resources behind the firewall.

Configuring Checkpoint VPN-1/FireWall-1 Gateway

Log on to SmartDashBoard FP3. Once you are authenticated successfully, SmartDashBoard should look as shown below in Figure 2, with no rules or objects except the default Check Point Gateway object.

Figure 2 - SmartDashBoard

From the menu in SmartDashBoard add a default Drop rule, which should look as shown in Figure 3.

Figure 3 – Drop Rule

Creating a Network Object

From the Objects Tree in SmartDashBoard, right-click on Networks and create a New Network. Type in a descriptive name for the local network protected by your firewall (we call it LocalNetwork) and enter the IP range of the internal network. In our case it is 10.10.1.0/255.255.255.0. The new Network Properties window should look like the following (Figure 4).

Configuring a user for remote access

From the Objects Tree in SmartDashBoard, right-click on Users and create a new user, which brings up the User Properties window. Enter the name of the user under the General tab. In our case we name the user bob (Figure 5).


Figure 5 – User Properties Window

Click on the Authentication tab and from the drop-down menu select VPN-1 & FireWall-1 Password. Click on the Enter Password button and enter your password. We will use “abc123” (without quotes) for the purposes of this tutorial. See Figure 6.

Figure 6 – User Properties Tab (Authentication)

DO NOT use such passwords in the real world unless you want your network to be compromised.

Now let's configure the encryption properties from the User Properties window. Click on the Encryption tab, check the IKE box and click Edit, which brings up the IKE Phase 2 Properties window. This window has two tabs, Authentication and Encryption. Under the Authentication tab, check Password (Pre-Shared Secret) and enter the password for IKE Phase 2. To keep this tutorial simple, we will use the same password “abc123” (without quotes). Also, leave the Public Key box checked as shown below in Figure 7.



Figure 7 – IKE Phase 2 Properties (Authentication)

Please read the IPsec and ISAKMP RFCs for details on how IKE works. Phase 1 establishes keys over the insecure network using a Diffie-Hellman (DH) exchange, authenticated here by the pre-shared secret; Phase 2 then negotiates the keys that protect the actual traffic under the protection of Phase 1. It would be wise to use a different password for Phase 2 in a real-world scenario.
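To make the Phase 1 description concrete, the following Python script is an added illustration (not part of this tutorial and not Check Point code) of the pre-shared-key Phase 1 derivation defined in RFC 2409: a Diffie-Hellman exchange over Oakley group 2 produces g^xy, SKEYID is derived from the pre-shared secret and both nonces, HASH_I is how the initiator proves it holds the same secret, and SKEYID_d is the material from which the Phase 2 (IPsec) keys are later derived. HMAC-MD5 is used as the prf because this tutorial selects MD5 as the hash. The peer names, cookies and nonces are constructed for the example, and the ISAKMP packet format, identity payloads and the 3DES encryption of the later messages are left out. Running it shows the point of the design: a wrong secret on one side still yields the same g^xy, but authentication and the derived keying material fail.

```python
"""Simplified IKEv1 Phase 1 key derivation in pre-shared-key mode (RFC 2409).

Added illustration: it models the arithmetic of the exchange, not the wire format.
"""
import hashlib
import hmac
import secrets

# Oakley group 2: the 1024-bit MODP prime and generator from RFC 2409, section 6.2.
GROUP2_PRIME = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_GENERATOR = 2
MODP_LEN = 128  # bytes in a group-2 public value or shared secret


def prf(key: bytes, data: bytes) -> bytes:
    """IKE's prf with MD5 as the negotiated hash is HMAC-MD5 (RFC 2409, section 4)."""
    return hmac.new(key, data, hashlib.md5).digest()


def to_bytes(value: int) -> bytes:
    """Fixed-width big-endian encoding, as DH values are carried in the KE payload."""
    return value.to_bytes(MODP_LEN, "big")


class Peer:
    """One side of the exchange: identity, pre-shared key, ISAKMP cookie, nonce, DH exponent."""

    def __init__(self, ident, psk, cookie, nonce=None, exponent=None):
        self.ident = ident                      # IDii_b / IDir_b (constructed)
        self.psk = psk.encode()                 # the Pre-Shared Secret from the user object
        self.cookie = cookie                    # CKY-I / CKY-R (constructed)
        self.nonce = nonce if nonce is not None else secrets.token_bytes(16)
        self.x = exponent if exponent is not None else secrets.randbelow(GROUP2_PRIME - 3) + 2
        self.public = pow(GROUP2_GENERATOR, self.x, GROUP2_PRIME)   # g^x mod p

    def shared_secret(self, peer_public: int) -> bytes:
        """g^xy: combine our private exponent with the peer's public value."""
        return to_bytes(pow(peer_public, self.x, GROUP2_PRIME))

    def skeyid(self, nonce_i: bytes, nonce_r: bytes) -> bytes:
        """SKEYID = prf(pre-shared-key, Ni_b | Nr_b): the only place the PSK enters."""
        return prf(self.psk, nonce_i + nonce_r)


def phase1(initiator: Peer, responder: Peer, sa_proposal: bytes = b"3DES-MD5-group2") -> dict:
    """Run DH agreement and PSK authentication between two peers and report the outcome."""
    gxy_i = initiator.shared_secret(responder.public)
    gxy_r = responder.shared_secret(initiator.public)
    skeyid_i = initiator.skeyid(initiator.nonce, responder.nonce)
    skeyid_r = responder.skeyid(initiator.nonce, responder.nonce)

    # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    def hash_i(skeyid: bytes) -> bytes:
        return prf(skeyid, to_bytes(initiator.public) + to_bytes(responder.public)
                   + initiator.cookie + responder.cookie + sa_proposal + initiator.ident)

    sent = hash_i(skeyid_i)       # computed by the initiator with its own PSK
    expected = hash_i(skeyid_r)   # recomputed by the responder with its own PSK

    # SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0) seeds the Phase 2 IPsec keys.
    skeyid_d_i = prf(skeyid_i, gxy_i + initiator.cookie + responder.cookie + b"\x00")
    skeyid_d_r = prf(skeyid_r, gxy_r + initiator.cookie + responder.cookie + b"\x00")

    return {
        "dh_secret_matches": gxy_i == gxy_r,
        "authenticated": hmac.compare_digest(sent, expected),
        "keying_material_matches": skeyid_d_i == skeyid_d_r,
    }


if __name__ == "__main__":
    client = Peer(b"bob", "abc123", secrets.token_bytes(8))
    gateway = Peer(b"kashmir", "abc123", secrets.token_bytes(8))
    print("matching secret:", phase1(client, gateway))
    impostor = Peer(b"kashmir", "guess", secrets.token_bytes(8))
    print("wrong secret:   ", phase1(client, impostor))
```

The DH half of the exchange succeeds regardless of the secret, which is why Phase 1 needs the pre-shared secret (or a certificate) for authentication and not for confidentiality, and why a guessable secret like “abc123” undermines the exchange even though the DH arithmetic itself is sound.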

Under the Encryption tab, select Defined below, choose 3DES and MD5 and click OK. See Figure 8.

Figure 8 – IKE Phase 2 Properties (Encryption)

Now click the Certificates tab in the User Properties window. The certificate state should read “There is no certificate for this object.”

Click on the “Generate and Save” button to create a certificate for this object. After the certificate is successfully created, the Certificates tab should look as shown in Figure 9.

Figure 9 – User Properties (Certificates)

Since we have not created any groups yet, exit the User Properties window and right-click on Groups in the Objects Tree in SmartDashBoard to create a new group called “Sales”, then add user “bob” to that group. See Figure 10.

Now, if you edit user bob, under the Groups tab in the User Properties window he should be a member of the group “Sales”.

Figure 10 – Creating Group

Configuring the Firewall Object

We will now configure the Remote Access Community, which also creates an automatic VPN rule allowing remote user bob to access the local network protected by the Check Point firewall.

Let's first configure the FireWall-1 object (Kashmir). Double-click on Kashmir in the Objects Tree in SmartDashBoard (or right-click it and choose Edit). This brings up the Check Point Gateway properties window. Click on General Properties and ensure VPN-1 Pro and SecureClient Policy Server are checked. See Figure 11.

Figure 11 – Check Point Gateway Property

Click on Topology and define the interfaces (Figure 12). For the interface with IP 172.16.1.2 select External (leads to the external interface). For the internal interface select Internal (leads to the local network), then select Specific and choose the LocalNetwork object we created above. Click OK.

Figure 12 – Check Point Gateway Property (Topology)

Adding a Certificate

Click on the VPN tab and click Add, which brings up a dialogue prompting you to automatically install the certificate. Click OK.

A dialogue confirming that the certificate was successfully generated follows the certificate generation dialogue box. See Figure 13.

Figure 13 - Check Point Gateway Property (VPN)

Once this operation is successful, you are presented with the Traditional Mode IKE Properties window. Check the Pre-Shared Secret and Exportable for SecuRemote/SecureClient check boxes as shown in Figure 14, then click OK. If this is not the first time you are configuring this property, or you have already created the certificate, you can click on the Traditional Mode Configuration button to reach these properties.

Figure 14 - Check Point Gateway Property (IKE Properties)

You may modify the advanced properties by clicking on the Advanced button to select multiple DH groups and to allow Aggressive Mode (a shorter exchange than Main Mode's three pairs of messages, and usually considered insecure). We leave these properties unchecked for the purpose of this tutorial.

Select the VPN tab and add the RemoteAccess community, which was pre-defined when we installed the firewall. You should now see “RemoteAccess” under the modules participating in VPN communities, and the default certificate should also be installed. See Figure 15.

We could also have defined another community prior to this step and added the firewall object to that community.

Figure 15 - Check Point Gateway Property (VPN)

Click on Remote Access in the main Check Point Gateway window. Choose the “Offer Office Mode to group” radio button and select “Sales”, the group we created earlier; then choose Manual (use IP pool) and select LocalNetwork (the one created above). See Figure 16.

Figure 16 - Check Point Gateway Property (Remote Access)

Click on Authentication in the main Check Point Gateway window, check the VPN-1 & FireWall-1 Password check box, and select “Sales” (the group created above) under Policy Server -> Users. See Figure 17.

Figure 17 - Check Point Gateway Property (Authentication)

Configuring Remote Access Community

·         Clicking on the VPN Manager tab in SmartDashBoard allows us to configure the Remote Access Community. Double-click on the Remote Access Community object under this tab, which brings up the window shown below (Figure 11).

·         In the General Properties window type in any descriptive name and click OK.

·         In Participating Gateways add VPN-1/FireWall-1 (Kashmir).

·         In Participating User Groups add “Sales”. See Figure 18 and Figure 19.

Figure 18 – Remote Access Community Properties (Adding Participating Gateway)

Figure 19 - Remote Access Community Properties (Adding Participating Users/Groups)

Configuring Desktop Security Policy

Click on the Desktop Security – Standard tab in SmartDashBoard and add the following two rules. These allow users (bob) in a group (Sales) to access the local network protected by the Check Point VPN-1/FireWall-1 (Kashmir) gateway. Your rules should look as shown in Figure 20.

Figure 20 – Desktop Security Rules

Configuring SecuRemote client

We assume SecuRemote is already installed. Go to the Programs menu and click on SecuRemote. In the SecuRemote menu, click on Sites --> Create New. See Figure 21.

Figure 21 – Creating New Site (SecuRemote)

Type in any nickname for your gateway and enter the IP address of the firewall's external interface (Figure 22). Click OK.

Figure 22 - Creating New Site (SecuRemote)

You will be prompted with the VPN-1 SecuRemote Authentication window. Here you can either use the user name and password we created above on the gateway or use the certificate. In this tutorial we will use the password.

Enter the user name "bob" and password "abc123" and click OK. See Figure 23.

Figure 23 – SecuRemote Authentication

Once you enter the username and password, you will be prompted to verify the certificate. See Figure 24.

Figure 24 – Verifying Certificate (SecuRemote)

Click OK; you should get a user authentication success message.

Testing VPN connection

You should be able to access all resources behind the firewall, based on the policies for SecuRemote on the VPN-1/FireWall-1 gateway.

Since we have configured all the parameters, I should be able to access Zadibal (the server behind Kashmir), which is 10.10.3.2, from my remote PC 172.16.8.2 (ClientA). The firewall takes care of all the NAT and encryption for you. This is the beauty of Check Point VPN-1/FireWall-1 NG FP3 VPN.
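When a SecuRemote test like the one above fails, the cause is very often the address plan rather than the VPN settings, so it is worth checking the plan from the IP Addressing Scheme section before building the objects. The following Python script is an added example, not part of this tutorial; the function and variable names are its own. It takes the addresses this tutorial lists (including both addresses the page gives for zadibal: 10.10.1.2 in the addressing scheme and 10.10.3.2 in the test above) and reports the problems a SecuRemote deployment trips over: an address assigned twice, a protected host outside the gateway's encryption domain (the client then does not tunnel traffic to it, and the gateway's drop rule discards it), a default router off the external subnet, and a remote client subnet overlapping the encryption domain (the client can no longer tell local hosts from protected ones).

```python
"""Sanity checks for a SecuRemote address plan (added example, not from the tutorial)."""
import ipaddress


def check_address_plan(gateway_external, gateway_internal, default_router,
                       encryption_domain, remote_clients, protected_hosts):
    """Return a list of findings; an empty list means the plan is consistent.

    gateway_external / gateway_internal: gateway interface addresses in CIDR form.
    encryption_domain: the network object (LocalNetwork) SecuRemote encrypts traffic to.
    remote_clients: dict of name -> client address in CIDR form.
    protected_hosts: dict of name -> host address behind the gateway.
    """
    findings = []
    ext = ipaddress.ip_interface(gateway_external)
    internal = ipaddress.ip_interface(gateway_internal)
    domain = ipaddress.ip_network(encryption_domain, strict=False)
    router = ipaddress.ip_address(default_router)

    # The default router must sit on the external interface's subnet.
    if router not in ext.network:
        findings.append(f"default router {router} is not on external subnet {ext.network}")

    # The encryption domain should cover the internal interface's subnet.
    if not internal.network.subnet_of(domain):
        findings.append(f"internal subnet {internal.network} is not inside encryption domain {domain}")

    # No address may be assigned twice across gateway interfaces and protected hosts.
    used = {}
    assignments = [("gateway external", ext.ip), ("gateway internal", internal.ip)]
    assignments += [(name, ipaddress.ip_address(addr)) for name, addr in protected_hosts.items()]
    for name, addr in assignments:
        if addr in used:
            findings.append(f"{name} reuses {addr}, already assigned to {used[addr]}")
        used[addr] = name

    # SecuRemote only encrypts traffic destined for the gateway's encryption domain.
    for name, addr in protected_hosts.items():
        if ipaddress.ip_address(addr) not in domain:
            findings.append(f"{name} {addr} lies outside encryption domain {domain}; "
                            "the client would not tunnel traffic to it")

    # A client on a subnet overlapping the domain cannot tell local from protected hosts.
    for name, cidr in remote_clients.items():
        client_net = ipaddress.ip_interface(cidr).network
        if client_net.overlaps(domain):
            findings.append(f"{name} subnet {client_net} overlaps encryption domain {domain}")

    return findings


# Constructed from the values the tutorial gives; zadibal is listed at two different
# addresses on the page (10.10.1.2 in the addressing scheme, 10.10.3.2 in the test).
TUTORIAL_PLAN = dict(
    gateway_external="172.16.1.2/24",
    gateway_internal="10.10.1.2/24",
    default_router="172.16.1.1",
    encryption_domain="10.10.1.0/255.255.255.0",   # the LocalNetwork object
    remote_clients={"ClientA": "172.16.8.2/24"},
    protected_hosts={"zadibal (scheme)": "10.10.1.2", "zadibal (test)": "10.10.3.2"},
)

if __name__ == "__main__":
    for line in check_address_plan(**TUTORIAL_PLAN) or ["address plan is consistent"]:
        print(line)
```

Run against the tutorial's own numbers the script reports two findings: the internal interface and zadibal sharing 10.10.1.2, and 10.10.3.2 falling outside the 10.10.1.0/24 encryption domain. Either one is enough to make the final connectivity test fail even when every VPN object is configured exactly as described, so resolving the plan first saves a round of troubleshooting on the gateway.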