Check Point vSEC – Azure Openswan

(21 Jun 2016)

In this test case a Check Point vSEC virtual machine was installed from Azure Marketplace and a site-to-site VPN connection created to an Openswan VPN gateway in another Azure virtual network. The installed Check Point package was “Check Point vSEC – BYOL” (the other alternative is the pay-as-you-go package “Check Point vSEC NGTP – PAYG”). The Check Point and Openswan gateways were running in a Linux virtual machine. The gateways were authenticated by a pre-shared key (PSK).

The following configuration settings and VPN versions were used:

Check Point:

  • Check Point Security Gateway R77.30.8016064 (Kernel: 2.6.18-92cpx86_64)
  • Configuration created with Check Point Smart Dashboard R77.30 in a Windows workstation
  • Virtual network 10.0.0.0/24 (protected network)
  • One network adapter
  • Local IP address 10.0.0.4, NATed public IP address x.x.x.x

Openswan:

  • Linux Openswan U2.6.38/K3.19.0-56-generic (netkey)
  • Ubuntu 14.04 virtual machine
  • Virtual network 10.4.1.0/24 (protected network)
  • One network adapter
  • Local IP address 10.4.1.4, NATed public IP address y.y.y.y

Figure: CheckPoint-Openswan

Installing and setting up Check Point vSEC

  1. Install the Check Point vSEC – BYOL package from Azure Marketplace and define the following settings in the installation wizard:
    • Username and password for connecting to the virtual machine
    • Virtual network subnet: 10.0.0.0/24
    • Create a new public IP address for the virtual machine (x.x.x.x)
    • Create a new Network Security Group
  2. In the new Azure Portal, select the newly created Network Security Group > Inbound Security Rules and add a rule allowing the Openswan VPN gateway to access the Check Point gateway:
    • Source: CIDR block
    • Source IP address range: y.y.y.y (Openswan public IP address)
    • Protocol: Any
    • Source port range: *
    • Destination: Any
    • Destination port range: *
  3. Connect with web browser to the Check Point gateway at address https://x.x.x.x and run the First Time Configuration Wizard
  4. After the wizard has completed, download and install the SmartConsole for managing the Security Gateway
  5. Start SmartDashboard for configuring the firewall and VPN settings
  6. Select Network Objects > Check Point > (your security gateway)
  7. In the list of Network Security features select: IPSec VPN
  8. In the Topology > VPN Domain setting define: 10.0.0.0/24
  9. In IPSec VPN menu select: The Security Gateway participates in the following VPN Communities = MyIntranet
  10. Select Network Objects > Nodes > Others > Interoperable device and create the Openswan network object
  11. In General Properties > IPv4 Address give the address y.y.y.y (Openswan public IP address)
  12. In Topology > General give: Network Address = 10.4.1.0 and Net Mask = 255.255.255.0
  13. In IPSec VPN menu select: The Security Gateway participates in the following VPN Communities = MyIntranet
  14. Open the IPSec VPN tab and select MyIntranet
  15. In General menu select: Accept all encrypted traffic
  16. In Encryption menu select: Encryption Method = IKEv1 for IPv4, IKEv2 for IPv6 and Encryption Suite = VPN A (3DES, SHA-1, Diffie-Hellman Group 2)
  17. In Advanced Settings > Shared Secret select: Use only Shared Secret for external members
  18. Define the shared secret (match with the PSK given in the Openswan ipsec.secrets configuration file)
  19. A default VPN rule gets now automatically added in the firewall rules. If any additional rules are needed, add them in the Firewall menu
  20. Select Install Policy to install the policy to the Security Gateway

In addition to the above steps, the Azure routing table needs to be modified to route the packets from the local network to the remote site via the Check Point Security Gateway (route 10.4.1.0/24 going via gateway 10.0.0.4). The route table was modified as instructed in the TechNet blog post "Step-by-Step: User-Defined Routing in the Cloud with Azure Resource Manager and Azure PowerShell 1.0 Preview".

Setting up of Openswan VPN gateway in Azure

  1. In Azure create Virtual Network with address space 10.4.1.0/24
  2. Add Ubuntu 14.04 Virtual Machine in the Virtual Network
  3. Assign an Instance public IP address for the Ubuntu Virtual Machine in the new Azure Portal by selecting (virtual machine) > IP Addresses > Instance IP Address = ON (the assigned address y.y.y.y will be used as the remote IP address in the Check Point configuration)
  4. In Azure Endpoints menu of the Ubuntu server, enable all traffic from the Check Point Security Gateway (IP address x.x.x.x)
  5. Connect to the Ubuntu server, e.g. with PuTTY from a Windows VM that is located in the same Virtual Network.
  6. Install Openswan VPN gateway with command (if not already installed): sudo apt-get install openswan
  7. Edit IPSec and address settings in the configuration file: /etc/ipsec.conf
  8. Restart the VPN service: sudo service ipsec restart

In addition to the above steps, the route settings in Azure Virtual Network may need to be modified as discussed in the test case Routing with Ubuntu Linux VPN Gateway.

Sample IPSEC.CONF for Azure Openswan

config setup
    # parameters must be indented under their section header for the Openswan parser
    protostack=netkey
    virtual_private=%v4:10.4.1.0/24
    oe=off
    nat_traversal=yes          # both gateways sit behind Azure NAT

conn checkpointpsk
    authby=secret              # pre-shared key from /etc/ipsec.secrets
    left=10.4.1.4              # local private address of the Ubuntu VM
    leftid=y.y.y.y             # present the public address that Check Point has as peer IP
    leftsubnet=10.4.1.0/24
    right=x.x.x.x              # Check Point public address
    rightid=10.0.0.11          # IKE identity presented by the Check Point gateway (internal address, x.x.x.x is NATed)
    rightsubnet=10.0.0.0/24    # Check Point VPN domain
    auto=start
    pfs=no                     # must match the Check Point Phase 2 PFS setting

Sample IPSEC.SECRETS for Azure Openswan

# a leading ':' with no index means the PSK applies to any peer
: PSK "abcd1234"
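As an added check that is not part of the original test case, the following Python script parses an ipsec.conf in the format shown above and compares the Openswan conn against the values entered on the Check Point side, reporting the mismatches that most often keep a PSK tunnel from establishing: a subnet that differs from the VPN domain or the Interoperable device topology, a leftid that is not the peer address Check Point expects, a Phase 2 PFS mismatch, and a missing PSK entry. The embedded sample files are constructed from the page's samples, and the assumption that the Check Point VPN community leaves Phase 2 PFS off (its default) is this example's, not the page's.

```python
# Constructed samples mirroring the ipsec.conf and ipsec.secrets above (x.x.x.x / y.y.y.y are the NATed public addresses).
IPSEC_CONF = """\
config setup
    protostack=netkey
    virtual_private=%v4:10.4.1.0/24
    oe=off
    nat_traversal=yes
conn checkpointpsk
    authby=secret
    left=10.4.1.4
    leftid=y.y.y.y
    leftsubnet=10.4.1.0/24
    right=x.x.x.x
    rightid=10.0.0.11
    rightsubnet=10.0.0.0/24
    auto=start
    pfs=no
"""
IPSEC_SECRETS = ': PSK "abcd1234"\n'
# Check Point side from steps 8, 11 and 12; Phase 2 PFS off is an assumption (community default) matching pfs=no.
CHECKPOINT = {"vpn_domain": "10.0.0.0/24", "peer_ip": "y.y.y.y", "peer_subnet": "10.4.1.0/24", "pfs": "no"}

def parse_ipsec_conf(text):
    """Parse ipsec.conf into {section: {key: value}}: headers at column 0, parameters indented."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()           # strip comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                      # 'config setup' or 'conn <name>'
            current = sections.setdefault(line.split()[1], {})
        else:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections

def check_interop(conf_text, secrets_text, peer, conn_name="checkpointpsk"):
    """Return the mismatches between the Openswan conn and the Check Point side settings."""
    conn = {"pfs": "yes"}                              # Openswan default when pfs= is omitted
    conn.update(parse_ipsec_conf(conf_text)[conn_name])
    expected = [
        ("rightsubnet", peer["vpn_domain"], "rightsubnet differs from the Check Point VPN domain"),
        ("leftsubnet", peer["peer_subnet"], "leftsubnet differs from the Interoperable device topology"),
        ("leftid", peer["peer_ip"], "leftid differs from the peer address Check Point expects"),
        ("pfs", peer["pfs"], "Phase 2 PFS setting differs between the gateways"),
    ]
    problems = [msg for key, want, msg in expected if conn.get(key) != want]
    if conn.get("authby") == "secret" and ": PSK" not in secrets_text:
        problems.append("authby=secret but ipsec.secrets has no PSK entry")
    return problems
```

Run against the real files with `check_interop(open("/etc/ipsec.conf").read(), open("/etc/ipsec.secrets").read(), CHECKPOINT)`; an empty list means the conn matches the Check Point side.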