eduardo:checkpoint:ipsec: revision 2010/07/21 07:17 by eduardo; current revision 2024/02/23 08:20 (external edit 127.0.0.1)

====== IPSec ======

===== General =====
{{ipsec-ike1.png|}}
----
{{ipsec-ike2.png|}}
----
{{ipsec-transf.png|}}

===== Configuration =====

==== Center Gateway ====
  * Assign an encryption domain behind the center gateway.
    * These are the IP addresses behind the local center gateway whose traffic will be encrypted.
    * Traffic is only encrypted between addresses in the encryption domain of the center gateway and addresses in the encryption domain of the satellite gateway.
  * The center gateway is usually the local Check Point firewall cluster.
{{ipsec-conf1.png|}}

==== Satellite Gateway ====
  * The satellite gateway is the other end of the IPSec tunnel that terminates on the center gateway.
  * Create a new satellite gateway object:
    * If it is not a Check Point device, create a new **Interoperable Device**.
    * If it is a Check Point device, create a new **Check Point > Externally Managed VPN Gateway**.

  * Configure the name and IP address.
{{ipsec-conf2.png|}}

  * If the satellite gateway sends IKE from a source IP address other than the one configured on its object, add that address under the object's topology.
    * Otherwise the local center gateway rejects the IKE negotiation with the following message:
<code>
IKE: Main Mode local machine configured not to respond to unknown IP addresses (i.e. not exportable for SR, and/or not included in the RemoteAccess community, and/or no DAIP's defined)
IKE: Main Mode Sent Notification to Peer: invalid id information
</code>
<note important>In R65, the default is to use the Main IP of the center gateway cluster as the source. In R55, the default is to use the IP address of the exiting interface.</note>
  * Assign an encryption domain to the satellite gateway.
    * Traffic is only encrypted between addresses in the encryption domain of the satellite gateway and addresses in the encryption domain of the center gateway.
{{ipsec-conf3.png|}}
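A quick way to sanity-check the encryption-domain rule stated above (only traffic between the center domain and the satellite domain enters the tunnel; everything else leaves the gateway in the clear), as an added Python example that is not part of this wiki page. The prefixes and flows below are constructed sample values, and the overlap check flags a domain layout that should be corrected before the community is deployed.

```python
import ipaddress

def to_networks(cidrs):
    """Parse a list of CIDR strings (one encryption domain) into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def in_domain(address, domain):
    """True if the address falls inside any prefix of the encryption domain."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in to_networks(domain))

def is_tunneled(src, dst, center_domain, satellite_domain):
    """A flow is encrypted only when one end is in the center domain and the
    other end is in the satellite domain (either direction)."""
    return (in_domain(src, center_domain) and in_domain(dst, satellite_domain)) or \
           (in_domain(src, satellite_domain) and in_domain(dst, center_domain))

def overlapping_domains(center_domain, satellite_domain):
    """Return (center, satellite) prefix pairs that overlap. An address that sits
    in both domains is ambiguous, so such a layout should be fixed before deployment."""
    return [(str(c), str(s))
            for c in to_networks(center_domain)
            for s in to_networks(satellite_domain)
            if c.overlaps(s)]

def audit_flows(flows, center_domain, satellite_domain):
    """Classify each (src, dst) flow as 'encrypted' (inside the tunnel) or 'clear'."""
    return {f"{src}->{dst}": ("encrypted" if is_tunneled(src, dst, center_domain, satellite_domain)
                               else "clear")
            for src, dst in flows}

# Constructed sample values (not taken from the wiki page).
CENTER_DOMAIN = ["10.1.0.0/16"]          # hosts behind the local center gateway
SATELLITE_DOMAIN = ["192.168.50.0/24"]   # hosts behind the remote satellite gateway
SAMPLE_FLOWS = [
    ("10.1.2.3", "192.168.50.10"),   # center -> satellite: encrypted
    ("192.168.50.10", "10.1.2.3"),   # satellite -> center: encrypted
    ("10.1.2.3", "172.16.0.5"),      # destination outside both domains: clear
    ("10.2.0.1", "192.168.50.10"),   # source not in the center domain: clear
]

if __name__ == "__main__":
    for flow, verdict in audit_flows(SAMPLE_FLOWS, CENTER_DOMAIN, SATELLITE_DOMAIN).items():
        print(f"{flow:28} {verdict}")
    print("overlapping prefixes:", overlapping_domains(CENTER_DOMAIN, SATELLITE_DOMAIN))
```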

==== VPN Community ====
  * Create a **Star Community** to configure the IPSec parameters.
  * Add the **Center Gateway**, which is usually the local Check Point firewall.
{{ipsec-conf4.png|}}

  * Add the **Satellite Gateway**, which is the remote end of the IPSec tunnel.
{{ipsec-conf5.png|}}

  * Configure the IKE and IPSec parameters.
{{ipsec-conf6.png|}}

  * Configure the pre-shared secret.
{{ipsec-conf7.png|}}

  * Configure the Diffie-Hellman parameters.
{{ipsec-conf8.png|}}

==== Policy ====
  * Assign the VPN community as the target of the policy rule.
{{ipsec-conf9.png|}}
{{ipsec-conf10.png|}}

===== Debug =====
  * To clear all IKE and IPSec SAs:
  * SSH to the VPN-1 firewall.
  * On R55 you need to be in expert mode.
<code>
[vpn-1-fw]# vpn tu

**********     Select Option     **********

(1)             List all IKE SAs
(2)             List all IPsec SAs
(3)             List all IKE SAs for a given peer (GW) or user (Client)
(4)             List all IPsec SAs for a given peer (GW) or user (Client)
(5)             Delete all IPsec SAs for a given peer (GW)
(6)             Delete all IPsec SAs for a given User (Client)
(7)             Delete all IPsec+IKE SAs for a given peer (GW)
(8)             Delete all IPsec+IKE SAs for a given User (Client)
(9)             Delete all IPsec SAs for ALL peers and users
(0)             Delete all IPsec+IKE SAs for ALL peers and users

(Q)             Quit

*******************************************

0
</code>

  * To monitor the status of the VPN tunnels:
  * Use SmartView Monitor and select **Tunnels on Gateway**.
    * This only works from R65 onward.
{{ipsec-conf11.png|}}