Topology.

Check Point Firewall:

  • External IP – 3.3.3.20
  • Internal IP – 1.1.1.20
  • Next Hop – 3.3.3.50

Remote Vyatta:

  • External IP – 7.7.7.10
  • Internal IP – 10.10.10.20
  • Next Hop – 7.7.7.20

  1. Check Point side configuration

Object Configuration:

Double-click the gateway object -> check the ‘IPsec VPN’ box.

Go to Topology -> Get -> click ‘Get Interfaces with Topology’.

Check ‘Manually defined’ -> click the 3-dot button -> New -> Network Object -> define the Check Point encryption domain, e.g. 1.1.1.0/24.

Go to ‘Link Selection’ -> check ‘Selected address from topology table’ -> select the external IP address participating in the VPN.

In this example the participating IP is 3.3.3.20.

To create an Inter-operable device go to ‘File’ -> Manage -> Network objects -> click on ‘Inter-operable device’

Open the inter-operable Gateway object -> provide a name for the remote peer and the external IP address participating in the VPN community.

Check ‘Manually defined’ -> click the 3-dot button -> New -> Network Object -> define the Vyatta encryption domain, e.g. 10.10.10.0/24.

To create the VPN community go to VPN Communities -> right-click ‘Site-to-Site’ -> New Site-to-Site -> Meshed.

Go to ‘General’ and provide a name for the VPN community.

Go to ‘Participating Gateways’ and add the relevant Gateways participating in the VPN community.

Go to ‘Encryption Domain’ and select ‘AES-256, SHA-1’ for Phase 1 and ‘AES-256, SHA-1’ for Phase 2.

Go to Shared Secret -> enable ‘Use only Shared Secret for all External Members’ -> provide the secret key, e.g. q1w2e3.

Note: The same secret key must be provided when configuring Vyatta.

Go to Advanced VPN Properties -> check ‘Perfect Forward Secrecy with Group 2’ -> also check ‘Disable NAT inside VPN community’.

Note: Perfect Forward Secrecy with Group 2 is the default configuration in Vyatta.

Policy

Double-click the VPN column of the rule (‘Any Traffic’) -> ‘Only connections encrypted in specific VPN communities’ -> Add -> select the community, e.g. checkvyatta.

Add the Encryption domains as shown below.

Push the Policy.

  2. Vyatta configuration

How to set up Vyatta

  1. To install Vyatta, run the command below:

~$ install system

  2. Once the installation is done, check the available NIC cards:

~$ show interfaces

  3. Proceed with the interface configuration by entering configuration mode:

~$ configure

# set interfaces ethernet eth0 address 7.7.7.10/24

# set interfaces ethernet eth1 address 10.10.10.20/24

  4. Provide the default gateway:

# set protocols static route 0.0.0.0/0 next-hop 7.7.7.20

  5. The VPN configuration is as follows.

Define the interface that participates in the VPN:

# set vpn ipsec ipsec-interfaces interface eth0

  6. Phase 1

# set vpn ipsec ike-group IKE-1W proposal 1

# set vpn ipsec ike-group IKE-1W proposal 1 encryption aes256

# set vpn ipsec ike-group IKE-1W proposal 1 hash sha1

# set vpn ipsec ike-group IKE-1W lifetime 86400

  7. Phase 2

# set vpn ipsec esp-group ESP-1W proposal 1

# set vpn ipsec esp-group ESP-1W proposal 1 encryption aes256

# set vpn ipsec esp-group ESP-1W proposal 1 hash sha1

# set vpn ipsec esp-group ESP-1W lifetime 3600

  8. Configuring the pre-shared secret

# set vpn ipsec site-to-site peer 3.3.3.20 authentication mode pre-shared-secret

# edit vpn ipsec site-to-site peer 3.3.3.20

# set authentication pre-shared-secret q1w2e3

# set default-esp-group ESP-1W

# set ike-group IKE-1W

  9. Configuring the encryption domains

# set local-address 7.7.7.10

# set tunnel 1 local prefix 10.10.10.0/24

# set tunnel 1 remote prefix 1.1.1.0/24

# top

# commit

# save

Note: to exit configuration mode, run the command below.

# exit
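Before checking the tunnel status it is worth confirming that the two sides actually agree. The checker below is an added example (not Vyatta or Check Point tooling); it parses the Vyatta ‘set’ commands from this write-up, constructed inline, and compares them with the Check Point community values entered above, remembering that the encryption domains are mirrored (Vyatta's local prefix is the Check Point side's remote domain).

```python
# Constructed from the Vyatta commands above (one 'set' per line).
VYATTA_CMDS = """
set vpn ipsec ike-group IKE-1W proposal 1 encryption aes256
set vpn ipsec ike-group IKE-1W proposal 1 hash sha1
set vpn ipsec esp-group ESP-1W proposal 1 encryption aes256
set vpn ipsec esp-group ESP-1W proposal 1 hash sha1
set vpn ipsec site-to-site peer 3.3.3.20 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 3.3.3.20 authentication pre-shared-secret q1w2e3
set vpn ipsec site-to-site peer 3.3.3.20 default-esp-group ESP-1W
set vpn ipsec site-to-site peer 3.3.3.20 ike-group IKE-1W
set vpn ipsec site-to-site peer 3.3.3.20 local-address 7.7.7.10
set vpn ipsec site-to-site peer 3.3.3.20 tunnel 1 local prefix 10.10.10.0/24
set vpn ipsec site-to-site peer 3.3.3.20 tunnel 1 remote prefix 1.1.1.0/24
"""

# Check Point community settings as entered in the SmartDashboard steps.
CHECKPOINT = {
    "external_ip": "3.3.3.20", "peer_ip": "7.7.7.10",
    "local_domain": "1.1.1.0/24", "remote_domain": "10.10.10.0/24",
    "phase1": ("aes256", "sha1"), "phase2": ("aes256", "sha1"),
    "psk": "q1w2e3",
}

def parse_set(cmds):
    """Map each 'set <path> <value>' line to {path: value}."""
    tree = {}
    for line in cmds.strip().splitlines():
        parts = line.split()
        if parts[:1] == ["set"] and len(parts) > 2:
            tree[" ".join(parts[1:-1])] = parts[-1]
    return tree

def check_peer(cmds, cp):
    """Return the settings where the Vyatta side disagrees with Check Point.
    Domains are mirrored: Vyatta's local prefix is Check Point's remote one."""
    v = parse_set(cmds)
    peer = f"vpn ipsec site-to-site peer {cp['external_ip']}"
    ike, esp = v.get(f"{peer} ike-group"), v.get(f"{peer} default-esp-group")
    expected = {
        f"{peer} authentication pre-shared-secret": cp["psk"],
        f"{peer} local-address": cp["peer_ip"],
        f"{peer} tunnel 1 local prefix": cp["remote_domain"],
        f"{peer} tunnel 1 remote prefix": cp["local_domain"],
        f"vpn ipsec ike-group {ike} proposal 1 encryption": cp["phase1"][0],
        f"vpn ipsec ike-group {ike} proposal 1 hash": cp["phase1"][1],
        f"vpn ipsec esp-group {esp} proposal 1 encryption": cp["phase2"][0],
        f"vpn ipsec esp-group {esp} proposal 1 hash": cp["phase2"][1],
    }
    return [f"{k}: vyatta={v.get(k)!r} checkpoint={want!r}"
            for k, want in expected.items() if v.get(k) != want]
```

An empty list means every checked value matches; a mismatch on either the proposals or the mirrored prefixes is the usual reason Phase 1 or Phase 2 never comes up.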

Check whether the tunnels are up on both sides.

On Check Point run the command below:

# vpn tu

Press 3 -> enter the peer IP to check the IKE SA.

Press 4 -> enter the peer IP to check the IPsec SA.

On Vyatta run the commands below (in operational mode, not configuration mode):

~$ show vpn ike sa

~$ show vpn ipsec sa

Author: Amith Gururaj Rao