Check Point settings:
Define Network Objects for the networks/subnets that you will
be creating the VPN between (the "encryption domains").
This needs to be done for both sides of the VPN.
Create or modify existing Workstation Network Objects for
each VPN gateway to add the VPN configuration parameters.
Click on the VPN tab to modify the VPN definition.
Modify the Encryption Domain by clicking on "Other"
and adding the Network Object for this gateway's encryption domain.
Edit the Encryption Scheme by ticking the "IKE" checkbox
and clicking <Edit>. Select 3DES (or DES only if your license
restricts you to it), SHA1 and Pre-Shared Secret; leave DES and
MD5 de-selected. De-select "Supports Aggressive Mode": aggressive
mode sends the IKE identity in the clear and lets a passive observer
capture material for offline guessing of the pre-shared secret.
Note that 3DES and SHA1 are the strongest options these products
offered at the time; where both ends support AES and SHA-2, prefer those.
Edit the other gateway's VPN definition (either create a new
Workstation object, or edit it if it already exists).
Click on the VPN tab to modify the VPN definition.
Modify the Encryption Domain by clicking on "Other"
and adding the Network Object for this gateway's encryption domain.
Edit the Encryption Scheme by ticking the "IKE" checkbox
and clicking <Edit>. Select 3DES (or DES only if your license
restricts you to it), SHA1 and Pre-Shared Secret, exactly as on the
first gateway. De-select DES and MD5.
Click on Edit Secrets to create the Pre-Shared Secret.
Highlight the remote peer and click "Edit". Enter the
secret and click "Set". Use a long, random secret: it is the
only thing authenticating the two gateways to each other.
The Pre-Shared Secret between these two hosts is now
set (from the Check Point FW-1 gateway's perspective). You will
still need to enter the same Pre-Shared Secret in the Vigor2200 VPN
Gateway configuration, or IKE Phase 1 will fail.
Configuring Firewall Rules to Allow IPSec Encryption.
Define firewall policies to enable IPSec encryption between the
encryption domains. You will need to define rules between the
encryption domain networks and select the action Encrypt. You
can control which services are allowed as well as timeframes.
In this case, we are allowing all services between the encryption
domains; in production, restrict the rule to the services the
remote site actually needs.
Double click on the Encrypt action to define/edit the IPSec rules.
Click on IKE and "Edit" to edit the IPSec rules. Select
ESP, 3DES (or DES), and SHA1.
On the "Allowed Peer Gateway" drop-down, select the
Vigor_Gateway.
Repeat this process for any other IPSec/Encrypt rules.
Modify the Security Association Timeframe. The default
timeframes for renegotiating the IKE Security Associations on the
Check Point VPN-1 and Vigor gateways are different. These
parameters either need to be disabled or modified to match;
if they differ, one side will expire the SA before the other expects it
and the tunnel will drop until it is renegotiated.
It is recommended for security purposes to keep them enabled
and to match the timeframes. In this example, we will modify
the Check Point definition to match the Vigor default. From
the Check Point Policy Editor, select the Encryption tab of
the Policy / Properties setup. Change the IKE Security Association
time to 480 minutes (8 hours) to match the Vigor2200 default.
The IPSec timeframe defaults already match (3600 seconds, or 1 hour).
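As an added example (not part of the original page, and not a Check Point or DrayTek tool), the script below models both gateway definitions as plain data and flags the mismatches the procedure above is meant to avoid: overlapping encryption domains, no common IKE proposal, aggressive mode left on, differing secrets, differing SA lifetimes once both are expressed in seconds, and a differing ESP transform. The field names, subnets and secret are constructed for illustration; the 1440-minute lifetime used for the failure case is illustrative, not either product's default.

```python
"""Peering consistency check for a Check Point FW-1 <-> Vigor2200 site-to-site VPN.

Added example: models both gateway definitions as plain data and flags the
mismatches the procedure above is meant to avoid. Field names, subnets and
the pre-shared secret are constructed for illustration; they are not Check
Point or DrayTek configuration keys.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass
class Gateway:
    name: str
    encryption_domain: list   # local subnets (CIDR) behind this gateway
    ike_encryption: set       # Phase 1 ciphers offered
    ike_hash: set             # Phase 1 hashes offered
    ike_sa_lifetime_s: int    # Phase 1 SA lifetime, in seconds
    ipsec_sa_lifetime_s: int  # Phase 2 SA lifetime, in seconds
    esp_encryption: str       # ESP transform negotiated in Phase 2
    esp_hash: str
    psk: str                  # pre-shared secret as entered on this side
    aggressive_mode: bool = False


WEAK = {"DES", "MD5"}  # dated algorithms: flag them rather than silently accept


def minutes(m: int) -> int:
    """Check Point expresses the IKE SA lifetime in minutes; normalise to seconds."""
    return m * 60


def check_peering(a: Gateway, b: Gateway) -> list:
    """Return a list of mismatches between two peers; an empty list means they agree."""
    problems = []
    # 1. Each side's encryption domain must not overlap the peer's, otherwise
    #    the Encrypt rule cannot tell local traffic from remote traffic.
    for net_a in a.encryption_domain:
        for net_b in b.encryption_domain:
            if ipaddress.ip_network(net_a).overlaps(ipaddress.ip_network(net_b)):
                problems.append(f"encryption domains overlap: {net_a} and {net_b}")
    # 2. Phase 1 proposals need at least one cipher and one hash in common.
    if not a.ike_encryption & b.ike_encryption:
        problems.append("no common IKE cipher")
    if not a.ike_hash & b.ike_hash:
        problems.append("no common IKE hash")
    # 3. Aggressive mode should be off on both sides.
    for gw in (a, b):
        if gw.aggressive_mode:
            problems.append(f"{gw.name}: aggressive mode enabled")
    # 4. The same secret must be entered on both gateways.
    if a.psk != b.psk:
        problems.append("pre-shared secrets differ")
    # 5. SA lifetimes must match once both are in the same unit.
    if a.ike_sa_lifetime_s != b.ike_sa_lifetime_s:
        problems.append(f"IKE SA lifetime mismatch: {a.ike_sa_lifetime_s}s vs {b.ike_sa_lifetime_s}s")
    if a.ipsec_sa_lifetime_s != b.ipsec_sa_lifetime_s:
        problems.append(f"IPsec SA lifetime mismatch: {a.ipsec_sa_lifetime_s}s vs {b.ipsec_sa_lifetime_s}s")
    # 6. The ESP transform must be identical on both ends.
    if (a.esp_encryption, a.esp_hash) != (b.esp_encryption, b.esp_hash):
        problems.append("ESP transform mismatch")
    return problems


def weak_algorithms(gw: Gateway) -> list:
    """Names of weak algorithms present anywhere in a gateway's proposals."""
    offered = gw.ike_encryption | gw.ike_hash | {gw.esp_encryption, gw.esp_hash}
    return sorted(offered & WEAK)


# Constructed definitions mirroring the procedure: 3DES/SHA1, pre-shared
# secret, aggressive mode off, IKE SA 480 min, IPsec SA 3600 s.
CHECKPOINT = Gateway(
    name="CheckPoint_FW1", encryption_domain=["10.1.0.0/24"],
    ike_encryption={"3DES"}, ike_hash={"SHA1"},
    ike_sa_lifetime_s=minutes(480), ipsec_sa_lifetime_s=3600,
    esp_encryption="3DES", esp_hash="SHA1", psk="example-secret",
)
VIGOR = Gateway(
    name="Vigor_Gateway", encryption_domain=["192.168.1.0/24"],
    ike_encryption={"3DES"}, ike_hash={"SHA1"},
    ike_sa_lifetime_s=28800, ipsec_sa_lifetime_s=3600,
    esp_encryption="3DES", esp_hash="SHA1", psk="example-secret",
)
# Constructed failure case: Check Point left at a different Phase 1 lifetime
# (the 1440-minute value is illustrative, not either product's default) and
# with MD5 still ticked in the IKE proposal.
UNMATCHED = replace(CHECKPOINT, ike_sa_lifetime_s=minutes(1440), ike_hash={"SHA1", "MD5"})

if __name__ == "__main__":
    for cp in (CHECKPOINT, UNMATCHED):
        print(cp.name, "->", VIGOR.name, check_peering(cp, VIGOR) or "OK",
              "| weak:", weak_algorithms(cp) or "none")
```

Run it and the matched pair reports OK, while the unmatched pair reports the Phase 1 lifetime difference (86400 s against 28800 s) and flags MD5 as weak; the proposal still has SHA1 in common, so the tunnel would come up but drop on the first rekey.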
This completes the Check Point VPN gateway definitions. There
will be other firewall changes needed to allow miscellaneous connections
for remote management of the Vigor2200 VPN Gateway.
Page last modified: 13 October 2008