IPSec VPN between Cisco ASA and Check Point NGX
From The sin within
Goals
To establish a VPN connection between a Cisco ASA and a Check Point NGX firewall.
Prerequisites
- Very good understanding of IPSec protocol
- Good knowledge of Check Point NGX
- Good knowledge of Cisco ASA CLI command set
Configuration
Network setup
- Cisco ASA
- external interface (outside): 1.2.3.4/255.255.255.252
- internal interface (inside): 10.20.40.1/255.255.255.0
- Check Point NGX
- external interface (eth0): 5.6.7.8/255.255.255.252
- internal interface (eth1): 10.40.20.1/255.255.255.0
Therefore, the VPN will be between 10.20.40.0/24 and 10.40.20.0/24
Cisco ASA setup
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 80
 ip address 10.20.40.1 255.255.255.0
!
After setting up the interfaces, an access list that permits traffic between the two encryption domains must be set up:
access-list vpn_1 extended permit ip 10.20.40.0 255.255.255.0 10.40.20.0 255.255.255.0
On the ASA, a route for the remote network pointing to the IPSec tunnel endpoint (the Check Point's external address) is necessary:
route outside 10.40.20.0 255.255.255.0 5.6.7.8 1
Now, an IPSec phase-2 cryptographic transform set needs to be defined:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
The transform sets defined above are necessary so that the firewalls can negotiate which cryptographic algorithms will be used for phase 2; they are listed starting with the strongest.
The lifetime of the phase-2 security association is set as follows:
crypto ipsec security-association lifetime seconds 3600
Now we need to define which traffic is to be encrypted, and to which peer:
crypto map outside_map 30 match address vpn_1
crypto map outside_map 30 set peer 5.6.7.8
crypto map outside_map 30 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
The ISAKMP policy below sets how the phase-1 key exchange is protected (authentication method, encryption, hash, Diffie-Hellman group, and lifetime):
isakmp policy 120 authentication pre-share
isakmp policy 120 encryption aes-256
isakmp policy 120 hash sha
isakmp policy 120 group 2
isakmp policy 120 lifetime 86400
Now a tunnel group must be created to set the type of the IPSec tunnel, which in our case is LAN-to-LAN:
tunnel-group 5.6.7.8 type ipsec-l2l
tunnel-group 5.6.7.8 ipsec-attributes
 pre-shared-key *
Note: for security reasons, when you do a show run on the ASA, a * is displayed instead of the actual pre-shared secret.
This is about it on the Cisco ASA side.
Check Point NGX setup
In Check Point, first you need to define a new Interoperable Device, which we'll call Cisco-ASA. In the IP address field, enter the IP address of the external interface of the Cisco ASA, in this case 1.2.3.4.
Next, you edit the topology of the device and enter:
- eth0: 1.2.3.4, netmask 255.255.255.255; topology: Leads to internet
- eth1: 10.20.40.1, netmask 255.255.255.0; topology: Internal, Network defined by IP address and netmask
Next, you need to create a new VPN community, type Star, with the following settings:
- Center gateways: the object representing the Check Point enforcement point
- Satellite gateways: the object representing the Cisco ASA device
- VPN Properties:
  - IKE (Phase 1) Properties
    - Perform key exchange encryption with: AES-256
    - Perform data integrity with: SHA-1
  - IPSec (Phase 2) Properties
    - Perform IPSec data encryption with: AES-128
    - Perform data integrity with: SHA-1
- Tunnel properties:
  - VPN Tunnel sharing: One VPN tunnel per subnet pair
- Advanced settings
  - Shared Secret
    - Use only Shared Secret for all external members
  - Advanced VPN Properties:
    - IKE (Phase 1):
      - Use Diffie-Hellman Group: Group 2
    - NAT: Disable NAT inside VPN community
That's it for the Check Point side: after editing the properties, save the settings and do a Policy Install.
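Most interoperability failures between these two products come from one side proposing an algorithm, DH group or lifetime the other side does not offer. The Python script below is an added example (not part of the article and not a Cisco or Check Point tool): it parses the ASA lines from the sections above and compares the ISAKMP policy, the transform set selected in the crypto map, and the IPSec SA lifetime against the Star community settings listed above, expressed as a dictionary. The ASA snippet and the Check Point dictionary are constructed from the values on this page (the Check Point IPSec lifetime of 3600 s is the product default); the keyword-to-name maps are this example's own assumption about how ASA keywords correspond to the names in the Check Point dialogs.

```python
"""Cross-check the ASA IKE/IPSec proposal against the Check Point community settings."""

# Constructed sample: the relevant ASA lines from this article.
ASA_CONFIG = """\
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map outside_map 30 match address vpn_1
crypto map outside_map 30 set peer 5.6.7.8
crypto map outside_map 30 set transform-set ESP-AES-128-SHA
isakmp policy 120 authentication pre-share
isakmp policy 120 encryption aes-256
isakmp policy 120 hash sha
isakmp policy 120 group 2
isakmp policy 120 lifetime 86400
"""

# Constructed from the Star community settings listed in the article
# (the 3600 s IPSec lifetime is the Check Point default).
CHECKPOINT_STAR = {
    "ike_encryption": "AES-256", "ike_integrity": "SHA-1", "dh_group": 2,
    "ipsec_encryption": "AES-128", "ipsec_integrity": "SHA-1",
    "ipsec_lifetime_seconds": 3600,
}

# Assumed mapping from ASA keywords to the algorithm names shown in Check Point's dialogs.
ESP_ENC = {"esp-aes": "AES-128", "esp-aes-192": "AES-192", "esp-aes-256": "AES-256", "esp-3des": "3DES"}
ESP_AUTH = {"esp-sha-hmac": "SHA-1", "esp-md5-hmac": "MD5"}
IKE_ENC = {"aes": "AES-128", "aes-192": "AES-192", "aes-256": "AES-256", "3des": "3DES"}
IKE_HASH = {"sha": "SHA-1", "md5": "MD5"}


def parse_asa(config):
    """Extract ISAKMP policies, transform sets, crypto map entries and the IPSec SA lifetime."""
    ike, tsets, maps, ipsec_lifetime = {}, {}, {}, None
    for raw in config.splitlines():
        p = raw.split()
        if p[:2] == ["crypto", "isakmp"]:      # newer ASA releases prefix 'crypto'
            p = p[1:]
        if p[:2] == ["isakmp", "policy"] and len(p) >= 5:
            ike.setdefault(int(p[2]), {})[p[3]] = p[4]
        elif p[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[p[3]] = p[4:]
        elif p[:3] == ["crypto", "ipsec", "security-association"] and "seconds" in p:
            ipsec_lifetime = int(p[p.index("seconds") + 1])
        elif p[:2] == ["crypto", "map"] and len(p) > 6 and p[4] == "set":
            entry = maps.setdefault((p[2], int(p[3])), {})   # keyed by map name and sequence number
            if p[5] == "peer":
                entry["peer"] = p[6]
            elif p[5] == "transform-set":
                entry["transform_sets"] = p[6:]
    return {"ike": ike, "transform_sets": tsets, "maps": maps, "ipsec_lifetime": ipsec_lifetime}


def check_against_checkpoint(asa, peer, cp):
    """Return a list of mismatches; an empty list means both phases can agree."""
    issues = []
    # Phase 1: Check Point offers a single proposal, so one ASA policy must match it exactly.
    if not any(IKE_ENC.get(pol.get("encryption")) == cp["ike_encryption"]
               and IKE_HASH.get(pol.get("hash")) == cp["ike_integrity"]
               and pol.get("group") == str(cp["dh_group"])
               and pol.get("authentication") == "pre-share"
               for pol in asa["ike"].values()):
        issues.append(f"no ISAKMP policy offers {cp['ike_encryption']}/{cp['ike_integrity']}/"
                      f"group {cp['dh_group']}/pre-share")
    # Phase 2: the crypto map entry for this peer must carry a transform set matching Check Point's.
    entries = [e for e in asa["maps"].values() if e.get("peer") == peer]
    if not entries:
        return issues + [f"no crypto map entry points at peer {peer}"]
    offered = []
    for e in entries:
        for name in e.get("transform_sets", []):
            algs = asa["transform_sets"].get(name, [])
            offered.append((next((ESP_ENC[a] for a in algs if a in ESP_ENC), None),
                            next((ESP_AUTH[a] for a in algs if a in ESP_AUTH), None)))
    wanted = (cp["ipsec_encryption"], cp["ipsec_integrity"])
    if wanted not in offered:
        issues.append(f"no transform set for peer {peer} offers {wanted}; offered {offered}")
    # Lifetimes need not match (the lower value wins), but a difference is worth knowing about.
    if asa["ipsec_lifetime"] != cp["ipsec_lifetime_seconds"]:
        issues.append(f"IPSec lifetime differs: ASA {asa['ipsec_lifetime']}s, "
                      f"Check Point {cp['ipsec_lifetime_seconds']}s")
    return issues


if __name__ == "__main__":
    asa = parse_asa(ASA_CONFIG)
    print("mismatches:", check_against_checkpoint(asa, "5.6.7.8", CHECKPOINT_STAR))
    print("with DH group 14 on Check Point:",
          check_against_checkpoint(asa, "5.6.7.8", dict(CHECKPOINT_STAR, dh_group=14)))
```

With the page's values the check returns no mismatches; changing the Check Point DH group to 14, or its phase-2 encryption to AES-256 (the crypto map only selects ESP-AES-128-SHA), makes it report exactly which phase will fail to negotiate.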
Configuration verification
Cisco-ASA# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 30, local addr: 1.2.3.4

      access-list vpn_1 permit ip 10.20.40.0 255.255.255.0 10.40.20.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.20.40.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.40.20.0/255.255.255.0/0/0)
      current_peer: 5.6.7.8

      #pkts encaps: 7458223, #pkts encrypt: 7458223, #pkts digest: 7458223
      #pkts decaps: 13172556, #pkts decrypt: 13172554, #pkts verify: 13172554
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 7458226, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 1.2.3.4, remote crypto endpt.: 5.6.7.8

      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 7F40EF30

    inbound esp sas:
      spi: 0x9C2D9F3B (2620235579)
         transform: esp-aes esp-sha-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 5, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3163567/2697)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x7F40EF30 (2134961968)
         transform: esp-aes esp-sha-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 5, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4253889/2685)
         IV size: 8 bytes
         replay detection support: Y

Cisco-ASA# sh crypto isakmp sa detail

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 5.6.7.8
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 67527
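Reading these two outputs by eye is fine for one tunnel; for routine verification it helps to apply the same checks mechanically. The Python script below is an added example (not part of the article): it parses the two command outputs and flags what a practitioner looks for here: the IKE SA in MM_ACTIVE, both ESP SAs present with the transform the crypto map selected, anti-replay enabled, no send/receive errors, decapsulated packets actually decrypted, and neither SA close to expiry. The sample text is constructed from the output shown above; the expected transform, the 3600 s lifetime and the 10% expiry threshold are this example's own assumptions.

```python
"""Health-check an ASA LAN-to-LAN tunnel from 'show crypto ipsec sa' and 'show crypto isakmp sa detail' text."""
import re

# Constructed samples, taken from the verification output in this article.
SHOW_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 30, local addr: 1.2.3.4
      current_peer: 5.6.7.8
      #pkts encaps: 7458223, #pkts encrypt: 7458223, #pkts digest: 7458223
      #pkts decaps: 13172556, #pkts decrypt: 13172554, #pkts verify: 13172554
      #send errors: 0, #recv errors: 0
      current outbound spi: 7F40EF30
    inbound esp sas:
      spi: 0x9C2D9F3B (2620235579)
         transform: esp-aes esp-sha-hmac
         sa timing: remaining key lifetime (kB/sec): (3163567/2697)
         replay detection support: Y
    outbound esp sas:
      spi: 0x7F40EF30 (2134961968)
         transform: esp-aes esp-sha-hmac
         sa timing: remaining key lifetime (kB/sec): (4253889/2685)
         replay detection support: Y
"""
SHOW_ISAKMP_SA = """\
1   IKE Peer: 5.6.7.8
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 67527
"""

EXPECTED_TRANSFORM = ("esp-aes", "esp-sha-hmac")  # the ESP-AES-128-SHA set selected in the crypto map
IPSEC_LIFETIME_SEC = 3600                         # from 'crypto ipsec security-association lifetime'


def parse_ipsec_sa(text):
    """Return peer, packet counters and per-direction ESP SA details."""
    counters = {name: int(val) for name, val in re.findall(r"#([a-z][a-z ]*?): (\d+)", text)}
    peer = re.search(r"current_peer: (\S+)", text)
    sas, direction = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("esp sas:"):
            direction = line.split()[0]           # 'inbound' or 'outbound'
            sas[direction] = {}
        elif direction is None:                   # header lines before the first SA block
            continue
        elif m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line):
            sas[direction]["spi"] = m.group(1)
        elif line.startswith("transform:"):
            sas[direction]["transform"] = tuple(line.split()[1:])
        elif m := re.search(r"remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)", line):
            sas[direction]["remaining_kb"], sas[direction]["remaining_sec"] = int(m[1]), int(m[2])
        elif m := re.match(r"replay detection support: (\w)", line):
            sas[direction]["replay"] = m.group(1) == "Y"
    return {"peer": peer.group(1) if peer else None, "counters": counters, "sas": sas}


def isakmp_peers(text):
    """Return {peer: {field: value}} from 'show crypto isakmp sa detail'."""
    peers, current = {}, None
    for line in text.splitlines():
        if m := re.search(r"IKE Peer: (\S+)", line):
            current = peers.setdefault(m.group(1), {})
        elif current is not None:
            for key, val in re.findall(r"(\w+)\s*:\s*(\S+)", line):
                current[key.lower()] = val
    return peers


def tunnel_health(sa_info, ike_peers, expected=EXPECTED_TRANSFORM, lifetime=IPSEC_LIFETIME_SEC):
    """Return a list of warnings; an empty list means the tunnel looks healthy."""
    c, warnings = sa_info["counters"], []
    ike = ike_peers.get(sa_info["peer"], {})
    if ike.get("state") != "MM_ACTIVE":
        warnings.append(f"IKE SA with {sa_info['peer']} is {ike.get('state', 'absent')}, not MM_ACTIVE")
    if c.get("send errors", 0) or c.get("recv errors", 0):
        warnings.append(f"send errors {c.get('send errors')}, recv errors {c.get('recv errors')}")
    dropped = c.get("pkts decaps", 0) - c.get("pkts decrypt", 0)
    if dropped > 0:  # decapsulated but never decrypted: worth watching if the gap keeps growing
        warnings.append(f"inbound: {dropped} packets decapsulated but not decrypted")
    for direction in ("inbound", "outbound"):
        sa = sa_info["sas"].get(direction)
        if not sa:
            warnings.append(f"{direction}: no ESP SA present")
            continue
        if sa.get("transform") != expected:
            warnings.append(f"{direction}: transform {sa.get('transform')} differs from {expected}")
        if not sa.get("replay"):
            warnings.append(f"{direction}: anti-replay not enabled")
        if sa.get("remaining_sec", 0) < lifetime * 0.1:  # assumed threshold: under 10% of the lifetime
            warnings.append(f"{direction}: SA expires in {sa.get('remaining_sec')}s")
    return warnings


if __name__ == "__main__":
    for w in tunnel_health(parse_ipsec_sa(SHOW_IPSEC_SA), isakmp_peers(SHOW_ISAKMP_SA)):
        print("WARNING:", w)
```

On the output above the only finding is the two-packet gap between decaps and decrypt; a steadily growing gap, or any send/recv errors, is the point at which to look at the Check Point logs for the peer.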
Notes
This configuration was done between:
- Check Point NGX R61
- Cisco Adaptive Security Appliance Software Version 7.0(4)

