Version 2.0
HOW-TO GUIDELINES
Setting up a VPN between a
StoneGate™ cluster and a Cisco PIX®
firewall
TECHN10 - 6/3/03
Introduction
This document highlights a tested method to configure a VPN tunnel between a Cisco PIX®
firewall (PIX) and a StoneGate High Availability Firewall and VPN. To proceed with the
configuration guidelines, you need to have a running StoneGate Management application with
configured StoneGate firewall engines.
This document is not a tutorial on either StoneGate or PIX firewall implementation. Only those
elements pertaining to the actual encryption of a VPN tunnel between the two firewalls are
addressed. For example, the NAT statements and access lists on the PIX firewall are not
explained in detail even though they are necessary parts of the VPN tunnel. It is assumed that
the reader has sufficient prior knowledge of PIX firewalls to create those elements.
This document includes a full working configuration taken directly from a PIX firewall that
includes all the elements required to build a VPN tunnel between StoneGate and PIX. The
reader could simply change a few parameters (IP addresses, passwords, etc.), and copy and paste
the configuration into a PIX firewall to get a working configuration. The VPN parameters used
in this example configuration are not the only ones that can work. It is important to remember
that changes at one end of the VPN tunnel need to also be matched by changes at the other end.
Network Environment
The example network setting depicted in Figure 1.1 illustrates the network environment you are
going to configure.
FIGURE 1.1
Network Environment
There are two different firewalls:
StoneGate firewall cluster. The engine is a Compaq Deskpro EN with D-Link 570 quad card.
The engine version is 2.0.7 build 902. The management version is 2.0.7 build 6036. The
StoneGate firewall cluster connects the following networks:
• the external network 192.168.5.0/24; external IP address 192.168.5.1
• the internal network 192.168.10.0/24; internal IP address 192.168.10.1
Cisco PIX firewall running on Cisco PIX 515 firewall HW and PIX 6.2(1) SW. The PDM is
version 2.1(1). The Cisco PIX firewall connects the following networks:
• the external network 172.16.20.0/24; external IP address 172.16.20.24
• the internal network 10.20.20.0/24; internal IP address 10.20.20.1
Getting Started
Before creating the VPN it is assumed that both PIX and StoneGate are operating so that traffic
can be carried over them (routing, interfaces, etc.). No other steps need to be done beforehand.
Configuring the VPN
VPN Parameters
First, you will configure the VPN settings in StoneGate. Then, you will configure the VPN
settings in Cisco PIX. Cisco PIX can be configured using the command line interface or a GUI
wizard. Both methods are shown in this document, but only one method should be used.
The following IPsec parameters will be used to create the VPN tunnel between StoneGate and
Cisco PIX:
• IKE Phase 1:
    • DES for Cipher Algorithm for Key Exchange
    • MD5 for Message Digest Algorithm for Key Exchange
    • Pre-Shared Key for Authentication method
    • 1 for Diffie-Hellman Group for IKE
    • 1440 for IKE SA Lifetime in Minutes (listed as 86400 seconds in PIX)
• IKE Phase 2:
    • ESP for IPsec Type
    • DES for Cipher Algorithm
    • MD5 for Message Digest Algorithm
    • 60 minutes or 4608000 KB for IPsec Tunnel Lifetime
VPN settings at the StoneGate end
When configuring the VPN settings at the StoneGate end the following steps need to be
performed:
1. Configure Internal Security Gateway
2. Configure External Security Gateway
3. Configure the Encryption Domains
4. Create a VPN Element
5. Create a VPN Rule Base
Below you will find each of these steps explained in more detail.
▼ To configure the VPN settings in StoneGate follow these instructions:
Create an Internal Security Gateway
1. In the StoneGate Control Panel, open the VPN Manager by clicking on its icon.
Internal Security Gateway - General Tab
2. Create a new Internal Security Gateway element by selecting its icon on the toolbar. In the
General tab, name the gateway (e.g. SG) and select your local firewall from the options
provided. The VPN Client NAT Pool will be left blank. The default SGW Settings in the
other tab needn’t be changed.
ILLUSTRATION 1.1 Internal Security Gateway - End-Points Tab
3. Switch to the End-Points Tab and then name the end points. Select your firewall’s
external IP address, and click Add to insert the name and IP address of the end point in
the text box. (In our example, 192.168.5.1.)
4. Click OK.
Create an External Security Gateway
1. Next, you need to define the other end of the VPN, so you must also create your partner’s
security gateway as an element. In the VPN Manager, click the External Security Gateway
icon to open the External Security Gateway Properties dialog box.
ILLUSTRATION 1.2 External Security Gateway - General Tab
2. In the General tab, name the external gateway (e.g., PIX). Select Cisco PIX as the Gateway
Type.
ILLUSTRATION 1.3 External Security Gateway - End-Points Tab
3. Switch to the End-Points tab, click the radio button Static IP.
4. In the End-Point Data section give the end point a name (e.g., PIXoutside) and its
external IP address (172.16.20.24).
5. Click the Add button to insert the name and IP address of the end-point in the text box.
6. Click OK.
Configuring the Encryption Domains
You need to assign sites to both defined security gateways.
ILLUSTRATION 1.4 VPN Manager - Gateway and Sites Tab
1. In the VPN Manager, select the Gateways and Sites tab. Ensure that you have the
Repository View on the left panel.
2. Drag and drop your internal network (192.168.10.0/24) from the left onto your internal
security gateway on the right panel.
Now, you will repeat the previous step for the external security gateway:
1. Drag and drop your partner’s internal network (10.20.20.0/24) from the left onto the
external security gateway on the right panel.
2. When finished, your VPN Manager should resemble Illustration 1.4.
Creating a VPN Element
After defining the security gateways functioning as end-points of the VPN, you can create the
actual VPN element.
ILLUSTRATION 1.5 VPN Manager - VPNs Tab
1. In the VPN Manager, click the VPN icon.
2. In the displayed dialog box, specify the name of the VPN (e.g., NG to SG). Click OK.
3. Switch to the VPNs tab to see the newly created VPN element.
4. In the VPNs window, drag and drop both gateway elements from the left panel onto the
VPN element you created on the right panel.
5. Set the properties of the VPN by selecting the VPN you just created. Right-click on it and
select Properties from the contextual menu. The VPN Editor window will open.
6. In the VPN Editor window, click on the IKE Proposal button located in the Logical
Tunnels panel on the left.
ILLUSTRATION 1.6 IKE Phase 1 - IKE Phase 1 Tab
7. The IKE Phase 1 window will open.
• Select the IKE Phase 1 tab.
• Select the DES radio button for Cipher Algorithm for Key Exchange.
• Click the MD5 radio button for Message Digest Algorithm for Key Exchange.
• Select the Pre-shared Key radio button for Authentication Method.
• Set the Diffie-Hellman Group for IKE to the value of 1.
• Enter 1440 for the IKE SA Lifetime in Minutes.
• Then select Main as the IKE Negotiation Mode.
8. Switch to the Pre-Shared Key tab.
ILLUSTRATION 1.7 IKE - Pre-Shared Key Tab
9. Type in the pre-shared key. The same key must be used in the PIX VPN configuration. (In
our example, abc123.) The Certificate Authorities tab needn’t be changed.
10. Click OK to return to the VPN Editor dialog box.
11. Click on Policy box in the Connections Between Site End-Points panel. The Connection
Encryption Policy dialog box appears.
ILLUSTRATION 1.8 Connection Encryption Policy
12. Select Override VPN Policy Settings For this Connection.
• Then select the radio button Net under Security Association Granularity.
• Click the Use IKE radio button under IPsec Mode.
• Ensure that Don’t Verify ESP Padding, Keep IPsec Tunnels Alive, and Use PFS check
boxes are unselected.
13. Click on IPsec Proposals to define the IKE phase-2 settings.
ILLUSTRATION 1.9 IPsec Proposals
14. Select the ESP radio button under IPsec Type.
• Select the DES radio button under Cipher Algorithm.
• Click the MD5 radio button under the Message Digest Algorithm.
• Enter 60 minutes and 4608000 KB in the IPsec Tunnel Lifetime text boxes.
15. Click the Add button to add this IPsec proposal. In the IPsec Proposals view, make sure
that the proposal you just added is the first one in the IPsec Proposals list.
16. Click OK twice, closing the IPsec Proposals box and the Connections Between Site End-Points box. You are now back in the VPN Editor.
ILLUSTRATION 1.10 VPN Editor
17. On the right side of the VPN Editor you will see the Mode heading in the Connections
Between Site End-Points panel. The entry should be a greyed-out Disabled icon. Click on
the entry and select the blue Normal icon. Close the VPN Editor and the VPN Manager.
Create a VPN Rule Base
After you have configured the VPN between the two gateways, you need to create access rules
to allow VPN traffic to be handled by StoneGate. From the Control Panel open the Security
Policy Manager to design the rules.
ILLUSTRATION 1.11 Security Policy Manager
1. Create a new policy by clicking the New icon on the tool bar.
2. In the opened dialog box, set the type as Normal, name the rule base as VPN_SG_PIX, and
select default as the new template.
3. Once your new rule base opens, right-click the green line saying Access rule: insert point
and select Add Rule.
4. You will now allow for VPN traffic from StoneGate to PIX. For the new rule, fill in the
cells as follows:
• Source: drag and drop the StoneGate internal network (192.168.10.0/24) here.
• Destination: drag and drop the PIX internal network (10.20.20.0/24) here.
• Service: ANY.
• Action: select Enforce VPN and then SG-PIX.
• Options: if wanted, set the Log Level under the Logging tab as Transient or whichever
log setting you desire.
ILLUSTRATION 1.12 Log Level
5. This time you will be allowing VPN traffic from PIX to StoneGate. Create a new rule
under the one you just created by right-clicking on its row and selecting Add Rule After.
Essentially, you will be recreating the previous rule, but reversing the Source and
Destination fields.
6. Fill in the cells as follows:
• Source: drag and drop the PIX internal network (10.20.20.0/24) here.
• Destination: drag and drop the StoneGate internal network (192.168.10.0/24) here.
• Service: ANY.
• Action: select Enforce VPN and then SG-PIX.
• Options: if wanted, set the Log Level under the Logging tab as Transient or whichever
log setting you desire.
7. Save and install the policy by clicking the Save and Install icon.
VPN settings at the CISCO PIX end using the command line
The Command Line Interface (CLI) is the original configuration method for PIX devices and is
included here for reference. This can be accessed through several methods, including Telnet,
Secure Shell (SSH), or through a console port session.
▼ To configure the VPN tunnel at the Cisco PIX end using the command line
1. Define the access list and NAT statements. This line creates or modifies an access list called
vpn that covers traffic between the two networks listed and expressly permits traffic between
them.
pix(config)# access-list vpn permit ip 10.20.20.0 255.255.255.0 192.168.10.0 255.255.255.0
2. Deny all other traffic from network 10.20.20.0 to any other point.
pix(config)# access-list vpn deny ip 10.20.20.0 255.255.255.0 any
3. Specify that NAT is not to be performed for traffic covered in the VPN access list.
pix(config)# nat (inside) 0 access-list vpn
4. Use the following command to define StoneGate’s end of the tunnel.
pix(config)# crypto map PIX_SG 10 set peer 192.168.5.1
5. Enable IKE on the outside interface.
pix(config)# isakmp enable outside
6. Set the pre-shared key (in this case, abc123) for communications with the peer
(StoneGate). Note that the netmask 255.255.255.0 used here makes the key valid for any
peer address in 192.168.5.0/24; a netmask of 255.255.255.255 binds it to the single
StoneGate end-point.
pix(config)# isakmp key abc123 address 192.168.5.1 netmask 255.255.255.0
7. Set the ISAKMP identity to the interface IP address, so that PIX identifies itself to its
peer by address.
pix(config)# isakmp identity address
8. The pre-shared key will be used in authentication.
pix(config)# isakmp policy 10 authentication pre-share
9. Define the IKE settings for Phase 1 to be the same as those defined at the StoneGate end.
pix(config)# isakmp policy 10 encryption des
pix(config)# isakmp policy 10 hash md5
pix(config)# isakmp policy 10 group 1
pix(config)# isakmp policy 10 lifetime 86400
10. Define the IPsec transform set for Phase 2, setting both the Cipher Algorithm and the
Message Digest Algorithm for ESP to the values used in the StoneGate IPsec proposal.
pix(config)# crypto ipsec transform-set myset esp-des esp-md5-hmac
11. The following line specifies that this crypto map entry uses IKE (the ISAKMP policy
defined in step 9) to establish its security associations.
pix(config)# crypto map PIX_SG 10 ipsec-isakmp
12. The encryption domains of the firewalls are set to be the ones defined in the VPN access
list from step 1.
pix(config)# crypto map PIX_SG 10 match address vpn
13. The IKE Phase 2 settings (the transform set from step 10) are activated for this tunnel.
pix(config)# crypto map PIX_SG 10 set transform-set myset
14. Set both the seconds and kilobyte values for the IPsec Tunnel Lifetime on PIX (3600
seconds corresponds to the 60 minutes entered in StoneGate).
pix(config)# crypto map PIX_SG 10 set security-association lifetime seconds 3600 kilobytes 4608000
15. Activate the tunnel on the external interface.
pix(config)# crypto map PIX_SG interface outside
16. Implicitly allow any packet that arrives through the IPsec tunnel, bypassing the interface
access lists.
pix(config)# sysopt connection permit-ipsec
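The guideline stresses that a change at one end of the tunnel must be matched at the other. The following script, added here as an example and not part of the original guideline or of either vendor's software, parses the PIX commands entered above and compares them with the values from the VPN Parameters list as entered in the StoneGate VPN Editor: IKE phase 1 policy, the transform set, the IPsec lifetimes, the peer and the access-list selector. The STONEGATE dictionary layout, the function names and the regular expressions for PIX 6.x syntax are our own assumptions; the PIX_CONFIG text is constructed from the document's example.

```python
import re
from ipaddress import IPv4Network

# Constructed sample input: the PIX lines produced by the CLI steps above,
# using the document's example addresses and names (key masked as in
# "show running-config" output).
PIX_CONFIG = """\
access-list vpn permit ip 10.20.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn deny ip 10.20.20.0 255.255.255.0 any
nat (inside) 0 access-list vpn
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map PIX_SG 10 ipsec-isakmp
crypto map PIX_SG 10 match address vpn
crypto map PIX_SG 10 set peer 192.168.5.1
crypto map PIX_SG 10 set transform-set myset
crypto map PIX_SG 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map PIX_SG interface outside
isakmp enable outside
isakmp key ******** address 192.168.5.1 netmask 255.255.255.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
"""

# Values entered in the StoneGate VPN Editor (the document's VPN Parameters list).
# The dictionary layout is an assumption of this example, not a StoneGate format.
STONEGATE = {
    "peer": "192.168.5.1",           # StoneGate external end-point
    "local_net": "192.168.10.0/24",  # site behind StoneGate
    "remote_net": "10.20.20.0/24",   # site behind PIX
    "ike_encryption": "des",
    "ike_hash": "md5",
    "ike_auth": "pre-share",
    "ike_group": "1",
    "ike_lifetime_minutes": 1440,    # PIX expresses this in seconds
    "ipsec_encryption": "des",
    "ipsec_hash": "md5",
    "ipsec_lifetime_minutes": 60,
    "ipsec_lifetime_kb": 4608000,
}

ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POLICY_RE = re.compile(r"isakmp policy (\d+) (authentication|encryption|hash|group|lifetime) (\S+)$")
TSET_RE = re.compile(r"crypto ipsec transform-set (\S+) (.+)$")
MAP_RE = re.compile(r"crypto map (\S+) (\d+) (set peer|match address|set transform-set) (\S+)$")
SA_LIFE_RE = re.compile(r"crypto map (\S+) (\d+) set security-association lifetime seconds (\d+) kilobytes (\d+)$")


def parse_pix(config):
    """Extract ISAKMP policies, transform sets, crypto map entries and the permit
    lines of access lists from PIX 6.x configuration text."""
    found = {"acl": [], "policy": {}, "transform_sets": {}, "crypto_map": {}}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            found["acl"].append((name, IPv4Network(f"{src}/{smask}"), IPv4Network(f"{dst}/{dmask}")))
        elif m := POLICY_RE.match(line):
            found["policy"].setdefault(m.group(1), {})[m.group(2)] = m.group(3)
        elif m := TSET_RE.match(line):
            found["transform_sets"][m.group(1)] = m.group(2).split()
        elif m := MAP_RE.match(line):
            found["crypto_map"].setdefault((m.group(1), m.group(2)), {})[m.group(3)] = m.group(4)
        elif m := SA_LIFE_RE.match(line):
            entry = found["crypto_map"].setdefault((m.group(1), m.group(2)), {})
            entry["lifetime_seconds"] = int(m.group(3))
            entry["lifetime_kb"] = int(m.group(4))
    return found


def compare_ends(pix, sg):
    """Return a list of mismatches between the PIX side and the StoneGate values;
    an empty list means both ends of the tunnel agree."""
    problems = []
    # Phase 1: some PIX ISAKMP policy must equal the StoneGate IKE proposal exactly.
    wanted_p1 = {
        "authentication": sg["ike_auth"],
        "encryption": sg["ike_encryption"],
        "hash": sg["ike_hash"],
        "group": sg["ike_group"],
        "lifetime": str(sg["ike_lifetime_minutes"] * 60),
    }
    policies = list(pix["policy"].values())
    if wanted_p1 not in policies:
        first = policies[0] if policies else {}
        for key, want in wanted_p1.items():
            if first.get(key) != want:
                problems.append(f"IKE phase 1 {key}: PIX has {first.get(key)!r}, StoneGate has {want!r}")
    # Phase 2: the crypto map entry whose peer is the StoneGate end-point.
    entry = next((e for e in pix["crypto_map"].values() if e.get("set peer") == sg["peer"]), None)
    if entry is None:
        problems.append(f"no crypto map entry with peer {sg['peer']}")
        return problems
    tset = pix["transform_sets"].get(entry.get("set transform-set"), [])
    for want in (f"esp-{sg['ipsec_encryption']}", f"esp-{sg['ipsec_hash']}-hmac"):
        if want not in tset:
            problems.append(f"IPsec transform set lacks {want}: PIX has {tset}")
    if entry.get("lifetime_seconds") != sg["ipsec_lifetime_minutes"] * 60:
        problems.append(f"IPsec lifetime seconds: PIX has {entry.get('lifetime_seconds')}")
    if entry.get("lifetime_kb") != sg["ipsec_lifetime_kb"]:
        problems.append(f"IPsec lifetime kilobytes: PIX has {entry.get('lifetime_kb')}")
    # Encryption domains: the PIX access list is written PIX-site -> StoneGate-site,
    # the mirror image of the StoneGate rule (local_net -> remote_net).
    acl_name = entry.get("match address")
    acl_pairs = {(s, d) for n, s, d in pix["acl"] if n == acl_name}
    mirror = (IPv4Network(sg["remote_net"]), IPv4Network(sg["local_net"]))
    if mirror not in acl_pairs:
        problems.append(f"access list {acl_name} does not cover {mirror[0]} -> {mirror[1]}")
    return problems


if __name__ == "__main__":
    for line in compare_ends(parse_pix(PIX_CONFIG), STONEGATE) or ["both ends agree"]:
        print(line)
```

Feed the script the output of show running-config (or sh run) after changing either end; any line it prints names the parameter that no longer matches, which is usually the cause when the tunnel fails to negotiate.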
VPN settings at the CISCO PIX end using PDM
Instead of using the command line interface, the VPN tunnel between StoneGate and PIX can
also be configured with the PIX Device Manager (PDM) graphical user interface. PDM software
can be installed on PIX, after which the firewall can be accessed using HTTPS. In PDM the VPNs
can be set up in the VPN section or by using the VPN Wizard.
▼ To configure the VPN tunnel at the Cisco PIX end using PDM
ILLUSTRATION 1.13 Cisco PIX Device Manager (PDM)
1. From the Cisco PIX Device Manager go to the Wizards menu and open the VPN Wizard.
ILLUSTRATION 1.14 VPN Wizard
2. From the first window of the VPN Wizard select the Site to Site VPN radio button.
Enable the VPN on the outside interface that leads to StoneGate.
ILLUSTRATION 1.15 VPN Wizard - Remote Site Peer
3. Specify the remote peer (the StoneGate firewall) by entering its IP address and defining
the authentication method. Enter the same Pre-shared key as used when configuring the
StoneGate end. (In our example, abc123.)
ILLUSTRATION 1.16 VPN Wizard - IKE Policy
4. For IKE negotiation select the encryption (DES) and authentication (MD5) algorithms and
the Diffie-Hellman group (1). The values must be the same as those used when configuring
the StoneGate end.
ILLUSTRATION 1.17 VPN Wizard - Transform Set
5. For IPsec select the encryption (DES) and authentication (MD5) algorithms. The values must
be the same as those used to configure the StoneGate end.
ILLUSTRATION 1.18 VPN Wizard - IPsec Traffic Selector
6. Define the local network (e.g., inside) protected by PIX. Use PIX’s local network IP
Address (10.20.20.0) and mask (255.255.255.0). To move this information to the
Selected box press the right-hand arrow pointing to the box.
ILLUSTRATION 1.19 VPN Wizard - IPsec Traffic Selector (Continued)
7. Define the remote site’s internal network (outside) protected by StoneGate. Use
StoneGate’s local network IP Address (192.168.10.0) and mask (255.255.255.0).
Press the right-hand arrow to move this information to the Selected box.
8. To complete the VPN Wizard and apply the configuration to PIX select the Finish
button.
ILLUSTRATION 1.20 VPN System Options
9. From the Cisco PIX Device Manager select the VPN tab, then select VPN System
Options from the left-hand panel. In the right-hand panel select Bypass access check for
IPSec and L2TP traffic. This will permit IPsec inbound sessions without interference.
PIX configuration used
Below is the full Cisco PIX configuration taken with the show running-config command (which
can be shortened to sh run) while traffic was flowing through the VPN tunnel. The output was
captured from the command line interface, which can be accessed through several methods,
including Telnet, Secure Shell (SSH), or a console port session.
pix(config)# sh run
: Saved
:
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password NuLKvvWGg.x9HEKO encrypted
passwd NuLKvvWGg.x9HEKO encrypted
hostname pix
domain-name stonesoft.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list vpn permit ip 10.20.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn deny ip 10.20.20.0 255.255.255.0 any
pager lines 24
logging on
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 172.16.20.24 255.255.255.0
ip address inside 10.20.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 172.16.20.11-172.16.20.20
global (outside) 1 172.16.20.10
nat (inside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 172.16.20.200 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map PIX_SG 10 ipsec-isakmp
crypto map PIX_SG 10 match address vpn
crypto map PIX_SG 10 set peer 192.168.5.1
crypto map PIX_SG 10 set transform-set myset
crypto map PIX_SG 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map PIX_SG interface outside
isakmp enable outside
isakmp key ******** address 192.168.5.1 netmask 255.255.255.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 10.20.20.3 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:b91242fd64b5e52eecbf30371a9a5329
: end
Crypto map and transform set on PIX
The following shows the active crypto map and transform set details on PIX while traffic was
flowing through the VPN tunnel:
pix(config)# show crypto map interface outside
Crypto Map: "PIX_SG" interfaces: { outside }
Crypto Map "PIX_SG" 10 ipsec-isakmp
Peer = 192.168.5.1
access-list vpn; 2 elements
access-list vpn permit ip 10.20.20.0 255.255.255.0 192.168.10.0 255.255.255.0
(hitcnt=311)
access-list vpn deny ip 10.20.20.0 255.255.255.0 any (hitcnt=0)
Current peer: 192.168.5.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ myset, }
pix(config)# show crypto ipsec transform-set
Transform set myset: { esp-des esp-md5-hmac
will negotiate = { Tunnel, },
}
Trademarks and Patents
Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-link
technology, multi-link VPN, and the StoneGate clustering technology, as well as other technologies included in StoneGate, are
protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are
property of their respective owners.
Copyright and Disclaimer
Copyright © 2000–2003 Stonesoft Corporation. All rights reserved.
These materials, Stonesoft products and related documentation are protected by copyright and other laws, international treaties and
conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and
its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this
document or related Stonesoft products may be reproduced in any form, or by any means without written authorization of Stonesoft
Corporation.
The Stonesoft Secure Application Partnership Program is a validation service offered by Stonesoft to allow end users to make an
informed decision when choosing hardware for their StoneGate High Availability Firewall and VPN solutions.
Under Stonesoft’s Secure Application Partnership Program, certification is granted based on tests performed under specific operating
conditions in a controlled environment. The details of these tests are available from Stonesoft upon request. Stonesoft does not
guarantee the accuracy, adequacy or completeness of its certification testing of third party hardware products and shall not be liable if
the testing results and/or determinations are inaccurate, inadequate or incomplete. End users are solely responsible for determining
on their own whether a given third party hardware configuration is suitable for their needs.
BY CERTIFYING THIRD PARTY HARDWARE PRODUCTS, STONESOFT MAKES NO WARRANTIES, EXPRESS OR
IMPLIED, AS TO TESTING RESULTS, INFORMATION CONTAINED IN THESE MATERIALS, OR ANY INFORMATION
OR DATA PROVIDED IN RELATION TO THE SECURE APPLICATION PARTNERSHIP PROGRAM. IN ADDITION,
STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE OR USE WITH RESPECT TO INFORMATION CONTAINED IN THESE MATERIALS.
IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL
DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM
International Headquarters
Stonesoft Corp.
Itälahdenkatu 22a
FIN-00210 Helsinki, Finland
+358-9-4767 11 tel.
+358-9-4767 1234 fax.
[email protected]
Business ID: 0837548-0
VAT number: FI08375480
www.stonesoft.com
Americas Headquarters
Stonesoft Inc.
115 Perimeter Center Place
South Terraces, Suite 1000
Atlanta, GA 30346
770 668-1125 tel.
770 668-1131 fax.
[email protected]
Asia Pacific Headquarters
Stonesoft Corp.
90 Cecil Street #11-01
069531 Singapore
+65 63251390 tel.
+65 63251399 fax.
[email protected]