******************************
WORKING RELEASES:
Release             | strongSwan Version / Kernel
Fedora 31           | 5.7.2 / K5.3.11-300.fc31
Mint 18.3           | 5.3.5 / K4.10.0-38
openSUSE 15.1       | 5.6.0 / K4.12.14-lp151.28.32
openSUSE Tumbleweed | 5.6.4
******************************
Before you begin, please make sure you have a working Remote Access environment using one of the Check Point Endpoint Clients (Windows / macOS).
This guide describes how to connect a Linux VPN client based on strongSwan to your Check Point environment, using certificates issued by the Check Point Internal CA.
----------------------
Attention:
- You may need to adjust the MTU manually; strongSwan does not do this for you (see MTU SIZE at the end)
- right=%defaultroute does not work for me; I need to enter my client IP address
- If possible, use Libreswan; it works better and is easier to configure
----------------------
Gateway / SmartCenter
The first step is to export the Check Point VPN gateway certificate from the SmartCenter. Also create a local user in SmartDashboard and export the user's p12 certificate.
Environment used in this example:
R80.30 Jumbo Take 76 - Standalone Firewall
VPN Object: home-fw
VPN Certificate: defaultCert
Encryption Domain: 192.168.0.0/24
1)
Export the firewall VPN certificate (home-fw) as a p12 file from the SmartCenter. To check the certificate name, open the FW object in SmartDashboard - IPSec VPN - Certificate Nickname (usually defaultCert).
Usage: export_p12 -obj <network object> -cert <certobj> -file <filename> -passwd <password>
Mgmt# export_p12 -obj home-fw -cert defaultCert -f home-fw.p12 -passwd 123456
A file named "home-fw.p12" is generated. Copy it to the Linux VM. Keep in mind that this p12 contains the gateway's private key, not only its certificate: use a strong password instead of the example one, extract only the certificate on the client (conversion step below), and delete the p12 afterwards.
2)
In the user object create a p12 certificate and copy the file to the Linux VM, for example soeren.p12.
Make sure that this user is part of the Remote Access community. You can verify this by connecting with a Check Point VPN client using username / password, for example.
openSUSE
1) Install and configure strongSwan using yast
# sudo yast
2) Now convert the p12 files to PEM files and place them in the correct folders
1) Extract the user certificate (certificate only, no key)
# openssl pkcs12 -in soeren.p12 -out soeren.pem -clcerts -nokeys
2) Extract the private key from the user p12 (unencrypted, because strongSwan loads it through ipsec.secrets; keep the file readable by root only)
# openssl pkcs12 -in soeren.p12 -out soeren.key.pem -nocerts -nodes
3) Extract the firewall certificate (certificate only; the gateway's private key inside home-fw.p12 must not be installed on the client)
# openssl pkcs12 -in home-fw.p12 -out home-fw.pem -clcerts -nokeys
4) Copy the PEM files to /etc/ipsec.d
# sudo cp soeren.pem /etc/ipsec.d/certs
# sudo cp home-fw.pem /etc/ipsec.d/certs
# sudo cp soeren.key.pem /etc/ipsec.d/private
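The conversion and copy steps above as one script, added here as an example (it is not part of the original guide). It assumes the p12 password is supplied in the environment variable P12_PASS rather than on the command line (so it does not show up in the process list), takes the target directory as a parameter so it can be tried outside /etc/ipsec.d, writes the key with mode 0600, and verifies that the extracted private key really belongs to the user certificate before anything is used.

```sh
#!/bin/sh
# Added example, not part of the original guide: convert the two P12 files
# into the PEM files strongSwan expects and check them before they are used.
# Assumption: the P12 password is in the environment variable P12_PASS.
set -eu

# install_p12_certs USER.p12 GATEWAY.p12 IPSEC_D
#   USER.pem and GATEWAY.pem go to IPSEC_D/certs, USER.key.pem (mode 0600) to
#   IPSEC_D/private. Fails if the user key does not belong to the user cert.
install_p12_certs() {
    user_p12=$1; gw_p12=$2; ipsec_d=$3
    user=$(basename "$user_p12" .p12)
    gw=$(basename "$gw_p12" .p12)
    mkdir -p "$ipsec_d/certs" "$ipsec_d/private"

    # User certificate only (-clcerts -nokeys), as in the guide
    openssl pkcs12 -in "$user_p12" -passin env:P12_PASS -clcerts -nokeys \
        -out "$ipsec_d/certs/$user.pem"

    # User private key, unencrypted (-nodes) because strongSwan loads it
    # through ipsec.secrets; created with a restrictive umask from the start
    (umask 077; openssl pkcs12 -in "$user_p12" -passin env:P12_PASS -nocerts -nodes \
        -out "$ipsec_d/private/$user.key.pem")
    chmod 600 "$ipsec_d/private/$user.key.pem"

    # Gateway: the client only needs the certificate. The gateway's private key
    # is also inside its P12 and must never be written to the client.
    openssl pkcs12 -in "$gw_p12" -passin env:P12_PASS -clcerts -nokeys \
        -out "$ipsec_d/certs/$gw.pem"

    # Sanity check: public key in the cert must equal the one derived from the key
    cert_pub=$(openssl x509 -in "$ipsec_d/certs/$user.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$ipsec_d/private/$user.key.pem" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "ERROR: $user.key.pem does not match $user.pem" >&2
        return 1
    fi

    # Show what was installed; these subjects are the IDs strongSwan will log
    openssl x509 -in "$ipsec_d/certs/$user.pem" -noout -subject
    openssl x509 -in "$ipsec_d/certs/$gw.pem" -noout -subject
}
```

On the real system, source the file as root and run it against the two files from the SmartCenter: P12_PASS='...' and then install_p12_certs soeren.p12 home-fw.p12 /etc/ipsec.d. The two printed subjects are the identities that appear later in the ipsec up log.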
3) Enable and start strongSwan
# systemctl enable strongswan
# systemctl start strongswan
# systemctl status strongswan # shows status information only
4) Edit the main configuration file /etc/ipsec.conf
# sudo vi /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    # charondebug=1

# Add connections here.
conn home
    # Right side is strongSwan - RoadWarrior
    right=172.20.10.13          # client IP address, or try %defaultroute
    rightcert=soeren.pem        # certificate file name of the user, from /etc/ipsec.d/certs
    # Left side is Check Point
    left=46.89.4.xxx            # put your gateway IP address here
    leftsubnet=192.168.0.0/24   # your company's network range, or 0.0.0.0/0 for any
    leftcert=home-fw.pem        # certificate file name of the FW, from /etc/ipsec.d/certs
    leftid=192.168.0.1          # Check Point identifies itself with the Main IP Address of the FW object
    # config
    type=tunnel
    keyingtries=3
    authby=rsasig
    ike=aes256-sha1-modp1024    # check that the IKE P1 parameters are allowed under Global Properties - Remote Access;
                                # modp1024 and SHA-1 are weak, prefer modp2048 and sha256 if the gateway allows them
    esp=aes128-sha1             # check that the IKE P2 parameters are allowed
    ikelifetime=8h              # IKE lifetime 8h for IKE Phase 1, IMPORTANT
    lifetime=1h                 # SA lifetime 1h for IKE Phase 2, IMPORTANT
    keyexchange=ikev1           # use IKEv1
    auto=add
******************************
Attention:
You need to change "leftid=xxx.xxx.xxx.xxx" to the IP address that is configured as the Main IP Address of the firewall object in SmartDashboard.
If the IP address is not correct, the log will show an error like this:
received end entity cert "O=home-fw..22erwk, CN=home-fw VPN Certificate"
IDir '192.168.0.1' does not match to 'O=home-fw..22erwk, CN=home-fw VPN Certificate'
deleting IKE_SA home[1] between 172.20.10.13[O=home-fw..22erwk, OU=users, CN=soeren]...46.89.4.xxx[%any]
sending DELETE for IKE_SA home[1]
generating INFORMATIONAL_V1 request 2100344439 [ HASH D ]
sending packet: from 172.20.10.13[4500] to 46.89.4.xxx[4500] (92 bytes)
establishing connection 'home' failed
The meaning of the error: the gateway identifies itself with the ID shown after IDir ('192.168.0.1'), while strongSwan expected the value of leftid (here defaulted to the certificate subject). leftid must therefore be "192.168.0.1" in this example.
******************************
5) Edit /etc/ipsec.secrets and add the private key of your user
# sudo vi /etc/ipsec.secrets
#
# ipsec.secrets
#
# This file holds the RSA private keys or the PSK preshared secrets for
# the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
#
: RSA /etc/ipsec.d/private/soeren.key.pem
6) restart strongSwan
# sudo ipsec restart
7) Initiate the connection
# sudo ipsec up home
8) For troubleshooting, always run this after modifying /etc/ipsec.conf
# sudo ipsec restart
# sudo ipsec up home
9) Troubleshooting command
# sudo ipsec statusall
10) Logfile from working setup
soeren@linux-4suj:~> sudo ipsec up home
initiating Main Mode IKE_SA home[2] to 46.89.4.xxx
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 172.20.10.13[500] to 46.89.4.xxx[500] (240 bytes)
received packet: from 46.89.4.xxx[500] to 172.20.10.13[500] (124 bytes)
parsed ID_PROT response 0 [ SA V V ]
received FRAGMENTATION vendor ID
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 172.20.10.13[500] to 46.89.4.xxx[500] (244 bytes)
received packet: from 46.89.4.xxx[500] to 172.20.10.13[500] (432 bytes)
parsed ID_PROT response 0 [ KE No CERTREQ CERTREQ CERTREQ NAT-D NAT-D NAT-D ]
received cert request for unknown ca 'O=home-fw..22erwk'
ignoring certificate request without data
local host is behind NAT, sending keep alives
remote host is behind NAT
authentication of 'O=home-fw..22erwk, OU=users, CN=soeren' (myself) successful
sending end entity cert "O=home-fw..22erwk, OU=users, CN=soeren"
generating ID_PROT request 0 [ ID CERT SIG N(INITIAL_CONTACT) ]
sending packet: from 172.20.10.13[4500] to 46.89.4.xxx[4500] (988 bytes)
received packet: from 46.89.4.xxx[4500] to 172.20.10.13[4500] (940 bytes)
parsed ID_PROT response 0 [ ID CERT SIG V ]
received DPD vendor ID
received end entity cert "O=home-fw..22erwk, CN=home-fw VPN Certificate"
no issuer certificate found for "O=home-fw..22erwk, CN=home-fw VPN Certificate"
issuer is "O=home-fw..22erwk"
using trusted certificate "O=home-fw..22erwk, CN=home-fw VPN Certificate"
authentication of '192.168.0.1' with RSA_EMSA_PKCS1_NULL successful
IKE_SA home[2] established between 172.20.10.13[O=home-fw..22erwk, OU=users, CN=soeren]...46.89.4.xxx[192.168.0.1]
scheduling reauthentication in 28150s
maximum IKE_SA lifetime 28690s
generating QUICK_MODE request 2852597160 [ HASH SA No ID ID ]
sending packet: from 172.20.10.13[4500] to 46.89.4.xxx[4500] (204 bytes)
received packet: from 46.89.4.xxx[4500] to 172.20.10.13[4500] (172 bytes)
parsed QUICK_MODE response 2852597160 [ HASH SA No ID ID ]
CHILD_SA home{2} established with SPIs c9f7a279_i dc7aff75_o and TS 172.20.10.13/32 === 192.168.0.0/24
generating QUICK_MODE request 2852597160 [ HASH ]
sending packet: from 172.20.10.13[4500] to 46.89.4.xxx[4500] (60 bytes)
connection 'home' established successfully
*Note openSUSE*
- Reboot if the "ipsec" commands produce no output.
- After a reboot run "# sudo ipsec restart"; otherwise an error like the one below shows up
For example:
soeren@linux-guki:~> sudo ipsec up home
initiating Main Mode IKE_SA home[1] to 172.20.10.11
no private key found for '192.168.0.1'
configuration uses unsupported authentication
tried to checkin and delete nonexisting IKE_SA
establishing connection 'home' failed
soeren@linux-guki:~> sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.6.0 IPsec [starter]...
soeren@linux-guki:~> sudo ipsec up home
initiating Main Mode IKE_SA home[1] to 46.89.4.xxx
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 172.20.10.11[500] to 46.89.4.xxx[500] (240 bytes)
received packet: from 46.89.4.xxx[500] to 172.20.10.11[500] (124 bytes)
then it works...
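A small log triage function, added here as an example (it is not from the original guide), that reads the output of ipsec up and turns the three outcomes shown on this page into a verdict: the leftid mismatch from the Attention box (it prints the exact IDir value to put into leftid), the "no private key found" error after a reboot on openSUSE, and the successful CHILD_SA line from the working log. The message wording and exit codes are my own choice; the log lines it matches are the ones quoted on this page.

```sh
#!/bin/sh
# Added example, not part of the original guide: classify the output of
# "sudo ipsec up home" (read from stdin) and print what to do next.
# Exit codes: 0 established, 1 unknown failure, 2 ID mismatch, 3 no private key.
set -eu

diagnose_ipsec_up() {
    log=$(cat)

    # Gateway ID (IDir) differs from what leftid expects: print the value
    # strongSwan received from the gateway, which is what leftid must be.
    idir=$(printf '%s\n' "$log" \
        | sed -n "s/.*IDir '\([^']*\)' does not match.*/\1/p" | head -n 1)
    if [ -n "$idir" ]; then
        echo "ID mismatch: the gateway identified itself as '$idir'; set leftid=$idir in ipsec.conf"
        return 2
    fi

    # ipsec.secrets not (re)loaded, as seen on openSUSE after a reboot
    missing=$(printf '%s\n' "$log" \
        | sed -n "s/.*no private key found for '\([^']*\)'.*/\1/p" | head -n 1)
    if [ -n "$missing" ]; then
        echo "no private key loaded for '$missing': run 'sudo ipsec restart' so ipsec.secrets is re-read, then 'sudo ipsec up home'"
        return 3
    fi

    # Success: report the traffic selectors and SPIs of the CHILD_SA
    ts=$(printf '%s\n' "$log" \
        | sed -n 's/.*CHILD_SA [^ ]* established with SPIs \([^ ]*\) \([^ ]*\) and TS \(.*\)$/\3 (SPI in \1, out \2)/p' | head -n 1)
    if [ -n "$ts" ]; then
        echo "established: $ts"
        return 0
    fi

    if printf '%s\n' "$log" | grep -q "establishing connection '.*' failed"; then
        echo "failed for another reason: check 'sudo ipsec statusall' and the charon log"
        return 1
    fi
    echo "no verdict: the log contains no outcome line"
    return 1
}
```

Usage: sudo ipsec up home 2>&1 | diagnose_ipsec_up. Because the function only looks for the outcome lines, it works on the full verbose log as well as on a copy-pasted excerpt.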
MTU SIZE
Find out the interface name and the current MTU size
soeren@linux-4suj:/etc> ip link show | grep mtu
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
Establish the VPN connection and send an oversized ping with DF set (-M do) through the tunnel to find out the path MTU
soeren@linux-4suj:/etc> ping -c 3 -M do -s 1500 192.168.0.20
PING 192.168.0.20 (192.168.0.20) 1500(1528) bytes of data.
ping: local error: message too long, mtu=1422
ping: local error: message too long, mtu=1422
ping: local error: message too long, mtu=1422
ping reports the path MTU through the tunnel as 1422 bytes (the size of the whole IP packet). The largest ICMP payload that fits is therefore 1394 (1422 minus the 20-byte IP header and the 8-byte ICMP header); this is the value set on the interface in the next step. The ip link setting is not persistent; put it into the interface's network configuration to keep it across reboots.
soeren@linux-4suj:/etc> sudo ip link set ens33 mtu 1394
Re-establish the VPN connection.
# sudo ipsec restart
# sudo ipsec up home
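Probing with a single oversized ping, as above, shows the first error but not the largest size that actually passes. The following shell functions are an added example (not from the original guide) that generalise that step: parse the mtu= value ping reports, convert it to the matching ICMP payload size, and bisect with DF-set pings to find the largest payload that gets through the tunnel. The target host 192.168.0.20 and the interface ens33 are the ones used on this page; PMTU_TARGET is an assumed variable name, and the prober is passed by name so a fake one can be substituted where no tunnel is available.

```sh
#!/bin/sh
# Added example, not part of the original guide: find the usable MTU through
# the tunnel instead of reading it off a single oversized ping.
set -eu

# parse_ping_mtu: read ping output on stdin and print the "mtu=NNNN" value
# ping reports with "-M do" (the path MTU for the whole IP packet).
parse_ping_mtu() {
    sed -n 's/.*message too long, mtu=\([0-9]*\).*/\1/p' | head -n 1
}

# ping_payload_from_mtu MTU: largest ICMP echo payload ("-s" value) that
# fits into MTU; 20 bytes IPv4 header + 8 bytes ICMP header are subtracted.
ping_payload_from_mtu() {
    echo $(( $1 - 28 ))
}

# ping_probe SIZE: one DF-set ping with SIZE bytes of payload; success means
# the packet got through unfragmented. Target is taken from PMTU_TARGET
# (assumed variable name), defaulting to the host used on this page.
ping_probe() {
    ping -c 1 -W 1 -M do -s "$1" "${PMTU_TARGET:-192.168.0.20}" >/dev/null 2>&1
}

# find_max_payload PROBE LO HI: binary search for the largest SIZE in
# [LO, HI] for which "PROBE SIZE" succeeds. PROBE is a function name, so a
# fake prober can be used for testing. Prints 0 if even LO fails.
find_max_payload() {
    probe=$1; lo=$2; hi=$3; best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid"; then
            best=$mid; lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# Usage against the real tunnel (not run here):
#   max=$(find_max_payload ping_probe 0 1472)   # 1472 = 1500 - 28
#   echo "largest payload $max, path MTU $(( max + 28 ))"
#   sudo ip link set ens33 mtu "$max"            # the guide's workaround
```

With the values from this page the search converges on 1394, which is exactly what the single ping error (mtu=1422) minus 28 gives; on a path with a different encapsulation overhead the bisection finds the right size without any calculation.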