C2S - strongSwan (Roadwarrior) and R80.30 - working
******************************
WORKING RELEASES:
| Release             | strongSwan Version          |
|---------------------|-----------------------------|
| Fedora 31           | 5.7.2/K5.3.11-300.fc31      |
| Mint 18.3           | 5.3.5/K4.10.0-38            |
| openSUSE 15.1       | 5.6.0/K4.12.14-lp151.28.32  |
| openSUSE Tumbleweed | 5.6.4                       |
******************************
Before you begin, please make sure you have a working Remote Access environment using one of the Check Point Endpoint Clients (Windows / MacOS).
This is a guide to connect a Linux VPN Client based on strongSwan to your Check Point environment, using certificates from the InternalCA.
----------------------
Attention:
- You might have to adjust the MTU settings manually, because this is not done by strongSwan
- right=%defaultroute does not work for me, I need to enter my Client IP Address
- if possible use Libreswan, it works better and is easier to configure
----------------------
Gateway / SmartCenter
The first step is to export the Check Point VPN Gateway Certificate from the SmartCenter. Also create a local User in SmartDashboard and export the User p12 Certificate.
R80.30 Jumbo Take 76 - Standalone Firewall VPN Object: home-fw
1)
Export the Firewall p12 VPN Certificate (home-fw) from the SmartCenter. To check the Certificate name, open the FW object in SmartDashboard - IPSec VPN - Certificate Nickname (usually defaultCert)
Usage: export_p12 -obj <network object> -cert <certobj> -file <filename> -passwd <password>
Mgmt# export_p12 -obj home-fw -cert defaultCert -f home-fw.p12 -passwd 123456
A file named "home-fw.p12" will be generated. Copy this over to the Linux VM.
2)
In the User object create a p12 certificate and copy the file over to the Linux VM. For example: soeren.p12
Make sure that this user is part of the Remote Access community; you can check that the connection works with a Check Point VPN Client using Username / PW, for example.
openSUSE
1) Install and configure strongSwan using yast
# sudo yast
2) Now it is time to convert the P12 to PEM files and place them in the correct folder
1) Convert User Certificate
# openssl pkcs12 -in soeren.p12 -out soeren.pem -clcerts -nokeys
2) Extract private Key from User Certificate
# openssl pkcs12 -in soeren.p12 -out soeren.key.pem -nocerts -nodes
3) Convert Firewall Certificate
# openssl pkcs12 -in home-fw.p12 -out home-fw.pem -clcerts -nokeys
4) copy PEM files to /etc/ipsec.d
# sudo cp soeren.pem /etc/ipsec.d/certs
# sudo cp home-fw.pem /etc/ipsec.d/certs
# sudo cp soeren.key.pem /etc/ipsec.d/private
3) enable and start strongSwan.
# systemctl enable strongswan
# systemctl start strongswan
# systemctl status strongswan # only status information
4) Edit the main configuration file /etc/ipsec.conf
# sudo vi /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        # charondebug=1
# Add connections here.
# Parameters of a conn section must be indented, otherwise the starter does not parse them.
conn home
        # Right side is strongSwan - RoadWarrior
        right=172.20.10.13          # Client IP Address or try %defaultroute
        rightcert=soeren.pem        # Certificate filename of the user - from /etc/ipsec.d/certs
        # Left side is Check Point
        left=46.89.4.xxx            # put here your Gateway IP Address
        leftsubnet=192.168.0.0/24   # put here your company's network range or 0.0.0.0/0 for any
        leftcert=home-fw.pem        # Certificate filename of the FW - from /etc/ipsec.d/certs
        leftid=192.168.0.1          # Check Point responds with the Main IP Address from the FW Object
        # config
        type=tunnel
        keyingtries=3
        authby=rsasig
        ike=aes256-sha1-modp1024    # check if IKE P1 parameters are allowed under Global Prop. - RA
        esp=aes128-sha1             # check if IKE P2 parameters are allowed
        ikelifetime=8h              # IKE Lifetime 8h for IKE Phase P1 IMPORTANT
        lifetime=1h                 # SA Lifetime 1h for IKE Phase P2 IMPORTANT
        keyexchange=ikev1           # use IKEv1
        auto=add
******************************
Attention:
You need to change "leftid=xxx.xxx.xxx.xxx" to the IP Address which is configured as the Main IP Address of the Firewall Object in SmartDashboard.
If the IP Address is not correct, the Logfile will show an error like this:
received end entity cert "O=home-fw..22erwk, CN=home-fw VPN Certificate"
IDir '192.168.0.1' does not match to 'O=home-fw..22erwk, CN=home-fw VPN Certificate'
deleting IKE_SA home[1] between 172.20.10.13[O=home-fw..22erwk, OU=users, CN=soeren]...46.89.4.xxx[%any]
sending DELETE for IKE_SA home[1]
generating INFORMATIONAL_V1 request 2100344439 [ HASH D ]
sending packet: from 172.20.10.13[4500] to 46.89.4.xxx[4500] (92 bytes)
establishing connection 'home' failed
The meaning of the error: leftid must be "192.168.0.1" in this example
******************************
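As an added example (not part of the original post), the following script parses an ipsec.conf in the layout used above and flags the pitfalls the guide warns about: a missing leftid, right=%defaultroute, and lifetimes that differ from the 8h/1h marked IMPORTANT. The sample config is constructed and deliberately contains those mistakes.

```python
"""Added example (not from the original post): parse an ipsec.conf in the
layout used in the guide and flag the pitfalls the guide warns about.
Standard library only; the sample config below is constructed."""
import re

# Constructed sample: the guide's conn with right=%defaultroute, no leftid
# and a non-default IKE lifetime, so the checker has something to report.
SAMPLE_CONF = """\
config setup
conn home
        right=%defaultroute         # Client IP Address or try %defaultroute
        rightcert=soeren.pem
        left=46.89.4.xxx            # put here your Gateway IP Address
        leftsubnet=192.168.0.0/24
        leftcert=home-fw.pem
        authby=rsasig
        ike=aes256-sha1-modp1024
        esp=aes128-sha1
        ikelifetime=24h
        lifetime=1h
        keyexchange=ikev1
"""

def parse_ipsec_conf(text):
    """Return {'conn home': {key: value}, ...}. Section headers start in
    column 0, parameters are indented key=value lines, and '#' starts a
    comment anywhere on a line (as in strongSwan's ipsec.conf parser)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        head = re.match(r"^(config|conn)\s+(\S+)$", line)
        if head:
            current = f"{head.group(1)} {head.group(2)}"
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    return sections

def check_conn(conn):
    """Return the problems the guide says break a Check Point roadwarrior
    connection; an empty list means the conn is consistent with the guide."""
    problems = []
    if "leftid" not in conn:
        problems.append("leftid missing: set it to the Main IP Address of the "
                        "firewall object, otherwise IDir does not match")
    if conn.get("right") == "%defaultroute":
        problems.append("right=%defaultroute did not work in the guide; "
                        "use the client IP address")
    if conn.get("keyexchange") != "ikev1":
        problems.append("keyexchange=ikev1 expected (IKEv2 needs the sk165014 hotfix)")
    if conn.get("authby") != "rsasig":
        problems.append("authby=rsasig expected for certificate authentication")
    if conn.get("ikelifetime") != "8h" or conn.get("lifetime") != "1h":
        problems.append("ikelifetime=8h and lifetime=1h are marked IMPORTANT in the guide")
    return problems

if __name__ == "__main__":
    print(*check_conn(parse_ipsec_conf(SAMPLE_CONF)["conn home"]), sep="\n")
```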
5) Edit /etc/ipsec.secrets and add the private Key from your User
# sudo vi /etc/ipsec.secrets
#
# ipsec.secrets
#
# This file holds the RSA private keys or the PSK preshared secrets for
# the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
#
: RSA /etc/ipsec.d/private/soeren.key.pem
6) restart strongSwan
# sudo ipsec restart
7) Initiate the connection
# sudo ipsec up home
8) For troubleshooting, always run this after modifying /etc/ipsec.conf
# sudo ipsec restart
# sudo ipsec up home
9) Troubleshooting command
# sudo ipsec statusall
10) Logfile from working setup
soeren@linux-4suj:~> sudo ipsec up home
initiating Main Mode IKE_SA home[2] to 46.89.4.xxx
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 172.20.10.13[500] to 46.89.4.xxx[500] (240 bytes)
received packet: from 46.89.4.xxx[500] to 172.20.10.13[500] (124 bytes)
parsed ID_PROT response 0 [ SA V V ]
received FRAGMENTATION vendor ID
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 172.20.10.13[500] to 46.89.4.xxx[500] (244 bytes)
received packet: from 46.89.4.xxx[500] to 172.20.10.13[500] (432 bytes)
parsed ID_PROT response 0 [ KE No CERTREQ CERTREQ CERTREQ NAT-D NAT-D NAT-D ]
received cert request for unknown ca 'O=home-fw..22erwk'
ignoring certificate request without data
local host is behind NAT, sending keep alives
remote host is behind NAT
authentication of 'O=home-fw..22erwk, OU=users, CN=soeren' (myself) successful
sending end entity cert "O=home-fw..22erwk, OU=users, CN=soeren"
generating ID_PROT request 0 [ ID CERT SIG N(INITIAL_CONTACT) ]
sending packet: from 172.20.10.13[4500] to 46.89.4.xxx[4500] (988 bytes)
received packet: from 46.89.4.xxx[4500] to 172.20.10.13[4500] (940 bytes)
parsed ID_PROT response 0 [ ID CERT SIG V ]
received DPD vendor ID
received end entity cert "O=home-fw..22erwk, CN=home-fw VPN Certificate"
no issuer certificate found for "O=home-fw..22erwk, CN=home-fw VPN Certificate"
issuer is "O=home-fw..22erwk"
using trusted certificate "O=home-fw..22erwk, CN=home-fw VPN Certificate"
authentication of '192.168.0.1' with RSA_EMSA_PKCS1_NULL successful
IKE_SA home[2] established between 172.20.10.13[O=home-fw..22erwk, OU=users, CN=soeren]...46.89.4.xxx[192.168.0.1]
scheduling reauthentication in 28150s
maximum IKE_SA lifetime 28690s
generating QUICK_MODE request 2852597160 [ HASH SA No ID ID ]
sending packet: from 172.20.10.13[4500] to 46.89.4.xxx[4500] (204 bytes)
received packet: from 46.89.4.xxx[4500] to 172.20.10.13[4500] (172 bytes)
parsed QUICK_MODE response 2852597160 [ HASH SA No ID ID ]
CHILD_SA home{2} established with SPIs c9f7a279_i dc7aff75_o and TS 172.20.10.13/32 === 192.168.0.0/24
generating QUICK_MODE request 2852597160 [ HASH ]
sending packet: from 172.20.10.13[4500] to 46.89.4.xxx[4500] (60 bytes)
connection 'home' established successfully
*Note openSUSE*
- perform a reboot if there is no output by running the "ipsec" commands.
- after a reboot run "# sudo ipsec restart", otherwise an error shows up as described below
For example:
soeren@linux-guki:~> sudo ipsec up home
initiating Main Mode IKE_SA home[1] to 172.20.10.11
no private key found for '192.168.0.1'
configuration uses unsupported authentication
tried to checkin and delete nonexisting IKE_SA
establishing connection 'home' failed
soeren@linux-guki:~> sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.6.0 IPsec [starter]...
soeren@linux-guki:~> sudo ipsec up home
initiating Main Mode IKE_SA home[1] to 46.89.4.xxx
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 172.20.10.11[500] to 46.89.4.xxx[500] (240 bytes)
received packet: from 46.89.4.xxx[500] to 172.20.10.11[500] (124 bytes)
then it works...
MTU SIZE
Find out the Interface Name and actual MTU size
soeren@linux-4suj:/etc> ip link show | grep mtu
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
Establish the VPN connection and find out the max MTU size
soeren@linux-4suj:/etc> ping -c 3 -M do -s 1500 192.168.0.20
PING 192.168.0.20 (192.168.0.20) 1500(1528) bytes of data.
ping: local error: message too long, mtu=1422
ping: local error: message too long, mtu=1422
ping: local error: message too long, mtu=1422
In this example the max MTU size is: 1394 (+28 = 1422)
soeren@linux-4suj:/etc> sudo ip link set ens33 mtu 1394
Re-establish the VPN connection.
# sudo ipsec restart
# sudo ipsec up home
Accepted Solutions
Hi Sal,
please use the object name of your Check Point Remote Access Gateway instead. Then it should work.
I used the firewall object name "home-fw" in my tests.
On Linux Arch which is preferable? This or LibreSwan https://community.checkpoint.com/t5/Remote-Access-Solutions/C2S-Libreswan-3-23-Roadwarrior-and-R80-3... ?
Fedora 31 works quite well too.
Version:
[soeren@localhost ~]$ strongswan --version
Linux strongSwan U5.7.2/K5.3.11-300.fc31.x86_64
Binary Name:
[soeren@localhost ~]$ which strongswan
/usr/sbin/strongswan
Configuration Files:
/etc/strongswan
Hi,
is it necessary to have this (sk165014) hotfix installed on the RA-VPN Gateway to get it working?
I tried without the GW hotfix and it did not work for me using this tutorial (strongswan 5.6.2 ubuntu 18.04) AND it did not work using the checkpoint strongswan configuration guide for R80.30 (which says we need a special hotfix on the gateway. Unfortunately the hotfix I have is only for GA and not JHFA Take 140).
Personally I am only interested in the performance comparison of Windows and Linux VPN client. I want to verify that the Endpoint Security Client for Windows is crap when doing performance tests.
We already complained about bad performance with checkpoint professional services onsite, checkpoint sales and checkpoint support: 6-0001756442.
To show some facts:
Upload and download of one big file (1000 MB)
No difference between https (upload to google drive), no difference with CIFS (server in our datacenter) and FTP (server in our datacenter)
Connection between VPN client and VPN Gateway is via LAN and 1 Gbit/s.
Endpoint Security with VPN, Firewall, Compliance Blade, Application Control:
E82.20: upload 95 Mbit/s, download 50 Mbit/s (https, cifs, ftp)
Endpoint Mobile (unmanaged, without firewall, without compliance, without anything) VPN only:
E82.20: upload 150 Mbit/s, download 100 Mbit/s
Appliance: 16000T (1 VPN client connected)
Client (Notebook) and GW have AES-NI
AES128-SHA256 DH 2048 bit
MSS clamping 1360 and VPN adapter MTU on client 1360.
So if you have the chance to connect strongswan to a VPN Gateway, please share upload/download speeds if possible.
Regards
Alexander Wilke
Hello Alex,
the hotfix from sk165014 is only for IKEv2 Support in Strongswan and it is not needed, if you use IKEv1. I recommend Libreswan, it is much easier to configure.
Regarding Strongswan IKEv1, please post the log file from the linux client, then I can check what is wrong here.
Firstly thanks for the brilliant guide.
I have a few questions:
1. What type of changes would I need to make for the ipsec.conf files to turn this into a site-site VPN (with nat-traversal). I would like to access subnets behind the strongswan device. I am currently sitting behind the checkpoint device.
2. Is NAT-T supported on ikev1? Or is that checkpoint priority?
3. The strongswan side is with a dynamic IP address. I have generated the certificates and verified that bit works (I think). Are there any other changes I need to make to cater for a dynamic IP address? I have already defined the DAIP interoperable device in smart console.
I am finding the strongswan side of the configuration especially challenging.
The Site-to-Site configuration is different on StrongSWAN, which I did not test in my lab. I know it works, but I never configured it.
Thanks for your post.
Can you tell me if it is possible to use a user login / password (ldap or AD), for the authentication phase instead of a certificate per user?
Believe you can do password authentication as well.
Note we have formal support for this with R81 gateways.
R81 with Username / Password works very nicely, see the R81 Admin Guide.
1)
Please don't forget to copy over the Internal Root CA from the Management to the StrongSWAN Client, without the Root CA, the Client won't connect.
2)
If you have an OTP Password, you can use the following simple script, because the Network Manager does not work with this kind of authentication.
./vpn_start.sh "username"
#!/bin/bash
#
# VPN Start Script
# v0.1
#
#################################################################################
#
# Logging: stdout goes to the log file, stderr is logged and echoed to the
# terminal; fd 3 keeps the original terminal stdout for the messages below
#
mkdir -p logs
exec 3>&1
exec >logs/home_vpn.log 2> >(tee >(cat >&3))
#
#################################################################################
#
# Variables
#
username="$1"
BLUE='\033[1;34m'
GREEN='\033[1;32m'
NC='\033[0m' # No Color
#
#################################################################################
#
# Check Input Argument: exactly one non-empty username is expected
#
if [ $# -ne 1 ] || [ -z "$1" ]
then
    echo -e "${BLUE}Initiate VPN Connection to Home - v0.1\n" >&3
    echo -e "${GREEN}---------------------------------------------" >&3
    echo -e "usage: ./vpn_start.sh <username>" >&3
    echo -e "---------------------------------------------\n${NC}" >&3
    exit 1
fi
#
#################################################################################
#
# Start VPN: hand the username to charon for the EAP exchange (the OTP is
# asked for interactively), then initiate the connection
#sudo ipsec start
sudo ipsec stroke user-creds home "$username"
sudo ipsec up home
#
sleep 2
sudo ipsec status >&3
#
#################################################################################
Thank you for your feedback. (thx for your script)
I managed to make a connection, the DNS is correctly updated, and all the routes are integrated in routing table 220.
But all the traffic is dropped by the checkpoint (R81), the IA rules are not used, nor the firewall rules (old method). It must be a bad configuration at the gateway level, the strongswan configuration seems to be correct.
If you have an idea I'm interested 🙂
I can see that the Access Role rules are used when using the official Strongswan solution for R81 from Check Point.
Thanks for your feedback. We finally found a solution.
The problem was located in the verification of the client by the gateway. 😐
In Global Properties > Remote Access > Secure Configuration: uncheck the box "Apply Secure configuration on Simplified mode Firewall Policy"
EnforceDesktopConfig: Changed from 'Enable' to 'Disable'
With this modification we can use strongswan with the eap-gtc method. Everything is operational 😀
I am running into issues with exporting the certificate, either the defaultCert or the 3rd party certificate...
what is missing in these instructions on how to create the VPN object "Firewall VPN Object: home-fw".....
does it have to exist in the firewall database before being able to export the certificate?
I have tried creating a firewall object before hand...but same error.
Because I am getting the following error on R81.30 HFA30....
export_p12 -obj home-fw -cert defaultCert -f home-fw.p12 -passwd 123456
export_p12: failed to export
I understand that when we create instructions, we assume the reader has the same type of knowledge as we writers do (but most of the time that is not the case)...
Thanks...
Thank you so much, using my "Check Point Remote Access Gateway", it worked.
Let me add, before someone points back to "sk114984": I am using the "NICKNAME" of the certificate, and it still gives the same error... Thanks
I followed this guide but still have an issue:
initiating Main Mode IKE_SA compv[3] to 62.110.8.254
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.178.25[500] to 62.110.8.254[500] (240 bytes)
received packet: from 62.110.8.254[500] to 192.168.178.25[500] (124 bytes)
parsed ID_PROT response 0 [ SA V V ]
received FRAGMENTATION vendor ID
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.178.25[500] to 62.110.8.254[500] (244 bytes)
received packet: from 62.110.8.254[500] to 192.168.178.25[500] (273 bytes)
parsed ID_PROT response 0 [ KE No CERTREQ CERTREQ NAT-D NAT-D ]
received cert request for unknown ca 'O=Pavia-MGMT..vg7kfp'
ignoring certificate request without data
local host is behind NAT, sending keep alives
authentication of 'O=Pavia-MGMT..vg7kfp, OU=users, CN=protti_vpn' (myself) successful
sending end entity cert "O=Pavia-MGMT..vg7kfp, OU=users, CN=protti_vpn"
generating ID_PROT request 0 [ ID CERT SIG N(INITIAL_CONTACT) ]
splitting IKE message (1276 bytes) into 2 fragments
generating ID_PROT request 0 [ FRAG(1) ]
generating ID_PROT request 0 [ FRAG(2/2) ]
sending packet: from 192.168.178.25[4500] to 62.110.8.254[4500] (1248 bytes)
sending packet: from 192.168.178.25[4500] to 62.110.8.254[4500] (100 bytes)
received packet: from 62.110.8.254[4500] to 192.168.178.25[4500] (220 bytes)
parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
ignoring unprotected INFORMATIONAL from 62.110.8.254
message verification failed
ignore malformed INFORMATIONAL request
INFORMATIONAL_V1 request with message ID 0 processing failed
sending retransmit 1 of request message ID 0, seq 3
sending packet: from 192.168.178.25[4500] to 62.110.8.254[4500] (1248 bytes)
sending packet: from 192.168.178.25[4500] to 62.110.8.254[4500] (100 bytes)
sending retransmit 2 of request message ID 0, seq 3
sending packet: from 192.168.178.25[4500] to 62.110.8.254[4500] (1248 bytes)
sending packet: from 192.168.178.25[4500] to 62.110.8.254[4500] (100 bytes)
Someone can help me?
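As an added example (not part of the thread), the following script triages the output of "ipsec up" using the log signatures quoted in the guide (leftid mismatch, "no private key found" after a reboot, the successful run) and in the post above (the NO_PROP notification followed by retransmits). The sample logs are constructed excerpts shaped like the ones in the thread; the advice strings repeat what the thread itself recommends.

```python
"""Added example (not part of the original thread): classify the result of
'ipsec up <conn>' from strongSwan log lines, using the error and success
messages quoted in this thread. Standard library only; the sample logs below
are constructed excerpts shaped like the ones in the thread."""
import re

LOG_LEFTID_MISMATCH = """\
received end entity cert "O=home-fw..22erwk, CN=home-fw VPN Certificate"
IDir '192.168.0.1' does not match to 'O=home-fw..22erwk, CN=home-fw VPN Certificate'
deleting IKE_SA home[1] between 172.20.10.13[O=home-fw..22erwk, OU=users, CN=soeren]...46.89.4.xxx[%any]
establishing connection 'home' failed
"""
LOG_NO_KEY = """\
initiating Main Mode IKE_SA home[1] to 172.20.10.11
no private key found for '192.168.0.1'
configuration uses unsupported authentication
establishing connection 'home' failed
"""
LOG_NO_PROP = """\
sending packet: from 192.168.178.25[4500] to 62.110.8.254[4500] (100 bytes)
parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
ignoring unprotected INFORMATIONAL from 62.110.8.254
sending retransmit 1 of request message ID 0, seq 3
"""
LOG_OK = """\
IKE_SA home[2] established between 172.20.10.13[O=home-fw..22erwk, OU=users, CN=soeren]...46.89.4.xxx[192.168.0.1]
CHILD_SA home{2} established with SPIs c9f7a279_i dc7aff75_o and TS 172.20.10.13/32 === 192.168.0.0/24
connection 'home' established successfully
"""

# (regex, verdict, advice) in priority order: the first matching rule wins,
# so the specific failure signatures sit above the generic retransmit rule.
RULES = [
    (r"IDir '(?P<idir>[^']+)' does not match", "leftid-mismatch",
     "set leftid={idir}: the gateway identifies itself with the Main IP Address of the firewall object"),
    (r"no private key found for '[^']+'", "no-private-key",
     "seen after a reboot in the guide: run 'ipsec restart', then 'ipsec up' again"),
    (r"N\(NO_PROP\)", "no-proposal-chosen",
     "gateway rejected the exchange; verify the IKE P1/P2 parameters under Global Properties - "
     "Remote Access and that the user is in the Remote Access community"),
    (r"connection '(?P<conn>[^']+)' established successfully", "established",
     "tunnel up for conn {conn}"),
    (r"sending retransmit \d+ of request", "no-answer",
     "no reply from the gateway; check reachability of UDP 500/4500 (NAT-T)"),
]

def triage(log_text):
    """Return (verdict, advice) for one 'ipsec up' run."""
    for pattern, verdict, advice in RULES:
        m = re.search(pattern, log_text)
        if m:
            return verdict, advice.format(**m.groupdict())
    return "unknown", "no known signature; post the full log"

def traffic_selectors(log_text):
    """Return (local, remote) traffic selectors from the CHILD_SA line, or None."""
    m = re.search(r"CHILD_SA \S+ established .* and TS (\S+) === (\S+)", log_text)
    return (m.group(1), m.group(2)) if m else None
```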
This guide was from back before we had formally announced support for this.
The correct guide is in the Product Documentation: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...
