
C2S - strongSwan (Roadwarrior) and R80.30 - working

******************************
WORKING RELEASES:

Release                  strongSwan Version
Fedora 31                5.7.2/K5.3.11-300.fc31
Mint 18.3                5.3.5/K4.10.0-38
openSUSE 15.1            5.6.0/K4.12.14-lp151.28.32
openSUSE Tumbleweed      5.6.4


******************************


Before you begin, please make sure you have a working Remote Access environment using one of the Check Point Endpoint Clients (Windows / MacOS). 

This is a guide to connect a Linux VPN Client based on strongSwan to your Check Point environment, using certificates from the InternalCA.

----------------------
Attention:
- You may have to adjust the MTU manually, because strongSwan does not do this (see the MTU SIZE section at the end)
- right=%defaultroute does not work for me; I need to enter my Client IP Address
- if possible use Libreswan; it works better and is easier to configure
----------------------


Gateway / SmartCenter
 

The first step is to export the Check Point VPN Gateway Certificate from the SmartCenter. Also create a local User in SmartDashboard and export the User p12 Certificate.

R80.30 Jumbo Take 76 - Standalone 

Firewall VPN Object: home-fw
VPN Certificate: defaultCert
Encryption Domain: 192.168.0.0/24 


1)
Export the Firewall p12 VPN Certificate (home-fw) from the SmartCenter. To check the Certificate name, open the FW object in SmartDashboard - IPSec VPN - Certificate Nickname  (usually defaultCert)


 

Usage: export_p12 -obj <network object> -cert <certobj> -file <filename> -passwd <password>

Mgmt# export_p12 -obj home-fw -cert defaultCert -f home-fw.p12 -passwd 123456

 

A file named "home-fw.p12" will be generated. Copy this over to the Linux VM.


2)
In the User object create a p12 certificate and copy the file over to the Linux VM. For example: soeren.p12

Make sure that this user is part of the Remote Access community; you can check that the connection works with a Check Point VPN Client using Username / PW, for example.


 

openSUSE

1) Install and configure strongSwan using yast

 

 

# sudo yast

 


2) Now it is time to convert the P12 to PEM files and place them in the correct folder

 

1) Convert User Certificate
# openssl pkcs12 -in soeren.p12 -out soeren.pem -clcerts -nokeys

2) Extract private Key from User Certificate
# openssl pkcs12 -in soeren.p12 -out soeren.key.pem -nocerts -nodes

3) Convert Firewall Certificate
# openssl pkcs12 -in home-fw.p12 -out home-fw.pem -clcerts -nokeys

4) copy PEM files to /etc/ipsec.d (soeren.key.pem contains the unencrypted private key because of -nodes above, so it goes into the root-only /etc/ipsec.d/private directory)
# sudo cp soeren.pem /etc/ipsec.d/certs
# sudo cp home-fw.pem /etc/ipsec.d/certs
# sudo cp soeren.key.pem /etc/ipsec.d/private

 

3) enable and start strongSwan. 

 

# systemctl enable strongswan
# systemctl start strongswan
# systemctl status strongswan # only status information

 

4) Edit the main configuration file /etc/ipsec.conf

 

# sudo vi /etc/ipsec.conf

 

 

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
       # strictcrlpolicy=yes
       # uniqueids = no
       # charondebug=1

# Add connections here.

conn home
     # Right side is strongSwan - RoadWarrior
     right=172.20.10.13        # Client IP Address or try %defaultroute
     rightcert=soeren.pem      # Certificate filename of the user - from /etc/ipsec.d/certs
     # Left side is Check Point
     left=46.89.4.xxx          # put here your Gateway IP Address
     leftsubnet=192.168.0.0/24 # put here your company's network range or 0.0.0.0/0 for any
     leftcert=home-fw.pem      # Certificate filename of the FW - from /etc/ipsec.d/certs
     leftid=192.168.0.1        # Check Point responds with the Main IP Address from the FW Object
     # config
     type=tunnel
     keyingtries=3
     authby=rsasig
     ike=aes256-sha1-modp1024  # check if IKE P1 parameters are allowed under Global Prop. - RA
     esp=aes128-sha1           # check if IKE P2 parameters are allowed
     ikelifetime=8h            # IKE Lifetime 8h for IKE Phase P1  IMPORTANT
     lifetime=1h               # SA Lifetime 1h for IKE Phase P2 IMPORTANT
     keyexchange=ikev1         # use IKEv1
     auto=add

 

******************************
Attention:
You need to change "leftid=xxx.xxx.xxx.xxx" to the IP Address which is configured as the Main IP Address of the Firewall Object in SmartDashboard. 
If the IP Address is not correct, the Logfile will show an error like this:

received end entity cert "O=home-fw..22erwk, CN=home-fw VPN Certificate"
IDir '192.168.0.1' does not match to 'O=home-fw..22erwk, CN=home-fw VPN Certificate'
deleting IKE_SA home[1] between 172.20.10.13[O=home-fw..22erwk, OU=users, CN=soeren]...46.89.4.xxx[%any]
sending DELETE for IKE_SA home[1]
generating INFORMATIONAL_V1 request 2100344439 [ HASH D ]
sending packet: from 172.20.10.13[4500] to 46.89.4.xxx[4500] (92 bytes)
establishing connection 'home' failed


The meaning of the error: leftid must be "192.168.0.1" in this example

******************************

5) Edit /etc/ipsec.secrets and add the private Key from your User

 

# sudo vi /etc/ipsec.secrets

 

 

#
# ipsec.secrets
#
# This file holds the RSA private keys or the PSK preshared secrets for
# the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
#
: RSA /etc/ipsec.d/private/soeren.key.pem

 

6) restart strongSwan

 

# sudo ipsec restart

 

7) Initiate the connection

 

# sudo ipsec up home

 

8) For troubleshooting, always run this after modifying /etc/ipsec.conf

 

# sudo ipsec restart
# sudo ipsec up home

 

9) Troubleshooting command

 

# sudo ipsec statusall

 

10) Logfile from working setup

 

soeren@linux-4suj:~> sudo ipsec up home
initiating Main Mode IKE_SA home[2] to 46.89.4.xxx
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 172.20.10.13[500] to 46.89.4.xxx[500] (240 bytes)
received packet: from 46.89.4.xxx[500] to 172.20.10.13[500] (124 bytes)
parsed ID_PROT response 0 [ SA V V ]
received FRAGMENTATION vendor ID
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 172.20.10.13[500] to 46.89.4.xxx[500] (244 bytes)
received packet: from 46.89.4.xxx[500] to 172.20.10.13[500] (432 bytes)
parsed ID_PROT response 0 [ KE No CERTREQ CERTREQ CERTREQ NAT-D NAT-D NAT-D ]
received cert request for unknown ca 'O=home-fw..22erwk'
ignoring certificate request without data
local host is behind NAT, sending keep alives
remote host is behind NAT
authentication of 'O=home-fw..22erwk, OU=users, CN=soeren' (myself) successful
sending end entity cert "O=home-fw..22erwk, OU=users, CN=soeren"
generating ID_PROT request 0 [ ID CERT SIG N(INITIAL_CONTACT) ]
sending packet: from 172.20.10.13[4500] to 46.89.4.xxx[4500] (988 bytes)
received packet: from 46.89.4.xxx[4500] to 172.20.10.13[4500] (940 bytes)
parsed ID_PROT response 0 [ ID CERT SIG V ]
received DPD vendor ID
received end entity cert "O=home-fw..22erwk, CN=home-fw VPN Certificate"
no issuer certificate found for "O=home-fw..22erwk, CN=home-fw VPN Certificate"
issuer is "O=home-fw..22erwk"
using trusted certificate "O=home-fw..22erwk, CN=home-fw VPN Certificate"
authentication of '192.168.0.1' with RSA_EMSA_PKCS1_NULL successful
IKE_SA home[2] established between 172.20.10.13[O=home-fw..22erwk, OU=users, CN=soeren]...46.89.4.xxx[192.168.0.1]
scheduling reauthentication in 28150s
maximum IKE_SA lifetime 28690s
generating QUICK_MODE request 2852597160 [ HASH SA No ID ID ]
sending packet: from 172.20.10.13[4500] to 46.89.4.xxx[4500] (204 bytes)
received packet: from 46.89.4.xxx[4500] to 172.20.10.13[4500] (172 bytes)
parsed QUICK_MODE response 2852597160 [ HASH SA No ID ID ]
CHILD_SA home{2} established with SPIs c9f7a279_i dc7aff75_o and TS 172.20.10.13/32 === 192.168.0.0/24
generating QUICK_MODE request 2852597160 [ HASH ]
sending packet: from 172.20.10.13[4500] to 46.89.4.xxx[4500] (60 bytes)
connection 'home' established successfully

 

*Note openSUSE*
- if the "ipsec" commands produce no output, perform a reboot.
- after a reboot run "# sudo ipsec restart", otherwise an error shows up as described below

For example:

 

soeren@linux-guki:~> sudo ipsec up home
initiating Main Mode IKE_SA home[1] to 172.20.10.11
no private key found for '192.168.0.1'
configuration uses unsupported authentication
tried to checkin and delete nonexisting IKE_SA
establishing connection 'home' failed

soeren@linux-guki:~> sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.6.0 IPsec [starter]...

soeren@linux-guki:~> sudo ipsec up home
initiating Main Mode IKE_SA home[1] to 46.89.4.xxx
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 172.20.10.11[500] to 46.89.4.xxx[500] (240 bytes)
received packet: from 46.89.4.xxx[500] to 172.20.10.11[500] (124 bytes)

then it works... 
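To make the log excerpts in this post quicker to act on, here is an added Python triage script (not part of the original post or of strongSwan). It classifies one "ipsec up home" transcript into the three cases shown above: the leftid mismatch from step 4, the post-reboot "no private key found" case from the openSUSE note, and a successful run, from which it pulls the peer ID, SPIs and traffic selectors. The sample transcripts are constructed from the lines quoted in this post; the hints are the fixes this guide gives.

```python
import re

# Constructed excerpts modelled on the charon output quoted in this post (not live captures).
LOG_OK = """\
IKE_SA home[2] established between 172.20.10.13[O=home-fw..22erwk, OU=users, CN=soeren]...46.89.4.xxx[192.168.0.1]
CHILD_SA home{2} established with SPIs c9f7a279_i dc7aff75_o and TS 172.20.10.13/32 === 192.168.0.0/24
connection 'home' established successfully
"""
LOG_BAD_ID = """\
IDir '192.168.0.1' does not match to 'O=home-fw..22erwk, CN=home-fw VPN Certificate'
deleting IKE_SA home[1] between 172.20.10.13[O=home-fw..22erwk, OU=users, CN=soeren]...46.89.4.xxx[%any]
establishing connection 'home' failed
"""
LOG_NO_KEY = """\
no private key found for '192.168.0.1'
configuration uses unsupported authentication
establishing connection 'home' failed
"""

PATTERNS = {
    "ike": re.compile(r"IKE_SA \S+\[\d+\] established between (\S+)\[([^\]]*)\]\.\.\.(\S+)\[([^\]]*)\]"),
    "child": re.compile(r"CHILD_SA \S+\{\d+\} established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o and TS (\S+) === (\S+)"),
    "idir": re.compile(r"IDir '([^']*)' does not match to '([^']*)'"),
    "nokey": re.compile(r"no private key found for '([^']*)'"),
}

def triage(log: str) -> dict:
    """Classify one 'ipsec up home' transcript and return the fix this guide gives for it."""
    result = {"status": "unknown", "hint": ""}
    for line in log.splitlines():
        if m := PATTERNS["idir"].search(line):
            # The gateway identified itself with this IDir; leftid in ipsec.conf must equal it.
            result.update(status="id_mismatch", peer_id=m.group(1),
                          hint=f"set leftid={m.group(1)} in /etc/ipsec.conf, then ipsec restart")
        elif m := PATTERNS["nokey"].search(line):
            # Seen on openSUSE right after boot: ipsec.secrets was not loaded yet.
            result.update(status="no_private_key", peer_id=m.group(1),
                          hint="run 'sudo ipsec restart' so ipsec.secrets is read, then 'ipsec up home'")
        elif m := PATTERNS["ike"].search(line):
            result.update(local=m.group(1), local_id=m.group(2),
                          gateway=m.group(3), peer_id=m.group(4))
        elif m := PATTERNS["child"].search(line):
            result.update(spi_in=m.group(1), spi_out=m.group(2),
                          ts_local=m.group(3), ts_remote=m.group(4))
        elif "established successfully" in line:
            result.update(status="established",
                          hint="tunnel is up; if large transfers stall, check the MTU with ping -M do")
    return result
```

Feed it the output of "sudo ipsec up home" (or the matching charon lines from the journal) to get the status and the suggested fix in one place.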

 

 

 

MTU SIZE

Find out the Interface Name and actual MTU size

 

soeren@linux-4suj:/etc> ip link show | grep mtu
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000

 

Establish the VPN connection and find out the max MTU size

 

soeren@linux-4suj:/etc> ping -c 3 -M do -s 1500 192.168.0.20  
PING 192.168.0.20 (192.168.0.20) 1500(1528) bytes of data.
ping: local error: message too long, mtu=1422
ping: local error: message too long, mtu=1422
ping: local error: message too long, mtu=1422

 

In this example the max MTU size to configure is 1394: the 1422 reported by ping includes the 28 bytes of IP and ICMP header (1394 + 28 = 1422)

 

soeren@linux-4suj:/etc> sudo ip link set ens33 mtu 1394

 

Re-establish the VPN connection.

 

# sudo ipsec restart
# sudo ipsec up home

 

6 Replies

Contributor

Fedora 31 works quite well too. 

Version:
[soeren@localhost ~]$ strongswan --version
Linux strongSwan U5.7.2/K5.3.11-300.fc31.x86_64

Binary Name:
[soeren@localhost ~]$ which strongswan
/usr/sbin/strongswan

Configuration Files:
/etc/strongswan

Contributor

Hi,

 

Is it necessary to have this (sk165014) hotfix installed on the RA-VPN Gateway to get it working?

I tried without the GW hotfix and it did not work for me using this tutorial (strongswan 5.6.2 ubuntu 18.04) AND it did not work using the checkpoint strongswan configuration guide for R80.30 (which says we need a special hotfix on the gateway. Unfortunately the hotfix I have is only for GA and not JHFA Take 140).

 

Personally I am only interested in the performance comparison of Windows and Linux VPN client. I want to verify that the Endpoint Security Client for Windows is crap when doing performance tests.

 

We already complained about bad performance with checkpoint professional services onsite, checkpoint sales and checkpoint support: 6-0001756442.

 

To show some facts:

Upload and download of one big file (1000 MB)

No difference between https (upload to google drive), nor with CIFS (server in our datacenter) and FTP (server in our datacenter).

Connection between VPN client and VPN Gateway is via LAN and 1 Gbit/s.

 

Endpoint Security with VPN, Firewall, Compliance Blade, Application Control:

E82.20: upload 95 Mbit/s, download 50 Mbit/s (https, cifs, ftp)

 

Endpoint Mobile (unmanaged, without firewall, without compliance, without anything) VPN only:

E82.20: upload 150 Mbit/s, download 100 Mbit/s

 

Appliance: 16000T (1 VPN client connected)

Client (Notebook) and GW have AES-NI

AES128-SHA256 DH 2048 bit

MSS clamping 1360 and VPN adapter MTU on client 1360.

 

 

So if you have the chance to connect strongswan to a VPN Gateway, please share upload/download speeds if possible.

 

Regards

Alexander Wilke

 

Contributor

Hello Alex,

the hotfix from sk165014 is only for IKEv2 Support in Strongswan and it is not needed if you use IKEv1. I recommend Libreswan, it is much easier to configure.

Regarding Strongswan IKEv1, please post the log file from the linux client, then I can check what is wrong here. 

 

Employee+

Firstly thanks for the brilliant guide.

I have a few questions:

1. What type of changes would I need to make for the ipsec.conf files to turn this into a site-site VPN (with nat-traversal). I would like to access subnets behind the strongswan device. I am currently sitting behind the checkpoint device.

2. Is NAT-T supported on ikev1? Or is that checkpoint priority?

3. The strongswan side is with a dynamic IP address. I have generated the certificates and verified that bit works (I think). Are there any other changes I need to make to cater for a dynamic IP address? I have already defined the DAIP interoperable device in smart console.

 

I am finding the strongswan side of the configuration especially challenging.

Contributor

The Site-to-Site configuration is different on StrongSWAN, which I did not test in my lab. I know it works, but I never configured it. 
