Soeren_Rothe
Collaborator

C2S - strongSwan (Roadwarrior) and R80.30 - working

******************************
WORKING RELEASES:

Release                 strongSwan Version
Fedora 31               5.7.2/K5.3.11-300.fc31
Mint 18.3               5.3.5/K4.10.0-38
openSUSE 15.1           5.6.0/K4.12.14-lp151.28.32
openSUSE Tumbleweed     5.6.4

******************************


Before you begin, please make sure you have a working Remote Access environment using one of the Check Point Endpoint Clients (Windows / macOS).

This is a guide to connecting a Linux VPN client based on strongSwan to your Check Point environment, using certificates from the Internal CA.

----------------------
Attention:
- You might have to adjust the MTU settings manually, because strongSwan does not do this
- right=%defaultroute does not work for me; I need to enter my client IP address
- if possible use Libreswan; it works better and is easier to configure
----------------------


Gateway / SmartCenter

The first step is to export the Check Point VPN Gateway certificate from the SmartCenter. Also create a local user in SmartDashboard and export the user's p12 certificate.

R80.30 Jumbo Take 76 - Standalone 

Firewall VPN Object: home-fw
VPN Certificate: defaultCert
Encryption Domain: 192.168.0.0/24 


1)
Export the firewall p12 VPN certificate (home-fw) from the SmartCenter. To check the certificate name, open the FW object in SmartDashboard - IPSec VPN - Certificate Nickname (usually defaultCert).

Usage: export_p12 -obj <network object> -cert <certobj> -file <filename> -passwd <password>

Mgmt# export_p12 -obj home-fw -cert defaultCert -f home-fw.p12 -passwd 123456

A file named "home-fw.p12" will be generated. Copy it over to the Linux VM.


2)
In the user object create a p12 certificate and copy the file over to the Linux VM. For example: soeren.p12

Make sure that this user is part of the Remote Access community; you can check whether the connection works with a Check Point VPN client using username / password, for example.

 

openSUSE

1) Install and configure strongSwan using yast

# sudo yast

2) Now it is time to convert the p12 files to PEM files and place them in the correct folders

1) Extract the user certificate
# openssl pkcs12 -in soeren.p12 -out soeren.pem -clcerts -nokeys

2) Extract the private key from the user p12 (-nodes writes it unencrypted, so it belongs in /etc/ipsec.d/private, readable by root only)
# openssl pkcs12 -in soeren.p12 -out soeren.key.pem -nocerts -nodes

3) Extract the firewall certificate
# openssl pkcs12 -in home-fw.p12 -out home-fw.pem -clcerts -nokeys

4) Copy the PEM files to /etc/ipsec.d
# sudo cp soeren.pem /etc/ipsec.d/certs
# sudo cp home-fw.pem /etc/ipsec.d/certs
# sudo cp soeren.key.pem /etc/ipsec.d/private

 

3) Enable and start strongSwan.

# systemctl enable strongswan
# systemctl start strongswan
# systemctl status strongswan # only status information

4) Edit the main configuration file /etc/ipsec.conf

# sudo vi /etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
       # strictcrlpolicy=yes
       # uniqueids = no
       # charondebug=1

# Add connections here.

conn home
     # Right side is strongSwan - RoadWarrior
     right=172.20.10.13        # Client IP Address or try %defaultroute
     rightcert=soeren.pem      # Certificate filename of the user - from /etc/ipsec.d/certs
     # Left side is Check Point
     left=46.89.4.xxx          # put here your Gateway IP Address
     leftsubnet=192.168.0.0/24 # put here your company's network range or 0.0.0.0/0 for any
     leftcert=home-fw.pem      # Certificate filename of the FW - from /etc/ipsec.d/certs
     leftid=192.168.0.1        # Check Point responds with the Main IP Address from the FW Object
     # config
     type=tunnel
     keyingtries=3
     authby=rsasig
     ike=aes256-sha1-modp1024  # check if IKE P1 parameters are allowed under Global Prop. - RA
                               # (modp1024 is DH group 2; pick a stronger group if the gateway allows it)
     esp=aes128-sha1           # check if IKE P2 parameters are allowed
     ikelifetime=8h            # IKE Lifetime 8h for IKE Phase P1  IMPORTANT
     lifetime=1h               # SA Lifetime 1h for IKE Phase P2 IMPORTANT
     keyexchange=ikev1         # use IKEv1
     auto=add

 

******************************
Attention:
You need to change "leftid=xxx.xxx.xxx.xxx" to the IP address which is configured as the Main IP Address of the firewall object in SmartDashboard.
If the IP address is not correct, the logfile will show an error like this:

received end entity cert "O=home-fw..22erwk, CN=home-fw VPN Certificate"
IDir '192.168.0.1' does not match to 'O=home-fw..22erwk, CN=home-fw VPN Certificate'
deleting IKE_SA home[1] between 172.20.10.13[O=home-fw..22erwk, OU=users, CN=soeren]...46.89.4.xxx[%any]
sending DELETE for IKE_SA home[1]
generating INFORMATIONAL_V1 request 2100344439 [ HASH D ]
sending packet: from 172.20.10.13[4500] to 46.89.4.xxx[4500] (92 bytes)
establishing connection 'home' failed

Meaning of the error: leftid must be "192.168.0.1" in this example, i.e. the IDir value the gateway sent.

******************************
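The conn section above has a handful of settings that the post says must be exactly right (right as a real client IP rather than %defaultroute, leftid as the firewall object's Main IP Address, the 8h/1h lifetimes, IKEv1 with rsasig). As an added example that is not part of the original post or of strongSwan, the following small parser reads an ipsec.conf in this layout and reports any of those pitfalls before you restart strongSwan. The sample config embedded below is constructed from the post's values, with a placeholder gateway address; the check rules are taken from the post's comments and the Attention note, not from strongSwan documentation.

```python
"""Parse the conn section of an ipsec.conf in the layout used in this post and
flag the settings the post calls out as easy to get wrong.

Added example, not part of the original post or of strongSwan. The sample config
below is constructed from the post; 203.0.113.10 is a placeholder gateway address.
"""
import ipaddress

SAMPLE_IPSEC_CONF = """\
config setup
       # charondebug=1

# Add connections here.

conn home
     right=172.20.10.13        # Client IP Address
     rightcert=soeren.pem      # from /etc/ipsec.d/certs
     left=203.0.113.10         # placeholder gateway address (constructed)
     leftsubnet=192.168.0.0/24
     leftcert=home-fw.pem
     leftid=192.168.0.1        # Main IP Address of the FW object
     type=tunnel
     keyingtries=3
     authby=rsasig
     ike=aes256-sha1-modp1024
     esp=aes128-sha1
     ikelifetime=8h
     lifetime=1h
     keyexchange=ikev1
     auto=add
"""


def parse_ipsec_conf(text):
    """Return {section header: {key: value}}.

    ipsec.conf sections ("conn home", "config setup") start in column 0; their
    key=value lines are indented; '#' starts a comment anywhere on a line.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        if not line.strip():                    # blank or comment-only line
            continue
        if not raw[0].isspace():                # unindented: a section header
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_conn(conn):
    """Return a list of problems, each starting with the offending key name."""
    problems = []
    right = conn.get("right", "")
    if right == "%defaultroute":
        problems.append("right: %defaultroute did not work in the post's setup; use the client IP address")
    elif not _is_ip(right):
        problems.append("right: must be the client IP address")
    if not _is_ip(conn.get("left", "")):
        problems.append("left: must be the gateway IP address")
    if not _is_ip(conn.get("leftid", "")):
        problems.append("leftid: must be the Main IP Address of the firewall object, "
                        "otherwise the log shows 'IDir ... does not match'")
    try:
        ipaddress.ip_network(conn.get("leftsubnet", ""), strict=False)
    except ValueError:
        problems.append("leftsubnet: must be the encryption domain, e.g. 192.168.0.0/24 or 0.0.0.0/0")
    # Values the post marks as IMPORTANT or fixes for this gateway
    for key, expected in (("ikelifetime", "8h"), ("lifetime", "1h"),
                          ("keyexchange", "ikev1"), ("authby", "rsasig")):
        if conn.get(key) != expected:
            problems.append(f"{key}: expected {expected}, got {conn.get(key)!r}")
    for key in ("leftcert", "rightcert"):
        if not conn.get(key, "").endswith(".pem"):
            problems.append(f"{key}: must name a PEM file placed in /etc/ipsec.d/certs")
    return problems


if __name__ == "__main__":
    for header, settings in parse_ipsec_conf(SAMPLE_IPSEC_CONF).items():
        if header.startswith("conn "):
            print(header, check_conn(settings) or "OK")
```

Run it against /etc/ipsec.conf by reading the file into parse_ipsec_conf instead of the sample string; an empty list from check_conn means none of the post's known pitfalls are present, not that the gateway will accept the proposal.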

5) Edit /etc/ipsec.secrets and add the private key of your user

# sudo vi /etc/ipsec.secrets

#
# ipsec.secrets
#
# This file holds the RSA private keys or the PSK preshared secrets for
# the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
#
: RSA /etc/ipsec.d/private/soeren.key.pem

 

6) Restart strongSwan

# sudo ipsec restart

7) Initiate the connection

# sudo ipsec up home

8) For troubleshooting, always run this after modifying /etc/ipsec.conf

# sudo ipsec restart
# sudo ipsec up home

9) Troubleshooting command

# sudo ipsec statusall

10) Logfile from a working setup

soeren@linux-4suj:~> sudo ipsec up home
initiating Main Mode IKE_SA home[2] to 46.89.4.xxx
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 172.20.10.13[500] to 46.89.4.xxx[500] (240 bytes)
received packet: from 46.89.4.xxx[500] to 172.20.10.13[500] (124 bytes)
parsed ID_PROT response 0 [ SA V V ]
received FRAGMENTATION vendor ID
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 172.20.10.13[500] to 46.89.4.xxx[500] (244 bytes)
received packet: from 46.89.4.xxx[500] to 172.20.10.13[500] (432 bytes)
parsed ID_PROT response 0 [ KE No CERTREQ CERTREQ CERTREQ NAT-D NAT-D NAT-D ]
received cert request for unknown ca 'O=home-fw..22erwk'
ignoring certificate request without data
local host is behind NAT, sending keep alives
remote host is behind NAT
authentication of 'O=home-fw..22erwk, OU=users, CN=soeren' (myself) successful
sending end entity cert "O=home-fw..22erwk, OU=users, CN=soeren"
generating ID_PROT request 0 [ ID CERT SIG N(INITIAL_CONTACT) ]
sending packet: from 172.20.10.13[4500] to 46.89.4.xxx[4500] (988 bytes)
received packet: from 46.89.4.xxx[4500] to 172.20.10.13[4500] (940 bytes)
parsed ID_PROT response 0 [ ID CERT SIG V ]
received DPD vendor ID
received end entity cert "O=home-fw..22erwk, CN=home-fw VPN Certificate"
no issuer certificate found for "O=home-fw..22erwk, CN=home-fw VPN Certificate"
issuer is "O=home-fw..22erwk"
using trusted certificate "O=home-fw..22erwk, CN=home-fw VPN Certificate"
authentication of '192.168.0.1' with RSA_EMSA_PKCS1_NULL successful
IKE_SA home[2] established between 172.20.10.13[O=home-fw..22erwk, OU=users, CN=soeren]...46.89.4.xxx[192.168.0.1]
scheduling reauthentication in 28150s
maximum IKE_SA lifetime 28690s
generating QUICK_MODE request 2852597160 [ HASH SA No ID ID ]
sending packet: from 172.20.10.13[4500] to 46.89.4.xxx[4500] (204 bytes)
received packet: from 46.89.4.xxx[4500] to 172.20.10.13[4500] (172 bytes)
parsed QUICK_MODE response 2852597160 [ HASH SA No ID ID ]
CHILD_SA home{2} established with SPIs c9f7a279_i dc7aff75_o and TS 172.20.10.13/32 === 192.168.0.0/24
generating QUICK_MODE request 2852597160 [ HASH ]
sending packet: from 172.20.10.13[4500] to 46.89.4.xxx[4500] (60 bytes)
connection 'home' established successfully

 

*Note openSUSE*
- reboot if the "ipsec" commands produce no output.
- after a reboot run "# sudo ipsec restart", otherwise an error shows up like the one described below

For example:

soeren@linux-guki:~> sudo ipsec up home
initiating Main Mode IKE_SA home[1] to 172.20.10.11
no private key found for '192.168.0.1'
configuration uses unsupported authentication
tried to checkin and delete nonexisting IKE_SA
establishing connection 'home' failed

soeren@linux-guki:~> sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.6.0 IPsec [starter]...

soeren@linux-guki:~> sudo ipsec up home
initiating Main Mode IKE_SA home[1] to 46.89.4.xxx
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 172.20.10.11[500] to 46.89.4.xxx[500] (240 bytes)
received packet: from 46.89.4.xxx[500] to 172.20.10.11[500] (124 bytes)

then it works... 
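The three outcomes shown in this post (the working log in step 10, the "IDir ... does not match" failure from a wrong leftid, and the post-reboot "no private key found" state that an ipsec restart clears) are easy to tell apart by eye but tedious to scan for in a long charon log. As an added example, not part of the original post or of strongSwan, the script below classifies the output of `sudo ipsec up <conn>` into those cases and pulls out the values you act on (the IDir the gateway sent, the negotiated traffic selectors). The sample logs are constructed from the message shapes quoted in the post; 203.0.113.10 and the O=example-fw DN are placeholders.

```python
"""Classify `ipsec up <conn>` output from a strongSwan IKEv1 road-warrior client.

Added example, not part of the original post or of strongSwan. The sample logs are
constructed from the messages quoted in the post with placeholder addresses/DNs.
"""
import re
from dataclasses import dataclass, field

# Message shapes as they appear in the post's logs
_ESTABLISHED = re.compile(r"^connection '(?P<conn>[^']+)' established successfully$")
_FAILED = re.compile(r"^establishing connection '(?P<conn>[^']+)' failed$")
_IDIR = re.compile(r"^IDir '(?P<idir>[^']+)' does not match to '(?P<subject>[^']+)'$")
_NOKEY = re.compile(r"^no private key found for '(?P<ident>[^']+)'$")
_CHILD = re.compile(r"^CHILD_SA \S+ established with SPIs (?P<spi_in>[0-9a-f]+)_i "
                    r"(?P<spi_out>[0-9a-f]+)_o and TS (?P<ts>.+)$")


@dataclass
class Diagnosis:
    status: str                 # established | leftid-mismatch | no-private-key | failed | unknown
    hint: str = ""
    details: dict = field(default_factory=dict)


def diagnose(log: str) -> Diagnosis:
    """Scan the log once; a specific error beats the generic 'failed' line."""
    details = {}
    established = failed = False
    for raw in log.splitlines():
        line = raw.strip()
        if m := _IDIR.match(line):
            details["expected_leftid"] = m["idir"]      # what the gateway identifies as
            details["gateway_cert"] = m["subject"]
        elif m := _NOKEY.match(line):
            details["missing_key_for"] = m["ident"]
        elif m := _CHILD.match(line):
            details["traffic_selectors"] = m["ts"]
            details["spi_in"], details["spi_out"] = m["spi_in"], m["spi_out"]
        elif m := _ESTABLISHED.match(line):
            established, details["conn"] = True, m["conn"]
        elif m := _FAILED.match(line):
            failed, details["conn"] = True, m["conn"]
    if established:
        return Diagnosis("established", "tunnel is up", details)
    if "expected_leftid" in details:
        return Diagnosis("leftid-mismatch",
                         f"set leftid={details['expected_leftid']} in ipsec.conf and run ipsec restart", details)
    if "missing_key_for" in details:
        return Diagnosis("no-private-key", "run 'sudo ipsec restart', then 'sudo ipsec up' again", details)
    if failed:
        return Diagnosis("failed", "inspect 'sudo ipsec statusall'", details)
    return Diagnosis("unknown", "no terminal message found", details)


# Constructed sample logs (placeholder gateway 203.0.113.10, placeholder DN O=example-fw..abcde)
SAMPLE_OK = """\
initiating Main Mode IKE_SA home[2] to 203.0.113.10
authentication of '192.168.0.1' with RSA_EMSA_PKCS1_NULL successful
IKE_SA home[2] established between 172.20.10.13[O=example-fw..abcde, OU=users, CN=soeren]...203.0.113.10[192.168.0.1]
CHILD_SA home{2} established with SPIs c9f7a279_i dc7aff75_o and TS 172.20.10.13/32 === 192.168.0.0/24
connection 'home' established successfully
"""

SAMPLE_IDIR_MISMATCH = """\
received end entity cert "O=example-fw..abcde, CN=example-fw VPN Certificate"
IDir '192.168.0.1' does not match to 'O=example-fw..abcde, CN=example-fw VPN Certificate'
deleting IKE_SA home[1] between 172.20.10.13[O=example-fw..abcde, OU=users, CN=soeren]...203.0.113.10[%any]
sending DELETE for IKE_SA home[1]
establishing connection 'home' failed
"""

SAMPLE_NO_PRIVATE_KEY = """\
initiating Main Mode IKE_SA home[1] to 203.0.113.10
no private key found for '192.168.0.1'
configuration uses unsupported authentication
tried to checkin and delete nonexisting IKE_SA
establishing connection 'home' failed
"""

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_IDIR_MISMATCH, SAMPLE_NO_PRIVATE_KEY):
        d = diagnose(sample)
        print(d.status, "-", d.hint)
```

Pipe the real output in with `sudo ipsec up home 2>&1 | python3 diagnose.py` after replacing the sample loop with `diagnose(sys.stdin.read())`; the leftid-mismatch hint repeats the post's rule that leftid has to equal the IDir value the gateway presents.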

 

 

 

MTU SIZE

Find out the interface name and the current MTU size

soeren@linux-4suj:/etc> ip link show | grep mtu
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000

 

Establish the VPN connection and find out the maximum MTU size

soeren@linux-4suj:/etc> ping -c 3 -M do -s 1500 192.168.0.20
PING 192.168.0.20 (192.168.0.20) 1500(1528) bytes of data.
ping: local error: message too long, mtu=1422
ping: local error: message too long, mtu=1422
ping: local error: message too long, mtu=1422

 

In this example the maximum MTU size is 1394 (1394 + 28 bytes of IPv4/ICMP headers = 1422, the value reported by ping).

soeren@linux-4suj:/etc> sudo ip link set ens33 mtu 1394

Re-establish the VPN connection.

# sudo ipsec restart
# sudo ipsec up home
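The MTU procedure above is a few commands and one subtraction done by hand. As an added example that is not part of the original post, the script below does the same derivation from the captured command output: it reads the interface MTUs from `ip link show`, takes the smallest MTU the kernel reported in the "message too long" errors of the DF ping, subtracts the 28 bytes of IPv4 and ICMP headers, and only proposes a change when that value is below the interface's current MTU. The `ip link` and `ping` outputs embedded below are constructed to mirror the post's, with ens33 as the interface name.

```python
"""Derive the client interface MTU from `ip link show` and a DF-ping run over the
tunnel, as the post does by hand (1422 - 28 = 1394).

Added example, not part of the original post. Sample outputs are constructed.
"""
import re

IP_ICMP_HEADERS = 28   # 20-byte IPv4 header + 8-byte ICMP echo header: the "+28" in the post

_LINK = re.compile(r"^\d+: (?P<name>[^:@]+)(?:@\S+)?: <(?P<flags>[^>]*)> mtu (?P<mtu>\d+)")
_TOO_LONG = re.compile(r"message too long, mtu=(?P<mtu>\d+)")

SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
"""

SAMPLE_PING = """\
PING 192.168.0.20 (192.168.0.20) 1500(1528) bytes of data.
ping: local error: message too long, mtu=1422
ping: local error: message too long, mtu=1422
ping: local error: message too long, mtu=1422
"""


def link_mtus(ip_link_output):
    """Map every non-loopback interface name to its current MTU."""
    mtus = {}
    for line in ip_link_output.splitlines():
        m = _LINK.match(line)
        if m and "LOOPBACK" not in m["flags"].split(","):
            mtus[m["name"]] = int(m["mtu"])
    return mtus


def path_mtu(ping_output):
    """Smallest MTU the kernel reported in 'message too long' errors; None if no probe was rejected."""
    found = [int(m["mtu"]) for m in _TOO_LONG.finditer(ping_output)]
    return min(found) if found else None


def recommended_mtu(ip_link_output, ping_output, iface):
    """MTU to set on iface: reported path MTU minus IP/ICMP headers, or None if no change is needed."""
    current = link_mtus(ip_link_output)[iface]
    pmtu = path_mtu(ping_output)
    if pmtu is None:
        return None
    target = pmtu - IP_ICMP_HEADERS
    return target if target < current else None


def ip_link_set_command(iface, mtu):
    """The command the post runs to apply the new MTU."""
    return f"sudo ip link set {iface} mtu {mtu}"


if __name__ == "__main__":
    mtu = recommended_mtu(SAMPLE_IP_LINK, SAMPLE_PING, "ens33")
    print(ip_link_set_command("ens33", mtu) if mtu else "MTU unchanged")
```

With the real outputs captured into the two strings (for example via subprocess.run with capture_output=True), the result is the same 1394 the post arrives at; a None result means the DF ping went through and there is nothing to lower.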

 
