Configuring a SecuRemote VPN


In this section you will see how to configure your gateway for client encryption with SecuRemote, Check Point's client-to-site VPN tool. First, you will configure your gateway to act as a SecuRemote server, and then you'll define the SecuRemote users, including their authentication methods. Finally, you will add the appropriate rules to your Rule Base to allow the encrypted communication.

Local Gateway Object

From the Check Point Gateway Properties window on your local gateway (the gateway through which SecuRemote connections will pass), in this case ExternalFW, ensure that VPN-1 Pro is checked in the Check Point Products section. This will enable the VPN functionality on the gateway so that SecuRemote clients are able to access nonroutable networks behind the SecuRemote server (gateway) once they are authenticated and a VPN tunnel is established.

Next, you must define your VPN domain, which in this case defines the networks your SecuRemote clients will have access to once they have been authenticated. Set this as usual in the Topology tab of the Check Point Gateway Properties window on your local gateway. For SecuRemote, when using Traditional-mode VPN policies, you need to check Exportable for SecuRemote in the Traditional Mode IKE properties window (refer back to Figure 10.2). This choice enables clients to download the networks to which they will have access after being authenticated. When Simplified-mode VPN policies are used, you need only add the gateway to the RemoteAccess VPN community. Within the Global Properties Remote Access section are many options that can be used to fine-tune your configuration, as shown in Figure 10.14.

Figure 10.14: Remote Access Window from Policy Global Properties

Two configurations should be enabled to ensure that users have the highest likelihood of connecting:

  • The first is on the Global Properties Remote Access | VPN - Basic page. The setting Gateways support IKE over TCP allows the IKE negotiation to be carried over TCP (port 500) when necessary. This matters because IKE normally runs over UDP port 500, and some NAT devices do not translate those UDP packets correctly.

  • The second, enabled by default, is on the Remote Access page of the gateway's Properties: Support NAT traversal mechanism (UDP Encapsulation). It lets clients function behind NAT devices that do not translate IPSec traffic correctly. The root of the problem is that ESP, the IPSec data channel, runs over its own IP protocol (IP protocol 50) rather than over TCP or UDP; it carries no port numbers, so many NAT devices cannot translate it. With UDP encapsulation the ESP packets are wrapped in UDP (port 2746 by default), which any NAT device can handle.
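To see which of these transports a client actually ended up using, a packet capture on the gateway's external interface is the quickest check. The following is an added example, not code from the book or from Check Point: it labels simplified tcpdump-style lines (constructed here, not a real capture) as IKE over UDP/500, IKE over TCP/500, raw ESP, or ESP encapsulated in UDP/2746, and lists the packets that a NAT device rewriting only TCP/UDP headers could not translate. The addresses and the exact tcpdump wording are assumptions for the sample.

```python
import re
from collections import Counter

# Constructed, simplified tcpdump-style lines; this is not a real capture. A
# SecuRemote client at 203.0.113.5 talks to the gateway 198.51.100.1 and each
# transport the chapter mentions appears at least once.
SAMPLE_CAPTURE = """\
12:00:01.000 IP 203.0.113.5.500 > 198.51.100.1.500: isakmp: phase 1 I ident
12:00:01.250 IP 198.51.100.1.500 > 203.0.113.5.500: isakmp: phase 1 R ident
12:00:02.000 IP 203.0.113.5.40211 > 198.51.100.1.500: Flags [S], seq 1, length 0
12:00:03.000 IP 203.0.113.5 > 198.51.100.1: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
12:00:04.000 IP 203.0.113.5.2746 > 198.51.100.1.2746: UDP, length 156
"""

IKE_PORT = 500          # ISAKMP/IKE: UDP normally, TCP when "IKE over TCP" is used
UDP_ENCAP_PORT = 2746   # Check Point's UDP encapsulation of ESP (VPN1_IPSEC_encapsulation)

ESP = "ESP (IP protocol 50)"
IKE_UDP = "IKE over UDP/500"
IKE_TCP = "IKE over TCP/500"
UDP_ENCAP = "ESP in UDP/2746 (UDP encapsulation)"

# tcpdump prints "addr.port" for TCP and UDP but a bare address for other IP
# protocols such as ESP, so both port groups are optional.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def classify_line(line):
    """Label one capture line with the VPN transport it belongs to."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    ports = {int(p) for p in (m.group("sport"), m.group("dport")) if p}
    if rest.startswith("ESP("):
        return ESP
    if rest.startswith("isakmp") and IKE_PORT in ports:
        return IKE_UDP
    if rest.startswith("Flags [") and IKE_PORT in ports:
        # tcpdump shows only the TCP segment; it does not decode ISAKMP over TCP.
        return IKE_TCP
    if rest.startswith("UDP") and UDP_ENCAP_PORT in ports:
        return UDP_ENCAP
    return "other"


def classify_capture(text):
    return [classify_line(line) for line in text.splitlines() if line.strip()]


def transport_summary(text):
    """Packets per transport: shows whether a client used the TCP or UDP-encapsulated fallbacks."""
    return Counter(classify_capture(text))


def nat_sensitive(text):
    """Packets a NAT device that rewrites only TCP/UDP headers cannot translate.

    Raw ESP carries no port numbers, so it is the one transport here that such a
    device breaks; IKE over TCP and ESP in UDP/2746 both survive it.
    """
    return [label for label in classify_capture(text) if label == ESP]


if __name__ == "__main__":
    for label, count in transport_summary(SAMPLE_CAPTURE).items():
        print(f"{count:3d}  {label}")
    print("would break behind a TCP/UDP-only NAT:", nat_sensitive(SAMPLE_CAPTURE))
```

Feed it the output of `tcpdump -n -i <external-if> host <client-ip>` taken during a client connection attempt: if you see only raw ESP from a client that sits behind NAT, the client is not using the encapsulation the gateway offers, and that is where to look first.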

Finally, you must choose the authentication methods your gateway will support. For these exercises, choose VPN-1 & FireWall-1 Password on the Authentication tab of the Check Point Gateway Properties window on your local gateway. If you neglect to check off the appropriate authentication scheme here, your users will all get Authentication scheme not supported errors when they attempt to log in.

User Encryption Properties

Assume for this section that you have a preexisting set of users that you want to configure for client encryption. If you have no users defined, refer to Chapter 6 to create a few users before continuing.

Start by opening the Users window by choosing Users from the Manage menu in the SmartDashboard GUI. Select an existing user and click Edit. The User Properties window appears. Select the Encryption tab; you are presented with only one option, IKE. (Previously, FWZ was also an option here, but it has been decommissioned.) Select IKE and click Edit. With IKE, the user's authentication parameters are defined on the Authentication tab and the encryption properties on the Encryption tab. If you use Simplified-mode policies, the encryption properties are instead defined globally on the Remote Access page rather than on the Encryption tab.

IKE Authentication

Standard IKE authenticates the two peers of an IPSec tunnel with either a Pre-Shared Secret or a Public Key (a certificate and digital signature), and those are the two options presented here. They are shown in Figure 10.15.

Figure 10.15: IKE Phase 2 Properties

Because these two options do not provide the flexibility that most companies require, Check Point developed a way to build other user authentication methods on top of the Public Key option. This method is called Hybrid Mode Authentication. It is enabled by default and is set on the Remote Access | VPN - Basic page in Policy Global Properties. In Hybrid mode the gateway proves its identity to the client with its certificate, and the user is then authenticated with whichever scheme is selected on the Authentication tab of User Properties. This makes those schemes usable for SecuRemote alongside the built-in digital certificates, external CAs, and LDAP.

Client Encryption Rules

Your client encryption rule in Traditional mode will look as follows (see Figure 10.16):

  • Source: AllUsers@Any

  • Destination: LAN

  • Service: Any

  • Action: Client Encrypt

  • Track: Log

Figure 10.16: SecuRemote Client Encrypt Rule

In both Simplified and Traditional modes, the Source column must specify a group of users together with a location, written group@location; the location can be Any, or it can be a specific source network from which users are allowed to connect. The Destination should be the VPN domain defined on the local gateway object for those users, or at least a host inside that VPN domain to which users can connect.

Your client encryption rule in Simplified mode will look as follows (see Figure 10.17):

  • Source: AllUsers@Any

  • Destination: LAN

  • VPN: RemoteAccess

  • Service: Any

  • Action: Accept

  • Track: Log

Figure 10.17: SecuRemote Client Encrypt Rule

Once the rule is in place in Traditional mode, you can edit the Client Encrypt properties by double-clicking the Client Encrypt icon in the Action column (see Figure 10.18). If the Source column of your rule conflicts with the allowed sources set in User Properties (the Location tab), the Client Encrypt properties specify how to resolve the conflict: either the intersection of the user's allowed sources and the rule's source decides whether access is allowed, or the user database is ignored and the rule alone decides.

Figure 10.18: Client Encrypt Properties
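The interaction between the rule's Source column and the user's own Location restrictions is easy to get wrong, so the decision is worth spelling out. The following is an added example, not code from the book or from Check Point: it models the Client Encrypt rule (group@location, destination), users with Location-tab source and destination restrictions, and the two conflict-resolution choices (intersect with the user database, or ignore it), then evaluates some connections. The network objects, addresses and user names are constructed for the example; LAN stands in for the VPN domain of ExternalFW.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed network objects. LAN plays the VPN domain of ExternalFW from the
# chapter; the addresses themselves are made up for this example.
NETWORKS = {
    "Any": ipaddress.ip_network("0.0.0.0/0"),
    "LAN": ipaddress.ip_network("10.1.0.0/16"),
    "BranchNet": ipaddress.ip_network("192.0.2.0/24"),
}


def _in_any(ip, names):
    return any(ipaddress.ip_address(ip) in NETWORKS[n] for n in names)


@dataclass
class User:
    """A user object: group membership plus the Location tab restrictions."""
    name: str
    groups: set
    allowed_sources: set = field(default_factory=lambda: {"Any"})
    allowed_destinations: set = field(default_factory=lambda: {"Any"})


@dataclass
class ClientEncryptRule:
    """Source = group@location, Destination = VPN domain, Action = Client Encrypt."""
    group: str
    location: str
    destination: str
    # Client Encrypt properties: "Intersect with user database" (True) or
    # "Ignore user database" (False), separately for source and destination.
    intersect_source_with_userdb: bool = True
    intersect_destination_with_userdb: bool = True


def evaluate(rule, user, src_ip, dst_ip):
    """Decide whether an authenticated user's connection matches the Client Encrypt rule.

    Returns (allowed, reason). The Rule Base fields are checked first; the user
    database is consulted only where the Client Encrypt properties ask for the
    intersection.
    """
    if rule.group not in user.groups:
        return False, "user is not in the rule's group"
    if not _in_any(src_ip, {rule.location}):
        return False, "source outside the rule's location"
    if not _in_any(dst_ip, {rule.destination}):
        return False, "destination outside the rule's destination"
    if rule.intersect_source_with_userdb and not _in_any(src_ip, user.allowed_sources):
        return False, "source outside the user's allowed sources"
    if rule.intersect_destination_with_userdb and not _in_any(dst_ip, user.allowed_destinations):
        return False, "destination outside the user's allowed destinations"
    return True, "client encrypt"


# Sample objects (constructed): alice may only connect from BranchNet, bob from anywhere.
ALICE = User("alice", {"AllUsers"}, allowed_sources={"BranchNet"})
BOB = User("bob", {"AllUsers"})
RULE = ClientEncryptRule("AllUsers", "Any", "LAN")          # AllUsers@Any -> LAN
RULE_IGNORE_USERDB = ClientEncryptRule("AllUsers", "Any", "LAN",
                                       intersect_source_with_userdb=False)

if __name__ == "__main__":
    for rule_name, rule in (("intersect", RULE), ("ignore", RULE_IGNORE_USERDB)):
        for user, src in ((ALICE, "203.0.113.5"), (ALICE, "192.0.2.7"), (BOB, "203.0.113.5")):
            print(rule_name, user.name, src, "->", evaluate(rule, user, src, "10.1.5.20"))
```

The point to take from running it: with the default intersection, a rule of AllUsers@Any still refuses alice from an address outside her Location-tab sources, and switching the Client Encrypt properties to ignore the user database is what makes that connection succeed, so that choice widens access for every user the rule matches.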



Check Point NG[s]AI
ISBN: 735623015
Year: 2004
Pages: 149

flylib.com © 2008-2017.