
Route Based VPN Deployment with Cisco VPN Devices

December 24, 2006

In This Document:

Overview page 1
System and Installation Requirements page 2
Configuring VPN Tunnel page 2
Configuring VPN on a Cisco Router page 5
Testing a VPN tunnel establishment page 6
Configuring VPN Tunnel Interface (VTI) on VPN-1 module page 6
Configuring Tunnel Interface on Cisco router page 7
GRE over IPsec Configuration page 8
Testing VPN Connectivity Using VTIs page 9
Configuring Route Based VPN - Using Static Routes page 9
Configuring Route Based VPN - Using Dynamic Routing Protocols (OSPF) page 10
Configuration Verification and Connectivity Test page 12
Check that OSPF Adjacency is Established page 13
Final Connectivity Test page 13

Overview
This document describes how to configure Route Based VPN between VPN-1 modules and
interoperable Cisco devices that support the IPsec, GRE and OSPF protocols. It provides a
step-by-step configuration flow, based on an example scenario of a Check Point VPN-1 module
and a Cisco router (IOS 12.X, C2800 series).
The main aspects covered in this example are:
• Establishing a VPN (IPsec) tunnel between a VPN-1 module and an interoperable Cisco
device (supporting GRE over IPsec) using a Simplified Policy.
• Creating a VPN Tunnel Interface (VTI) on a VPN-1 module.
• Creating tunnel interfaces on Cisco devices.
• Allowing and configuring GRE over IPsec support on VPN-1 and Cisco devices.
• Configuring OSPF and establishing adjacency between VPN-1 and Cisco devices.
• Defining Route Based VPN and providing connectivity.

Copyright © 2005 Check Point Software Technologies, Ltd. All rights reserved

System and Installation Requirements


The following components should be installed and configured:
• Machines with SPLAT Pro (SecurePlatform Pro) installed and properly licensed.
• Check Point VPN-1 installed, with internal and external interfaces defined.
• Cisco router.
• Clear-text connectivity between the peers should be allowed and tested.
Figure 1

Configuring VPN Tunnel


1. Enable the VPN-1 module on all gateway objects.
2. In SmartDashboard, create an empty group.
3. In the Topology page of each gateway, set the VPN Domain to the empty group (encryption
domain) created in step 2.


Figure 2

4. Create an Interoperable Device object and configure it according to the Cisco router
information (name, IP addresses, and so on):
Figure 3

5. On the Topology page of the Cisco device, click Add and enter the tunnel IP address
information. This IP address is used in the Rule Base for security purposes and is not
related to connectivity.


Figure 4

6. Create a meshed community. In the Participating Gateways page, add the VPN-1 module(s)
and the Cisco object. Configure the required encryption methods and IKE authentication for
the community.
Note - In this example, IKE authentication is based on pre-shared secrets; VPN-1 also fully
supports IKE PKI authentication based on RSA digital signatures (certificates) with
interoperable devices.


Figure 5

Figure 6

7. Create a rule in the security Rule Base which allows ICMP and OSPF services. Keep
in mind that the VPN column should remain as Any Traffic. Additionally, there is no
need to define Source and Destination. In this example, the focus is on the VPN
dynamic routing, and not on creating a proper security Rule Base.

Table 1 Sample Rule

Source   Destination   VPN           Service   Action   Track
Any      Any           Any Traffic   icmp      accept   Log
                                     ospf
Note - In Route Based VPN configurations, VPN access control (the VPN column) must be defined
using "Directional VPN" only; regular VPN settings will not function and drop the corresponding
traffic. (For more information, refer to the Directional VPN Enforcement chapter in the VPN
User Guide.)
8. Install the policy on the VPN-1 module.

Configuring VPN on a Cisco Router


Table 2 details the configuration for the Cisco device to establish basic VPN connectivity
with the VPN-1 module (the pre-shared key, 3DES transform set and 120-second SA lifetime are
lab example values; a production deployment uses a strong pre-shared key or certificates):


Table 2
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 123456 address 192.168.65.50
crypto isakmp peer address 192.168.65.50
crypto ipsec security-association lifetime seconds 120
crypto ipsec transform-set testset esp-3des esp-sha-hmac
crypto map testmap 73 ipsec-isakmp
 set peer 192.168.65.50
 set transform-set testset
 match address 141
interface FastEthernet0/0
 ip address 10.10.120.10 255.255.255.0
 speed 100
 full-duplex
 crypto map testmap
access-list 141 permit ip host 10.10.120.10 host 194.29.43.63
access-list 141 permit ip host 194.29.43.63 host 10.10.120.10

Testing a VPN tunnel establishment


Check that a basic VPN tunnel is successfully established between the VPN-1 module and the
Cisco device by performing an ICMP (ping) connectivity test.
From the SPLAT Pro command prompt on the VPN-1 module, ping an external interface of the
Cisco device. Then do the same in the other direction: ping an external interface of the
VPN-1 module from the Cisco device.
In SmartView Tracker, check that the IKE key exchanges completed without errors or failures
and that the ICMP traffic is encrypted and decrypted by the VPN-1 module; confirm that the
corresponding logs are received.

Configuring VPN Tunnel Interface (VTI) on VPN-1 module

For a detailed description of how to configure a VTI using the VPN Shell command line
interface, refer to the Route Based VPN chapter and the VPN Shell appendix in the VPN
User Guide.
Using the VPN Shell, create a VTI attached to the Cisco interoperable device object, with
local IP 22.22.22.1 and remote IP 22.22.22.2:


Table 3
[admin@gw_a ~]$ vpn shell i a n 22.22.22.1 22.22.22.2 cisco
Interface 'vt-cisco' was added successfully to the system
[admin@gw_a ~]$ vpn shell i s d vt-cisco
vt-cisco   Type:numbered  MTU:1500
           inet addr:22.22.22.1  P-t-P:22.22.22.2  Mask:255.255.255.255
           Peer:cisco  Peer ID:10.10.120.10  Status:attached

Confirm that the VTI was fetched and properly configured in the Topology page of the
VPN-1 module.
When this is confirmed, install the policy.
Figure 7

Configuring Tunnel Interface on Cisco router

Create and configure a tunnel interface on the Cisco device with the settings in Table 4:
Table 4
interface Tunnel0
 ip address 22.22.22.2 255.255.255.0
 ip ospf network point-to-point
 ip ospf mtu-ignore
 tunnel source FastEthernet0/0
 tunnel destination 192.168.65.50


GRE over IPsec Configuration


In SmartDashboard:
1. Navigate to the VPN > VPN Advanced page of the interoperable object (Cisco device).
Figure 8

2. Select Custom settings > One VPN tunnel per Gateway pair.
3. In the drop-down menu, select GRE on IPsec.
4. Install the policy.
5. On the Cisco device, GRE encapsulation should be enabled by default. To confirm this,
see Table 5.
Table 5
Cisco# show interfaces tunnel 0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 22.22.22.2/24
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 10.10.120.10 (FastEthernet0/0), destination 194.29.43.63
  Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled

6. Edit the existing access-list on the Cisco device so that it permits GRE traffic between
the two IPsec endpoints, as shown in Table 6.
Table 6
access-list 141 permit gre host 10.10.120.10 host 192.168.65.50
access-list 141 permit gre host 192.168.65.50 host 10.10.120.10
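The following Python check is an added example (not from this document, Check Point or Cisco) that parses the relevant IOS lines and confirms the GRE over IPsec pieces agree: the crypto-map peer equals the tunnel destination, and the ACL referenced by match address permits GRE in both directions between the tunnel source address and the destination. SAMPLE_CONFIG is constructed from the lines in Tables 2, 4 and 6; the function name is my own.

```python
import re
# Constructed sample, assembled from the tunnel, crypto map and GRE ACL lines
# in Tables 2, 4 and 6 of this document (not a complete router configuration).
SAMPLE_CONFIG = """\
crypto map testmap 73 ipsec-isakmp
 set peer 192.168.65.50
 match address 141
interface FastEthernet0/0
 ip address 10.10.120.10 255.255.255.0
 crypto map testmap
interface Tunnel0
 tunnel source FastEthernet0/0
 tunnel destination 192.168.65.50
access-list 141 permit gre host 10.10.120.10 host 192.168.65.50
access-list 141 permit gre host 192.168.65.50 host 10.10.120.10
"""

GRE_ACL_RE = re.compile(r"^access-list (\d+) permit gre host (\S+) host (\S+)$")

def check_gre_over_ipsec(config):
    """Return a list of problems; an empty list means the pieces agree."""
    iface_ip, gre_acl, tunnel, peer, acl_num = {}, {}, {}, None, None
    section = ""
    for raw in config.splitlines():
        line = raw.strip()
        words = line.split()
        if raw and not raw[0].isspace():     # unindented line opens a new section
            section = line
        if line.startswith("ip address ") and section.startswith("interface "):
            iface_ip[section.split()[1]] = words[2]
        elif line.startswith("tunnel source "):
            tunnel["source"] = words[2]
        elif line.startswith("tunnel destination "):
            tunnel["destination"] = words[2]
        elif line.startswith("set peer "):
            peer = words[2]
        elif line.startswith("match address "):
            acl_num = words[2]
        m = GRE_ACL_RE.match(line)
        if m:
            gre_acl.setdefault(m.group(1), set()).add((m.group(2), m.group(3)))
    # 'tunnel source' may name an interface or an address: resolve it to an address
    src = iface_ip.get(tunnel.get("source"), tunnel.get("source"))
    dst = tunnel.get("destination")
    problems = []
    if peer != dst:
        problems.append(f"crypto map peer {peer} differs from tunnel destination {dst}")
    for a, b in ((src, dst), (dst, src)):
        if (a, b) not in gre_acl.get(acl_num, set()):
            problems.append(f"access-list {acl_num} lacks 'permit gre host {a} host {b}'")
    return problems
```

Run it against the running configuration of the router to catch a tunnel destination or ACL entry that was changed in one place only.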


Testing VPN Connectivity Using VTIs


To confirm connectivity between the VPN-1 module and the Cisco device, proceed as follows:
1. On the VPN-1 module, ping the tunnel IP address of the Cisco device (22.22.22.2) from
the command line.
2. On the Cisco device, ping the tunnel address of the VPN-1 module (22.22.22.1).
Before proceeding to the next step:
• Check that the ping was successful when initiated from both sides.
• Check that the logs show a successful IKE negotiation and Encrypt/Decrypt entries for
the ICMP connection.
• In the Encrypt/Decrypt log details, check that GRE is used.

Configuring Route Based VPN - Using Static Routes

To provide Route Based VPN connectivity between the VPN-1 module and the Cisco device,
define static routes in the operating system that use the VTI as their outgoing interface.
Create the following static routes:
• On the VPN-1 module: route add -net 30.1.1.0 netmask 255.255.255.0 dev vt-cisco
• On the Cisco device: ip route 10.65.50.0 255.255.255.0 tunnel 0
Confirm that the static routes are defined in the operating system routing tables on the
VPN-1 module:
[admin@gw_a ~]$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
224.0.0.2       *               255.255.255.255 UHD   0      0        0 lo
22.22.22.2      *               255.255.255.255 UH    0      0        0 vt-cisco
22.22.22.1      localhost.local 255.255.255.255 UGH   0      0        0 lo
1.1.1.1         localhost.local 255.255.255.255 UGH   0      0        0 lo
localhost.local *               255.255.255.255 UH    0      0        0 lo
30.1.1.0        *               255.255.255.0   U     0      0        0 vt-cisco
192.168.65.0    *               255.255.255.0   U     0      0        0 eth0
10.65.50.0      *               255.255.255.0   U     0      0        0 eth1
127.0.0.0       -               255.0.0.0       !D    0      -        0 -
default         192.168.65.1    0.0.0.0         UG    0      0        0 eth0


Confirm that the static routes are defined in the operating system routing tables on the
Cisco device:
show ip route
Gateway of last resort is 10.10.120.1 to network 0.0.0.0
     22.0.0.0/24 is subnetted, 1 subnets
C       22.22.22.0 is directly connected, Tunnel0
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.10.120.0/24 is directly connected, FastEthernet0/0
S       10.65.50.0/24 is directly connected, Tunnel0
     30.0.0.0/24 is subnetted, 1 subnets
C       30.1.1.0 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 10.10.120.1

Perform a cross ping between hosts located in the internal networks behind the VPN-1 module
and the Cisco device. For example, if the host behind VPN-1 is 10.65.50.2 and the host behind
the Cisco device is 30.1.1.2, start a ping session from both hosts:
VPN-1-host: ping 30.1.1.2 ; Cisco-host: ping 10.65.50.2
ICMP traffic to and from the VPN-1 gateway should be encrypted and decrypted properly, and
the corresponding logs should appear in SmartView Tracker.

Configuring Route Based VPN - Using Dynamic Routing Protocols (OSPF)

If static routes representing the internal networks of both VPN peers have been configured,
remove them before beginning the OSPF configuration.
1. On the VPN-1 module, verify that the operating system has a SPLAT Pro license, which
enables the Advanced Routing Suite (dynamic routing daemon).
2. From the SPLAT Pro command prompt, run one of the following commands to enter the GateD
CLI shell:
router or cligated
Follow the commands in Table 7 to configure OSPF on the VPN-1 module.


Table 7
[admin@gw_a ~]$ router
localhost.localdomain>ena
localhost.localdomain#conf t
localhost.localdomain(config)#router ospf 1
localhost.localdomain(config-router-ospf)#router-id 192.168.65.50
localhost.localdomain(config-router-ospf)#network 22.22.22.2 0.0.0.0 area 0.0.0.0
localhost.localdomain(config-router-ospf)#redistribute kernel
localhost.localdomain(config-router-ospf)#end
Review the settings:
localhost.localdomain#show running-config
Building configuration...
router ospf 1
 router-id 192.168.65.50
 network 22.22.22.2 0.0.0.0 area 0.0.0.0
 redistribute kernel
exit
Check that the VTI is an OSPF interface (at this stage no OSPF routes are listed and the
neighbor count is 0, since the Cisco side is not configured yet):
localhost.localdomain#show ip route ospf
Codes: C - connected, S - static, R - RIP, B - BGP, O - OSPF
       D - DVMRP, 3 - OSPF3, I - IS-IS, K - Kernel
       A - Aggregate
localhost.localdomain#show ip ospf interface
vt-cisco is up
  Internet Address 22.22.22.1, Area 0.0.0.0
  Network Type Point-To-Point, Cost: 10
  Transmit Delay is 1 sec, State Pt2Pt, Priority 1
  No Designated Router on this network
  No Backup Designated Router on this network
  Timer intervals configured, Hello 10, Dead 40, Retransmit 5
  Neighbor Count is 0
localhost.localdomain#
Note - The redistribution policy "kernel" is chosen here to advertise kernel routes held in the SPLAT
Pro OS routing table. The GateD dynamic routing daemon supports other policies (for example, bgp,
direct, ospf, rip and static); refer to the additional documents describing how to use all the
redistribute policy options.
3. Create a kernel (static) route in the SPLAT Pro OS routing table; this route is treated as a
VPN encryption domain and is advertised via the VTI towards the Cisco device.
Table 8 illustrates how to redistribute a specific range located behind the VPN-1 gateway:


Table 8
[admin@gw_a ~]$ route add -net 10.65.50.0 netmask 255.255.255.128 gw 10.65.50.1
[admin@gw_a ~]$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
224.0.0.2       *               255.255.255.255 UHD   0      0        0 lo
22.22.22.2      *               255.255.255.255 UH    0      0        0 vt-cisco
22.22.22.1      localhost.local 255.255.255.255 UGH   0      0        0 lo
224.0.0.6       *               255.255.255.255 UHD   0      0        0 lo
224.0.0.5       *               255.255.255.255 UHD   0      0        0 lo
1.1.1.1         localhost.local 255.255.255.255 UGH   0      0        0 lo
localhost.local *               255.255.255.255 UH    0      0        0 lo
10.65.50.0      10.65.50.1      255.255.255.128 UG    0      0        0 eth1
192.168.65.0    *               255.255.255.0   U     0      0        0 eth0
10.65.50.0      *               255.255.255.0   U     0      0        0 eth1
127.0.0.0       -               255.0.0.0       !D    0      -        0 -
default         192.168.65.1    0.0.0.0         UG    0      0        0 eth0

In this example, the internal interface is 10.65.50.1 with a 24-bit mask; we created a route
for the same network, 10.65.50.0, but with a 25-bit mask, so that it exists as a separate
kernel route that "redistribute kernel" can advertise.
4. On the Cisco device, define the following settings:
router ospf 1
 router-id 10.10.120.10
 log-adjacency-changes
 redistribute static subnets
 network 22.22.22.0 0.0.0.255 area 0.0.0.0

5. Create a static route that points to a host located behind the Cisco device:
ip route 30.1.1.2 255.255.255.255 FastEthernet0/1

Configuration Verification and Connectivity Test

On the VPN-1 module, enter the GateD CLI shell and check the OSPF settings:
localhost.localdomain#show running-config
Building configuration...
router ospf 1
 router-id 192.168.65.50
 network 22.22.22.2 0.0.0.0 area 0.0.0.0
 redistribute kernel
exit
localhost.localdomain#


Check that OSPF Adjacency is Established


Confirm that the adjacency with the Cisco device is established (the listing below is taken
in the GateD CLI shell on the VPN-1 module, where the Cisco device appears as neighbor
10.10.120.10 on vt-cisco):
localhost.localdomain#show ip ospf neighbor
Routing Process "ospf 1":
  Neighbor 10.10.120.10, interface address 22.22.22.2
    In area 0.0.0.0 interface vt-cisco
    Neighbor priority is 1, state is Full, 6 state changes
    DR is 0.0.0.0 BDR is 0.0.0.0
    Options is 18
    Dead timer is due in 36 seconds

Check that the routes advertised by the Cisco device are learned by the VPN-1 module and
appear in the OS routing table via the Cisco VTI:
localhost.localdomain#show ip route ospf
Codes: C - connected, S - static, R - RIP, B - BGP, O - OSPF
       D - DVMRP, 3 - OSPF3, I - IS-IS, K - Kernel
       A - Aggregate
O   22.22.22.0/24 [11121/10] via 22.22.22.2, 00:12:41, vt-cisco
O   30.1.1.2/32 [10/150] via 22.22.22.2, 00:04:46, vt-cisco
localhost.localdomain#

On the Cisco device, check that the OSPF configuration used for adjacency and route
injection is the one defined earlier:
router ospf 1
 router-id 10.10.120.10
 log-adjacency-changes
 redistribute static subnets
 network 22.22.22.0 0.0.0.255 area 0.0.0.0

Final Connectivity Test


Confirm that both the VPN-1 module and the Cisco device contain the redistributed routes,
which function as additional encryption domains:
• VPN-1 module: O 30.1.1.2/32 [10/150] via 22.22.22.2, 00:04:46, vt-cisco
• Cisco device: O E2 10.65.50.0/25 [110/1] via 22.22.22.1, 00:07:59, Tunnel0
On the Cisco device, check the OSPF neighbor state:
Cisco#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.65.50     0   FULL/  -        00:00:36    22.22.22.1      Tunnel0
Check the routing table:
Cisco#show ip route ospf
     10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
O E2    10.65.50.0/25 [110/1] via 22.22.22.1, 00:07:59, Tunnel0


• Perform ping tests between hosts located behind the VPN-1 module and the Cisco device.
• Connections should be established successfully, with all traffic encrypted and decrypted.
• Check that the corresponding logs are received in SmartView Tracker.
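As an added example (not part of the original document), the following Python helpers verify two of the checks in this document from captured output: that the route for the remote encryption domain on the VPN-1 module leaves via the VTI (the route listing in the static routes section) and that the Cisco OSPF neighbor is in state FULL on the tunnel interface (the show ip ospf neighbor listing above). The sample outputs are constructed from this document's listings, trimmed to the rows needed; the function names are my own.

```python
import re

# Constructed sample: the VPN-1 'route' listing from the static routes section,
# trimmed to the rows this check needs.
SPLAT_ROUTE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
22.22.22.2      *               255.255.255.255 UH    0      0        0 vt-cisco
30.1.1.0        *               255.255.255.0   U     0      0        0 vt-cisco
192.168.65.0    *               255.255.255.0   U     0      0        0 eth0
10.65.50.0      *               255.255.255.0   U     0      0        0 eth1
default         192.168.65.1    0.0.0.0         UG    0      0        0 eth0
"""

# Constructed sample: the Cisco 'show ip ospf neighbor' listing from this document.
CISCO_OSPF_NEIGHBOR = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.65.50     0   FULL/  -        00:00:36    22.22.22.1      Tunnel0
"""

# router-id, priority, STATE/role, dead time, address, interface
NEIGHBOR_RE = re.compile(r"^(\S+)\s+\d+\s+(\w+)/\s*\S+\s+\S+\s+(\S+)\s+(\S+)$")

def splat_route_iface(route_output, dest, genmask):
    """Return the interface carrying dest/genmask in Linux 'route' output, or None."""
    for line in route_output.splitlines()[2:]:          # skip title and header rows
        cols = line.split()
        if len(cols) == 8 and cols[0] == dest and cols[2] == genmask:
            return cols[7]
    return None

def remote_domain_via_vti(route_output, net="30.1.1.0", mask="255.255.255.0", vti="vt-cisco"):
    """True when the remote encryption domain is routed through the VTI, as required."""
    return splat_route_iface(route_output, net, mask) == vti

def ospf_neighbor_states(neigh_output):
    """Map neighbour router-id -> (state, interface) from 'show ip ospf neighbor'."""
    states = {}
    for line in neigh_output.splitlines()[1:]:           # skip header row
        m = NEIGHBOR_RE.match(line)
        if m:
            states[m.group(1)] = (m.group(2), m.group(4))
    return states

def adjacency_full(neigh_output, router_id, iface):
    """True when the peer with router_id has reached FULL on iface."""
    return ospf_neighbor_states(neigh_output).get(router_id) == ("FULL", iface)
```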
