In This Document:
Overview page 1
System and Installation Requirements page 2
Configuring VPN Tunnel page 2
Configuring VPN on a Cisco Router page 5
Testing a VPN tunnel establishment page 6
Configuring VPN Tunnel Interface (VTI) on VPN-1 module page 6
Configuring Tunnel Interface on Cisco router page 7
GRE over IPsec Configuration page 8
Testing VPN Connectivity Using VTIs page 9
Configuring Route Based VPN - Using Static Routes page 9
Configuring Route Based VPN - Using Dynamic Routing Protocols (OSPF) page 10
Configuration Verification and Connectivity Test page 12
Check that OSPF Adjacency is Established page 13
Final Connectivity Test page 13
Overview
This document describes how to configure a Route Based VPN between VPN-1 modules and interoperable Cisco devices that support the IPsec, GRE and OSPF protocols. It provides a step by step configuration flow based on an example scenario with a Check Point VPN-1 module and a Cisco router (IOS 12.X, C2800 series).
The main aspects covered in this example are:
• Establishing a VPN (IPsec) tunnel between a VPN-1 module and an interoperable Cisco device (supporting GRE over IPsec) using a Simplified Policy.
• Creating a VPN Tunnel Interface (VTI) on a VPN-1 module.
Copyright © 2005 Check Point Software Technologies, Ltd. All rights reserved 1
System and Installation Requirements
Route Based VPN Deployment with Cisco VPN Devices— December 24, 2006 2
Configuring VPN Tunnel
Figure 2
5. On the Topology page of the Cisco device object, click Add and enter the tunnel IP address information. This address is used only for matching in the security Rule Base; it has no effect on connectivity.
Figure 4
6. Create a meshed community. In the Participating Gateways page, add the VPN-1 module(s) and the Cisco object.
Configure the required encryption methods and the IKE authentication for the community.
Note - This example uses IKE authentication based on pre-shared secrets. VPN-1 also fully supports IKE with PKI (RSA digital signatures, i.e. certificates) with interoperable devices. Outside a lab, prefer certificates; if a pre-shared secret is used, make it long and random (the value shown in Table 2 is a placeholder).
Figure 5
Figure 6
7. Create a rule in the security Rule Base that allows the ICMP and OSPF services. Leave the VPN column as Any Traffic. Source and Destination do not need to be defined for this example, since the focus is on VPN dynamic routing and not on building a proper security Rule Base. In a production Rule Base, restrict the OSPF rule to the VTI addresses of the two peers and the ICMP rule to the encryption domains.
Configuring VPN on a Cisco Router
Table 2
! IKE phase 1 policy (lab values from the example: 3DES, DH group 2; no hash is
! set, so the IOS default SHA-1 applies)
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
! Pre-shared secret for the VPN-1 peer. "123456" is a placeholder; use a long random secret.
crypto isakmp key 123456 address 192.168.65.50
crypto isakmp peer address 192.168.65.50
! 120 seconds is a lab value chosen to exercise rekeying; the IOS default is 3600
crypto ipsec security-association lifetime seconds 120
crypto ipsec transform-set testset esp-3des esp-sha-hmac
crypto map testmap 73 ipsec-isakmp
 set peer 192.168.65.50
 set transform-set testset
 match address 141
interface FastEthernet0/0
 ip address 10.10.120.10 255.255.255.0
 speed 100
 full-duplex
 crypto map testmap
! Crypto ACL: the traffic that the IPsec SA must protect
access-list 141 permit ip host 10.10.120.10 host 194.29.43.63
access-list 141 permit ip host 194.29.43.63 host 10.10.120.10
Two things to check in this capture before reusing it. First, the IKE peer and crypto map peer are 192.168.65.50, while access-list 141 (and the tunnel destination shown in Table 5) use 194.29.43.63; in a working deployment all of these must refer to the same VPN-1 external address (the GRE entries added in Table 6 use 192.168.65.50). Second, IOS evaluates a crypto ACL for outbound traffic and mirrors it for inbound, so the reverse-direction entry is not required, although it is harmless.
Testing a VPN tunnel establishment
Configuring VPN Tunnel Interface (VTI) on VPN-1 module
Table 3
[admin@gw_a ~]$ vpn shell i a n 22.22.22.1 22.22.22.2 cisco
Interface 'vt-cisco' was added successfully to the system
[admin@gw_a ~]$ vpn shell i s d vt-cisco
vt-cisco   Type:numbered   MTU:1500
           inet addr:22.22.22.1   P-t-P:22.22.22.2   Mask:255.255.255.255
           Peer:cisco   Peer ID:10.10.120.10   Status:attached
The abbreviated commands are "interface add numbered <local IP> <remote IP> <peer gateway object>" and "interface show detailed <VTI name>". The peer name ("cisco") must match the interoperable device object defined in SmartDashboard; the resulting VTI is named after the peer (vt-cisco), and the Peer ID is that object's IP address (10.10.120.10).
Confirm that the VTI was fetched and properly configured in the Topology page of the VPN-1 module. When this is confirmed, install the policy.
Figure 7
Configuring Tunnel Interface on Cisco router
GRE over IPsec Configuration
2. Select Custom settings > One VPN tunnel per Gateway pair.
3. In the drop down menu, select GRE on IPsec.
4. Install the policy.
5. On the Cisco device, GRE encapsulation is enabled by default on a tunnel interface (the default tunnel mode is GRE over IP). To confirm this, see Table 5.
Table 5
Cisco# show interfaces tunnel 0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 22.22.22.2/24
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 10.10.120.10 (FastEthernet0/0), destination 194.29.43.63
  Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
6. Edit the existing crypto access-list on the Cisco device so that it permits GRE traffic between the two IPsec endpoints, as shown in Table 6. With GRE over IPsec the traffic to protect is the GRE tunnel itself (IP protocol 47), so the crypto ACL must match GRE between the tunnel source and the VPN-1 external address; the earlier host-to-host "permit ip" entries from Table 2 are only needed if plain IP traffic between the endpoints must also be encrypted.
Table 6
access-list 141 permit gre host 10.10.120.10 host 192.168.65.50
access-list 141 permit gre host 192.168.65.50 host 10.10.120.10
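The Cisco side of this setup has to agree with itself on a handful of addresses: the IKE peer (Table 2), the crypto map peer, the crypto ACL entries (Tables 2 and 6) and the GRE tunnel destination (Table 5). The following Python script is an added example, not part of the original document or of any Check Point or Cisco tool: it parses the IOS fragments shown on this page (embedded below as constructed input), checks that those addresses agree and that the crypto ACL carries a GRE entry between the tunnel endpoints, and flags a short pre-shared key. The "fixed" configuration, the 20-character key threshold and the placeholder secret are assumptions for illustration.

```python
import re

# Constructed input: the Cisco side as it appears on the page (Table 2 plus the
# two GRE entries from Table 6). Not a live capture.
PAGE_CONFIG = """\
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 123456 address 192.168.65.50
crypto isakmp peer address 192.168.65.50
crypto ipsec security-association lifetime seconds 120
crypto ipsec transform-set testset esp-3des esp-sha-hmac
crypto map testmap 73 ipsec-isakmp
 set peer 192.168.65.50
 set transform-set testset
 match address 141
interface FastEthernet0/0
 ip address 10.10.120.10 255.255.255.0
 crypto map testmap
access-list 141 permit ip host 10.10.120.10 host 194.29.43.63
access-list 141 permit ip host 194.29.43.63 host 10.10.120.10
access-list 141 permit gre host 10.10.120.10 host 192.168.65.50
access-list 141 permit gre host 192.168.65.50 host 10.10.120.10
"""
# Constructed from the "Tunnel source ... destination ..." line of Table 5.
PAGE_TUNNEL = "Tunnel source 10.10.120.10 (FastEthernet0/0), destination 194.29.43.63"

# Assumed fix (not on the page): tunnel destination set to the IKE peer, the
# stale host-to-host entries dropped, and a placeholder for a long random PSK.
FIXED_CONFIG = "\n".join(l for l in PAGE_CONFIG.splitlines() if " permit ip " not in l)
FIXED_CONFIG = FIXED_CONFIG.replace("key 123456", "key REPLACE-WITH-A-LONG-RANDOM-SECRET")
FIXED_TUNNEL = PAGE_TUNNEL.replace("194.29.43.63", "192.168.65.50")

# These patterns cover the plain "crypto isakmp key <key> address <ip>" form
# used on the page, not the "key 6 ..." encrypted form.
KEY_RE = re.compile(r"^crypto isakmp key\s+(\S+)\s+address\s+(\S+)")
PEER_RE = re.compile(r"^\s*set peer\s+(\S+)")
MATCH_RE = re.compile(r"^\s*match address\s+(\d+)")
ACL_RE = re.compile(r"^access-list\s+(\d+)\s+permit\s+(\S+)\s+host\s+(\S+)\s+host\s+(\S+)")
TUN_RE = re.compile(r"Tunnel source\s+(\S+)\s+\(.*?\),\s+destination\s+(\S+)")

MIN_PSK_LEN = 20  # assumed local policy, not an IOS limit


def parse(config: str, tunnel_show: str) -> dict:
    """Pull out the fields that have to agree: PSK, IKE peer, crypto-map peer,
    the crypto ACL entries referenced by 'match address', and the GRE endpoints."""
    cfg = {"psk": [], "ike_peers": set(), "map_peers": set(), "match": set(), "acl": {}}
    for line in config.splitlines():
        if m := KEY_RE.match(line):
            cfg["psk"].append(m.group(1))
            cfg["ike_peers"].add(m.group(2))
        elif m := PEER_RE.match(line):
            cfg["map_peers"].add(m.group(1))
        elif m := MATCH_RE.match(line):
            cfg["match"].add(m.group(1))
        elif m := ACL_RE.match(line):
            cfg["acl"].setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4)))
    m = TUN_RE.search(tunnel_show)
    cfg["tunnel"] = (m.group(1), m.group(2)) if m else None
    return cfg


def check(config: str, tunnel_show: str) -> list:
    """Return a list of findings; an empty list means the pieces agree."""
    cfg = parse(config, tunnel_show)
    findings = []
    for psk in cfg["psk"]:
        if len(psk) < MIN_PSK_LEN:
            findings.append(f"pre-shared key {psk!r} is shorter than {MIN_PSK_LEN} characters")
    peers = cfg["ike_peers"] | cfg["map_peers"]
    if len(peers) != 1:
        findings.append(f"IKE peer and crypto map peer disagree: {sorted(peers)}")
        return findings
    peer = peers.pop()
    if cfg["tunnel"] is None:
        findings.append("could not find tunnel source/destination")
        return findings
    src, dst = cfg["tunnel"]
    if dst != peer:
        findings.append(f"GRE tunnel destination {dst} is not the IPsec peer {peer}")
    for acl_id in sorted(cfg["match"]):
        entries = cfg["acl"].get(acl_id, [])
        # Outbound GRE from the tunnel source to the peer is what must be protected.
        if ("gre", src, peer) not in entries:
            findings.append(f"access-list {acl_id} has no 'permit gre host {src} host {peer}'")
        for proto, s, d in entries:
            if {s, d} - {src, peer}:
                findings.append(f"access-list {acl_id} entry 'permit {proto} host {s} host {d}' "
                                "references an address that is not a tunnel endpoint")
    return findings


if __name__ == "__main__":
    for name, cfg, tun in (("page", PAGE_CONFIG, PAGE_TUNNEL), ("fixed", FIXED_CONFIG, FIXED_TUNNEL)):
        print(name, check(cfg, tun) or "OK")
```

Run against the page's own fragments the checker reports the 194.29.43.63 entries and the tunnel destination as not matching the IKE peer, plus the placeholder key; the assumed fixed configuration produces no findings.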
Testing VPN Connectivity Using VTIs
Configuring Route Based VPN - Using Static Routes
Confirm that the static routes are present in the routing table on the Cisco device:
Cisco# show ip route
Gateway of last resort is 10.10.120.1 to network 0.0.0.0
     22.0.0.0/24 is subnetted, 1 subnets
C       22.22.22.0 is directly connected, Tunnel0
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.10.120.0/24 is directly connected, FastEthernet0/0
S       10.65.50.0/24 is directly connected, Tunnel0
     30.0.0.0/24 is subnetted, 1 subnets
C       30.1.1.0 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 10.10.120.1
The S entry for 10.65.50.0/24 via Tunnel0 is the static route (ip route 10.65.50.0 255.255.255.0 Tunnel0) that steers traffic for the VPN-1 encryption domain into the GRE tunnel. Correspondingly, the VPN-1 module must have a route for the network behind the Cisco device (30.1.1.0/24) through the VTI.
Perform a cross "ping" between hosts on the internal networks behind the VPN-1 module and the Cisco device. For example, if the host behind VPN-1 is 10.65.50.2 and the host behind the Cisco device is 30.1.1.2, ping from both sides:
VPN-1-host: ping 30.1.1.2 ; Cisco-host: ping 10.65.50.2
ICMP traffic to and from the VPN-1 gateway should be encrypted and decrypted properly, and the corresponding encrypt and decrypt log entries should appear in SmartView Tracker.
Configuring Route Based VPN - Using Dynamic Routing Protocols (OSPF)
Table 7
[admin@gw_a ~]$ router
localhost.localdomain>ena
localhost.localdomain#conf t
localhost.localdomain(config)#router ospf 1
localhost.localdomain(config-router-ospf)#router-id 192.168.65.50
localhost.localdomain(config-router-ospf)#network 22.22.22.2 0.0.0.0 area 0.0.0.0
localhost.localdomain(config-router-ospf)#redistribute kernel
localhost.localdomain(config-router-ospf)#end
Review the settings:
localhost.localdomain#show running-config
Building configuration...
router ospf 1
 router-id 192.168.65.50
 network 22.22.22.2 0.0.0.0 area 0.0.0.0
 redistribute kernel
exit
Check that the VTI is an OSPF interface. At this point no OSPF routes have been learned and the Neighbor Count is 0, because the Cisco side has not been configured yet (step 4 below):
localhost.localdomain#show ip route ospf
Codes: C - connected, S - static, R - RIP, B - BGP, O - OSPF
       D - DVMRP, 3 - OSPF3, I - IS-IS, K - Kernel
       A - Aggregate
localhost.localdomain#show ip ospf interface
vt-cisco is up
  Internet Address 22.22.22.1, Area 0.0.0.0
  Network Type Point-To-Point, Cost: 10
  Transmit Delay is 1 sec, State Pt2Pt, Priority 1
  No Designated Router on this network
  No Backup Designated Router on this network
  Timer intervals configured, Hello 10, Dead 40, Retransmit 5
  Neighbor Count is 0
localhost.localdomain#
Note - The redistribution policy "kernel" was chosen to advertise the kernel routes held in the SPLAT Pro OS routing table. The GateD dynamic routing daemon supports other policies (for example bgp, direct, ospf, rip and static); refer to the routing documentation for the full set of redistribute options.
3. Create a kernel (static) route in the SPLAT Pro OS routing table for the network that forms the VPN encryption domain, so that it is advertised through the VTI towards the Cisco device. Table 8 shows how to redistribute a specific range located behind the VPN-1 gateway:
Table 8
[admin@gw_a ~]$ route add -net 10.65.50.0 netmask 255.255.255.128 gw 10.65.50.1
[admin@gw_a ~]$ route
Kernel IP routing table
Destination      Gateway          Genmask          Flags Metric Ref Use Iface
224.0.0.2        *                255.255.255.255  UHD   0      0   0   lo
22.22.22.2       *                255.255.255.255  UH    0      0   0   vt-cisco
22.22.22.1       localhost.local  255.255.255.255  UGH   0      0   0   lo
224.0.0.6        *                255.255.255.255  UHD   0      0   0   lo
224.0.0.5        *                255.255.255.255  UHD   0      0   0   lo
1.1.1.1          localhost.local  255.255.255.255  UGH   0      0   0   lo
localhost.local  *                255.255.255.255  UH    0      0   0   lo
10.65.50.0       10.65.50.1       255.255.255.128  UG    0      0   0   eth1
192.168.65.0     *                255.255.255.0    U     0      0   0   eth0
10.65.50.0       *                255.255.255.0    U     0      0   0   eth1
127.0.0.0        -                255.0.0.0        !D    0      -   0   -
default          192.168.65.1     0.0.0.0          UG    0      0   0   eth0
In this example the internal interface is 10.65.50.1 with a 24-bit mask. The connected 10.65.50.0/24 route (flags U) is an interface route rather than a kernel route, so "redistribute kernel" does not advertise it; a route for the same network with a 25-bit mask, pointing at the interface address itself (flags UG), was therefore added so that it is picked up as a kernel route and advertised. Before relying on an unfiltered "redistribute kernel", check which other gateway routes in this table (the default route, for instance) the same policy would also pick up.
4. On the Cisco device, define the following settings:
router ospf 1
 router-id 10.10.120.10
 log-adjacency-changes
 redistribute static subnets
 network 22.22.22.0 0.0.0.255 area 0.0.0.0
5. Create static routes that point to a host located behind the Cisco device; these are the routes that "redistribute static subnets" advertises towards VPN-1:
ip route 30.1.1.2 255.255.255.255 FastEthernet0/1
Configuration Verification and Connectivity Test
Check that OSPF Adjacency is Established
Cisco routes are shown on the VPN-1 module. Check that the routes from the Cisco device are learned by the VPN-1 module and appear in the OS routing table via the Cisco VTI:
localhost.localdomain#show ip route ospf
Codes: C - connected, S - static, R - RIP, B - BGP, O - OSPF
       D - DVMRP, 3 - OSPF3, I - IS-IS, K - Kernel
       A - Aggregate
22.22.22.0/24 [11121/10] via 22.22.22.2, 00:12:41, vt-cisco
30.1.1.2/32 [10/150] via 22.22.22.2, 00:04:46, vt-cisco
localhost.localdomain#
The 30.1.1.2/32 entry is the static route redistributed by the Cisco device in step 5; it is learned through the VTI with the peer address 22.22.22.2 as next hop.
On the Cisco device, check that the OSPF configuration used for the adjacency and for route injection is the one defined in step 4:
router ospf 1
 router-id 10.10.120.10
 log-adjacency-changes
 redistribute static subnets
 network 22.22.22.0 0.0.0.255 area 0.0.0.0
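The two checks above (the /25 kernel route in Table 8 being something "redistribute kernel" can see, and the Cisco routes arriving via the VTI with an OSPF neighbor present) are easy to script so they can be re-run after every policy install. The Python below is an added example, not part of the original document or of any Check Point tool. It parses the SPLAT Pro "route" output of Table 8, the "show ip ospf interface" output of Table 7 and the two "show ip route ospf" captures on this page (all embedded as constructed input), and reports what is missing. The "after adjacency" interface output with Neighbor Count 1, the verify() function and its argument names are assumptions for illustration.

```python
import re

# Constructed from Table 8: the SPLAT Pro OS routing table after the /25 route was added.
ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
22.22.22.2      *               255.255.255.255 UH    0      0        0 vt-cisco
22.22.22.1      localhost.local 255.255.255.255 UGH   0      0        0 lo
10.65.50.0      10.65.50.1      255.255.255.128 UG    0      0        0 eth1
192.168.65.0    *               255.255.255.0   U     0      0        0 eth0
10.65.50.0      *               255.255.255.0   U     0      0        0 eth1
127.0.0.0       -               255.0.0.0       !D    0      -        0 -
default         192.168.65.1    0.0.0.0         UG    0      0        0 eth0
"""

# Constructed from Table 7: "show ip ospf interface" before the Cisco side is configured.
OSPF_IFACE_BEFORE = """\
vt-cisco is up
  Internet Address 22.22.22.1, Area 0.0.0.0
  Network Type Point-To-Point, Cost: 10
  Timer intervals configured, Hello 10, Dead 40, Retransmit 5
  Neighbor Count is 0
"""
# Assumed (not on the page): the same output once the adjacency has formed.
OSPF_IFACE_AFTER = OSPF_IFACE_BEFORE.replace("Neighbor Count is 0", "Neighbor Count is 1")

# Constructed from the two "show ip route ospf" captures on the page.
ROUTES_BEFORE = "Codes: C - connected, S - static, R - RIP, B - BGP, O - OSPF\n"
ROUTES_AFTER = ROUTES_BEFORE + """\
22.22.22.0/24 [11121/10] via 22.22.22.2, 00:12:41, vt-cisco
30.1.1.2/32 [10/150] via 22.22.22.2, 00:04:46, vt-cisco
"""

# Linux "route" rows: dest gw genmask flags metric ref use iface (numeric columns only,
# which skips the header and the "!D ... -" loopback row).
KROUTE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\S+)\s*$", re.M)
# GateD "show ip route ospf" rows: prefix [pref/metric] via nexthop, age, interface
OSPF_ROUTE_RE = re.compile(r"^(\S+/\d+)\s+\[\d+/\d+\]\s+via\s+(\S+),\s+\S+,\s+(\S+)\s*$", re.M)
# "<iface> is up" ... "Neighbor Count is N" within one interface block
NBR_RE = re.compile(r"^(\S+) is up\n(?:.*\n)*?\s*Neighbor Count is (\d+)", re.M)


def kernel_routes(route_text: str) -> dict:
    """Gateway routes (flag G) from the OS table, keyed by (destination, genmask).
    Interface routes (flags U only) are 'direct' routes, which 'redistribute kernel'
    does not cover; this is the distinction the /25 trick in Table 8 relies on."""
    return {(dst, mask): gw for dst, gw, mask, flags, _ in KROUTE_RE.findall(route_text)
            if "G" in flags}


def ospf_routes(text: str) -> dict:
    """Prefixes learned via OSPF, keyed to (next hop, interface)."""
    return {p: (nh, ifc) for p, nh, ifc in OSPF_ROUTE_RE.findall(text)}


def ospf_neighbors(text: str) -> dict:
    """Neighbor count per OSPF interface."""
    return {name: int(n) for name, n in NBR_RE.findall(text)}


def verify(route_table, iface_text, routes_text, vti, peer, advertised, expected) -> list:
    """Findings for the three conditions: our prefixes are kernel routes, the VTI has
    an OSPF neighbor, and the peer's prefixes arrive via the VTI from the peer address."""
    findings = []
    kr = kernel_routes(route_table)
    for dst, mask in advertised:
        if (dst, mask) not in kr:
            findings.append(f"{dst}/{mask} is not a kernel route; 'redistribute kernel' will not advertise it")
    nbrs = ospf_neighbors(iface_text)
    if vti not in nbrs:
        findings.append(f"{vti} is not an OSPF interface")
    elif nbrs[vti] == 0:
        findings.append(f"no OSPF neighbor on {vti}: adjacency not formed")
    learned = ospf_routes(routes_text)
    for prefix in expected:
        if prefix not in learned:
            findings.append(f"{prefix} not learned via OSPF")
        elif learned[prefix] != (peer, vti):
            findings.append(f"{prefix} learned via {learned[prefix]}, expected ({peer}, {vti})")
    return findings


if __name__ == "__main__":
    args = ("vt-cisco", "22.22.22.2", [("10.65.50.0", "255.255.255.128")], ["30.1.1.2/32"])
    print("before:", verify(ROUTE_TABLE, OSPF_IFACE_BEFORE, ROUTES_BEFORE, *args) or "OK")
    print("after: ", verify(ROUTE_TABLE, OSPF_IFACE_AFTER, ROUTES_AFTER, *args) or "OK")
```

With the Table 7 state the script reports the missing neighbor and the unlearned 30.1.1.2/32; with the later captures it reports nothing. kernel_routes() also lists the default route, which is the reason for the earlier remark about checking what an unfiltered "redistribute kernel" would pick up.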
Final Connectivity Test
• Perform ping tests between hosts located behind the VPN-1 module and the Cisco device.
• The connections should succeed, with all traffic being encrypted and decrypted.
• Check that the corresponding logs appear in SmartView Tracker.