AppNote: NBM 3.8 Server with Check Point
Novell Cool Solutions: AppNote
By Upendra Gopu, Senior Software Engineer
Posted: 15 Jan 2004
This document describes how to set up interoperability between an NBM 3.8 Server and a Check Point server using the following modes:
- Authentication Modes: Pre-shared key.
- Encryption Algorithms: 3DES, DES, Null.
This document is aimed at experienced administrators.
Table of Contents
- 1.0 Introduction
- 2.0 Implementation
- 3.0 Configuring Check Point
- 3.1 Creating the Network Objects (Private Networks of the Peers)
- 3.2 Creating the WorkStation Objects (Check Point and NBM3.8 Objects)
- 3.3 Setting the General Properties of the Check Point WorkStation Object
- 3.4 Setting the Topology Properties of the Check Point WorkStation Object
- 3.5 Setting the VPN Properties of the Check Point WorkStation Object
- 3.6 Setting the Pre-Shared Secret of the Check Point WorkStation Object
- 3.7 Creating the NBM 38 WorkStation Object
- 3.8 Setting the Topology Properties of the NBM 38 WorkStation Object
- 3.9 Setting the Rules for the Check Point Server
- 4.0 Configuring the NBM 3.8 Server
- 5.0 Conclusion
1.0 Introduction
This document is based on interoperability tests between Check Point and the NBM 3.8 Server. The following were used for testing:
- Windows 2000 Server
- Check Point Next Generation (Build 52163)
- NBM 3.8 Server running on NetWare 6.5
In addition, all the sample configurations in this document use the following IKE/IPsec proposals:
- IP compress: disabled
- IKE Lifetime: 20 minutes
- IPsec Lifetime: 15 minutes
- IKE integrity: MD5-HMAC
- IKE mode: Main mode
- IKE Group: MODP 1024 (group 2)
- IPsec integrity: MD5-HMAC, SHA-1-HMAC
- IPsec mode: tunnel (for all VPN connections)
- PFS: enabled (MODP 1024, group 2) and disabled (both tested)
2.0 Implementation
Figure 1: Basic Implementation
Keep the following in mind while setting up NBM 3.8 with Check Point, and check these items first if the setup fails:
- PFS must be the same on both servers: either ON on both or OFF on both.
- Traffic rules must match exactly on both servers: either specify all hosts or specify the protected networks in the traffic rules on both sides.
- Phase 2 (IPsec) encryption and authentication algorithms must match.
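As an added example (not part of the AppNote or of either product), the following Python checker encodes the three matching rules above and applies them to the two sides of this document's setup. The PeerVpnConfig class, its field names and the /16 masks on the protected networks are assumptions made here.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Optional


@dataclass
class PeerVpnConfig:
    name: str
    pfs: bool                 # must be ON on both peers or OFF on both
    pfs_group: Optional[int]  # DH group used when PFS is on (2 = MODP 1024)
    p2_encryption: str        # phase 2 (IPsec) cipher: 3DES, DES or NULL
    p2_auth: str              # phase 2 (IPsec) integrity: HMAC-MD5 or HMAC-SHA1
    local_nets: set = field(default_factory=set)   # networks this peer protects
    remote_nets: set = field(default_factory=set)  # networks behind the other peer


def _nets(names):
    # Parse textual prefixes so that equivalent spellings compare equal.
    return {ip_network(n.strip()) for n in names}


def check_interop(a: PeerVpnConfig, b: PeerVpnConfig) -> list:
    """Return the list of mismatches between two peers; empty means they agree."""
    problems = []
    if a.pfs != b.pfs:
        problems.append(f"PFS differs: {a.name}={a.pfs}, {b.name}={b.pfs}")
    elif a.pfs and a.pfs_group != b.pfs_group:
        problems.append(f"PFS group differs: {a.pfs_group} vs {b.pfs_group}")
    for attr, label in (("p2_encryption", "Phase 2 encryption"),
                        ("p2_auth", "Phase 2 authentication")):
        va, vb = getattr(a, attr), getattr(b, attr)
        if va.upper() != vb.upper():
            problems.append(f"{label} differs: {va} vs {vb}")
    # Traffic rules must be mirror images: what A protects is what B lists as
    # remote, and vice versa. An empty set on both sides means "all hosts".
    if (_nets(a.local_nets) != _nets(b.remote_nets)
            or _nets(a.remote_nets) != _nets(b.local_nets)):
        problems.append("Traffic rules on the two peers are not mirror images")
    return problems


# Constructed sample mirroring the AppNote's setup; the /16 masks are assumed.
CHECKPOINT = PeerVpnConfig("Check Point", True, 2, "3DES", "HMAC-SHA1",
                           {"172.16.0.0/16"}, {"10.10.0.0/16"})
NBM = PeerVpnConfig("NBM 3.8", True, 2, "3DES", "HMAC-SHA1",
                    {"10.10.0.0/16"}, {"172.16.0.0/16"})
# The same NBM member with PFS switched off: the checker flags the mismatch.
NBM_NO_PFS = PeerVpnConfig("NBM 3.8", False, None, "3DES", "HMAC-SHA1",
                           {"10.10.0.0/16"}, {"172.16.0.0/16"})
```

check_interop(CHECKPOINT, NBM) returns an empty list, while check_interop(CHECKPOINT, NBM_NO_PFS) returns a single PFS mismatch.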
Note: The Check Point used here is build 52163. The setup works for all Check Point versions above build 52163.
3.0 Configuring Check Point
After installing Check Point, go to Start > Programs > Check Point Management Clients > Policy Editor and open the Policy Editor.
3.1 Creating the Network Objects (Private Networks of the Peers)
Then go to Networks in the Network Objects list in the left pane. The Network Objects panel is shown in Figure 2.
Figure 2: Check Point Policy Editor with Networks.
Create network objects for the protected networks, one for the NBM 3.8 server and one for the Check Point server, as shown in Figure 3. In our case these are 172.16.0.0 for Check Point and 10.10.0.0 for the NBM 3.8 Server. From here onward, whenever you need to refer to those networks you can simply attach these network objects.
Figure 3: Network Properties
3.2 Creating the WorkStation Objects (Check Point and NBM3.8 Objects)
Go to WorkStation in the Network Objects panel and select Check Point (this is the name of the Windows 2000 Server in our case). You should see the screen shown in Figure 4.
Figure 4: Check Point Policy Editor with workstation.
3.3 Setting the General Properties of the Check Point WorkStation Object
Right-click and select Edit. The dialog box is shown in Figure 5.
Enter the Check Point public IP address (in our case 192.168.10.1).
Figure 5: Work Station Properties - Check Point - General
3.4 Setting the Topology Properties of the Check Point WorkStation Object
Select Topology in the 'WorkStation Properties - checkpoint' dialog.
Click Get Interfaces (if no interfaces are shown). The dialog box is shown in Figure 6.
Figure 6: Work Station Properties - Check Point - Topology.
Select 'Checkptprtn' (the name of the network object for Check Point's protected network) in the Manually Defined drop-down box under VPN Domain. This is the protected network object created under Networks.
3.5 Setting the VPN Properties of the Check Point WorkStation Object
Now select VPN in the left panel; you should see a dialog box as shown in Figure 7.
Select the IKE check box.
Figure 7: Work Station properties - Check Point - VPN.
Click IKE and then click Edit, as shown in Figure 7.
You should see a dialog box as shown in Figure 8.
Figure 8: IKE Properties.
3.6 Setting the Pre-Shared Secret of the Check Point WorkStation Object
Select the Pre-Shared Secret check box and click Edit Secrets in the Supported Authentication Methods section. You should see the dialog box shown in Figure 9.
Figure 9: Shared Secret.
Select the peer and enter the shared secret. Click Set > OK.
Click Advanced... in the IKE Properties dialog; you should see the dialog box shown in Figure 10.
Figure 10: Advanced IKE Properties.
Select the IKE/IPsec properties and click OK, as shown in the dialog box in Figure 10.
Return to the Policy Editor main screen.
3.7 Creating the NBM 38 WorkStation Object
Create an NBM peer under Workstations.
Right-click Workstations and click New Workstation.
Add the member as shown in the dialog box (see Figure 11).
Figure 11: Workstation Properties NBM 38.
3.8 Setting the Topology Properties of the NBM 38 WorkStation Object
Select the Interoperable VPN Device check box and then select Topology.
You should see the dialog box shown in Figure 12.
Figure 12: Workstation Properties - NBM 38 - Topology.
Click the Get Interfaces button; all the interfaces of the NBM 38 server will be found automatically, as shown in Figure 12.
Select NBMprtn (the name of the network object you created for the protected network of the NBM 38 server) in the Manually Defined drop-down box and then click OK. This completes the NBM peer configuration.
In the menu bar, select Policy and click Install... This installs the policy you have configured. Disable anti-spoofing (if required).
3.9 Setting the Rules for the Check Point Server
Create the rules shown in Figure 13 in Security - Standard. Right-click the Security - Standard panel and add the rules for traffic between the Check Point and NBM 38 protected networks with the action Encrypt. After the rules are configured, install the policy by selecting Policy in the menu bar and clicking Install...
Figure 13: Rules Creation in the Checkpoint.
4.0 Configuring the NBM 3.8 Server
Configure the server using iManager, then add the new member as a slave as shown in Figure 14.
Figure 14: Adding the slave using iManager.
Enter the name of the Check Point server, its public IP address, tunnel IP address and the respective subnet mask. Select the Non-BorderManager VPN check box. Under Authentication Method, select the PSS radio button and enter the PSS key in the text box. It must exactly match what was entered on the Check Point server (in our case it is border).
In the Protected Network list, enter Check Point's protected network (in our case 172.16.0.0).
Click OK and return to the member list. Select 3rd Party Traffic Rules and create the rules for third-party traffic. Select New, enter a name for the traffic rule, and then follow these steps:
- Under 3rd Party Configuration, select the Check Point IP address in the drop-down menu.
- Select the Only Use IP Address List radio button.
- Click Add.
- Enter the Check Point protected network.
- Under NBM Server Configuration, select the Only Use IP Address List radio button.
- Click Add.
- Enter the NBM 3.8 Server's protected network.
- Expand Action and select the Encrypt radio button.
- Set the key lifetime by time to 15 minutes.
- Set Encryption to 3DES and Authentication to HMAC-SHA1.
- Click OK until you return to the VPN Site-to-Site Service.
Take a client in the NBM 3.8 network and ping a client in the Check Point network. The ping should succeed and the packets should be sent encrypted. In the Check Point log viewer you should see something like the following diagram.
5.0 Conclusion
This setup has been tested with PFS on and off, 3DES and DES encryption, HMAC-MD5 and HMAC-SHA1, and with different lifetimes for both IKE and IPsec. Novell recommends that you first run it in a test setup before deploying it in production.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com