[FW1] Implementing SecuRemote / IKE Without an External CA



Name of Document:

Implementing SecuRemote / IKE Without an External CA

Purpose of Document:

Enable SecuRemote clients to communicate through the firewall using IKE without setting up a certificate authority external to the firewall. This procedure starts with a "fresh" install of FireWall-1 and shows each change needed to make SecuRemote operate using IKE.

Comments:

Expansion of this document is encouraged. Please increment the version number and repost.

Procedure:

Starting with a fresh installation: FW-1 SP2 on Windows NT SP6, with combined Management Station, Firewall Module and GUI.
Select Manage | Network Objects
Click New... | Network
In the name field, enter "internal"
In the IP Address field, enter the IP address of your internal network.
In the Net Mask field, enter the network mask of your internal network.
Click OK
Click New... | Workstation
In the name field, enter "firewall"
In the IP address, enter the external address of your firewall.
Change the "Type" field from "host" to "gateway"
Click to check the block beside "VPN-1 & FireWall-1"
Click to check the block beside "Management Station"
Click the "interfaces" tab.
Select the Get button to have the interface information filled in automatically.
Click the "VPN" tab.
Under "Domain", select "Other" then in the selection box, select the "internal" network you just defined.
Click to select the box beside "Exportable for SecuRemote"
Under "Encryption schemes defined," click to select the box beside FWZ.
Click the "Edit" button.
Click the "Generate" button. Respond "Yes" to the dialogue box.
Click OK at the "Key created successfully" message.
Select the "DH Key" tab.
Click the "Generate" button. Respond "Yes" to the dialogue box.
Click the "Encapsulation" tab.
DO NOT select the box beside "Encapsulate SecuRemote connections." This could block SecuRemote users that are behind address-translating routers (such as Linksys).
Select OK to close the FWZ properties box.
Click to select the box beside IKE encryption scheme. Click the "edit" button.
Click to select the box beside "VPN-1 & FireWall-1 authentication for SecuRemote (Hybrid Mode)."
Select OK to close the IKE properties box.
Click the "Authentication" tab.
Click to select the box beside "VPN-1 & FireWall-1 Password."
Click OK to close the workstation properties window.
Click Close to close the Network Objects menu.
Select Manage | Users
Select New | Group
In the field Name, enter sr_users. (SR is SecuRemote)
Click OK to close the Group Properties dialogue box.
Select New | Default
In the Name field, enter George
Change the "Expiration Date" to a future value.
Select the "Groups" tab.
Highlight the sr_users group and click the Add button.
Select the "Encryption" tab.
Under "Client Encryption Methods," click to REMOVE the check beside FWZ.
Click to place a check beside IKE, then click Edit.
Click to REMOVE the check beside "Public Key."
Click to place a check beside Password, then enter a secret password for the user.
Select the "Encryption" tab.
Select the Encryption methods you wish to use. Any that are supported by your license will work.
Click OK to close the IKE Properties window.
Under "Successful Authentication Track" select "Log."
Click OK to close the User Properties window.
Click Close to close the Users window.
Select Edit | Add Rule | Bottom to create a new rule.
Right-click "Any" under Destination and select Add.
Highlight your "internal" network object and click OK.
Right-click "drop" under Action and select "Client Encrypt".
Right-click the space under Track and select "Long"
Select Policy | Install to install the policy.
On the SecuRemote client, select Sites | Create New.
In the "Name / IP" field, enter the IP address of the firewall's external interface, then click OK.
At the message "The IP address and the Key ID should be verified!", click OK. To verify, compare with the IP address of the firewall and the "Key ID" found at the firewall's workstation properties, VPN tab, FWZ key manager tab.
(See Note 1, below)
(See Note 2, below)
If this is the first time you use IKE since the last server reboot, the following entry will be logged:
Action: key install
Proto.: blank
Rule: blank
User: blank
SrcKeyID: blank
DstKeyID: blank
Info: IKE Log: FW-1 IKE daemon: started
If you then access a resource through the firewall, complete the SecuRemote authentication screen and click OK, you will find the following three events logged (See Note 3, below):
Action: authcrypt
Proto.: blank
Rule: 0
User: George
SrcKeyID: blank
DstKeyID: blank
Info: reason Client Encryption: Authenticated by Pre-shared secret scheme: IKE methods: 3DES,IKE,SHA1
Action: key install
Proto.: blank
Rule: blank
User: blank
SrcKeyID: blank
DstKeyID: blank
Info: IKE Log: Phase 1 completion. 3DES/SHA1/Pre shared secrets Negotiation Id: 6a04855a0b4de1f3-ba461bcbfc0eb7ff (ID will vary)
Action: key install
Proto.: ip
Rule: 0
User: blank
SrcKeyID: 0xd82aeca2
DstKeyID: 0xd0f4af75
Info: scheme: IKE methods: Combined ESP: 3DES + SHA1 (phase 2 completion) for host 10.10.10.10 and for subnet 0.0.0.0 (mask=0.0.0.0)

Note 1:

This message means that (1) your firewall will send information about its topology to anyone and (2) the firewall topology is sent in cleartext. This can be a security risk. If you monitor and examine the data being sent, you will see that the firewall sends extensive information about its configuration, including:

the key negotiation protocols supported,
the version of your firewall,
the IP addresses of internal interfaces,
the encryption domain,
the firewall's desktop security configuration values,
the CA name,
the challenge string,
the public key (from the firewall's workstation properties, VPN tab, FWZ key manager tab),
the public key modulus (from the same window as the public key),
the date of the key.
To avoid sending this topology in the clear, REMOVE the check from Policy | Properties | Desktop Security | Respond to Unauthenticated Topology Requests. Then reinstall the rulebase. The next new site creation will not result in this message. Instead, you will find a transaction in the firewall log with the following info:
Action: key install
Proto.: ip
Rule: 0
User: blank
SrcKeyID: 0xd82aeca2 (varies)
DstKeyID: 0xd0f4af75 (varies)
Info: reason User authenticated by Firewall. Sending Enrypted Topology. scheme SSL

Note 2:

Monitoring the data between the SecuRemote server and the firewall will show that the topology download uses TCP port 264 on the firewall.

Note 3:

Monitoring the data between SecuRemote and the firewall will show the following progression once a resource from the encryption domain is requested from the SecuRemote server:
First, the request is sent from the SecuRemote client to the resource, such as to TCP port 80 for a web server.
Second, the SecuRemote client brings up a dialogue box requesting the user's name and password. After entering this information, the next seven exchanges are on UDP port 500. This is the IKE process taking place.
Immediately after the seven IKE exchanges, the following data uses IP protocol 50. This is the encrypted data passing with IPSEC ESP.
General Note 1:
For stronger security, uncheck Policy | Properties | Security Policy | Accept VPN-1 & Firewall-1 Control Connections. Then add rules to the rulebase allowing the predefined FW1_topo and IKE services to access your firewall from your SecuRemote clients.
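As an added example (not part of the original posting), the following script classifies a captured packet sequence into the phases that Notes 2 and 3 describe: the topology download on TCP port 264, the IKE exchange on UDP port 500, and the IP protocol 50 (ESP) traffic that follows. The packet records, the firewall address 192.0.2.1 and the client address 198.51.100.7 are constructed for illustration; a real run would feed it records from a sniffer placed between the SecuRemote client and the firewall.

```python
# Added example, not from the original document: summarize the phases of a
# SecuRemote/IKE session from constructed packet records (Notes 2 and 3).
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst sport dport")

FIREWALL = "192.0.2.1"     # assumed external address of the firewall
CLIENT = "198.51.100.7"    # assumed SecuRemote client address


def summarize_session(packets, firewall):
    """Return counts of each phase seen and whether ESP only appeared after IKE.

    topo_downloads:   TCP/264 connections to the firewall (Note 2)
    pre_ike_requests: TCP requests to a resource seen before any IKE message
    ike_messages:     UDP/500 datagrams in either direction (Note 3)
    esp_packets:      IP protocol 50 packets, i.e. IPSEC ESP (Note 3)
    phase_order_ok:   False if ESP traffic was seen before the IKE exchange
    """
    s = {"topo_downloads": 0, "pre_ike_requests": 0, "ike_messages": 0,
         "esp_packets": 0, "phase_order_ok": True}
    ike_seen = False
    for p in packets:
        if p.proto == "tcp" and p.dst == firewall and p.dport == 264:
            s["topo_downloads"] += 1
        elif p.proto == "udp" and p.sport == 500 and p.dport == 500:
            s["ike_messages"] += 1
            ike_seen = True
        elif p.proto == "esp":
            s["esp_packets"] += 1
            if not ike_seen:          # ESP without a preceding IKE exchange
                s["phase_order_ok"] = False
        elif p.proto == "tcp" and not ike_seen:
            s["pre_ike_requests"] += 1  # the first request from Note 3
    return s


# Constructed sequence matching the progression in the notes: one topology
# download, one request to a web server, seven IKE datagrams, then ESP.
SAMPLE = (
    [Packet("tcp", CLIENT, FIREWALL, 40000, 264),
     Packet("tcp", CLIENT, "10.10.10.10", 40001, 80)]
    + [Packet("udp", CLIENT if i % 2 == 0 else FIREWALL,
              FIREWALL if i % 2 == 0 else CLIENT, 500, 500) for i in range(7)]
    + [Packet("esp", CLIENT, FIREWALL, None, None)] * 3
)

if __name__ == "__main__":
    print(summarize_session(SAMPLE, FIREWALL))
```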
Document Version 1.0