VPNs and SmartLSM Security Gateways
Configuring VPNs on SmartLSM Security Gateways
Secured communication between your CO gateway and the SmartLSM Security Gateways is dependent on correct configuration of the Virtual Private Network.
You can define how the VPN domain of a selected SmartLSM Security Gateway is encrypted. You can change the keys as needed and perform other VPN maintenance and change management operations. Before you can configure the IKE certificate, you must have already defined Certificate Authority servers as objects in SmartDashboard. See the R77 Security Management Administration Guide.
Note - After you change the CO gateway configuration, it can be necessary to create a new certificate. This is especially important when there are topology changes.
To configure the VPN encryption of a selected SmartLSM Security Gateway:
- Open the SmartLSM Security Gateway window and select the Topology tab.
- Define a VPN domain.
- Select the VPN tab.
If, when you created this SmartLSM Security Gateway in the New SmartLSM Security Gateway wizard, you cleared the I wish to create a VPN Certificate from the Internal CA check box, you can select VPN Not supported. No IKE certificate will be generated. You can change this setting at any time.
If you want this SmartLSM Security Gateway to participate in a VPN, continue with the next steps.
- Select Use Certificate Authority Certificate.
If you selected the I wish to create a VPN Certificate from the Internal CA check box in the wizard, this option is automatically selected and cannot be edited.
- From the Certificate Authority Name drop-down list, select a CA server object that was previously defined in SmartDashboard.
If you cleared the I wish to create a VPN Certificate from the Internal CA check box in the wizard, you can select a third-party CA from this list.
If you selected the I wish to create a VPN Certificate from the Internal CA check box in the wizard, the Check Point Internal CA is selected and cannot be edited.
- If you select a third-party CA in Certificate Authority Name, provide a Key Identifier or Authorization Code, as instructed by the CA.
- If this SmartLSM Security Gateway does not yet have an initiated IKE certificate, click Generate.
If you want to generate a new IKE certificate, click Reset.
The Distinguished Name (DN) of the certificate is generated automatically from the SmartLSM Security Gateway object and cannot be edited.
- To apply a new IKE certificate, update the CO gateway.
Creating VPNs for SmartLSM Security Gateways
The previous sections explained how to configure a SmartLSM Security Gateway to be part of a VPN. This section explains how to create the VPN itself in SmartDashboard. Before doing so, you must have first configured, in SmartProvisioning, the SmartLSM Security Gateways to support VPN participation.
To create a VPN tunnel between a SmartLSM Security Gateway and a CO gateway:
- Open SmartDashboard.
- Define a VPN Star Community (IPsec VPN > New > Star Community).
- Open Star Community Properties > Central Gateways, click Add, select the CO gateway from the displayed list, and click OK.
- Open Star Community Properties > Satellite Gateways, click Add, select the SmartLSM Security Gateway or SmartLSM Security Profile from the displayed list, and click OK.
If you select the profile, rather than a single gateway, all SmartLSM Security Gateways that reference this SmartLSM Security Profile are added to the VPN community, if they are configured with the ability to participate in a VPN (see Configuring VPNs on SmartLSM Security Gateways).
- Open Star Community Properties > Advanced Settings > Advanced VPN Properties, and specify the IKE Phase properties.
- Open Star Community Properties > Advanced Settings > Shared Secret, and clear the Use only Shared secret for all External Members check box.
- Open Security Policy Rule Base, and create a rule base defining the services allowed for the VPN community. See Example Rules for VPN with SmartLSM Security Gateway.
- Install the Security Policy with this rule on the CO gateway.
A topology file and a certificate are downloaded to the SmartLSM Security Gateway, listing the members of the VPN community and specifying encryption information.
After you have created the VPN tunnel in SmartDashboard, perform the following:
- Update the CO gateway. See Updating Corporate Office Gateways.
- Establish the VPN tunnel. Send a test connection with an allowed service (according to the rules created in Security Policy Rule Base) and then use SmartView Monitor or SmartView Tracker to verify that the test was successfully encrypted, sent, and received.
Sample VPN Rules for a SmartLSM Security Gateway
Creating VPNs for SmartLSM Security Gateways includes a step for creating a rule in SmartDashboard's Security Policy Rule Base that defines the services for the VPN community. This section provides examples of such a rule base.
In the rules, the following Dynamic Objects are used:
- MyComm: Resolves to the IP address range of the VPN Community.
- MyCO: Resolves to the IP address of the CO gateway.
- CO_VPN: Resolves to the IP address range of the encryption domain of the CO gateway.
- Edge_Net: Resolves to the IP address range of exposed UTM-1 Edge SmartLSM Security Gateways, or the network behind the UTM-1 Edge gateway.
Rule for Outgoing Connections
Source | Destination | VPN         | Service     | Action | Install On
Any    | Any         | MyCommunity | ftp, telnet | Accept | MyCO
VPN Rules for Incoming Connections
Source   | Destination | VPN         | Service     | Action | Install On
Edge_Net | CO_VPN      | MyCommunity | ftp, telnet | Accept | MyProfile
CO_VPN   | Edge_Net    | MyCommunity | ftp, telnet | Accept | MyProfile
VPN with One or More LSM Profiles
You can configure a VPN star community between two SmartLSM Profiles. The procedures below show a SmartLSM Profile Gateway and Cluster. You can also configure the community with two SmartLSM Profile Clusters or two SmartLSM Profile Gateways. All included SmartLSM Profile Gateways and Clusters must have the IPsec VPN blade enabled.
The procedure requires configuration in:
- SmartDashboard
- Security Management Server CLI
- SmartProvisioning Console
- Center Gateway CLI
Using SmartDashboard
In SmartDashboard create network objects that represent the VPN community members and their networks. You must create a star community with as the selected option for (> > ).
To configure a VPN star community between two SmartLSM Profiles in SmartDashboard:
- Create and configure a SmartLSM Profile Cluster.
When you configure the topology, make sure that the interface name exactly matches the name of the physical interface.
- Create and configure a SmartLSM Profile Gateway.
- Create a regular Security Gateway to be the Center Gateway.
Note - Security Gateway 80 gateways cannot be the Center Gateway.
- Create a VPN Star Community, select IPsec VPN > New > Star Community.
- Select from the tree.
- Click and select the Security Gateway that you created to be the Center Gateway.
- Select from the tree.
- Click and select the SmartLSM Profile Cluster and SmartLSM Profile Gateway (or second cluster).
- Select > from the tree.
- Select .
- Create a object that represents the internal network of each satellite in the VPN community.
- From the Network Objects tree, right-click and select .
- In the field, enter the IP address that represents the internal IP address of the satellite. If the satellite is a cluster, enter the internal Virtual IP.
- Create a object that represents the external IP address of each satellite in the VPN community.
- From the Network Objects tree, right-click and select > .
- In the IP field, enter the IP address that represents the external IP address of the satellite. If the satellite is a cluster, enter the external Virtual IP.
- Create a object that represents the networks for each satellite object:
- From the Network Objects tree, right-click and select > > .
- Enter a for the group that is unique for one satellite.
- Select the object that you created for that satellite's internal network and click .
- Select the object that you created for that satellite's external IP address and click .
- Create a object that represents the Center Gateway.
- From the Network Objects tree, right-click and select > > .
- Enter a for the group that is unique for the Center Gateway.
- Select the Gateway object and click .
Using the CLI
Edit the routing table of the Domain Management Server or Security Management Server to enable two SmartLSM Profile Gateways or Clusters to communicate with each other through the Center Gateway. Do this in the vpn_route.conf file in the CLI.
To edit the vpn_route.conf file:
Open the vpn_route.conf file.
- In a Multi-Domain Security Management environment, on a Domain Management Server:
- If satellites are 80 series Gateways or Clusters:
/var/opt/CPmds-<version>/customers/<Domain Management Server_name>/CPSG80CMP-<version>/conf/vpn_route.conf
- If satellites are on a different SecurePlatform appliance or open server:
/opt/CPmds-<version>/customers/<Domain Management Server_name>/CPsuite-<version>/fw1/conf/vpn_route.conf
- In a Security Management Server environment:
- If satellites are 80 series Gateways or Clusters:
/opt/CPSG80CMP-<version>/conf/vpn_route.conf
- If satellites are on a different SecurePlatform appliance or open server:
/opt/CPsuite-<version>/fw1/conf/vpn_route.conf
If two SmartLSM Gateways on different LSM Gateway profiles will communicate with each other through the Center gateway, add these two lines to the file (one for each direction):
# destination                                      router            [install on]
< of internal network of SmartLSM Gateway>         <Center Gateway>  <Name of second LSM Profile>
<of internal network of second SmartLSM Gateway>   <Center Gateway>  <Name of LSM Profile>
If more than one SmartLSM Gateway in the same LSM Profile will communicate with each other through the Center gateway, add this line to the file:
# destination                                      router            [install on]
< of internal network of SmartLSM Gateway>         <Center Gateway>  <Name of LSM Profile>
Install policy on the SmartLSM Profiles and on the Center Gateway.
Completing the Configuration
Complete the configuration in the SmartProvisioning Console and the CLI of the Center Gateway.
To complete the VPN configuration:
- Open the SmartProvisioning Console.
- Create a new SmartLSM Cluster or Gateway based on the type of device you have. Select > > select an option.
- Generate a VPN certificate for each Gateway or Cluster member:
- Open the cluster or gateway object > tab.
- Select .
- Click .
- Do these steps again for each cluster member.
Note - If topology information, including date and time, changes after you generate the certificate, you must generate a new certificate in the tab and update the gateway ( > ).
- In the CLI of the Center Gateway, run:
LSMenabler on
- In the SmartProvisioning GUI Console, right-click the Center Gateway and select > .
- In the tab of each object, make sure that the topology of provisioned objects is correct for each device:
- Make sure that the interfaces have the same IP addresses as the actual gateways.
- Make sure that the external and internal interfaces are recognized and configured correctly as "External" and "Internal".
- If the interfaces show without IP addresses, click: .
- In the tab, configure the VPN domain:
- For SmartLSM Profile Gateways choose an option.
- For SmartLSM Profile Clusters, select and manually add the encryption domains that you want to include.
- .
All traffic between the satellites and Center Gateway is encrypted.
Special Considerations for VPN Routing
VPN Routing for SmartLSM Security Gateways
The VPN routing option To center and to other satellites through center is not supported by SmartLSM Security Gateways. This procedure explains how to overcome this limitation.
To configure VPN routing through SmartLSM Security Gateways, enable VPN Routing for a hub and spoke configuration, by editing the vpn_route.conf file on the Security Management Server.
For example:
- Generate a group that contains the encryption domains of all the satellite SmartLSM Security Gateways, and call it SmartLSM_domain.
- Generate a group that contains all the central gateways, and call it Center_gws.
- In vpn_route.conf, add the rule:
Destination     | Router     | Install On
SmartLSM_domain | Center_gws | SmartLSM_profile
You can have a Star VPN topology for multiple routing gateways, if one of these conditions is met.
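The two vpn_route.conf fragments above (the satellite-to-satellite entries in "Using the CLI" and the hub-and-spoke entry in this section) share one pitfall: a route that is installed on only one LSM Profile gives that profile's gateways a path through the Center Gateway, but the gateways on the other profile still need their own entry back. The script below is an added example, not Check Point code, that parses a vpn_route.conf fragment and flags entries without a matching return entry. The file contents, the object names (Net_Branch_A, Center_GW, LSM_Profile_A and so on) and the destination-to-profile mapping are constructed for the example; in a real deployment they come from your own SmartDashboard objects.

```python
"""Consistency check for vpn_route.conf entries (added example, not Check Point code).

vpn_route.conf has whitespace-separated columns: destination, router and an
optional install-on target; '#' starts a comment. The check encodes the rule
the guide states for satellites behind a Center Gateway: a destination routed
through the Center for one LSM Profile needs a counterpart entry installed on
the profile that owns that destination, so both ends of the tunnel know the route.
"""
from typing import Dict, List, NamedTuple, Optional


class VpnRoute(NamedTuple):
    destination: str
    router: str
    install_on: Optional[str]


# Constructed sample file: two satellites on different LSM Profiles plus one
# hub-and-spoke group route. All names are assumptions, not a real deployment.
SAMPLE_VPN_ROUTE_CONF = """\
# destination        router        [install on]
Net_Branch_A         Center_GW     LSM_Profile_B
Net_Branch_B         Center_GW     LSM_Profile_A
SmartLSM_domain      Center_gws    SmartLSM_profile
"""

# Constructed mapping: which LSM Profile owns each destination object
# (assumption: one owning profile per destination object).
SAMPLE_OWNER_PROFILE: Dict[str, str] = {
    "Net_Branch_A": "LSM_Profile_A",
    "Net_Branch_B": "LSM_Profile_B",
    "SmartLSM_domain": "SmartLSM_profile",
}


def parse_vpn_route_conf(text: str) -> List[VpnRoute]:
    """Parse the three-column file format, skipping comments and blank lines."""
    routes: List[VpnRoute] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 2 or 3 columns, got {len(fields)}")
        install_on = fields[2] if len(fields) == 3 else None
        routes.append(VpnRoute(fields[0], fields[1], install_on))
    return routes


def find_missing_return_routes(routes: List[VpnRoute],
                               owner_profile: Dict[str, str]) -> List[VpnRoute]:
    """Return the entries that have no counterpart for the opposite direction.

    For an entry sending `destination` via `router`, installed on profile P,
    a counterpart is any entry via the same router that is installed on the
    profile owning `destination` and whose destination is owned by P. When the
    destination is owned by P itself (the same-profile case in the guide) the
    entry is its own counterpart. Entries installed everywhere (no install-on
    column) have no profile pairing to check and are skipped.
    """
    missing: List[VpnRoute] = []
    for route in routes:
        if route.install_on is None:
            continue
        dest_owner = owner_profile.get(route.destination)
        if dest_owner is None:
            missing.append(route)  # unknown destination: cannot verify, so flag it
            continue
        has_return = any(
            other.router == route.router
            and other.install_on == dest_owner
            and owner_profile.get(other.destination) == route.install_on
            for other in routes
        )
        if not has_return:
            missing.append(route)
    return missing


if __name__ == "__main__":
    parsed = parse_vpn_route_conf(SAMPLE_VPN_ROUTE_CONF)
    for gap in find_missing_return_routes(parsed, SAMPLE_OWNER_PROFILE):
        print(f"no return route for {gap.destination} via {gap.router} "
              f"installed on {gap.install_on}")
```

Run it against the file you are about to install; an entry reported as missing its return route is the case the guide warns about, where only one side of the satellite pair learns the path through the Center Gateway. The mapping dictionary is the one piece you have to maintain by hand, since the file itself does not record which profile owns a destination.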
UTM-1 Edge Clusters
A UTM-1 Edge Cluster (formerly known as a SmartLSM cluster) is a logical entity that provides high-availability VPN connectivity by using two UTM-1 Edge devices, each serving as an entry point to the same network. In a UTM-1 Edge cluster:
- There are only two UTM-1 Edge devices
- The devices belong to the same VPN domain. A device can only participate in one cluster at a time.
- There is no state synchronization between the devices: if the active UTM-1 Edge cluster member becomes unavailable, users are not automatically connected to the other member. The party that initiated the communication must actively intervene to reconnect the users.
To create a topology in which two UTM-1 Edge SmartLSM Security Gateways serve as entry points to the same network, a mechanism such as VRRP clustering must be configured for that network. This configuration handles the routing in situations where only one of the gateways is available, as well as in situations where both of the gateways are available.
VRRP Configuration Prerequisites for UTM-1 Edge clusters
- The internal (LAN) interfaces of both devices are configured with different IP addresses.
- Both interfaces need a third, shared IP address, used by whichever member is currently designated as the VRRP master. (The VRRP master designation determines which UTM-1 Edge cluster member is active.)
- The external interfaces of both devices need to have different IP addresses.
- The VPN domains of both gateways have to be the same.
The Corporate Office (CO) gateway recognizes that the two UTM-1 Edge SmartLSM Security Gateways in any UTM-1 Edge cluster represent entry points to the same network. When the CO gateway initiates communication with that network, it communicates with the UTM-1 Edge cluster member that last communicated with the CO gateway. (The CO gateway may recognize several UTM-1 Edge clusters, on different networks.)
Creating UTM-1 Edge clusters
To create a UTM-1 Edge cluster:
- In SmartProvisioning, right-click a UTM-1 Edge SmartLSM Security Gateway that you want to designate as a member of the UTM-1 Edge cluster.
- Select Actions > Define UTM-1 Edge cluster.
- Check that the gateway name displayed in the First Member field is the gateway that you want to be the primary gateway of the UTM-1 Edge cluster. If it is not, click Find to select another gateway.
- In the Search to field, begin to type the name of the gateway that you want to add to the cluster and then click Find.
The Search SmartLSM Security Gateway window displays UTM-1 Edge SmartLSM Security Gateways that may be selected to join the cluster.
- Select the gateway that you want and then click OK.
- In the Define UTM-1 Edge cluster window, in the Second Member field, click Find and select the second member of the UTM-1 Edge cluster.
- Click OK.
Viewing UTM-1 Edge Cluster Pairs
To view the name of the gateway that participates in a UTM-1 Edge cluster:
- From SmartProvisioning, open the UTM-1 Edge SmartLSM Security Gateway window.
- Click the Details tab.
Deleting or Changing UTM-1 Edge Clusters
To change one member of a UTM-1 Edge cluster, you must first remove the existing UTM-1 Edge cluster and then create the new one.
To delete a UTM-1 Edge cluster:
From SmartProvisioning, right-click a gateway in the pair and select Actions > Remove UTM-1 Edge cluster.