From jono@biggins.securityreports.com  Sun Jul 15 19:36:54 2001
Return-Path: <jono@biggins.securityreports.com>
Received: from biggins.securityreports.com (adsl-64-168-72-58.dsl.snfc21.pacbell.net [64.168.72.58])
	by hub.freebsd.org (Postfix) with ESMTP id BA81C37B401
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 15 Jul 2001 19:36:51 -0700 (PDT)
	(envelope-from jono@biggins.securityreports.com)
Received: (from root@localhost)
	by biggins.securityreports.com (8.11.4/8.11.1) id f6G2dk870176;
	Sun, 15 Jul 2001 19:39:46 -0700 (PDT)
	(envelope-from jono)
Message-Id: <200107160239.f6G2dk870176@biggins.securityreports.com>
Date: Sun, 15 Jul 2001 19:39:46 -0700 (PDT)
From: jono@networkcommand.com
Reply-To: jono@networkcommand.com
To: FreeBSD-gnats-submit@freebsd.org
Cc: jono@networkcommand.com
Subject: New article for docproj "Checkpoint VPN-1/Firewall-1 and FreeBSD IPSEC"
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         28994
>Category:       docs
>Synopsis:       New article for docproj "Checkpoint VPN-1/Firewall-1 and FreeBSD IPSEC"
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    dd
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jul 15 19:40:01 PDT 2001
>Closed-Date:    Mon Dec 23 14:39:36 PST 2002
>Last-Modified:  Mon Dec 23 14:39:36 PST 2002
>Originator:     Jon Orbeton
>Release:        FreeBSD 4.3-STABLE i386
>Organization:
Security Reports
>Environment:
System: FreeBSD biggins.securityreports.com 4.3-STABLE FreeBSD 4.3-STABLE #8: Wed Jun 13 21:30:04 PDT 2001 root@biggins.securityreports.com:/usr/obj/usr/src/sys/BIGGINS i386


>Description:
	This is just an addition of a new article to the docproj. 
	Please review and double-check my CVS id keywords,
	I wasn't clear on this.

>How-To-Repeat:
	No repeat
>Fix:

<!-- Copyright (c) 2001 The FreeBSD Documentation Project

     Redistribution and use in source (SGML DocBook) and 'compiled' forms
     (SGML, HTML, PDF, PostScript, RTF and so forth) with or without
     modification, are permitted provided that the following conditions
     are met:

      1. Redistributions of source code (SGML DocBook) must retain the above
         copyright notice, this list of conditions and the following
         disclaimer as the first lines of this file unmodified.

      2. Redistributions in compiled form (transformed to other DTDs,
         converted to PDF, PostScript, RTF and other formats) must reproduce
         the above copyright notice, this list of conditions and the
         following disclaimer in the documentation and/or other materials
         provided with the distribution.

     THIS DOCUMENTATION IS PROVIDED BY THE FREEBSD DOCUMENTATION PROJECT "AS
     IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
     THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NIK CLAYTON BE LIABLE FOR ANY
     DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
     STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
     ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, EVEN IF ADVISED OF THE
     POSSIBILITY OF SUCH DAMAGE.

     $Header$
-->

<!DOCTYPE article PUBLIC "-//FreeBSD//DTD DocBook V4.1-Based Extension//EN" [
<!ENTITY % man PUBLIC "-//FreeBSD//ENTITIES DocBook Manual Page Entities//EN">
%man;
<!ENTITY legalnotice SYSTEM "../../share/sgml/legalnotice.sgml">
]>

<article>
  <articleinfo>
    <title>Integration of Checkpoint VPN-1/Firewall-1 and FreeBSD IPSEC</title>

    <authorgroup>
      <author>
	    <firstname>Jon</firstname>
	    <surname>Orbeton</surname>

	    <affiliation>
	      <address><email>info@networkcommand.com</email></address>
	    </affiliation>
      </author>

      <author>
	    <firstname>Matt</firstname>
	    <surname>Hite</surname>

	    <affiliation>
	      <address><email>mhite@hotmail.com</email></address>
	    </affiliation>
      </author> 
    </authorgroup>

    <pubdate>$Date$</pubdate>

    <copyright>
      <year>2001</year>
      <holder role="mailto:info@networkcommand.com">Jon Orbeton</holder>
    </copyright>

    &legalnotice;
    
    <abstract>
      <para>This document explains how to configure a VPN tunnel
        between FreeBSD and Checkpoint's VPN-1/Firewall-1.
        Other documents provide similar information, but do
        not contain instructions specific to VPN-1/Firewall-1
        and its integration with FreeBSD. These documents are
        listed at the conclusion of this paper for further reference.</para>
    </abstract>
  </articleinfo>

  <sect1 id="prerequisites">
    <title>Prerequisites</title>

    <para>The following is a diagram of the machines and networks
        referenced in this document.</para>

    <programlisting>
      External Interface                    External Interface
           208.229.100.6                    216.218.197.2
                       |                    |
         +--> Firewall-1 <--> Internet <--> FreeBSD GW <--+
         |                                                |
  FW-1 Protected Nets                              Internal Nets
   199.208.192.0/24                               192.168.10.0/24
    </programlisting>

    <para>The FreeBSD GW serves as a firewall and NAT device for
      "internal nets."</para>

    <para>The FreeBSD kernel must be compiled to support IPSec.
      Use the following kernel options:</para>

    <programlisting>
        options         IPSEC
        options         IPSEC_ESP
        options         IPSEC_DEBUG
    </programlisting>

    <para>For instructions on building a custom kernel, refer to the
      <ulink url="http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/x3663.html">
      FreeBSD handbook</ulink>. Please note that IP protocol 50 (ESP) and UDP port
      500 must be open between the Firewall-1 host and the FreeBSD GW.</para>

    <para>Also, racoon must be installed to support key exchange.
      Racoon is part of the FreeBSD ports collection in
      <filename>/usr/ports/security/racoon</filename>. The racoon
      configuration file will be covered later in this document.</para>
  </sect1>

  <sect1 id="object">
      <title>Firewall-1 Network Object Configuration</title>

    <para>Begin by configuring the Firewall-1 Policy. Open the
      Policy Editor on the Firewall-1 Management server and create
      a new "Workstation" Network Object representing FreeBSD GW.</para>

    <programlisting>
      General Tab:
               Set name and IP address

      VPN Tab:
               Encryption Schemes Defined:             IKE               ---> Edit

      IKE Properties:
               Key Negotiation Encryption Methods:     3DES
               Authentication Method:                  Pre-Shared Secret ---> Edit
    </programlisting>

    <para>Select the Firewall Object and set a pre-shared secret.
      (Don't use our example.)</para>

    <programlisting>
      Support Aggressive Mode:                Checked
      Supports Subnets:                       Checked
    </programlisting>
   
    <para>After setting the pre-shared secret in the Firewall-1 Network
      Object definition, place this secret in
      <filename>/usr/local/etc/racoon/psk.txt</filename> on FreeBSD GW. The format
      for <filename>psk.txt</filename> is:</para>

    <programlisting>208.229.100.6          rUac0wtoo?</programlisting>

  </sect1>

  <sect1 id="rulecfg">
    <title>Firewall-1 VPN Rule Configuration</title>

    <para>Next, create a Firewall-1 rule enabling encryption between
      the FreeBSD GW and the Firewall-1 protected network. In this
      rule, the network services permitted through the VPN must be
      defined.</para>

    <programlisting>
      Source            | Destination        | Service      | Action  | Track
      ------------------------------------------------------------------------
      FreeBSD GW        | FW-1 Protected Net | VPN services | Encrypt | Long
      FW-1 Protected Net| FreeBSD GW         |              |         |
    </programlisting>

    <para>"VPN services" are any services (e.g. telnet, ssh, ntp, etc.)
      remote hosts are permitted to access through the VPN. Use caution
      when permitting services; hosts connecting through a VPN still
      represent a potential security risk. Encrypting the traffic between
      the two networks offers little protection if a host on either side
      of the tunnel has been compromised.</para>

    <para>Once the rule specifying data encryption between the FreeBSD GW
      and the Firewall-1 protected network has been configured, review
      the "Action Encrypt" settings.</para>

    <programlisting>
      Encryption Schemes Defined:     IKE ---> Edit
      Transform:                      Encryption + Data Integrity (ESP)
      Encryption Algorithm:           3DES
      Data Integrity:                 MD5
      Allowed Peer Gateway:           Any or Firewall Object
      Use Perfect Forward Secrecy:    Checked
    </programlisting>

    <para>The use of Perfect Forward Secrecy (PFS) is optional. Enabling PFS
      performs a fresh Diffie-Hellman exchange for each phase 2 key, so the
      session keys do not depend on earlier keying material, but this comes at the
      cost of increased CPU overhead. If PFS is not used, uncheck the box
      above and comment out the <literal>pfs_group 1</literal> line from
      <filename>racoon.conf</filename> on FreeBSD GW. An example
      <filename>racoon.conf</filename> is provided later in this document.</para>

  </sect1>

  <sect1 id="policy">
    <title>FreeBSD VPN Policy Configuration</title>

    <para>At this point, the VPN policy on FreeBSD GW must be defined. The
      <filename>/usr/sbin/setkey</filename> tool performs this function.</para>

    <para>Below is an example shell script which flushes the existing setkey
      policy and adds your VPN policy rules.</para>

    <programlisting>
      #
      # /etc/vpn1-ipsec.sh
      #
      # IP addresses
      #
      #     External Interface                    External Interface
      #          208.229.100.6                    216.218.197.2
      #                      |                    |
      #        +--> Firewall-1 <--> Internet <--> FreeBSD GW <--+
      #        |                                                |
      # FW-1 Protected Nets                              Internal Nets
      #  199.208.192.0/24                               192.168.10.0/24
      #
      # Flush the policy
      #
      setkey -FP
      setkey -F
      #
      # Configure the Policy
      #
      setkey -c << END
      spdadd 216.218.197.2/32 199.208.192.0/24 any -P out ipsec
      esp/tunnel/216.218.197.2-208.229.100.6/require;
      spdadd 199.208.192.0/24 216.218.197.2/32 any -P in ipsec
      esp/tunnel/208.229.100.6-216.218.197.2/require;
      END
      #
    </programlisting>

    <para>Execute the setkey commands:</para>

    <screen>&prompt.root; <userinput>sh /etc/vpn1-ipsec.sh</userinput></screen>
  </sect1>

  <sect1 id="racoon">
    <title>FreeBSD Racoon Configuration</title>

    <para>To facilitate the negotiation of IPSec keys on FreeBSD GW,
      <filename>/usr/ports/security/racoon</filename> must be installed and
      configured.</para>

    <para>The following is a racoon configuration file suitable for use with
      the examples outlined in this document. Please make sure you fully
      understand this file before using in a production environment.</para>

    <programlisting>
      # racoon.conf for use with Checkpoint VPN-1/Firewall-1
      #
      # search this file for pre_shared_key with various ID key.
      path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
      #
      #
      log debug;
      #
      # "padding" defines some parameter of padding.  You should not touch these.
      padding
      {
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
      }
      #
      listen
      {
        #isakmp ::1 [7000];
        #isakmp 0.0.0.0 [500];
        #admin [7002];          # administrative's port by kmpstat.
        #strict_address;        # required all addresses must be bound.
      }
      #
      # Specification of default various timers.
      #
      timer
      {
        # These values can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.
        #
        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
      }
      
      remote anonymous
      {
        exchange_mode aggressive,main; # For Firewall-1 Aggressive mode

        #my_identifier address;
        #my_identifier user_fqdn "";
        #my_identifier address "";
        #peers_identifier address "";
        #certificate_type x509 "" "";

        nonce_size 16;
        lifetime time 10 min;    # sec,min,hour
        lifetime byte 5 MB;     # B,KB,GB
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2 ;
        }
      }

      sainfo anonymous
      {
        pfs_group 1;
        lifetime time 10 min;
        lifetime byte 50000 KB;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate ;
      }
    </programlisting>

    <para>Ensure that <filename>/usr/local/etc/racoon/psk.txt</filename>
      contains the shared secret configured in the "Firewall-1 Network Object
      Configuration" section of this document and has mode 600 permissions.</para>

    <screen>&prompt.root; <userinput>chmod 600 /usr/local/etc/racoon/psk.txt</userinput></screen>

    </sect1>

    <sect1 id="startingvpn">
      <title>Starting the VPN</title>

    <para>You are now ready to launch racoon and test the VPN tunnel.
      For debugging purposes, open the Firewall-1 Log Viewer and define
      a log filter to isolate entries pertaining to FreeBSD GW. You may
      also find it helpful to tail the racoon log:</para>

    <screen>&prompt.root; <userinput>tail -f /var/log/racoon.log</userinput></screen>

    <para>Start racoon using the following command:</para>

    <screen>&prompt.root; <userinput>/usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf</userinput></screen>

    <para>Once racoon has been launched, telnet to a host on the Firewall-1
      protected network.</para>

    <screen>&prompt.root; <userinput>telnet -s 192.168.10.3 199.208.192.66 22</userinput></screen>

    <para>This command attempts to connect to the ssh port on 199.208.192.66,
      a machine in the Firewall-1 protected network. The <literal>-s</literal> switch indicates
      the source interface of the outbound connection. This is particularly important
      when running NAT and IPFW on FreeBSD GW. Using <literal>-s</literal> and specifying an
      explicit source address prevents NAT from mangling the packet prior to tunneling.</para>

    <para>A successful racoon key exchange will output the following to racoon.log:</para>

    <programlisting>
      pfkey UPDATE succeeded: ESP/Tunnel 216.218.197.2->208.229.100.6
      pk_recvupdate(): IPsec-SA established: ESP/Tunnel 216.218.197.2->208.229.100.6
      get pfkey ADD message IPsec-SA established: ESP/Tunnel 208.229.100.6->216.218.197.2
    </programlisting>

    <para>Once key exchange completes (which takes a few seconds), an ssh banner will appear.
      If all went well, two "Key Install" messages will be logged in the Firewall-1 Log Viewer.
    </para>

    <programlisting>
      Action      |  Source        |  Dest.             | Info.
      Key Install |  216.218.197.2 |  208.229.100.6     | IKE Log: Phase 1 (aggressive) completion.
      Key Install |  216.218.197.2 |  208.229.100.6     | scheme: IKE methods
    </programlisting>

    <para>Under the information column, the full log detail will read:</para>

    <programlisting>
      IKE Log: Phase 1 (aggressive) completion. 3DES/MD5/Pre shared secrets Negotiation Id:
      scheme: IKE methods: Combined ESP: 3DES + MD5 + PFS (phase 2 completion) for host:
    </programlisting>
  </sect1>

  <sect1 id="References">
    <title>References</title>

  <itemizedlist>
    <listitem>
      <para><ulink url="http://www.freebsd.org/handbook/ipsec.html">
        FreeBSD Handbook: IPSEC</ulink></para>
    </listitem>

    <listitem>
      <para><ulink url="http://www.kame.net">KAME Project</ulink></para>
    </listitem>

    <listitem>
      <para><ulink url="http://www.x-itec.de/projects/tuts/ipsec-howto.txt">
        FreeBSD IPSEC mini-HOWTO</ulink></para>
    </listitem>
  </itemizedlist>

  </sect1>
</article>
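A small pre-flight check for the FreeBSD GW side of the article above, added here as an example and not part of the submitted article: it verifies that psk.txt has mode 600 and a secret for the Firewall-1 peer, and reads racoon.log lines for the "IPsec-SA established" messages the article quotes, requiring both tunnel directions. It assumes the article's addresses (208.229.100.6 and 216.218.197.2); the function names and the sample file are our own.

```python
# Added example (not from the submitted article): pre-flight checks for the
# FreeBSD GW side.  Assumes the article's addresses and racoon.log phrasing;
# helper names are our own.
import os
import re
import stat
import tempfile

FW1_GW = "208.229.100.6"      # Firewall-1 external interface (from the article)
FREEBSD_GW = "216.218.197.2"  # FreeBSD GW external interface (from the article)

def check_psk_file(path, peer):
    """Return a list of problems with a racoon psk.txt (empty list means OK):
    the file must be mode 600 and must carry a non-empty secret for the peer."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o600:
        problems.append("psk.txt mode is %o, expected 600" % mode)
    secrets = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)  # "<peer address> <secret>"
            if len(parts) == 2:
                secrets[parts[0]] = parts[1]
    if not secrets.get(peer):
        problems.append("no pre-shared secret for peer %s" % peer)
    return problems

SA_RE = re.compile(r"IPsec-SA established: ESP/Tunnel (\S+)->(\S+)")

def tunnel_state(log_lines, local, remote):
    """Report which ESP tunnel SAs racoon.log shows as established.
    Returns {'out': local->remote seen, 'in': remote->local seen}; a working
    tunnel needs both directions."""
    seen = set()
    for line in log_lines:
        m = SA_RE.search(line)
        if m:
            seen.add((m.group(1), m.group(2)))
    return {"out": (local, remote) in seen, "in": (remote, local) in seen}

# Constructed sample: the three lines the article quotes for a successful exchange.
SAMPLE_LOG = [
    "pfkey UPDATE succeeded: ESP/Tunnel 216.218.197.2->208.229.100.6",
    "pk_recvupdate(): IPsec-SA established: ESP/Tunnel 216.218.197.2->208.229.100.6",
    "get pfkey ADD message IPsec-SA established: ESP/Tunnel 208.229.100.6->216.218.197.2",
]

def demo():
    """Write a constructed psk.txt with a loose mode, check it, tighten it, recheck."""
    path = os.path.join(tempfile.mkdtemp(), "psk.txt")
    with open(path, "w") as fh:
        fh.write("# constructed example secret, not a real one\n")
        fh.write("%s\texample-secret-do-not-use\n" % FW1_GW)
    os.chmod(path, 0o644)
    before = check_psk_file(path, FW1_GW)
    os.chmod(path, 0o600)
    after = check_psk_file(path, FW1_GW)
    return before, after, tunnel_state(SAMPLE_LOG, FREEBSD_GW, FW1_GW)

if __name__ == "__main__":
    print(demo())
```

Point `check_psk_file` at the real `/usr/local/etc/racoon/psk.txt` and `tunnel_state` at the lines of `/var/log/racoon.log` to run it against a live gateway.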
>Release-Note:
>Audit-Trail:

From: Dima Dorfman <dima@unixfreak.org>
To: jono@networkcommand.com
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: docs/28994: New article for docproj "Checkpoint VPN-1/Firewall-1 and FreeBSD IPSEC" 
Date: Thu, 19 Jul 2001 05:28:32 -0700

 jono@networkcommand.com writes:
 
 Some very minor style/convention nits:
 
 >      $Header$
 
 This should be "$FreeBSD$".
 
 > <article>
 >   <articleinfo>
 >     <title>Integration of Checkpoint VPN-1/Firewall-1 and FreeBSD IPSEC</title>
 
 Notice how you capitalized "IPSEC" here.
 
 >     <pubdate>$Date$</pubdate>
 
 This should also be "$FreeBSD$"; it may be a bit too much, but $Date$
 wouldn't get expanded.
 
 >     <programlisting>
 >       External Interface                    External Interface
 >            208.229.100.6                    216.218.197.2
 >                        |                    |
 >          +--> Firewall-1 <--> Internet <--> FreeBSD GW <--+
 >          |                                                |
 >   FW-1 Protected Nets                              Internal Nets
 >    199.208.192.0/24                               192.168.10.0/24
 >     </programlisting>
 
 Things inside <programlisting> should cuddle up to the tags.  Thus,
 the above should be written like this:
 
      <programlisting>External Interface                    External Interface
             208.229.100.6                    216.218.197.2
                         |                    |
           +--> Firewall-1 <--> Internet <--> FreeBSD GW <--+
           |                                                |
    FW-1 Protected Nets                              Internal Nets
     199.208.192.0/24                               192.168.10.0/24</programlisting>
 
 There are some more violations of this below; I won't point them out
 explicitly, but you should fix them.
 
 >     <para>The FreeBSD GW serves as a firewall and NAT device for
 >       "internal nets."</para>
 
 How about: <quote>internal networks</quote>
 
 > 
 >     <para>The FreeBSD kernel must be compiled to support IPSec.
 
 Remember how you capitalized "IPSEC" above?  It'd be nice if they were
 the same.  Personally I'd make them all "IPsec", but it's up to you.
 There are some other instances of this that should be fixed as well.
 
 >     <para>Also, racoon must be installed to support key exchange.
 
 "<command>racoon</command>" or "&man.racoon.1;", please (pick one).
 
 >       <programlisting>208.229.100.6          rUac0wtoo?</programlisting>     
 >  
 > 
 >   </sect1>
 
 Extraneous whitespace.
 
 >       -----------------------------------------------------------------------
 > -
 >       FreeBSD GW        | FW-1 Protected Net | VPN services | Encrypt | Long
 >       FW-1 Protected Net| FreeBSD GW         |              |         |
 >     </programlisting>
 > 
 >     <para>"VPN services" are any services (i.e. telnet, ssh, ntp, etc.)
 
 <quote>VPN services</quote>....
 
 Also, since you're referring to the protocols TELNET, SSH, NTP,
 etc. and not the commands, you should capitalize them.  And if you
 were referring to protocols, you would mark them up inside <command>.
 
 >     <para>At this point, the VPN policy on FreeBSD GW must be defined. The
 >       <filename>/usr/sbin/setkey</filename> tool performs this function.</para>
 
 "&man.setkey.1;", please.
 
 >     <para>Ensure that <filename>/usr/local/etc/racoon/psk.txt</filename>
 >       contains the shared secret configured in the "Firewall-1 Network Object
 
 <quote>Firewall-1 Network Object Configuration</quote>
 
 >       Configuration" section of this document and has mode 600 permissions.</para>
 
 "<literal>600</literal>", please.
 
 >     <para>This command attempts to connect to the ssh port on 199.208.192.66,
 >       a machine in the Firewall-1 protected network. The <literal>-s</literal> switch indicates
 
 "<option>-s</option>", please.
 
 >       the source interface of the outbound connection. This is particularly important
 >       when running NAT and IPFW on FreeBSD GW. Using <literal>-s</literal> and specifying an
 >       explicit source address prevents NAT from mangling the packet prior to 
 > tunneling.</para>
 > 
 >     <para>A successful racoon key exchange will output the following to racoon.log:</para>
 
 Lines should be <= 80 characters in width (note that this does *not*
 apply to text inside <programlisting> or <screen>).
 
 
 Overall, this is a *very* good article!  I think it would be one of
 the most well-written ones in our tree.  I'll gladly add it once you
 fix the above nits.
 
 Thanks, and nice work!
 
 					Dima Dorfman
 					dima@unixfreak.org
State-Changed-From-To: open->feedback 
State-Changed-By: dd 
State-Changed-When: Sun Jul 29 02:56:57 PDT 2001 
State-Changed-Why:  
Have you had a chance to do the updates yet?  If not, that's okay, I'm 
just making sure you didn't accidentally send it to the wrong address or 
something, and are thinking it's my turn to do something. 


Responsible-Changed-From-To: freebsd-doc->dd 
Responsible-Changed-By: dd 
Responsible-Changed-When: Sun Jul 29 02:56:57 PDT 2001 
Responsible-Changed-Why:  
I'll look after this. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=28994 
State-Changed-From-To: feedback->closed 
State-Changed-By: trhodes 
State-Changed-When: Mon Dec 23 14:38:43 PST 2002 
State-Changed-Why:  
Took comments from dd && marked up better.  Then ran the entire thing through 
aspell.  Finally, added a Makefile and committed!  Thanks a lot for the submission! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=28994 
>Unformatted:
