     Integrating FreeBSD IPsec and Check Point VPN-1(R)/Firewall-1(R)

  Jon Orbeton

   <jono@securityreports.com>

  Matt Hite

   <mhite@hotmail.com>

   Copyright (c) 2001, 2002, 2003 Jon Orbeton

   $FreeBSD: head/ru_RU.KOI8-R/articles/checkpoint/article.sgml 38886
   2012-05-25 14:40:55Z taras $

   Redistribution and use in source (SGML DocBook) and ''compiled''
   forms (SGML, HTML, PDF, PostScript, RTF and so forth) with or
   without modification, are permitted provided that the following
   conditions are met:

    1. Redistributions of source code (SGML DocBook) must retain the
       above copyright notice, this list of conditions and the
       following disclaimer as the first lines of this file
       unmodified.

    2. Redistributions in compiled form (transformed to other DTDs,
       converted to PDF, PostScript, RTF and other formats) must
       reproduce the above copyright notice, this list of conditions
       and the following disclaimer in the documentation and/or other
       materials provided with the distribution.

     Important: THIS DOCUMENTATION IS PROVIDED BY THE FREEBSD
     DOCUMENTATION PROJECT "AS IS" AND ANY EXPRESS OR IMPLIED
     WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
     OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
     DISCLAIMED. IN NO EVENT SHALL THE FREEBSD DOCUMENTATION PROJECT BE
     LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
     OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
     PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
     PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
     THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
     TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
     THE USE OF THIS DOCUMENTATION, EVEN IF ADVISED OF THE POSSIBILITY
     OF SUCH DAMAGE.

   FreeBSD is a registered trademark of the FreeBSD Foundation.

   Check Point, Firewall-1, and VPN-1 are trademarks of Check Point
   Software Technologies Ltd.

   Many of the designations used by manufacturers and sellers to
   distinguish their products are claimed as trademarks. Where those
   designations appear in this document, and the FreeBSD Project was
   aware of the trademark claim, the designations have been followed
   by the ''(TM)'' or the ''(R)'' symbol.

   This document describes how to set up VPN tunneling between FreeBSD
   and Check Point's VPN-1(R)/Firewall-1(R). Other available
   publications cover this material, but they do not contain
   instructions specific to VPN-1/Firewall-1 and its integration with
   FreeBSD. They are listed at the end of this article for further
   study.

     --------------------------------------------------------------

1. Preliminaries

   The following diagram shows the layout of the machines and networks
   discussed in this document.

          External interface               External interface
            208.229.100.6                    216.218.197.2
                        |                    |
          +--> Firewall-1 <--> Internet <--> FreeBSD GW <--+
          |                                                |
 FW-1 protected networks                           Internal networks
 199.208.192.0/24                               192.168.10.0/24

   The FreeBSD-based gateway GW acts as the firewall and NAT device
   for the ''internal networks.''

   The FreeBSD kernel must be built with IPsec support. To enable
   IPsec in your kernel, use the following kernel options:

 options         IPSEC
 options         IPSEC_ESP
 options         IPSEC_DEBUG

   For information on building a custom kernel, refer to the FreeBSD
   Handbook. Note that IP protocol 50 (ESP) and UDP port 500 must be
   allowed between the Firewall-1 host and the FreeBSD GW host.

   In addition, the racoon package must be installed to handle key
   exchange. Racoon is part of the FreeBSD Ports Collection and is
   found in security/racoon. The racoon configuration file is
   described later in this document.

     --------------------------------------------------------------

2. Configuring Network Objects in Firewall-1

   Begin by configuring the Firewall-1 policy. Open the Policy Editor
   on the Firewall-1 management server and create a new Network Object
   of type ''Workstation'' to represent the FreeBSD GW machine.

 General Tab:
                 Set name and IP address

 VPN Tab:
                 Encryption Schemes Defined:             IKE               ---> Edit

 IKE Properties:
                 Key Negotiation Encryption Methods:     3DES

 Authentication Method:
                 Pre-Shared Secret ---> Edit

   Select the Firewall Object and set a pre-shared secret. (Do not use
   the one from our example.)

 Support Aggressive Mode:               Checked
 Supports Subnets:                      Checked

   After setting the pre-shared secret in the Firewall-1 network object
   definition, enter the same secret in
   /usr/local/etc/racoon/psk.txt on the FreeBSD GW system. The format
   of psk.txt is:

 208.229.100.6          rUac0wtoo?

     --------------------------------------------------------------

3. Configuring the VPN Rule in Firewall-1

   Now create a rule in Firewall-1 that enables encryption between the
   FreeBSD GW machine and the Firewall-1 protected network. This rule
   must specify the network services that are allowed to operate over
   the VPN.

 Source            | Destination        | Service      | Action  | Track
 ------------------------------------------------------------------------
 FreeBSD GW        | FW-1 Protected Net | VPN services | Encrypt | Long
 FW-1 Protected Net| FreeBSD GW         |              |         |

   ''VPN services'' are any services (that is, telnet, SSH, NTP and so
   forth) that the remote host is allowed to access over the VPN. Be
   careful when enabling services; hosts connecting over the VPN still
   pose a potential risk. Encrypting traffic between two networks
   provides little protection if any host on either side of the tunnel
   has been compromised.

   After configuring the rule that encrypts data between the FreeBSD GW
   machine and the Firewall-1 protected network, review the ''Action
   Encrypt'' settings.

 Encryption Schemes Defined:     IKE ---> Edit
 Transform:                      Encryption + Data Integrity (ESP)
 Encryption Algorithm:           3DES
 Data Integrity:                 MD5
 Allowed Peer Gateway:           Any or Firewall Object
 Use Perfect Forward Secrecy:    Checked

   Using Perfect Forward Secrecy (PFS) is optional. Enabling PFS adds
   another layer of security at the data encryption level, but it
   increases CPU load. If PFS is not used, uncheck the flag above and
   comment out the pfs_group 1 line in racoon.conf on the FreeBSD GW
   machine. An example racoon.conf is given later in this document.

     --------------------------------------------------------------

4. Configuring the VPN Policy on FreeBSD

   At this stage the VPN policy must be defined on the FreeBSD GW
   machine. The setkey(8) utility performs this function.

   Below is an example shell script that flushes setkey(8) and adds
   your VPN policy rules.

 #
 # /etc/vpn1-ipsec.sh
 #
 # IP addresses
 #
 #     External Interface                    External Interface
 #       208.229.100.6                       216.218.197.2
 #                   |                       |
 #        +--> Firewall-1 <--> Internet <--> FreeBSD GW <--+
 #        |                                                |
 # FW-1 Protected Nets                              Internal Nets
 #    199.208.192.0/24                                  192.168.10.0/24
 #
 # Flush the policy
 #
 setkey -FP
 setkey -F
 #
 # Configure the Policy
 #
 setkey -c << END
 spdadd 216.218.197.2/32 199.208.192.0/24 any -P out ipsec
 esp/tunnel/216.218.197.2-208.229.100.6/require;
 spdadd 199.208.192.0/24 216.218.197.2/32 any -P in ipsec
 esp/tunnel/208.229.100.6-216.218.197.2/require;
 END
 #

   Run the setkey(8) commands:

 # sh /etc/vpn1-ipsec.sh
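   The script above hard-codes the addresses from the diagram. The
   following is an added example, not code from the original article:
   it builds the same two spdadd entries from four parameters, emits
   the ipfw(8) permits that section 1 requires (IKE on UDP 500 and ESP,
   IP protocol 50, between the two gateways only), and after
   installing the policy dumps the SPD with setkey -DP so both entries
   can be verified. The function names spd_script, ike_esp_rules and
   apply_policy are this example's own; the defaults are the article's
   addresses.

```shell
#!/bin/sh
# Added example (not from the original article): generate the SPD entries
# and the matching ipfw(8) permits from parameters, so the same script
# serves another peer without editing addresses by hand.
# Defaults are the article's addresses; function names are this example's own.
LOCAL_GW=${LOCAL_GW:-216.218.197.2}        # FreeBSD GW external address
REMOTE_GW=${REMOTE_GW:-208.229.100.6}      # Firewall-1 external address
LOCAL_NET=${LOCAL_NET:-216.218.197.2/32}   # tunnelled from the GW itself, as in the article
REMOTE_NET=${REMOTE_NET:-199.208.192.0/24} # FW-1 protected network

# spd_script LOCAL_GW REMOTE_GW LOCAL_NET REMOTE_NET
# Prints the setkey(8) policy: outbound LOCAL_NET->REMOTE_NET and inbound
# REMOTE_NET->LOCAL_NET, both required to pass through the ESP tunnel.
spd_script() {
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$3" "$4" "$1" "$2"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$4" "$3" "$2" "$1"
}

# ike_esp_rules LOCAL_GW REMOTE_GW
# Prints ipfw(8) rules that let IKE (UDP 500) and ESP (IP protocol 50) pass
# between the two gateway addresses in both directions, and nothing wider.
ike_esp_rules() {
    printf 'ipfw add allow udp from %s 500 to %s 500\n' "$2" "$1"
    printf 'ipfw add allow udp from %s 500 to %s 500\n' "$1" "$2"
    printf 'ipfw add allow esp from %s to %s\n' "$2" "$1"
    printf 'ipfw add allow esp from %s to %s\n' "$1" "$2"
}

# apply_policy: flush the SPD and SAD, install the policy, then dump the
# SPD so the two entries can be checked. Needs root on the FreeBSD GW.
apply_policy() {
    setkey -FP
    setkey -F
    spd_script "$LOCAL_GW" "$REMOTE_GW" "$LOCAL_NET" "$REMOTE_NET" | setkey -c
    setkey -DP
}

case "${1:-show}" in
    show)  spd_script "$LOCAL_GW" "$REMOTE_GW" "$LOCAL_NET" "$REMOTE_NET"
           ike_esp_rules "$LOCAL_GW" "$REMOTE_GW" ;;
    apply) apply_policy ;;
esac
```

   Run it without arguments (or with show) to print the policy and the
   firewall rules for review; run it with apply as root to install the
   policy. Override LOCAL_GW, REMOTE_GW, LOCAL_NET or REMOTE_NET in the
   environment for a different peer.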

     --------------------------------------------------------------

5. Configuring Racoon on FreeBSD

   To provide IPsec key negotiation on the FreeBSD GW machine, the
   security/racoon port must be installed and configured.

   The following racoon configuration file is suitable for use with
   the examples described in this document. Please make sure you fully
   understand what it does before using it in production.

 # racoon.conf for use with Check Point VPN-1/Firewall-1
 #
 # search this file for pre_shared_key with various ID key.
 #
 path pre_shared_key "/usr/local/etc/racoon/psk.txt";
 log debug;
 #
 # "padding" defines some parameter of padding.  You should not touch these.
 #
 padding
 {
         maximum_length 20;      # maximum padding length.
         randomize off;          # enable randomize length.
         strict_check off;       # enable strict check.
         exclusive_tail off;     # extract last one octet.
 }

 listen
 {
         #isakmp ::1 [7000];
         #isakmp 0.0.0.0 [500];
         #admin [7002];          # administrative port by kmpstat.
         #strict_address;        # required all addresses must be bound.
 }
 #
 # Specification of default various timers.
 #
 timer
 {
         #
         # These values can be changed per remote node.
         #
         counter 5;              # maximum trying count to send.
         interval 20 sec;        # maximum interval to resend.
         persend 1;              # the number of packets per a send.
         #
         # timer for waiting to complete each phase.
         #
         phase1 30 sec;
         phase2 15 sec;
 }

 remote anonymous
 {
         exchange_mode aggressive,main; # For Firewall-1 Aggressive mode

         #my_identifier address;
         #my_identifier user_fqdn "";
         #my_identifier address "";
         #peers_identifier address "";
         #certificate_type x509 "" "";

         nonce_size 16;
         lifetime time 10 min;   # sec,min,hour
         lifetime byte 5 MB;     # B,KB,GB
         initial_contact on;
         support_mip6 on;
         proposal_check obey;    # obey, strict or claim

         proposal {
                 encryption_algorithm 3des;
                 hash_algorithm md5;
                 authentication_method pre_shared_key;
                 dh_group 2;
         }
 }

 sainfo anonymous
 {
         pfs_group 1;
         lifetime time 10 min;
         lifetime byte 50000 KB;
         encryption_algorithm 3des;
         authentication_algorithm hmac_md5;
         compression_algorithm deflate;
 }

   Verify that /usr/local/etc/racoon/psk.txt contains the same
   pre-shared secret that was configured in the section ''Configuring
   Network Objects in Firewall-1'' of this document, and that its
   permissions are mode 600.

 # chmod 600 /usr/local/etc/racoon/psk.txt
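   The two requirements on psk.txt, the file format from section 2 and
   the mode 600 check above, can be verified in one place. The
   following is an added example, not code from the original article:
   check_psk (this example's own name) fails unless the file is mode
   600, has exactly one non-comment entry whose identifier is the
   Firewall-1 address, and that entry's secret is not the sample value
   printed in this article. The sample file written by demo_psk is
   constructed here and holds no real secret.

```shell
#!/bin/sh
# Added example (not from the original article): sanity checks on the
# racoon psk.txt described in sections 2 and 5. check_psk and demo_psk are
# this example's own names; the sample file below is constructed.

# check_psk FILE PEER_ADDR
# Returns 0 only if FILE is mode 600, has exactly one non-comment entry
# whose identifier is PEER_ADDR, and that entry's secret is not the
# published sample value from this article.
check_psk() {
    psk_file=$1
    peer=$2
    if [ ! -f "$psk_file" ]; then
        echo "$psk_file: no such file" >&2
        return 1
    fi
    # The first 10 columns of ls -l are the type and permission bits;
    # racoon reads the file as root, so nobody else needs any access.
    mode=$(ls -l "$psk_file" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "$psk_file: mode is $mode, expected -rw------- (chmod 600)" >&2
        return 1
    fi
    # racoon separates identifier and secret with whitespace; '#' starts a comment.
    matches=$(grep -v '^[[:space:]]*#' "$psk_file" | awk -v p="$peer" '$1 == p' | wc -l | tr -d ' ')
    if [ "$matches" != "1" ]; then
        echo "$psk_file: expected one entry for $peer, found $matches" >&2
        return 1
    fi
    secret=$(grep -v '^[[:space:]]*#' "$psk_file" | awk -v p="$peer" '$1 == p { print $2 }')
    if [ "$secret" = "rUac0wtoo?" ]; then
        echo "$psk_file: secret for $peer is the published sample value, change it" >&2
        return 1
    fi
    return 0
}

# demo_psk: write a constructed psk.txt to a temporary file, check it,
# and return check_psk's result.
demo_psk() {
    tmp=$(mktemp) || return 1
    printf '# constructed sample, not a real secret\n208.229.100.6    ChangeMe-Example-Only\n' > "$tmp"
    chmod 600 "$tmp"
    check_psk "$tmp" 208.229.100.6
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: sh check_psk.sh /usr/local/etc/racoon/psk.txt 208.229.100.6
if [ $# -eq 2 ]; then
    check_psk "$1" "$2"
fi
```

   Run it with the path to psk.txt and the Firewall-1 address; the
   exit status is 0 when all three checks pass, and each failure
   prints its reason on stderr.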

     --------------------------------------------------------------

6. Bringing Up the VPN

   You are now ready to start racoon and test the VPN tunnel. For
   debugging purposes, open the Log Viewer on Firewall-1 and set a log
   filter to highlight entries relating to the FreeBSD GW machine. You
   may also find it useful to watch the racoon log with tail(1):

 # tail -f /var/log/racoon.log

   Start racoon with the following command:

 # /usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf

   After starting racoon, connect with telnet(1) to a host in the
   Firewall-1 protected network.

 # telnet -s 192.168.10.3 199.208.192.66 22

   This command attempts to connect to the ssh(1) port of the machine
   199.208.192.66, which is in the Firewall-1 protected network. The
   -s parameter specifies the source interface for the outgoing
   connection. This is particularly important when NAT and IPFW are
   used on the FreeBSD GW machine. Using -s to set the source address
   explicitly keeps NAT from rewriting the packets before they are
   tunneled.

   On a successful key exchange, racoon writes the following to the
   racoon.log file:

 pfkey UPDATE succeeded: ESP/Tunnel 216.218.197.2->208.229.100.6
 pk_recvupdate(): IPSec-SA established: ESP/Tunnel 216.218.197.2->208.229.100.6
 get pfkey ADD message IPsec-SA established: ESP/Tunnel 208.229.100.6->216.218.197.2

   Once the key exchange is complete (which takes a few seconds), the
   ssh(1) banner appears. If all went well, two ''Key Install''
   messages are recorded in the Firewall-1 Log Viewer.

 Action      |  Source        |  Dest.             | Info.
 Key Install |  216.218.197.2 |  208.229.100.6     | IKE Log: Phase 1 (aggressive) completion.
 Key Install |  216.218.197.2 |  208.229.100.6     | scheme: IKE methods

   The detailed log in the Info column looks like this:

 IKE Log: Phase 1 (aggressive) completion. 3DES/MD5/Pre shared secrets Negotiation Id:
 scheme: IKE methods: Combined ESP: 3DES + MD5 + PFS (phase 2 completion) for host:
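   The three racoon.log lines above are the evidence that the tunnel
   is up, and they can be checked automatically rather than read by
   eye. The following is an added example, not code from the original
   article: tunnel_up (this example's own name) reports the tunnel as
   up only when racoon.log records an established ESP tunnel SA in
   both directions between the two gateways, and otherwise tells
   whether phase 1 completed, which points at a phase 2 (sainfo)
   mismatch. The "ISAKMP-SA established" line it looks for is racoon's
   own phase 1 message and does not appear in this article; the sample
   log produced by sample_racoon_log is constructed from the article's
   lines plus one unrelated peer.

```shell
#!/bin/sh
# Added example (not from the original article): decide from racoon.log
# whether the ESP tunnel is up in both directions. tunnel_up and
# sample_racoon_log are this example's own names; the sample log is
# constructed from the article's lines plus an unrelated peer (10.9.8.7).

# tunnel_up LOGFILE LOCAL_GW REMOTE_GW
# Returns 0 when LOGFILE has an "SA established: ESP/Tunnel" line for
# LOCAL->REMOTE and one for REMOTE->LOCAL, 1 otherwise. racoon spells the
# prefix "IPSec-SA" or "IPsec-SA" depending on the code path, so the
# fixed-string match starts at "SA established".
tunnel_up() {
    log=$1
    local_gw=$2
    remote_gw=$3
    n_out=$(grep -cF "SA established: ESP/Tunnel $local_gw->$remote_gw" "$log")
    n_in=$(grep -cF "SA established: ESP/Tunnel $remote_gw->$local_gw" "$log")
    if [ "$n_out" -ge 1 ] && [ "$n_in" -ge 1 ]; then
        echo "tunnel $local_gw<->$remote_gw: up (out=$n_out, in=$n_in)"
        return 0
    fi
    echo "tunnel $local_gw<->$remote_gw: NOT up (out=$n_out, in=$n_in)" >&2
    # Phase 1 done but no IPsec SA usually means the phase 2 proposal
    # (sainfo: pfs_group, 3des, hmac_md5) does not match the Firewall-1
    # Encrypt settings; no phase 1 at all points at the PSK, UDP 500 or
    # the aggressive-mode setting.
    if [ "$(grep -c 'ISAKMP-SA established' "$log")" -ge 1 ]; then
        echo "phase 1 completed; check the phase 2 proposal (sainfo) against Firewall-1" >&2
    else
        echo "no phase 1 completion logged; check psk.txt, UDP 500 and aggressive mode" >&2
    fi
    return 1
}

# sample_racoon_log: constructed log, the article's three lines plus one
# half-established tunnel to an unrelated peer.
sample_racoon_log() {
    cat <<'EOF'
pfkey UPDATE succeeded: ESP/Tunnel 216.218.197.2->208.229.100.6
pk_recvupdate(): IPSec-SA established: ESP/Tunnel 216.218.197.2->208.229.100.6
get pfkey ADD message IPsec-SA established: ESP/Tunnel 208.229.100.6->216.218.197.2
pk_recvupdate(): IPSec-SA established: ESP/Tunnel 216.218.197.2->10.9.8.7
EOF
}

# Usage: sh tunnel_up.sh /var/log/racoon.log 216.218.197.2 208.229.100.6
if [ $# -eq 3 ]; then
    tunnel_up "$1" "$2" "$3"
fi
```

   On a live gateway, pair this with setkey -D, which dumps the
   installed SAs from the kernel and should show the same two ESP
   tunnel SAs that the log reports.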

     --------------------------------------------------------------

7. References

     * FreeBSD Handbook: VPN over IPsec
       http://www.FreeBSD.org/doc/ru_RU.KOI8-R/books/handbook/ipsec.html

     * The KAME Project http://www.kame.net

     --------------------------------------------------------------

            This, and other documents, can be downloaded from
                ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/.

     For questions about FreeBSD, read the documentation before
                 contacting <questions@FreeBSD.org>.
          For questions about this documentation, e-mail
                            <doc@FreeBSD.org>.
   For questions about the Russian translation of the documentation,
               write to the <frdp@FreeBSD.org.ua> mailing list.
    Information on subscribing to this list is available on the
                     translation project's site.
