Policy Based Site to Site VPN (AES 256) with Check Point NGX R61 (Simplified Mode VPN)

Configuring Juniper via WebUI

1. Interfaces

Network > Interfaces > Edit (for trust): Enter the following, and then click Apply:

Zone Name: Trust

Static IP

IP Address / Netmask: 192.168.1.1 / 24 (Juniper Private Network)

Interface Mode: ROUTE

Network > Interfaces > Edit (for untrust): Enter the following, and then click Apply:

Zone Name: Untrust

Static IP

IP Address / Netmask: 200.200.200.34/ 28 (Juniper Public Network)

Interface Mode: ROUTE

2. Addresses

Objects > Addresses > List > New: Enter the following and then click OK:

Address Name: Juniper LAN

IP Address/Domain Name:

IP/Netmask (select): 192.168.1.0/24

Zone: Trust

Objects > Addresses > List > New: Enter the following and then click OK:

Address Name: Checkpoint_LAN

IP Address/Domain Name:

IP/Netmask (select): 192.168.2.0/24

Zone: Untrust

(Optional) Repeat this step for each additional network that will be reachable through the VPN.

Objects > Addresses > List > New: Enter the following and then click OK:

Address Name: Checkpoint_LAN VLAN4

IP Address/Domain Name:

IP/Netmask (select): 172.16.4.0/22

Zone: Untrust

3. Proposals

VPNs > AutoKey Advanced > P1 Proposal > New: Enter the following and then click OK:

Name: Check Point PH1

Authentication Method: Preshare

DH Group: Group 2

Encryption Algorithm: AES-CBC(256 Bits)

Hash Algorithm: SHA-1

Lifetime: 1440 Min

VPNs > AutoKey Advanced > P2 Proposal > New: Enter the following and then click OK:

Name: Check Point PH2

Perfect Forward Secrecy: DH Group 2

Encapsulation

Encryption (ESP)

Encryption Algorithm: AES-CBC(256 Bits)

Authentication Algorithm: SHA-1

Lifetime: 3600 Sec (make sure you select the seconds button)

4. VPN

VPNs > AutoKey Advanced > Gateway > New: Enter the following and then click OK:

Gateway Name: To R61 Checkpoint

Security Level: Custom

Remote Gateway Type:

Static IP Address (select), IP Address/Hostname: 100.200.150.34

Preshared Key

Preshared Key: abcd1234

Outgoing Interface: ethernet0/2 (Untrust)

Advanced: Enter the following advanced settings, and then click RETURN to return to the basic Gateway configuration page:

Security Level: Custom

Phase 1 Proposal (For Custom Security Level):

Check Point PH1

Mode (initiator): Main (ID Protection)

VPNs > AutoKey IKE > New: Enter the following and then click OK:

VPN Name: R61 Checkpoint VPN

Security Level: Custom

Remote Gateway: Predefined: (select): To R61 Checkpoint

Advanced: Enter the following advanced settings, and then click RETURN to return to the basic AutoKey IKE configuration page:

Security Level: Custom

Phase 2 Proposal (For Custom Security Level):

Check Point PH2

Replay Protection (select)

Check VPN Monitor

5. Route

Network > Routing > Routing Entries > trust-vr > New: Enter the following, and then click OK:

Network Address/Netmask: 192.168.2.0/24

Gateway: (select):

Interface: ethernet0/0 (untrust)

Gateway IP Address: 100.200.150.34

(Optional) You will need to add additional routes for the VPN networks.

6. Route

Network > Routing > Routing Entries > trust-vr > New: Enter the following, and then click OK:

Network Address/Netmask: 172.16.4.0/22

Gateway: (select):

Interface: untrust

Gateway IP Address: 100.200.150.34

7. Policies

Policies > (From: Trust, to: Untrust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Juniper LAN

Destination Address:

Address Book Entry: (select), Checkpoint_LAN

Service: ANY

Action: Tunnel

Tunnel VPN: R61 Checkpoint VPN

Modify matching bidirectional VPN policy (select)

Position at Top: (select)

Logging

(Optional) You will need to create additional policies for the different networks.

8. Policies

Policies > (From: Trust, to: Untrust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Juniper LAN

Destination Address:

Address Book Entry: (select), Checkpoint_LAN VLAN4

Service: ANY

Action: Tunnel

Tunnel VPN: R61 Checkpoint VPN

Modify matching bidirectional VPN policy (select)

Position at Top: (select)

Logging

Configuring Check Point:

- This assumes your interfaces and default gateway are already set.

1. Objects

Right click on Network Objects > New > Network: Enter the following then click OK:

Name: jn-192.168.1.0-juniper (Juniper Network)

Network Address: 192.168.1.0

Net Mask: 255.255.255.0

Right click on Network Objects > New > Network: Enter the following then click OK:

Name: cp-192.168.2.0 (Checkpoint Network)

Network Address: 192.168.2.0

Net Mask: 255.255.255.0

(Optional) Add a network object for each additional network that will access the Juniper LAN.

Right click on Network Objects > New > Network: Enter the following then click OK:

Name: cp-172.16.4.0

Network Address: 172.16.4.0

Net Mask: 255.255.252.0

Right click on Network Objects > New > Interoperable Device: Enter the following then click OK:

Name: jf-200.200.200.34-junpr (Juniper Firewall)

IP Address: 200.200.200.34

Topology > Manually Defined (select)

Choose > jn-192.168.1.0-juniper

Our Check Point firewalls have already been defined.

Edit the Check Point Gateway Object that will terminate the VPN: Enter the following then click OK:

IP Address: 100.200.150.34

Under Products (select VPN)

Topology > VPN Domain > Manually defined (select)

Choose > cp-192.168.2.0 (If you have multiple networks behind the Check Point, create a group and use the group as the manually defined VPN domain.)

2. VPN

Click on the VPN Manager tab > Right Click > New Community > Star: Enter the following then click OK:

Name: junpr_checkpointR61

Center Gateways > Add (select): Check Point Gateway (cp-100.200.150.34 (Checkpoint Firewall))

Satellite Gateway >Add (select): Juniper NetScreen (jf-200.200.200.34-junpr (Juniper Firewall))

VPN Properties

Phase 1

Perform key exchange encryption with: AES-256

Perform data integrity with: SHA1

Phase 2

Perform IPsec data encryption with: AES-256

Perform data integrity with: SHA1

Advanced Settings:

Shared Secret

(select) Use only Shared Secret for all External members

Edit > Enter Shared Secret > abcd1234

Click OK

Advanced VPN Properties:

IKE (Phase1) DH Group: Group 2 (1024 bit)

Renegotiate IKE 1440 min.

IPsec (Phase 2)

(select) Use Perfect Forward Secrecy DH Group 2 (1024 bit)

Renegotiate IPsec security associations every 3600 seconds

NAT

(select) Disable NAT inside the VPN community
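As an added example (not part of the original guide), a small Python check that the Juniper proposals from steps 3 and 4 agree with the Check Point community settings above once lifetimes are normalised to seconds, and that each Juniper tunnel policy from steps 7 and 8 falls inside the VPN domains defined in Check Point step 1; mismatched lifetimes and proxy-IDs are the usual reasons Phase 1 or Phase 2 fails to come up. The values are the ones used in the guide; the function names are my own.

```python
import ipaddress

MIN = 60  # the Juniper P1 proposal takes minutes, the P2 proposal seconds; normalise to seconds

# (encryption, integrity, DH or PFS group, lifetime in seconds) as entered in the guide
JUNIPER_PROPOSALS = {
    "Check Point PH1": ("aes256", "sha1", 2, 1440 * MIN),
    "Check Point PH2": ("aes256", "sha1", 2, 3600),
}
CHECKPOINT_COMMUNITY = {  # junpr_checkpointR61, Advanced VPN Properties
    "Phase 1": ("aes256", "sha1", 2, 1440 * MIN),
    "Phase 2": ("aes256", "sha1", 2, 3600),
}
FIELDS = ("encryption", "integrity", "group", "lifetime_s")

def proposal_mismatches(juniper, checkpoint):
    """List every field on which a Juniper proposal differs from its Check Point counterpart."""
    problems = []
    for (jn, jv), (cn, cv) in zip(juniper.items(), checkpoint.items()):
        for field, x, y in zip(FIELDS, jv, cv):
            if x != y:
                problems.append(f"{jn} vs {cn} {field}: {x} != {y}")
    return problems

# Check Point VPN domains from step 1: the Juniper's domain and the networks behind the Check Point
SATELLITE_DOMAIN = [ipaddress.ip_network("192.168.1.0/24")]  # jn-192.168.1.0-juniper
CENTER_DOMAIN = [ipaddress.ip_network("192.168.2.0/24"),     # cp-192.168.2.0
                 ipaddress.ip_network("172.16.4.0/22")]      # cp-172.16.4.0
# Juniper tunnel policies from steps 7 and 8 as (source, destination)
JUNIPER_POLICIES = [("192.168.1.0/24", "192.168.2.0/24"), ("192.168.1.0/24", "172.16.4.0/22")]

def policy_mismatches(policies, satellite, center):
    """Report policies whose source or destination is not covered by the matching VPN domain."""
    def covered(net, domain):
        return any(net.subnet_of(d) for d in domain)
    problems = []
    for src, dst in policies:
        if not covered(ipaddress.ip_network(src), satellite):
            problems.append(f"source {src} not in Juniper VPN domain")
        if not covered(ipaddress.ip_network(dst), center):
            problems.append(f"destination {dst} not in Check Point VPN domain")
    return problems

if __name__ == "__main__":
    print(proposal_mismatches(JUNIPER_PROPOSALS, CHECKPOINT_COMMUNITY) or "proposals match")
    print(policy_mismatches(JUNIPER_POLICIES, SATELLITE_DOMAIN, CENTER_DOMAIN) or "policies covered")
```

Entering the P2 lifetime as 3600 minutes instead of seconds (the slip step 3 warns about) shows up as a lifetime_s mismatch of 216000 against 3600.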

3. VPN Policy (Look at Policy rules 1, 2, and 4)

Click on the Main Security tab > Then click on Rule 1 > Source > Enter the following:

Rule 1:

Source: Juniper NetScreen LAN (jn-192.168.1.0-juniper)

Destination: CheckPoint R61 LAN (cp-192.168.2.0 (Checkpoint Network))

VPN: Any Traffic

Service: ANY

Action: Accept

Track: Log

Install On: (Right Click > Add > Targets > Select Target)

Choose: The Check Point Gateway that will terminate the VPN

Rule 2:

Source: CheckPoint R61 LAN (cp-192.168.2.0 (Checkpoint Network))

Destination: Juniper NetScreen LAN (jn-192.168.1.0-juniper)

VPN: Any Traffic

Service: ANY

Action: Accept

Track: Log

Install On: (Right Click > Add > Targets > Select Target)

Choose: The Check Point Gateway that will terminate the VPN

Rule 3:

Source: Interoperable Juniper Firewall jf-200.200.200.34-junpr

Destination: Interoperable Juniper Firewall jf-200.200.200.34-junpr

Source: Checkpoint Firewall cp-200.200.200.34

Destination: Checkpoint Firewall cp-200.200.200.34

VPN: Any Traffic

Service: ANY

Action: Accept

Track: Log

Install On: (Right Click > Add > Targets > Select Target)

Choose: The Check Point Gateway that will terminate the VPN

4. Test the VPN

Check Point Log (example of successful PH1)

Check Point Log (example of successful PH2)

Check Point Log (HTTP session successfully traversed tunnel)