HOWTO: Configure ISAKMP between OpenBSD and Checkpoint FW-1

Presumptions

• You understand at least the basics of IP networking (gateways, routes, etc)
• You're comfortable with OpenBSD and have some command line skills
• You're using IKE as your Checkpoint Encryption scheme
• You're using a Pre-Shared secret as your authentication method (not Public Key Signatures or SecuRemote: I may write a howto on this later)
• You have root access on the OpenBSD host

Prerequisites

• You must have a kernel with IPSEC enabled (enabled by default)

  If this isn't enabled, you've obviously recompiled a kernel without IPSEC. You should then know enough to re-enable IPSEC. Check google.com if you're unsure.




• You must have esp/ah enabled (enabled by default)

  To confirm:
  # sysctl net.inet.esp.enable
  net.inet.esp.enable = 1
  
  # sysctl net.inet.ah.enable
  net.inet.ah.enable = 1
  
  If these are not both equal to one, run the following commands as needed
  
  # sysctl -w net.inet.esp.enable=1
  
  # sysctl -w net.inet.ah.enable=1
  
  If you use the above -w command(s), you'll want to add these to your /etc/sysctl.conf, so they will be re-enabled after reboot.
  



• You must know the following information

  • Networks:

    [OPENBSD_INTERNAL_NETWORK(s)]	The networks on your side of the VPN
    [CHECKPOINT_INTERNAL_NETWORK(s)]	The networks "behind" the Checkpoint FW

  
  
  • Checkpoint's VPN settings:

    [CHECKPOINT_WAN_IP]	Checkpoint's WAN IP address you'll be using as the remote end of the tunnel
    [CHECKPOINT_KEY_ENC]	Key Exchange encryption (DES, CAST, or 3DES) This HOWTO uses 3DES
    [CHECKPOINT_HASH]	Data integrity (MD5 or SHA1) This HOWTO uses SHA1
    [CHECKPOINT_SECRET]	Pre-Shared Secret

  
  
  • OpenBSD:

    [OPENBSD_WAN_IP]	The WAN IP address on your OpenBSD host
    [OPENBSD_LAN_IP]	An address on your OpenBSD host which exists in one of the OPENBSD_INTERNAL_NETWORK(s)

  
  

Configuration of isakmpd.policy

Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
                esp_present == "yes" &&
                esp_enc_alg != "null" -> "true";

Configuration of isakmpd.conf

[General]
Retransmits=		5
Exchange-max-time=	120
Listen-on=		[OPENBSD_WAN_IP]

[Phase 1]
[CHECKPOINT_WAN_IP]=	openbsd-checkpoint

[openbsd-checkpoint]
Phase=			1
Transport=		udp
Local-address=		[OPENBSD_WAN_IP]
Address=		[CHECKPOINT_WAN_IP]
Configuration=		Default-main-mode
Authentication=		[CHECKPOINT_SECRET]

[Phase 2]
Connections=		VPN-myhost-theirhost-10.0.0.0/255.255.255.0, VPN-myhost-theirhost-172.16.0.0/255.255.255.0

[VPN-myhost-theirhost-10.0.0.0/255.255.255.0]
Phase=			2
ISAKMP-peer=		openbsd-checkpoint
Configuration=		Default-quick-mode
Local-ID=		mynetwork-192.168.0.0/255.255.255.0
Remote-ID=		theirnetwork-10.0.0.0/255.255.255.0

[VPN-myhost-theirhost-172.16.0.0/255.255.255.0]
Phase=			2
ISAKMP-peer=		openbsd-checkpoint
Configuration=		Default-quick-mode
Local-ID=		mynetwork-192.168.0.0/255.255.255.0
Remote-ID=		theirnetwork-172.16.0.0/255.255.255.0

[mynetwork-192.168.0.0/255.255.255.0]
ID-type=		IPV4_ADDR_SUBNET
Network=		192.168.0.0
Netmask=		255.255.255.0

[theirnetwork-10.0.0.0/255.255.255.0]
ID-type=		IPV4_ADDR_SUBNET
Network=		10.0.0.0
Netmask=		255.255.255.0

[theirnetwork-172.16.0.0/255.255.255.0]
ID-type=		IPV4_ADDR_SUBNET
Network=		172.16.0.0
Netmask=		255.255.0.0

[Default-main-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		ID_PROT
Transforms=		3DES-SHA
#	The above 3DES-SHA is based on [CHECKPOINT_KEY_ENC] and [CHECKPOINT_HASH]  see the manpage for isakmpd.conf for other alternatives. 

[Default-quick-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		QUICK_MODE
Suites=			QM-ESP-3DES-SHA-SUITE

Adding routes

Important Notes

• Tunnel initiation:

  While troubleshooting I was constantly stopping and restarting isakmpd on the OpenBSD host. A constant ping from a host on OPENBSD_INSIDE_NETWORKS to a host on CHECKPOINT_INSIDE_NETWORKS would stop (obviously) when isakmpd was killed, and would restart soon after isakmpd was restarted. In other words, the OpenBSD side was able to easily re-establish the VPN tunnel on a restart of isakmpd. However, if isakmpd was stopped, and the OpenBSD host had no reason to open the tunnel (i.e. no outbound VPN traffic) it appeared the Checkpoint side was unable to initiate the tunnel. I'm not sure what causes this, but the following seems to be a work-around. If you're going to bounce isakmpd, and you expect the remote Checkpoint FW to re-esstablish the tunnel, let isakmpd stay down for a while (???). This extended outage seems to reset the Checkpoint FW so that it's able to re-establish the tunnel. If anybody knows why this is the case... I'm all ears.