Google Cloud Platform

This chapter describes the procedure to establish a Site-to-Site IPsec tunnel between your Check Point SASE network and Google Cloud Platform (GCP).

Prerequisites

  • An active Check Point SASE Administrator Portal account and network.

  • Make sure you have installed the Check Point SASE Agent on your devices.

  • An administrator account in the Firewall / Router / Cloud Management Portal (here, the GCP console).

Step 1 - Configurations in the GCP Console

Creating a Virtual Private Gateway

  1. Access the GCP console and go to Network Connectivity.

  2. In the left menu, click VPN.

  3. Click Cloud VPN Gateways > Create VPN gateway.

  4. Click the link to create Classic VPN.

  5. Enter these:

    1. Name - Name of the gateway.

    2. Network - Select default or a specific VPC.

    3. Region - Select the region where your resources are located.

    4. IP address - Create an IP address to connect your gateway and click Reserve.

Creating a Tunnel

  1. Access the GCP console and go to Network Connectivity.

  2. In the left menu, click VPN.

  3. Click Cloud VPN Tunnels > Create VPN tunnel.

  4. Enter these:

    1. Name - Name of the tunnel.

    2. Remote peer IP address - IP address of your Check Point SASE Gateway.

      To obtain this, go to the Check Point SASE Administrator Portal > Networks and select the network that contains the gateway to which you want to create a tunnel.

    3. IKE Version - IKEv2

    4. IKE pre-shared key - Click Generate and copy the generated key, or enter a key of your own, and note it down.

    5. Routing options - Route-based

    6. Remote network IP ranges - 10.255.0.0/16 (unless customized)

  5. Click Done and then Create.

Configuring the Routing Rules to the VPC Network

  1. Access the GCP console and go to the VPC Network section.

  2. In the left menu, click Routes.

  3. Click Create Route Rule.

  4. Enter these:

    1. Name - Name of the VPN gateway.

    2. Network - Select the VPC network that contains the instances served by the VPN gateway. This must be the same network selected in the previous steps.

    3. Destination IP range - 10.255.0.0/16 (or customized)

    4. Priority - 1000

    5. Next hop - Select Specify VPN Tunnel.

    6. Next hop VPN tunnel - Select the VPN tunnel you created in the previous steps.

  5. Click Create.

Allowing Incoming Connections from Check Point SASE Local Network Using Firewall Rules

  1. Access the GCP console and go to the VPC Network section.

  2. In the left menu, click Firewall rules.

  3. Click Create Firewall Rule.

  4. Enter these:

    1. Name - Name of the rule.

    2. Logs - Off

    3. Network - Select the VPC network that contains the instances served by the VPN gateway. This must be the same network selected in the previous steps.

    4. Priority - 1000

    5. Direction of traffic - Ingress.

    6. Action on match - Allow

    7. (Optional) Target tags

    8. Source filter - IP ranges

    9. Source IP ranges - 10.255.0.0/16 (unless customized)

    10. Second source filter - None

    11. Protocols and ports - Allow all
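The Step 1 console procedure expressed as gcloud commands, as an added example that is not part of the original page or of Check Point's own material. It assumes placeholder names (cp-sase-vpn-gw, cp-sase-vpn-ip, cp-sase-tunnel), the region us-central1 and 203.0.113.10 as the Check Point SASE Gateway address, and that, as GCP does for a route-based Classic VPN, both traffic selectors are 0.0.0.0/0 while the console's "Remote network IP ranges" value becomes the destination of the route.

```shell
#!/bin/sh
# Added example, not from the page: gcloud equivalent of the Step 1 console steps for a
# route-based Classic VPN. Names, region and peer address are placeholders to replace.
set -eu

REGION="${REGION:-us-central1}"                 # placeholder region
NETWORK="${NETWORK:-default}"                   # VPC chosen for the gateway
GW="${GW:-cp-sase-vpn-gw}"                      # placeholder gateway name
GW_IP="${GW_IP:-cp-sase-vpn-ip}"                # name of the reserved external address
TUNNEL="${TUNNEL:-cp-sase-tunnel}"              # placeholder tunnel name
PEER_IP="${PEER_IP:-203.0.113.10}"              # placeholder Check Point SASE Gateway IP
REMOTE_RANGE="${REMOTE_RANGE:-10.255.0.0/16}"   # Check Point SASE network (page default)

run() {  # execute, or with DRY_RUN=1 (default) print the command with the PSK redacted
  [ "${DRY_RUN:-1}" = 1 ] || { "$@"; return $?; }
  for a in "$@"; do
    case "$a" in --shared-secret=*) printf '%s ' '--shared-secret=<redacted>' ;;
                 *) printf '%s ' "$a" ;; esac
  done; printf '\n'
}

# Read the PSK from a file so it is not typed on the command line (shell history).
psk_from_file() { tr -d '\n' < "$1"; }

create_classic_vpn() {
  psk="$1"
  run gcloud compute target-vpn-gateways create "$GW" --network="$NETWORK" --region="$REGION"
  run gcloud compute addresses create "$GW_IP" --region="$REGION"
  # Classic VPN needs forwarding rules for ESP, IKE (UDP/500) and NAT-T (UDP/4500).
  run gcloud compute forwarding-rules create "fr-$GW-esp" --ip-protocol=ESP \
      --address="$GW_IP" --target-vpn-gateway="$GW" --region="$REGION"
  for port in 500 4500; do
    run gcloud compute forwarding-rules create "fr-$GW-udp$port" --ip-protocol=UDP \
        --ports="$port" --address="$GW_IP" --target-vpn-gateway="$GW" --region="$REGION"
  done
  # Route-based tunnel: IKEv2 and 0.0.0.0/0 selectors, matching the Any/Any proposal
  # subnets of Step 2; the 10.255.0.0/16 remote range is carried by the route below.
  run gcloud compute vpn-tunnels create "$TUNNEL" --peer-address="$PEER_IP" \
      --ike-version=2 --shared-secret="$psk" --local-traffic-selector=0.0.0.0/0 \
      --remote-traffic-selector=0.0.0.0/0 --target-vpn-gateway="$GW" --region="$REGION"
  run gcloud compute routes create "route-$TUNNEL" --network="$NETWORK" \
      --destination-range="$REMOTE_RANGE" --priority=1000 \
      --next-hop-vpn-tunnel="$TUNNEL" --next-hop-vpn-tunnel-region="$REGION"
  # Ingress rule scoped to the SASE range only, never 0.0.0.0/0.
  run gcloud compute firewall-rules create "allow-from-$TUNNEL" --network="$NETWORK" \
      --direction=INGRESS --action=ALLOW --rules=all --priority=1000 \
      --source-ranges="$REMOTE_RANGE"
}
```

With DRY_RUN=1 (the default) the commands are only printed, with the pre-shared key redacted; to apply them, set DRY_RUN=0 and call create_classic_vpn "$(psk_from_file psk.txt)" with the key saved in a file.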

Step 2 - Creating the Tunnel in the Check Point SASE Administrator Portal

  1. Access the Check Point SASE Administrator Portal and click Networks.

  2. Click the network where you want to create the tunnel.

  3. In the required gateway, click > Add Tunnel.

  4. Click IPSec Site-2-Site Tunnel and click Continue.

  5. Click Single Tunnel and click Continue.

    The IPSec Site-2-Site Tunnel window appears.

  6. In the General Settings section, enter these:

    1. Name - Name of the tunnel.

    2. Check Point SASE Gateway Proposal Subnets - Any (0.0.0.0/0)

    3. Remote Gateway Proposal Subnets - Any (0.0.0.0/0)

  7. In the Advanced Settings section, enter the information for your tunnel type. In the table, P1/P2 are the Phase 1 and Phase 2 values, DPD is Dead Peer Detection and DH Groups are the Diffie Hellman Groups:

    Tunnel type                                         IKE  IKE Lifetime  Tunnel Lifetime  DPD Delay  DPD Timeout  Encryption P1/P2  Integrity P1/P2  DH Groups P1/P2

    Amazon AWS
      Single Tunnel - AWS Virtual Gateway               V2   8h            1h               10s        30s          aes256/aes256     sha512/sha512    ecp521/ecp521
      Single Tunnel - AWS Transit Gateway               V2   8h            1h               10s        30s          aes256/aes256     sha512/sha512    ecp521/ecp521
      Redundant Tunnels - AWS Virtual Private Gateway   V2   8h            1h               10s        30s          aes256/aes256     sha512/sha512    ecp521/ecp521
      Redundant Tunnels - AWS Transit Gateway           V2   8h            1h               10s        30s          aes256/aes256     sha512/sha512    ecp521/ecp521

    Google Cloud Platform
      Single Tunnel (1)                                 V2   8h            1h               10s        30s          aes256/aes256     sha512/sha512    ecp521/ecp521
      Redundant Tunnels                                 V2   8h            1h               10s        30s          aes256/aes256     sha512/sha512    ecp521/ecp521

    Microsoft Azure
      Single Tunnel - Azure Virtual Network Gateway     V2   3600s         27000s           10s        45s          aes256/aes256     sha1/sha1        modp1024/modp1024
      Redundant Tunnels - Virtual Network Gateway       V2   9h            9h               10s        30s          aes256/aes256     sha1/sha1        modp1024/modp1024
      Redundant Tunnels - Virtual WAN                   V2   8h            1h               10s        30s          aes256/aes256     sha256/sha256    modp2048/modp2048

    Other tunnel types
      Alibaba Cloud                                     V1   8h            1h               10s        30s          aes256/aes256     sha1/sha1        modp1024/modp1024
      IBM Cloud                                         V1   8h            1h               10s        30s          aes256/aes256     sha256/sha256    ecp521/ecp521

    (1) Suggested values. For other supported ciphers, see this Google article.

  8. Click Add Tunnel.