
VPNs and SmartLSM Security Gateways

In This Section:

Configuring VPNs on SmartLSM Security Gateways

Creating VPNs for SmartLSM Security Gateways

Sample VPN Rules for a SmartLSM Security Gateway

VPN with One or More LSM Profiles

Special Considerations for VPN Routing

Configuring VPNs on SmartLSM Security Gateways

Secured communication between your CO gateway and the SmartLSM Security Gateways is dependent on correct configuration of the Virtual Private Network.

You can define how the VPN domain of a selected SmartLSM Security Gateway is encrypted. You can change the keys as needed and perform other VPN maintenance and change management operations. Before you can configure the IKE certificate, you must have already defined Certificate Authority servers as objects in SmartDashboard. See the R77 Security Management Administration Guide.

Note - After you change the CO gateway configuration, it can be necessary to create a new certificate. This is especially important when there are topology changes.

To configure the VPN encryption of a selected SmartLSM Security Gateway:

  1. Open the SmartLSM Security Gateway window and select the Topology tab.
  2. Define a VPN domain.
  3. Select the VPN tab.

    If, when you created this SmartLSM Security Gateway in the New SmartLSM Security Gateway wizard, you cleared the I wish to create a VPN Certificate from the Internal CA check box, you can select VPN Not supported. No IKE certificate will be generated. You can change this setting at any time.

    If you want this SmartLSM Security Gateway to participate in a VPN, continue with the next steps.

  4. Select Use Certificate Authority Certificate.

    If you selected the I wish to create a VPN Certificate from the Internal CA check box in the wizard, this option is automatically selected and cannot be edited.

  5. From the Certificate Authority Name drop-down list, select a CA server object that was previously defined in SmartDashboard.

    If you cleared the I wish to create a VPN Certificate from the Internal CA check box in the wizard, you can select a third-party CA from this list.

    If you selected the I wish to create a VPN Certificate from the Internal CA check box in the wizard, the Check Point Internal CA is selected and cannot be edited.

  6. If you select a third-party CA in Certificate Authority Name, provide a Key Identifier or Authorization Code, as instructed by the CA.
  7. If this SmartLSM Security Gateway does not yet have an initiated IKE certificate, click Generate.

    If you want to generate a new IKE certificate, click Reset.

    The Distinguished Name (DN) of the SmartLSM Security Gateway's certificate is provided automatically and cannot be edited.

  8. To apply a new IKE certificate, update the CO gateway.

Creating VPNs for SmartLSM Security Gateways

The previous sections explained how to configure a SmartLSM Security Gateway to be part of a VPN. This section explains how to create the VPN itself in SmartDashboard. Before doing so, you must have first configured, in SmartProvisioning, the SmartLSM Security Gateways to support VPN participation.

To create a VPN tunnel between a SmartLSM Security Gateway and a CO gateway:

  1. Open SmartDashboard.
  2. Define a VPN Star Community (IPsec VPN > New > Star Community).
  3. Open Star Community Properties > Central Gateways, click Add, select the CO gateway from the displayed list, and click OK.
  4. Open Star Community Properties > Satellite Gateways, click Add, select the SmartLSM Security Gateway or SmartLSM Security Profile from the displayed list, and click OK.

    If you select the profile, rather than a single gateway, all SmartLSM Security Gateways that reference this SmartLSM Security Profile are added to the VPN community, if they are configured with the ability to participate in a VPN (see Configuring VPNs on SmartLSM Security Gateways).

  5. Open Star Community Properties > Advanced Settings > Advanced VPN Properties, and specify the IKE Phase properties.
  6. Open Star Community Properties > Advanced Settings > Shared Secret, and clear the Use only Shared secret for all External Members check box.
  7. Open Security Policy Rule Base, and create a rule base defining the services allowed for the VPN community. See Example Rules for VPN with SmartLSM Security Gateway.
  8. Install the Security Policy with this rule on the CO gateway.

    A topology file and a certificate are downloaded to the SmartLSM Security Gateway, listing the members of the VPN community and specifying encryption information.

After you have created the VPN tunnel in SmartDashboard, perform the following:

  1. Update the CO gateway. See Updating Corporate Office Gateways.
  2. Establish the VPN tunnel. Send a test connection with an allowed service (according to the rules created in Security Policy Rule Base) and then use SmartView Monitor or SmartView Tracker to verify that the test was successfully encrypted, sent, and received.

Sample VPN Rules for a SmartLSM Security Gateway

Creating VPNs for SmartLSM Security Gateways includes a step for creating a rule in SmartDashboard's Security Policy Rule Base that defines the services for the VPN community. This section provides examples of such a rule base.

In the rules, the following Dynamic Objects are used:

  • MyComm: Resolves to the IP address range of the VPN Community.
  • MyCO: Resolves to the IP address of the CO gateway.
  • CO_VPN: Resolves to the IP address range of the encryption domain of the CO gateway.
  • Edge_Net: Resolves to the IP address range of exposed UTM-1 Edge SmartLSM Security Gateways, or the network behind the UTM-1 Edge gateway.

Rule for Outgoing Connections

  Source   Destination   VPN           Service       Action   Install On
  Any      Any           MyCommunity   ftp, telnet   Accept   MyCO

VPN Rules for Incoming Connections

  Source     Destination   VPN           Service       Action   Install On
  Edge_Net   CO_VPN        MyCommunity   ftp, telnet   Accept   MyProfile
  CO_VPN     Edge_Net      MyCommunity   ftp, telnet   Accept   MyProfile

VPN with One or More LSM Profiles

You can configure a VPN star community between two SmartLSM Profiles. The procedures below show a SmartLSM Profile Gateway and Cluster. You can also configure the community with two SmartLSM Profile Clusters or two SmartLSM Profile Gateways. All included SmartLSM Profile Gateways and Clusters must have the IPsec VPN blade enabled.

The procedure requires configuration in:

  • SmartDashboard
  • Security Management Server CLI
  • SmartProvisioning Console
  • Center Gateway CLI

Using SmartDashboard

In SmartDashboard create network objects that represent the VPN community members and their networks. You must create a star community with To center and to other satellites through center as the selected option for VPN Routing (Star Community Properties > Advanced Settings > VPN Routing).

To configure a VPN star community between two SmartLSM Profiles in SmartDashboard:

  1. Create and configure a SmartLSM Profile Cluster.

    When you configure the topology, make sure that the interface name exactly matches the name of the physical interface.

  2. Create and configure a SmartLSM Profile Gateway.
  3. Create a regular Security Gateway to be the Center Gateway.

    Note - Security Gateway 80 gateways cannot be the Center Gateway.

  4. Create a VPN Star Community, select IPsec VPN > New > Star Community.
    1. Select Center Gateways from the tree.
    2. Click Add and select the Security Gateway that you created to be the Center Gateway.
    3. Select Satellite Gateways from the tree.
    4. Click Add and select the SmartLSM Profile Cluster and SmartLSM Profile Gateway (or second cluster).
    5. Select Advanced Settings > VPN Routing from the tree.
    6. Select To center and to other satellites through center.
  5. Create a Network object that represents the internal network of each satellite in the VPN community.
    1. From the Network Objects tree, right-click Networks and select Network.
    2. In the Network Address field, enter the IP address that represents the internal IP address of the satellite. If the satellite is a cluster, enter the internal Virtual IP.
  6. Create a Node object that represents the external IP address of each satellite in the VPN community.
    1. From the Network Objects tree, right-click Nodes and select Node > Gateway.
    2. In the IP Address field, enter the IP address that represents the external IP address of the satellite. If the satellite is a cluster, enter the external Virtual IP.
  7. Create a Group object that represents the networks for each satellite object:
    1. From the Network Objects tree, right-click and select New > Groups > Simple Group.
    2. Enter a Name for the group that is unique for one satellite.
    3. Select the Network object that you created for that satellite's internal network and click Add.
    4. Select the Node object that you created for that satellite's external IP address and click Add.
  8. Create a Group object that represents the Center Gateway.
    1. From the Network Objects tree, right-click and select New > Groups > Simple Group.
    2. Enter a Name for the group that is unique for the Center Gateway.
    3. Select the Gateway object and click Add.

Using the CLI

Edit the routing table of the Domain Management Server or Security Management Server to enable two SmartLSM Profile Gateways or Clusters to communicate with each other through the Center Gateway. Do this in the vpn_route.conf file in the CLI.

To edit the vpn_route.conf file:

Open the vpn_route.conf file.

  • In a Multi-Domain Security Management environment, on a Domain Management Server:
    • If satellites are 80 series Gateways or Clusters:
      /var/opt/CPmds-<version>/customers/<Domain Management Server_name>/CPSG80CMP-<version>/conf/vpn_route.conf
    • If satellites are on a different SecurePlatform appliance or open server:
      /opt/CPmds-<version>/customers/<Domain Management Server_name>/CPsuite-<version>/fw1/conf/vpn_route.conf
  • In a Security Management Server environment:
    • If satellites are 80 series Gateways or Clusters:
      /opt/CPSG80CMP-<version>/conf/vpn_route.conf
    • If satellites are on a different SecurePlatform appliance or open server:
      /opt/CPsuite-<version>/fw1/conf/vpn_route.conf

If two SmartLSM Gateways on different LSM Gateway profiles will communicate with each other through the Center gateway, edit the file:

  # destination                                                        router             [install on]
  <Simple Group Name of internal network of SmartLSM Gateway>          <Center Gateway>   <Name of second LSM Profile>
  <Simple Group Name of internal network of second SmartLSM Gateway>   <Center Gateway>   <Name of LSM Profile>

If more than one SmartLSM Gateway in the same LSM Profile will communicate with each other through the Center gateway, edit the file:

  # destination                                                 router             [install on]
  <Simple Group Name of internal network of SmartLSM Gateway>   <Center Gateway>   <Name of LSM Profile>

Install policy on the SmartLSM Profiles and on the Center Gateway.

Completing the Configuration

Complete the configuration in the SmartProvisioning Console and the CLI of the Center Gateway.

To complete the VPN configuration:

  1. Open the SmartProvisioning Console.
  2. Create a new SmartLSM Cluster or Gateway based on the type of device you have: select File > New and choose the matching option.
  3. Generate a VPN certificate for each Gateway or Cluster member:
    1. Open the cluster or gateway object > VPN tab.
    2. Select Use Certificate Authority Certificate.
    3. Click Generate.
    4. Do these steps again for each cluster member.

      Note - If topology information, including date and time, changes after you generate the certificate, you must generate a new certificate in the VPN tab and update the gateway (Actions > Update Gateway).

  4. In the CLI of the Center Gateway, run: LSMenabler on
  5. In the SmartProvisioning GUI Console, right-click the Center Gateway and select Actions > Update Corporate Office Gateway.
  6. In the Topology tab of each object, make sure that the topology of provisioned objects is correct for each device:
    • Make sure that the interfaces have the same IP addresses as the actual gateways.
    • Make sure that the external and internal interfaces are recognized and configured correctly as "External" and "Internal".
    • If the interfaces show without IP addresses, click Get Actual Settings.
  7. In the Topology tab, configure the VPN domain:
    • For SmartLSM Profile Gateways, choose an option.
    • For SmartLSM Profile Clusters, select Manually defined and manually add the encryption domains that you want to include.
  8. Push Policy.

All traffic between the satellites and Center Gateway is encrypted.

Special Considerations for VPN Routing

VPN Routing for SmartLSM Security Gateways

The VPN routing option To center and to other satellites through center is not supported by SmartLSM Security Gateways. This procedure explains how to overcome this limitation.

To configure VPN routing through SmartLSM Security Gateways, enable VPN Routing for a hub and spoke configuration, by editing the vpn_route.conf file on the Security Management Server.

For example:

  1. Generate a group that contains the encryption domains of all the satellite SmartLSM Security Gateways, and call it SmartLSM_domain.
  2. Generate a group that contains all the central gateways, and call it Center_gws.
  3. In vpn_route.conf, add the rule:

  Destination       Router       Install On
  SmartLSM_domain   Center_gws   SmartLSM_profile

You can have a Star VPN topology for multiple routing gateways, if one of these conditions is met.

  • The gateways are listed under Install On in vpn_route.conf.
  • The satellite gateways selected in SmartDashboard are also NGX R65 or higher gateways.

    For more information, see Route Based VPN in the R77 VPN Administration Guide.
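The vpn_route.conf entries from Using the CLI above and the hub-and-spoke rule in this section, as an added example that is not Check Point's code: it builds the two-profile and same-profile route lines, parses them back, and flags a router that is not the Center Gateway or an unknown LSM Profile. The Simple Group, profile and gateway names are assumptions; the whitespace-separated three-column layout with '#' comments follows the templates above.

```python
# Added example (not Check Point code): generate and sanity-check vpn_route.conf
# entries as described above. Format: whitespace-separated "destination router
# install_on" lines, '#' starts a comment. All names here are assumed placeholders.
from collections import defaultdict

def generate_routes(satellites, center):
    """satellites: (internal-network Simple Group, LSM Profile) pairs.
    A satellite reachable by another profile is routed via the Center Gateway
    and installed on that other profile; when a profile holds several
    satellites, each is also installed on its own profile."""
    by_profile = defaultdict(list)
    for group, profile in satellites:
        by_profile[profile].append(group)
    routes = []
    for group, profile in satellites:
        for other in by_profile:
            if other != profile:
                routes.append((group, center, other))
        if len(by_profile[profile]) > 1:
            routes.append((group, center, profile))
    return routes

def render_vpn_route_conf(routes):
    """Serialise routes as vpn_route.conf text with a comment header."""
    lines = ["# destination\trouter\t[install on]"]
    lines += ["\t".join(route) for route in routes]
    return "\n".join(lines) + "\n"

def parse_vpn_route_conf(text):
    """Parse vpn_route.conf text; skip comments/blank lines, reject malformed ones."""
    routes = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields: {raw!r}")
        routes.append(tuple(fields))
    return routes

def check_routes(routes, routers, profiles):
    """Return problems: router must be a Center Gateway (or the central-gateway
    group) and install_on must be a known LSM Profile."""
    problems = []
    for dest, router, install_on in routes:
        if router not in routers:
            problems.append(f"{dest}: router {router!r} is not a Center Gateway")
        if install_on not in profiles:
            problems.append(f"{dest}: unknown LSM Profile {install_on!r}")
    return problems
```

Run check_routes on the parsed file before installing policy; an entry whose router is a satellite rather than the Center Gateway will not give the hub-and-spoke routing this section describes.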

UTM-1 Edge Clusters

A UTM-1 Edge Cluster (formerly known as a SmartLSM cluster) is a logical entity that provides high-availability VPN connectivity by using two UTM-1 Edge devices, each serving as an entry point to the same network. In a UTM-1 Edge cluster:

  • There are only two UTM-1 Edge devices
  • The devices belong to the same VPN domain. A device can only participate in one cluster at a time.
  • There is no state synchronization between the devices: if the active UTM-1 Edge cluster member becomes unavailable, users are not automatically connected to the other member. The party that initiated the communication must actively intervene to reconnect the users.

To create a topology in which two UTM-1 Edge SmartLSM Security Gateways serve as entry points to the same network, a mechanism such as VRRP clustering must be configured for that network. This configuration handles the routing in situations where only one of the gateways is available, as well as in situations where both of the gateways are available.

VRRP Configuration Prerequisites for UTM-1 Edge clusters

  • The internal (LAN) interfaces of both devices are configured with different IP addresses.
  • Both internal interfaces need a third, shared IP address, which is used by the member designated as the VRRP master. (The VRRP master designates which UTM-1 Edge cluster member is active.)
  • The external interfaces of both devices need to have different IP addresses.
  • The VPN domains of both gateways have to be the same.

The Corporate Office (CO) gateway recognizes that the two UTM-1 Edge SmartLSM Security Gateways in any UTM-1 Edge cluster represent entry points to the same network. When the CO gateway initiates communication with that network, it communicates with the UTM-1 Edge cluster member that last communicated with the CO gateway. (The CO gateway may recognize several UTM-1 Edge clusters, on different networks.)

Creating UTM-1 Edge clusters

To create a UTM-1 Edge cluster:

  1. In SmartProvisioning, right-click a UTM-1 Edge SmartLSM Security Gateway that you want to designate as a member of the UTM-1 Edge cluster.
  2. Select Actions > Define UTM-1 Edge cluster.
  3. Check that the gateway name displayed in the First Member field is the gateway that you want to be the primary gateway of the UTM-1 Edge cluster. If it is not, click Find to select another gateway.
  4. In the Search to field, begin to type the name of the gateway that you want to add to the cluster and then click Find.

    The Search SmartLSM Security Gateway window displays UTM-1 Edge SmartLSM Security Gateways that may be selected to join the cluster.

  5. Select the gateway that you want and then click OK.
  6. In the Define UTM-1 Edge cluster window, in the Second Member field, click Find and select the second member of the UTM-1 Edge cluster.
  7. Click OK.

Viewing UTM-1 Edge Cluster Pairs

To view the name of the gateway that participates in a UTM-1 Edge cluster:

  1. From SmartProvisioning, open the UTM-1 Edge SmartLSM Security Gateway window.
  2. Click the Details tab.

Deleting or Changing UTM-1 Edge Clusters

To change one member of a UTM-1 Edge cluster, you must first remove the existing UTM-1 Edge cluster and then create the new one.

To delete a UTM-1 Edge cluster:

From SmartProvisioning, right-click a gateway in the pair and select Actions > Remove UTM-1 Edge cluster.

 
©2014 Check Point Software Technologies Ltd. All rights reserved.