Getting Started with Site-to-Site VPN
Setting up Site-to-Site VPN between Gateways
Scenario: Two Check Point gateways are managed by the same Security Management Server. How do you create a site-to-site VPN between the two gateways so that they can communicate securely?
Overview of the Workflow:
- Create the gateway objects in SmartConsole and make sure that IPsec VPN is enabled on each one.
- Generate internal CA certificates for each gateway (done automatically).
- Create the VPN Community.
- Define the VPN Domain.
- Make sure that the VPN will work with your configured routing, or change the routing or link selection settings as necessary.
- Create rules for the traffic.
- Install the Access Control Policy.
Enabling IPsec VPN on a Gateway
Site to Site VPN requires two or more gateways with the IPsec VPN Software Blade enabled. Other Software Blades can be enabled on the same gateway.
Make sure that Trusted Communication is established between all gateways and the Security Management Server.
To enable the IPsec VPN Software Blade on a gateway:
- In SmartConsole, open a gateway object.
- On the page, in the tab, select .
- Click .
An internal CA certificate for the gateway is created automatically.
Creating a VPN Community
You can create a Meshed or Star VPN Community. The procedure below shows an example of a Star Community.
To create a new VPN community:
- In SmartConsole > tab, in the area, click .
- Click the icon and select .
A window opens.
- Enter a name for the VPN Community.
- In the area, click the plus icon to add one or more gateways to be in the center of the community.
- In the area, click the plus icon to add one or more gateways to be around the center gateway.
- Click .
The Community uses the default encryption and VPN Routing settings.
- Optional: Edit more settings for the VPN Community in the community object.
More VPN Community Settings
In addition to the gateway members, you can edit these settings for the VPN Community in the community object:
- - Select to encrypt and decrypt all traffic between the Security Gateways. If this is not selected, create rules in the Security Policy Rule Base to allow encrypted traffic between community members
- - Select encryption settings that include the and . See VPN Community Object - Encryption Settings.
- - Select settings VPN tunnels that include and Tunnel Sharing. See Configuring Tunnel Features.
- -For Star Communities, select how VPN traffic is routed between the center and satellite gateways. By default this is always set to . See Configuring Domain Based VPN.
- - For Star Communities, select how the entry gateway for VPN traffic is chosen. This only applies when you have multiple center gateways in the community. See Configuring MEP.
- - Add services that are not to be encrypted, for example Firewall control connections. VPN tunnels are not created for the Services included here.
- - Configure shared secret authentication to use for communication with external gateways that are part of a VPN community. See Configuring a VPN with External Security Gateways Using Pre-Shared Secret.
- - Select to define internal interfaces and communities as trusted and bypass the firewall for some communication. See Configuring Wire Mode.
- - Configure advanced settings related to IKE, IPsec, and NAT. You can also to revert all VPN Community settings to their default values. See Configuring Advewanced IKE Properties.
Defining the VPN Domain for a Gateway
The VPN Domain defines the networks and IP addresses that are included in the VPN community. It is also called the Encryption Domain. When you create a Check Point gateway object, the VPN Domain is automatically defined as all IP Addresses behind the gateway, based on the topology information.
You can manually define the VPN domain to include one or more networks. You must have a Network object or Network Group object that represents the domain.
To manually define the VPN Domain:
- In SmartConsole, open a gateway object.
- Open the > page.
- Select and:
- Browse to the object list and select an object that represents the domain.
- Browse to the object list and click > or to define a new group of machines or network.
- Click .
Confirming VPN Routing
By default, IPsec VPN uses the main , defined in the page of the Gateway, for the VPN tunnel connection.
If you want to use this IP address for the VPN communication, and it is an external interface, you do not need additional routing.
If the main IP address is an internal interface, or if you want VPN communication on a different interface, make sure that:
- The settings for the gateway are configured. Choose which gateway links are used by VPN to route traffic correctly.
- VPN Routing is configured to allow the connections. For information how to configure routing in Gaia OS, see the R80.10 Gaia Administration Guide - Chapter Network Management.
Configuring Site to Site VPN Rules in the Access Policy
You must configure rules to allow traffic to and from VPN Communities. Configure rules in SmartConsole > > . All layers of the Access Control Policy can contain VPN rules.
To make a rule apply to a VPN Community, the column of the Rule Base must contain one of these:
- - The rules applies to all VPN Communities and to non-VPN related traffic. If you configure a new VPN Community after the rule was created, the rule also applies to the new VPN Community.
- One or more specified VPN communities - For example, Right-click in the VPN column of a rule and select . The rule applies to the communities shown in the VPN column.
Examples:
- This rule allows encrypted traffic between domains of member gateways of "community_X."
Name
|
Source
|
Destination
|
VPN
|
Services & Applications
|
|
|
|
|
|
- This rule allows traffic from all VPN Communities to the internal network on all services.
Name
|
Source
|
Destination
|
VPN
|
Services & Applications
|
|
|
|
|
|
- This rule allows traffic between two VPN domains with all services.
Name
|
Source
|
Destination
|
VPN
|
Services & Applications
|
|
|
|
|
|
Confirming that a VPN Tunnel Opens Successfully
To make sure that a VPN tunnel has successfully opened:
- Edit the VPN rule and select as the option.
- Click > .
- From the bottom of the window, click
Check Point SmartView Monitor opens
- Click the gateway to see IPsec VPN traffic and tunnels opened. A successful connection shows encrypt, decrypt and key install logs.
Alternatively:
- In SmartConsole click .
- On the tab, search for VPN to see the relevant logs.
- Open SmartView Monitor and see that VPN tunnels are up.