VPN Communities
What can I do here?
In this window you can add, edit, and delete VPN communities and change their gateway assignments.
Getting Here - SmartConsole > Security Policies > Access Control > Policy > Access Tools > VPN Communities
Setting up Site-to-Site VPN between Gateways
Scenario: Two Check Point gateways are managed by the same Security Management Server. How do you create a site-to-site VPN between the two gateways so that they can communicate securely?
Overview of the Workflow:
- Create the gateway objects in SmartConsole and make sure that IPsec VPN is enabled on each one.
- Generate internal CA certificates for each gateway (done automatically).
- Create the VPN Community.
- Define the VPN Domain.
- Make sure that the VPN will work with your configured routing, or change the routing or link selection settings as necessary.
- Create rules for the traffic.
- Install the Access Control Policy.
Enabling IPsec VPN on a Gateway
Site-to-Site VPN requires two or more gateways with the IPsec VPN Software Blade enabled. Other Software Blades can be enabled on the same gateway.
Make sure that Trusted Communication is established between all gateways and the Security Management Server.
To enable the IPsec VPN Software Blade on a gateway:
- In SmartConsole, open a gateway object.
- On the page, in the tab, select .
- Click .
An internal CA certificate for the gateway is created automatically.
Defining the VPN Domain for a Gateway
The VPN Domain defines the networks and IP addresses behind a gateway that take part in the VPN community; only traffic between the VPN Domains of community members is encrypted. It is also called the Encryption Domain. When you create a Check Point gateway object, the VPN Domain is automatically defined as all IP addresses behind the gateway, based on the topology information.
You can manually define the VPN Domain to include one or more networks, which is the usual choice when only part of the network behind the gateway (for example the LAN but not the DMZ) should be reachable over the VPN. You must have a Network object or Network Group object that represents the domain.
To manually define the VPN Domain:
- In SmartConsole, open a gateway object.
- Open the > page.
- Select and:
- Browse to the object list and select an object that represents the domain.
- Browse to the object list and click > or to define a new group of machines or network.
- Click .
Creating a VPN Community
You can create a Meshed or Star VPN Community. The procedure below shows an example of a Star Community.
To create a new VPN community:
- In SmartConsole > tab, in the area, click .
- Click the icon and select .
A window opens.
- Enter a name for the VPN Community.
- In the area, click the plus icon to add one or more gateways to be in the center of the community.
- In the area, click the plus icon to add one or more gateways to be around the center gateway.
- Click .
The Community uses the default encryption and VPN Routing settings.
- Optional: Edit more settings for the VPN Community in the community object.
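The same workflow (enable IPsec VPN, set a manual VPN Domain, create the Star Community, add the rule, publish and install) driven through the Check Point Management API instead of SmartConsole, as an added example that is not code from the Check Point guide. It assumes the Management web API (a JSON POST to https://<mgmt>/web_api/<command>, with the session id in the X-chkp-sid header) and the command and field names used below; verify them against the API reference for your release. The gateway, network and community names are constructed sample values.

```python
"""Site-to-site VPN workflow driven through the Check Point Management API.

Added example, not code from the Check Point guide. It assumes the Management
web API (POST https://<mgmt>/web_api/<command> with a JSON body, session id
in the X-chkp-sid header) and the command and field names used below; check
them against the API reference of your release. All gateway, network and
community names are constructed sample values.
"""
import json
import ssl
import urllib.request


def plan_site_to_site(center_gw, center_domain, satellite_gw, satellite_domain,
                      community="Star_HQ", layer="Network", package="Standard"):
    """Return the ordered API calls (command, body) for the workflow:
    enable IPsec VPN and set a manual VPN Domain on each gateway, create a
    Star Community, add an access rule scoped to the community, publish the
    session and install the Access Control policy on both gateways."""
    steps = []
    for gw, domain in ((center_gw, center_domain), (satellite_gw, satellite_domain)):
        steps.append(("set-simple-gateway", {
            "name": gw,
            "vpn": True,  # IPsec VPN Software Blade; the ICA certificate is issued automatically
            "vpn-settings": {"vpn-domain-type": "manual", "vpn-domain": domain},
        }))
    steps.append(("add-vpn-community-star", {
        "name": community,
        "center-gateways": [center_gw],
        "satellite-gateways": [satellite_gw],
        "encryption-method": "ikev2 only",        # no IKEv1 fallback
        "encryption-suite": "suite-b-gcm-256",
    }))
    steps.append(("add-access-rule", {
        "layer": layer,
        "position": "top",
        "name": f"{community} HTTP",
        "source": [center_domain, satellite_domain],
        "destination": [center_domain, satellite_domain],
        "vpn": community,  # VPN column: matches only traffic between community members
        "service": ["http"],
        "action": "Accept",
    }))
    steps.append(("publish", {}))
    steps.append(("install-policy", {
        "policy-package": package,
        "access": True,
        "targets": [center_gw, satellite_gw],
    }))
    return steps


def run(steps, mgmt_host, user, password):
    """Execute the plan against a Management Server. TLS verification stays
    on: the management API carries credentials and the whole policy."""
    ctx = ssl.create_default_context()

    def call(command, body, sid=None):
        headers = {"Content-Type": "application/json"}
        if sid:
            headers["X-chkp-sid"] = sid
        req = urllib.request.Request(f"https://{mgmt_host}/web_api/{command}",
                                     data=json.dumps(body).encode(),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)

    sid = call("login", {"user": user, "password": password})["sid"]
    try:
        return [call(command, body, sid) for command, body in steps]
    except Exception:
        call("discard", {}, sid)  # drop the unpublished changes on failure
        raise
    finally:
        call("logout", {}, sid)


if __name__ == "__main__":
    # Print the plan without touching a server; pass it to run() to apply it.
    for command, body in plan_site_to_site("gw-hq", "net-hq-lan",
                                           "gw-branch", "net-branch-lan"):
        print(command, json.dumps(body))
```

Because the rule carries the community name in its VPN column, it matches only HTTP traffic between the two VPN Domains; the same flows outside the community would fall through to later rules, which is the behaviour described under Access Control and VPN Communities below.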
More VPN Community Settings
In addition to the gateway members, you can edit these settings for the VPN Community in the community object:
- - Select to encrypt and decrypt all traffic between the Security Gateways. If this is not selected, create rules in the Security Policy Rule Base to allow encrypted traffic between community members.
- - Select encryption settings that include the and . See VPN Community Object - Encryption Settings.
- - Select settings for VPN tunnels, including and Tunnel Sharing. See Configuring Tunnel Features.
- - For Star Communities, select how VPN traffic is routed between the center and satellite gateways. By default this is always set to . See Configuring Domain Based VPN.
- - For Star Communities, select how the entry gateway for VPN traffic is chosen. This only applies when you have multiple center gateways in the community. See Configuring MEP.
- - Add services that are not to be encrypted, for example Firewall control connections. VPN tunnels are not created for the Services included here.
- - Configure shared secret authentication to use for communication with external gateways that are part of a VPN community. See Configuring a VPN with External Security Gateways Using Pre-Shared Secret.
- - Select to define internal interfaces and communities as trusted and bypass the firewall for some communication. See Configuring Wire Mode.
- - Configure advanced settings related to IKE, IPsec, and NAT. You can also to revert all VPN Community settings to their default values. See Configuring Advanced IKE Properties.
Confirming VPN Routing
By default, IPsec VPN uses the main , defined in the page of the Gateway, for the VPN tunnel connection.
If you want to use this IP address for the VPN communication, and it is an external interface, you do not need additional routing.
If the main IP address is an internal interface, or if you want VPN communication on a different interface, make sure that:
- The settings for the gateway are configured. Choose which gateway links are used by VPN to route traffic correctly.
- VPN Routing is configured to allow the connections. For information on how to configure routing in Gaia OS, see the R80.30 Gaia Administration Guide - Chapter Network Management.
Understanding VPN Communities
VPN Communities
Creating VPN tunnels between Security Gateways is made easier through the configuration of VPN communities. A VPN community is a collection of VPN enabled gateways capable of communicating via VPN tunnels.
To understand VPN Communities, a number of terms need to be defined:
- VPN Community member. Refers to the Security Gateway that resides at one end of a VPN tunnel.
- VPN domain. Refers to the hosts behind the Security Gateway. The VPN domain can be the whole network that lies behind the Security Gateway or just a section of that network. For example a Security Gateway might protect the corporate LAN and the DMZ. Only the corporate LAN needs to be defined as the VPN domain.
- VPN Site. Community member plus VPN domain. A typical VPN site would be the branch office of a bank.
- VPN Community. The collection of VPN tunnels/links and their attributes.
- Domain Based VPN. Routing VPN traffic based on the encryption domain behind each Security Gateway in the community. In a star community, satellite Security Gateways can communicate with each other through center Security Gateways.
- Route Based VPN. Traffic is routed within the VPN community based on the routing information, static or dynamic, configured on the Operating Systems of the Security Gateways.
The methods used for encryption and ensuring data integrity determine the type of tunnel created between the Security Gateways, which in turn is considered a characteristic of that particular VPN community.
A Security Management Server can manage multiple VPN communities, which means communities can be created and organized according to specific needs.
VPN Topologies
The most basic topology consists of two Security Gateways capable of creating a VPN tunnel between them. Security Management Server's support of more complex topologies enables VPN communities to be created according to the particular needs of an organization. Security Management Server supports two main VPN topologies:
Meshed VPN Community
A Mesh is a VPN community in which a VPN site can create a VPN tunnel with any other VPN site in the community.
Star VPN Community
A star is a VPN community consisting of central Security Gateways (or "hubs") and satellite Security Gateways (or "spokes"). In this type of community, a satellite can create a tunnel only with other sites whose Security Gateways are defined as central.
A satellite Security Gateway cannot create a VPN tunnel with a Security Gateway that is also defined as a satellite Security Gateway.
Central Security Gateways can create VPN tunnels with other Central Security Gateways only if the Mesh center Security Gateways option has been selected on the Central Security Gateways page of the Star Community Properties window.
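The topology rules above (mesh: any pair; star: satellite to center only, center to center only with Mesh center Security Gateways selected, satellite to satellite relayed through a center gateway under Domain Based VPN) written out as a small model, as an added example that is not code from the Check Point guide. The Community class, its field names and the gateway names are constructed for illustration.

```python
"""Which gateway pairs may build tunnels in a Meshed or Star community.

Added example, not code from the Check Point guide. The Community class and
the gateway names are constructed for illustration and model only the
topology rules stated in the text.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass
class Community:
    name: str
    topology: str                        # "meshed" or "star"
    gateways: frozenset = frozenset()    # meshed members
    center: frozenset = frozenset()      # star hubs
    satellites: frozenset = frozenset()  # star spokes
    mesh_center_gateways: bool = False   # star option "Mesh center Security Gateways"

    def members(self):
        return self.gateways | self.center | self.satellites

    def can_tunnel(self, a, b):
        """True if gateways a and b can terminate a tunnel between each other."""
        if a == b or not {a, b} <= self.members():
            return False
        if self.topology == "meshed":
            return True
        if a in self.center and b in self.center:
            return self.mesh_center_gateways
        if a in self.satellites and b in self.satellites:
            return False
        return True  # one center gateway and one satellite

    def tunnel_pairs(self):
        """All unordered gateway pairs that may share a tunnel."""
        return {frozenset(p) for p in combinations(sorted(self.members()), 2)
                if self.can_tunnel(*p)}

    def path(self, a, b):
        """Gateways traversed from a to b. Satellite-to-satellite traffic in a
        star community is relayed by a center gateway (Domain Based VPN);
        any other pair without a direct tunnel has no VPN path."""
        if self.can_tunnel(a, b):
            return [a, b]
        if self.topology == "star" and {a, b} <= self.satellites and self.center:
            return [a, min(self.center), b]
        return None


# Constructed sample communities
MESH = Community("Mesh_Branches", "meshed", gateways=frozenset({"gw1", "gw2", "gw3"}))
STAR = Community("Star_HQ", "star", center=frozenset({"hq1", "hq2"}),
                 satellites=frozenset({"br1", "br2"}))
STAR_MESHED_CENTER = Community("Star_HQ_mc", "star", center=frozenset({"hq1", "hq2"}),
                               satellites=frozenset({"br1", "br2"}),
                               mesh_center_gateways=True)

if __name__ == "__main__":
    for c in (MESH, STAR, STAR_MESHED_CENTER):
        print(c.name, sorted(tuple(sorted(p)) for p in c.tunnel_pairs()))
    print("br1 -> br2 via", STAR.path("br1", "br2"))
```

A practical consequence of the star rules: traffic between two satellites is decrypted and re-encrypted on the center gateway, so the center's VPN Domain and its routing must cover both satellite domains for that path to work.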
Access Control and VPN Communities
Configuring Security Gateways into a VPN community does not create a de facto access control policy between the Security Gateways. The fact that two Security Gateways belong to the same VPN community does not mean the Security Gateways have access to each other.
The configuration of the Security Gateways into a VPN community means that if these Security Gateways are allowed to communicate via an access control policy, then that communication is encrypted. Access control is configured in the Security Policy Rule Base.
Using the VPN column of the Security Policy Rule Base, it is possible to create access control rules that apply only to members of a VPN community, for example:
| Source | Destination | VPN | Services & Applications | Action |
|--------|-------------|-----|-------------------------|--------|
| Any | Any | Community_A | HTTP | Accept |
The connection is matched only if all the conditions of the rule are true, that is - it must be an HTTP connection between a source and destination IP address within VPN Community A. If any one of these conditions is not true, the rule is not matched. If all conditions of the rule are met, the rule is matched and the connection allowed.
It is also possible for a rule in the Security Policy Rule Base to be relevant for both VPN communities and host machines not in the community. For example:
This rule in the Security Policy Rule Base allows an HTTP connection from any internal IP address to any IP address:
| Source | Destination | VPN | Services & Applications | Action |
|--------|-------------|-----|-------------------------|--------|
| Any_internal_machine | Any | Any | HTTP | Accept |
An HTTP connection between host 1 and the internal web server behind Security Gateway 2 matches this rule. A connection between host 1 and a web server on the Internet also matches this rule; however, the connection between host 1 and the internal web server is a connection between members of a VPN community and passes encrypted, while the connection between host 1 and the Internet web server passes in the clear.
In both cases, the connection is simply matched to the Security Policy Rule; whether or not the connection is encrypted is dealt with on the VPN level. VPN is another level of security separate from the access control level.
Routing Traffic within a VPN Community
VPN routing provides a way of controlling how VPN traffic is directed. There are two methods for VPN routing:
- Domain Based VPN
- Route Based VPN
VPN Community Options
- > - Create a new Meshed Community. Opens the Meshed Community Properties window.
- > - Create a new Star Community. Opens the Star Community Properties window.
- - Change the selected community. Opens the Community Properties window.
- - Delete the selected community.
Click a listed community to see the gateways that belong to it, and the encryption algorithms used in the VPN communications.