VPN Communities

What can I do here?

In this window you can add, edit, and delete VPN communities and change their gateway assignments.

Getting Here

SmartConsole > Security Policies > Access Control > Policy > Access Tools > VPN Communities

Setting up Site-to-Site VPN between Gateways

Scenario: Two Check Point gateways are managed by the same Security Management Server. How do you create a site-to-site VPN between the two gateways so that they can communicate securely?

Overview of the Workflow:

  1. Create the gateway objects in SmartConsole and make sure that IPsec VPN is enabled on each one.
  2. Generate internal CA certificates for each gateway (done automatically).
  3. Create the VPN Community.
  4. Define the VPN Domain.
  5. Make sure that the VPN will work with your configured routing, or change the routing or link selection settings as necessary.
  6. Create rules for the traffic.
  7. Install the Access Control Policy.

Enabling IPsec VPN on a Gateway

Site-to-Site VPN requires two or more gateways with the IPsec VPN Software Blade enabled. Other Software Blades can be enabled on the same gateway.

Make sure that Trusted Communication is established between all gateways and the Security Management Server.

To enable the IPsec VPN Software Blade on a gateway:

  1. In SmartConsole, open a gateway object.
  2. On the General Properties page, in the Network Security tab, select IPsec VPN.
  3. Click OK.

    An internal CA certificate for the gateway is created automatically.

Defining the VPN Domain for a Gateway

The VPN Domain, also called the Encryption Domain, defines the networks and IP addresses that are included in the VPN community. When you create a Check Point gateway object, the VPN Domain is automatically defined as all IP addresses behind the gateway, based on the topology information.

You can manually define the VPN domain to include one or more networks. You must have a Network object or Network Group object that represents the domain.

To manually define the VPN Domain:

  1. In SmartConsole, open a gateway object.
  2. Open the Network Management > VPN Domain page.
  3. Select Manually defined and do one of the following:
    • Browse to the object list and select an existing object that represents the domain.
    • Browse to the object list and click New > Group or Network to define a new Network or Group object for the domain.
  4. Click OK.

Creating a VPN Community

You can create a Meshed or Star VPN Community. The procedure below shows an example of a Star Community.

To create a new VPN community:

  1. In SmartConsole, on the Security Policies tab, in the Access Tools area, click VPN Communities.
  2. Click the New icon and select Star Community.

    A New Star Community window opens.

  3. Enter a name for the VPN Community.
  4. In the Center Gateways area, click the plus icon to add one or more gateways to be in the center of the community.
  5. In the Satellite Gateways area, click the plus icon to add one or more gateways to be around the center gateway.
  6. Click OK.

    The Community uses the default encryption and VPN Routing settings.

  7. Optional: Edit more settings for the VPN Community in the community object.
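
The same workflow, scripted with the Check Point Management API command-line client (mgmt_cli) instead of the SmartConsole windows above; this is an added example, not code from the help page or from Check Point. It assumes gateway objects gw-center, gw-sat1 and gw-sat2 already exist with Trusted Communication established, that network objects net-center, net-sat1 and net-sat2 and a group net-satellites represent their encryption domains, that the Access Control layer is named Network in policy package standard, and that vpn-settings.vpn-domain-type accepts the value manual (confirm against the API reference for your release).

```shell
# Runs on the Security Management Server as a local admin (-r true skips login).
# Override MGMT_CLI (e.g. MGMT_CLI=echo) to dry-run and inspect the commands.
mgmt() { "${MGMT_CLI:-mgmt_cli}" "$@" -r true; }

# Step 1: enable the IPsec VPN blade on an existing gateway object (SIC already
# established). Step 2, the internal CA certificate, is issued automatically.
enable_ipsec_vpn() {
    mgmt set simple-gateway name "$1" ipsec-vpn true
}

# Step 4: pin the VPN (encryption) domain to an explicit network object instead
# of the topology default "all IP addresses behind the gateway". The value
# "manual" for vpn-domain-type is an assumption taken from the API reference.
set_vpn_domain() {
    mgmt set simple-gateway name "$1" \
        vpn-settings.vpn-domain "$2" vpn-settings.vpn-domain-type manual
}

# Step 3: create a Star community; $1 name, $2 center gateway, rest satellites.
create_star_community() {
    name="$1"; center="$2"; shift 2
    i=1; sats=""
    for gw in "$@"; do sats="$sats satellite-gateways.$i $gw"; i=$((i + 1)); done
    # $sats is intentionally unquoted so each "satellite-gateways.N gw" pair
    # becomes separate arguments (object names must not contain spaces).
    mgmt add vpn-community-star name "$name" center-gateways.1 "$center" $sats
}

# Step 6: accept traffic between the encryption domains only when it arrives
# through the community (vpn column), and log it so the SOC can see tunnels.
add_vpn_rule() {
    mgmt add access-rule layer Network position top name "$1" \
        source "$2" destination "$3" vpn "$4" action Accept track.type Log
}

# Steps 1-7 in order for one center and two satellites, then publish and
# install the Access Control policy (step 7) on every community member.
deploy() {
    for gw in gw-center gw-sat1 gw-sat2; do enable_ipsec_vpn "$gw"; done
    set_vpn_domain gw-center net-center
    set_vpn_domain gw-sat1 net-sat1
    set_vpn_domain gw-sat2 net-sat2
    create_star_community S2S-Star gw-center gw-sat1 gw-sat2
    add_vpn_rule "Center to satellites" net-center net-satellites S2S-Star
    add_vpn_rule "Satellites to center" net-satellites net-center S2S-Star
    mgmt publish
    mgmt install-policy policy-package standard access true \
        targets.1 gw-center targets.2 gw-sat1 targets.3 gw-sat2
}

# Runs the deployment only when invoked as: sh s2s_vpn.sh deploy
if [ "${1:-}" = deploy ]; then deploy; fi
```

Step 5 (routing and link selection) is deliberately left out, since it depends on which interface holds the main IP address; check it in the gateway object before installing policy.
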

More VPN Community Settings

In addition to the gateway members, you can edit these settings for the VPN Community in the community object:

Confirming VPN Routing

By default, IPsec VPN uses the main IPv4 Address, defined in the General Properties page of the Gateway, for the VPN tunnel connection.

If you want to use this IP address for the VPN communication, and it is an external interface, you do not need additional routing.

If the main IP address is an internal interface, or if you want VPN communication on a different interface, make sure that:

Understanding VPN Communities

VPN Communities

VPN Topologies

Meshed VPN Community

Star VPN Community

Access Control and VPN Communities

Routing Traffic within a VPN Community

VPN Community Options

Click a listed community to see the gateways that belong to it, and the encryption algorithms used in the VPN communications.