
VPNs and SmartLSM Security Gateways

In This Section:

Configuring VPNs on SmartLSM Security Gateways

Creating a VPN Community for SmartLSM Security Gateways

Sample VPN Rules for a SmartLSM Security Gateway

VPN with One or More LSM Profiles

Special Considerations for VPN Routing

Configuring VPNs on SmartLSM Security Gateways

Secured communication between your CO gateway and the SmartLSM Security Gateways depends on correct configuration of the Virtual Private Network.

You can define how the VPN domain of a selected SmartLSM Security Gateway is encrypted. You can change the keys as needed and perform other VPN maintenance and change management operations. Before you can configure the IKE certificate, you must have already defined Certificate Authority servers as objects in SmartConsole. See the R80.30 Security Management Administration Guide.

Note - After you change the CO gateway configuration, it can be necessary to create a new certificate. This is especially important when there are topology changes.

To configure the VPN encryption of a selected SmartLSM Security Gateway:

  1. Open the SmartLSM Security Gateway window and select the Topology tab.
  2. Define a VPN domain.
  3. Select the VPN tab.

    If, when you created this SmartLSM Security Gateway in the gateway creation wizard, you cleared the I wish to create a VPN Certificate from the Internal CA option, you can select VPN Not supported. No IKE certificate is generated. You can change this setting at any time.

    For this SmartLSM Security Gateway to participate in a VPN, continue with the next steps.

  4. Select Use Certificate Authority Certificate.

    If you selected I wish to create a VPN Certificate from the Internal CA in the wizard, this option is automatically selected and cannot be edited.

  5. From the Certificate Authority Name drop-down list, select a CA server object that was previously defined in SmartConsole.

    If you cleared I wish to create a VPN Certificate from the Internal CA in the wizard, you can select a third-party CA from this list.

    If you selected I wish to create a VPN Certificate from the Internal CA in the wizard, the Check Point Internal CA is selected and cannot be edited.

  6. If you select a third-party CA in Certificate Authority Name, enter a Key Identifier or Authorization Code, as instructed by the CA.
  7. If this SmartLSM Security Gateway does not yet have an IKE certificate, click Generate.

    If the gateway already has a certificate and you need to replace it (for example, after a topology change), click Reset to generate a new one.

    The Distinguished Name (DN) of the SmartLSM Security Gateway's certificate is assigned automatically and cannot be edited.

  8. To apply a new IKE certificate, update the CO gateway.

Creating a VPN Community for SmartLSM Security Gateways

This section explains how to create the VPN itself in SmartConsole. Before you do so, configure the SmartLSM Security Gateways in SmartProvisioning to support VPN participation (see Configuring VPNs on SmartLSM Security Gateways).

To create a VPN tunnel between a SmartLSM Security Gateway and a CO gateway:

  1. Open SmartConsole.
  2. Define a VPN Star Community: Security Policies > Access Control > Policy > Access Tools > VPN Communities > New > Star Community.
  3. In Gateways > Center Gateways, click Add, select the CO gateway from the displayed list.
  4. In Gateways > Satellite Gateways, click Add, select the SmartLSM Security Profile from the displayed list.

    When you select the profile, all SmartLSM Security Gateways assigned to this SmartLSM Security Profile are added to the VPN community. The gateways must be configured with the ability to participate in a VPN community (see Configuring VPNs on SmartLSM Security Gateways).

  5. In the Advanced tab, specify the IKE (Phase 1) properties.
  6. In the Shared Secret tab, clear Use only Shared secret for all External Members.
  7. Click OK.
  8. In Access Control > Policy, create a Rule Base that defines the services allowed for the VPN community. See Sample VPN Rules for a SmartLSM Security Gateway.
  9. Install the Security Policy with this rule on the CO gateway.

    A topology file and a certificate are downloaded to the SmartLSM Security Gateway, listing the members of the VPN community and specifying encryption information.

After you create the VPN tunnel in SmartConsole, do these steps:

  1. Update the CO gateway. See Updating Corporate Office Gateways.
  2. Establish the VPN tunnel. Send a test connection with an allowed service (according to the rules created in the Security Policy Rule Base) and use SmartView Monitor to make sure that the test was successfully encrypted, sent, and received. To access SmartView Monitor, go to the Logs & Monitor view > External Apps > Tunnel & User Monitoring.

Sample VPN Rules for a SmartLSM Security Gateway

Creating a VPN community for SmartLSM Security Gateways includes a step in which you add rules to SmartConsole's Security Policy Rule Base that define the services allowed for the VPN community.

The sample rules below use Dynamic Objects (Edge_Net and CO_VPN) as source and destination. A Dynamic Object resolves to addresses locally on each gateway, so one rule installed on a SmartLSM Profile gives the correct result on every gateway that uses that profile. The VPN column restricts each rule to traffic that is encrypted in MyCommunity.

Rule for Outgoing Connections

    Source   Destination   VPN           Service       Action   Install On
    Any      Any           MyCommunity   ftp, telnet   Accept   MyCO

VPN Rules for Incoming Connections

    Source     Destination   VPN           Service       Action   Install On
    Edge_Net   CO_VPN        MyCommunity   ftp, telnet   Accept   MyProfile
    CO_VPN     Edge_Net      MyCommunity   ftp, telnet   Accept   MyProfile

VPN with One or More LSM Profiles

You can configure a VPN star community between two SmartLSM Profiles. The procedures below show a SmartLSM Gateway Profile and SmartLSM Cluster Profile. You can also configure the community with two SmartLSM Cluster Profiles or two SmartLSM Gateway Profiles. All included SmartLSM Gateways and Cluster Profiles must have the IPsec VPN blade enabled.

The procedure requires configuration in SmartConsole, in the CLI of the Security Management Server (the vpn_route.conf file), and in the SmartProvisioning Console together with the CLI of the Center Gateway. Each part is described in the sections below.

Configuring a VPN Star Community in SmartConsole

In SmartConsole, create network objects that represent the VPN community members and their networks. You must create a star community with To center and to other satellites through center as the selected option for VPN Routing in the Star Community Properties.

To configure a VPN star community between two SmartLSM Profiles in SmartConsole:

  1. In SmartConsole, create and configure a SmartLSM Cluster Profile.

    When you configure the topology, make sure that the interface name exactly matches the name of the physical interface.

  2. Create and configure a SmartLSM Gateway Profile.
  3. Create a Security Gateway to be the Center Gateway.

    Note - Small Office Appliance cannot be the Center Gateway.

  4. In SmartConsole > Security Policies > Access Control > Access Tools, click VPN Communities.
  5. Click the New icon and select Star Community.

    A New Star Community window opens.

    1. Enter a name for the VPN Community.
    2. In the Center Gateways area, click the plus icon to add one or more gateways to be in the center of the community.
    3. In the Satellite Gateways area, click the plus icon and select the SmartLSM Cluster Profile and the SmartLSM Gateway Profile (or the second cluster profile).
    4. In VPN Routing, select To center and to other satellites through center.
  6. Click OK.
  7. Create a Network object that represents the internal network of each satellite in the VPN community.
    1. From the Objects bar, select New > Network Object > Network.
    2. In the Network Address field, enter the address of the satellite's internal network. If the satellite is a cluster, enter the internal Virtual IP.
  8. Create a Host object that represents the external IP address of each satellite in the VPN community.
    1. From the Objects bar, right-click and select New > Network Object > Gateways and Servers > Check Point Host.
    2. In the IP Address field, enter the IP address that represents the external IP address of the satellite. If the satellite is a cluster, enter the external Virtual IP.
  9. Create a Group object that represents the networks for each satellite object:
    1. From the Objects bar, select New > Network Object > Group > New Network Group.
    2. Enter a Name for the group that is unique for one satellite.
    3. Click Add and select the Network object that you created for that satellite's internal network.
    4. Click Add and select the Host object that you created for that satellite's external IP address.
  10. Create a Group object that represents the Center Gateway.
    1. From the Objects bar, select New > Network Object > Group > New Network Group.
    2. Enter a Name for the group that is unique for the Center Gateway.
    3. Click Add and select the Center Gateway object.

Using the CLI

Edit the VPN routing file on the Domain Management Server or Security Management Server so that two SmartLSM Gateways or Cluster Profiles can communicate with each other through the Center Gateway. The file is $FWDIR/conf/vpn_route.conf. Each entry is one line of whitespace-separated fields: destination, router, and install on. The values are the names of objects defined in SmartConsole and must match those names exactly; the install on field is what selects the SmartLSM Profile that receives the route.

To edit the vpn_route.conf file:

Open $FWDIR/conf/vpn_route.conf in a text editor.

If two SmartLSM Gateways on different LSM Gateway Profiles communicate with each other through the Center Gateway, add these two entries. Each one routes the internal network of one gateway through the Center Gateway and is installed on the profile of the other gateway:

    # destination                                                          router             [install on]
    <Network Group Name of internal network of SmartLSM Gateway>           <Center Gateway>   <Name of second LSM Profile>
    <Network Group Name of internal network of second SmartLSM Gateway>    <Center Gateway>   <Name of LSM Profile>

If more than one SmartLSM Gateway in the same LSM Profile communicate with each other through the Center Gateway, add one entry:

    # destination                                                  router             [install on]
    <Network Group Name of internal network of SmartLSM Gateway>   <Center Gateway>   <Name of LSM Profile>

Install policy on the SmartLSM Profiles and on the Center Gateway.

Completing the Configuration

Complete the configuration in the SmartProvisioning Console and the CLI of the Center Gateway.

To complete the VPN configuration:

  1. Open the SmartProvisioning Console.
  2. Create a new SmartLSM Cluster or Gateway based on the type of device you have.
  3. Generate a VPN certificate for each Gateway or Cluster member:
    1. Open the cluster or gateway object > VPN tab.
    2. Select Use Certificate Authority Certificate.
    3. Click Generate.
    4. Do these steps again for each cluster member.

    Note - If the topology information, including date and time, changes after you generate the certificate, you must generate a new certificate in the VPN tab and update the gateway (Actions > Update Gateway).

  4. In the CLI of the Center Gateway, run: LSMenabler on
  5. In the SmartProvisioning GUI Console, right-click the Center Gateway and select Actions > Update Selected Corporate Office Gateway.
  6. In the Topology tab of each object, make sure that the topology of the provisioned objects is correct for each device:
    • Make sure that the interfaces have the same IP addresses as the actual gateways.
    • Make sure that the external and internal interfaces are recognized and configured correctly as "External" and "Internal".
    • If the interfaces show without IP addresses, click Get Actual Settings.
  7. In the Topology tab, configure the VPN domain:
    • For a SmartLSM Gateways Profile, select one of the options.
    • For a SmartLSM Cluster Profile, select Manually defined and manually add the encryption domains that you want to include.
  8. Push Policy.

All traffic between the satellites and Center Gateway is encrypted.

Special Considerations for VPN Routing

The VPN routing option To center and to other satellites through center is not supported by SmartLSM Security Gateways.

To configure VPN routing to SmartLSM Security Gateways through the center, enable VPN Routing for a hub and spoke configuration, by editing the vpn_route.conf file on the Security Management Server.

For example:

  1. Create a group that contains the encryption domains of all the satellite SmartLSM Security Gateways, and call it SmartLSM_domain.
  2. Create a group that contains all the central gateways, and call it Center_gws.
  3. In vpn_route.conf, add this entry:

    Destination       Router       Install On
    SmartLSM_domain   Center_gws   SmartLSM_profile

You can have a Star VPN topology with multiple routing gateways if those gateways are listed in the Install On field of vpn_route.conf.
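As an added example, not part of this guide and not Check Point tooling, the POSIX shell helper below adds vpn_route.conf entries from the Security Management Server shell for both cases on this page: the two-profile routes in Using the CLI and the SmartLSM_domain / Center_gws / SmartLSM_profile hub-and-spoke entry above. It checks the two things that most often break a hand edit: object names that contain spaces (the file is whitespace separated, so such a name splits into two fields) and duplicate or malformed lines. It assumes the file is $FWDIR/conf/vpn_route.conf and that the object names used exist, with exactly these names, in SmartConsole.

```shell
#!/bin/sh
# Added example (not from the SmartProvisioning guide): maintain
# hub-and-spoke entries in vpn_route.conf on the Security Management Server.
# Assumed: the file is $FWDIR/conf/vpn_route.conf; the names SmartLSM_domain,
# Center_gws and SmartLSM_profile are the sample names from the guide and must
# exist with exactly these names in SmartConsole.

VPN_ROUTE_CONF="${VPN_ROUTE_CONF:-$FWDIR/conf/vpn_route.conf}"

# Fields in vpn_route.conf are whitespace separated, so an object name that
# contains a space (legal in SmartConsole) would be split into two fields.
# Accept only names made of letters, digits, '.', '_' and '-'.
vpn_route_valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the number of malformed entries: lines that are neither blank nor a
# comment and do not have 2 fields (destination router) or 3 fields
# (destination router install_on). Prints 0 for a well-formed file.
#   vpn_route_lint [file]
vpn_route_lint() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        NF < 2 || NF > 3     { bad++ }
        END                  { print bad + 0 }
    ' "${1:-$VPN_ROUTE_CONF}"
}

# Exit status 0 if an identical destination/router/install_on entry exists.
#   vpn_route_exists <destination> <router> <install_on> [file]
vpn_route_exists() {
    awk -v d="$1" -v r="$2" -v i="$3" '
        NF == 0 || $1 ~ /^#/            { next }
        $1 == d && $2 == r && $3 == i   { found = 1 }
        END                             { exit !found }
    ' "${4:-$VPN_ROUTE_CONF}"
}

# Append one entry, refusing bad names and skipping exact duplicates, so the
# function can be re-run safely. A .bak copy is kept before each change.
#   vpn_route_add <destination> <router> <install_on> [file]
vpn_route_add() {
    dest=$1
    router=$2
    inst=$3
    file=${4:-$VPN_ROUTE_CONF}
    for name in "$dest" "$router" "$inst"; do
        vpn_route_valid_name "$name" || {
            echo "vpn_route_add: invalid object name '$name'" >&2
            return 2
        }
    done
    # Start a new file with the conventional header comment.
    [ -f "$file" ] || printf '# destination\trouter\t[install on]\n' > "$file"
    if vpn_route_exists "$dest" "$router" "$inst" "$file"; then
        return 0
    fi
    cp "$file" "$file.bak" || return 1
    printf '%s\t%s\t%s\n' "$dest" "$router" "$inst" >> "$file"
}

# Hub-and-spoke entry from this page: the encryption domains of all satellite
# SmartLSM gateways are reached through the center gateways, and the route is
# installed on the SmartLSM profile. Run, then check, then install policy:
#   vpn_route_add SmartLSM_domain Center_gws SmartLSM_profile
#   vpn_route_lint        # expect 0
```

Run the two-profile case the same way, once per direction: the destination is the network group of one gateway's internal network, the router is the Center Gateway, and install on is the other gateway's LSM Profile. Install policy on the SmartLSM Profiles and on the Center Gateway after the file is changed.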

For more information, see Route Based VPN in the R80.30 Site to Site VPN Administration Guide.