Site to Site Solutions for Different Deployments

In This Section: Configuring VPN Routing for Security Gateways through R80 SmartConsole Enabling Route Based VPN Configuring Tunnel Features Permanent Tunnels Configuring RIM in a Star Community Enabling the RIM_inject_peer_interfaces flag Enabling Wire Mode on a VPN Community Enabling Wire Mode on a Specific Security Gateway Configurable Objects in a Direction Configuring Directional VPN Within a Community Configuring Directional VPN Between Communities Configuring On Demand Links Configuring Link Selection and ISP Redundancy VPN Community Object - Encryption Settings

Configuring VPN Routing for Security Gateways through R80 SmartConsole

For simple hubs and spokes (or if there is only one Hub), the easiest way is to configure a VPN star community in R80 SmartConsole:

1. On the Star Community window, in the:
   1. Center Gateways section, select the Security Gateway that functions as the "Hub".
   2. Satellite Gateways section, select Security Gateways as the "spokes", or satellites.
2. On the VPN Routing page, Enable VPN routing for satellites section, select one of these options:
   • To center and to other Satellites through center - This allows connectivity between the Security Gateways, for example if the spoke Security Gateways are DAIP Security Gateways, and the Hub is a Security Gateway with a static IP address.
   • To center, or through the center to other satellites, to internet and other VPN targets - This allows connectivity between the Security Gateways as well as the ability to inspect all communication passing through the Hub to the Internet.
3. Create an appropriate Access Control Policy rule.
4. NAT the satellite Security Gateways on the Hub if the Hub is used to route connections from Satellites to the Internet.

The two Dynamic Objects (DAIP Security Gateways) can securely route communication through the Security Gateway with the static IP address.

Configuring the 'Accept VPN Traffic Rule'

In R80 SmartConsole:

1. Double click on a Star or Meshed Community.
2. On the Encrypted Traffic page, select Accept all encrypted traffic.
3. In a Star community, choose between accepting encrypted traffic on Both center and satellite gateways or Satellite gateways only.
4. Click OK.

Enabling Route Based VPN

If you configure a Security Gateway for Domain Based VPN and Route Based VPN, Domain Based VPN takes precedence by default. To force Route Based VPN to take priority, you must create a dummy (empty) group and assign it to the VPN domain.

To force Route-Based VPN to take priority:

1. In the Gateways & Servers view, edit a Check Point Security Gateway.
2. Go to the Network Management > VPN Domain page.
3. Select Manually define.
4. Click New > Group > Simple Group.
5. Enter a Name and click OK.

Configuring VTIs in a Clustered Environment

After configuring the VTIs on the cluster members, you must configure in the R80 SmartConsole the VIP of these VTIs.

In R80 SmartConsole:

1. In the Gateways & Servers view, edit the Check Point Cluster.
2. In Network Management window, click Get Interfaces.

   The VTIs are shown in the Topology column as Point to point.

   Interfaces are members of the same VTI if these criteria match:

   • Remote peer name
   • Remote IP address
   • Interface name
3. Configure the VTI VIP. Select the interface and click Edit. Edit the interface in the General page of the interface object.
4. Click OK and install policy.

Configuring Anti-Spoofing on VTIs

In R80 SmartConsole:

1. In the Gateways & Servers view, edit a Check Point Security Gateway.
2. Go to the Network Management page.
3. Click Get Interfaces to read the interface information on the Security Gateway computer.
4. Select an interface, and click Edit.
5. In the Topology section of the General page, click Modify.
6. In the IP Addresses behind peer Security Gateway that are within reach of this interface section, select:
   • Not Defined to accept all traffic.
   • Specific to choose a particular network. The IP addresses in this network will be the only addresses accepted by this interface.
7. In the Perform Anti-Spoofing based on interface topology section, select Don't check packets from to ensure Anti-Spoofing checks do not take place for addresses from certain internal networks coming into the external interface. Define a network object that represents those internal networks with valid addresses, and from the drop-down list, select that network object.

   Objects selected in the Don't check packets from drop-down menu are disregarded by the Anti-Spoofing enforcement mechanism.

8. Under Spoof Tracking select Log, and click OK.

Configuring Unnumbered VTIs

Working with unnumbered interfaces eliminates the need to assign two IP addresses per interface (the local IP, and the remote IP Address), and the need to synchronize this information among the peers.

If the VPN Tunnel Interface is unnumbered, local and remote IP addresses are not configured. This interface is associated with a proxy interface from which the virtual interface inherits an IP address. Traffic initiated by the Security Gateway and routed through the virtual interface will have the physical interface's IP Address as the source IP.

Unnumbered interfaces are supported for Gaia and IPSO (3.4 and higher) platforms.

Note - IPSO platform supports unnumbered VTIs in a VRRP HA configuration, active-passive mode only.

To configure unnumbered VTIs for IPSO:

1. Log into IPSO Network Voyager.
2. Click Configuration.
3. Click Interface Configuration.
4. On the next page, click FWVPN Tunnel.
5. On the FWVPN Tunnel Configuration page, enter the name of the Security Gateway you want to connect to in the Peer GW Object Name field.
6. Select a proxy interface from the Proxy drop down menu.
7. Click Apply.

   The new interface shows on the FWVPN Tunnel Configuration page.

To configure unnumbered VTIs for Gaia:

1. In Gaia WebUI, select Interface Management > Network Interfaces.
2. Click Add > VPN Tunnel.
3. In the Add/Edit window that opens, configure these parameters:
   • VPN Tunnel ID - an integer from 1 to 99, and Gaia automatically adds vpnt prefix to the Tunnel ID
   • Remote Peer Name - alpha-numeric Peer ID, as defined for the Remote Peer Name in the VPN community. You must define the two peers in the VPN community before you define the VTI.
   • VPN Tunnel Type - select Unnumbered
   • Local Address - leave empty for unnumbered VTI
   • Remote Address - leave empty for unnumbered VTI
   • Physical Device - the name of the local peer interface (the loopback interface can also be configured as the local peer interface)

Configuring Tunnel Features

To configure Tunnel Management options:

1. In R80 SmartConsole, click Object Explorer (Ctrl+E)
2. Click New > VPN Community and choose Star Community or Meshed community.
3. Click Tunnel Management. and configure the tunnel settings:
   • Permanent Tunnels
   • Tracking Options
   • VPN Tunnel Sharing

Permanent Tunnels

In the Star Community or Meshed community object, on the Tunnel Management page, select Set Permanent Tunnels. These are the options:

• On all tunnels in the community
• On all tunnels of specific Security Gateways
• On specific tunnels in the community

To configure all tunnels as permanent, select On all tunnels in the community. Clear this option to terminate all Permanent Tunnels in the community.

To configure on all tunnels of specific Security Gateways:

1. Select On all tunnels of specific gateways and click Select Gateways.

   The Select Gateway window is displayed.

   To terminate Permanent Tunnels connected to a specific Security Gateway, highlight the Security Gateway and click Remove.

2. To configure the Tracking options for a specific Security Gateway, highlight a Security Gateway and click Gateway Tunnel Properties.

To configure on specific tunnels in the community:

1. Select On specific tunnels in the community and click Select Permanent Tunnels.

   The Select Permanent Tunnels window opens.

2. Double click in the white cell that intersects the Security Gateways where a permanent tunnel is required.

   The Tunnel Properties window is displayed.

3. Click Set these tunnels to be permanent tunnels.

   To terminate the Permanent Tunnel between these two Security Gateways, clear Set these tunnels to be permanent tunnels.

4. Click OK.

Advanced Permanent Tunnel Configuration

In R80 SmartConsole:

1. Click Menu > Global Properties.

   The Global Properties window shows.

2. Select Advanced > Configure.

   The Advanced configuration window shows.

3. Click VPN Advanced Properties > Tunnel Management to see the five attributes that may be configured to customize the amount of tunnel tests sent and the intervals in which they are sent:
   • life_sign_timeout - Set the amount of time the tunnel test runs without a response before the peer host is declared 'down.'
   • life_sign_transmitter_interval - Set the time between tunnel tests.
   • life_sign_retransmissions_count - When a tunnel test does not receive a reply, another test is resent to confirm that the peer is 'down.' The Life Sign Retransmission Count is set to how many times the tunnel test is resent without receiving a response.
   • life_sign_retransmissions_interval - Set the time between the tunnel tests that are resent after it does not receive a response from the peer.
   • cluster_status_polling_interval - (Relevant for HA Clusters only) - Set the time between tunnel tests between a primary Security Gateway and a backup Security Gateway. The tunnel test is sent by the backup Security Gateway. When there is no reply, the backup Security Gateway will become active.

DPD Responder Mode

In this mode the Check Point gateway sends the IKEv1 DPD Vendor ID to peers from which the DPD Vendor ID was received.

To enable DPD Responder Mode:

1. Run on each gateway:

   ckp_regedit -a SOFTWARE/CheckPoint/VPN1 forceSendDPDPayload -n 1

2. Enable the keep_IKE_SAs property in GuiDBedit to prevent a problem where the Check Point gateway deletes IKE SAs:
   1. In R80 SmartConsole, go to Menu > Global Properties > Advanced > Advanced Configuration > VPN advanced properties > VPN IKE properties.
   2. Change keep_IKE_SAs to true.

To disable DPD Responder Mode:

1. Run on each gateway:

   ckp_regedit -d SOFTWARE/CheckPoint/VPN1 forceSendDPDPayload

Note - Enable the keep_IKE_SAs property in GuiDBedit to prevent a problem where the Check Point gateway deletes IKE SAs. The DPD mechanism is based on IKE SA keys. In some situations, the Check Point gateway deletes IKE SAs and a peer, usually a 3rd Party gateway, sends DPD requests without response and concludes that the Check Point gateway is down. The peer can then delete the IKE and IPsec keys, which causes encrypted traffic from the Check Point gateway to be dropped by the remote peer.

Permanent Tunnel Mode Based on DPD

DPD can monitor remote peers with the permanent tunnel feature. All related behavior and configurations of permanent tunnels are supported.

To configure DPD for a permanent tunnel, the permanent tunnel must be in the VPN community. After you configure the permanent tunnel, configure Permanent Tunnel mode Based on DPD. There are different possibilities for permanent tunnel mode:

• tunnel_test (default) - The permanent tunnel is monitored by tunnel test (as in earlier versions). It works between Check Point gateways only. Keepalive packets are always sent.
• dpd - The active DPD mode. A peer receives DPD requests at regular intervals (10 seconds). DPD requests are only sent when there is no traffic from the peer.
• passive - The passive DPD mode. Peers do not send DPD requests to this peer. Tunnels with passive peers are monitored only if there is IPsec traffic and incoming DPD requests.

  Note: To use this mode for only some gateways, enable the forceSendDPDPayload registry key on Check Point remote peers.

To enable DPD monitoring:

On each VPN gateway in the VPN community, configure the tunnel_keepalive_method property, in GuiDBedit. This includes 3rd Party gateways. (You cannot configure different monitor mechanisms for the same gateway).

1. In GuiDBedit, go to Network Objects > network_objects > <gateway> > VPN.
2. For the Value, select a permanent tunnel mode.
3. Save.
4. Install policy on the gateways.

Optional Configuration

• IKE Initiation Prevention - By default, when a valid IKE SA is not available, a DPD request message triggers a new IKE negotiation. To prevent this behavior, set the property dpd_allowed_to_init_ike to false.

  Edit the property in GuiDBedit under Network Objects > network_objects > <gateway Name> > VPN.

• Delete IKE SAs for dead peer - Based on RFC 3706, a VPN gateway has to delete IKE SAs from a dead peer. This functionality is enabled, by default.

  To disable this feature, set the DPD_DONT_DEL_SA environment variable to 0:

  • To do this temporarily, run:

    cpstop

    export DPD_DONT_DEL_SA=0

    cpstart

  • To do this permanently:
    1. Add this line to the $CPDIR/tmp/.CPprofile.sh file:

    DPD_DONT_DEL_SA=0 ; export DPD_DONT_DEL_SA

    1. Reboot

    Note: To re-enable the feature, remove the DPD_DONT_DEL_SA environment variable.

Configuring RIM in a Star Community

1. Open the Star Community > Tunnel Management page.
2. In the Permanent Tunnels section, select Set Permanent Tunnels. The following Permanent Tunnel modes are then made available:
   • On all tunnels in the community
   • On all tunnels of specific Security Gateways
   • On specific tunnels in the community

When choosing tunnels, keep in mind that RIM can only be enabled on tunnels that have been configured to be permanent. On all tunnels in the community must be selected if MEP is enabled on the community.

1. Select Enable Route Injection Mechanism (RIM).
2. Click Settings...

   The Star Community Settings window opens

   Decide if:

   • RIM should run automatically on the central or satellite Security Gateways (Gaia, SecurePlatform, or IPSO only).
   • A customized script should be run on central or satellite Security Gateways whenever a tunnel changes its states (goes up or down).

   You can also configure the tracking options.

3. If a customized script is run, edit custom_rim (.sh or .bat) script in the $FWDIR/Scripts directory on each of the Security Gateways.

Enabling the RIM_inject_peer_interfaces flag

To enable the RIM_inject_peer_interfaces flag:

1. In R80 SmartConsole, click Menu > Global Properties.
2. Go to Advanced > Configure.

   The Advanced Configuration window opens

3. Click VPN Advanced Properties > Tunnel Management.
4. Select RIM_inject_peer_interfaces.
5. Click OK.

Enabling Wire Mode on a VPN Community

1. In R80 SmartConsole, open the Object Explorer, select the VPN community to be configured and click Edit.
2. Open the Wire Mode page.
3. To enable Wire Mode on the community, select Allow uninspected encrypted traffic between Wire mode interfaces of the Community members.
4. To enable Wire Mode Routing, select Wire Mode Routing - Allow members to route uninspected encrypted traffic in VPN routing configurations.

Enabling Wire Mode on a Specific Security Gateway

1. In R80 SmartConsole, open the Gateways & Servers view, select the relevant Security Gateway and click Edit.
2. Open the IPsec VPN > VPN Advanced page.
3. To enable Wire Mode on the Security Gateway, select Support Wire Mode (and Wire mode routing...)
4. Click Add to include the interfaces to be trusted by the selected Security Gateway.
5. Select Log Wire mode traffic to log wire mode activity.

Configurable Objects in a Direction

The table shows all the objects that can be configured in a direction, including three new objects created for Directional VPN:

Name of Object	Description
Remote Access Site2SiteVPN	Remote Access community Regular Star/Mesh community
Any Traffic	Any traffic
All_GwToGw	All gateway to gateway traffic
All_Communities	All communities
External_clear	For traffic outside the VPN community
Internal_clear	For traffic between local domains within the community

Note - Clear text connections originating from the following objects are not subject to enforcement:

• Any Traffic
• External_clear
• Internal_clear

There is no limit to the number of VPN directions that can be configured on a single rule. In general, if you have many directional enforcements, consider replacing them with a standard bidirectional condition.

Configuring Directional VPN Within a Community

To configure Directional VPN within a community:

1. In the Global Properties > VPN > Advanced page, select Enable VPN Directional Match in VPN Column.
2. In the VPN column of the appropriate rule, select Directional Match Condition.

   The New Directional Match Condition window opens.

3. In the Traffic reaching from drop-down box, select the object for Internal_clear (the source).
4. In the Traffic leaving to drop-down box, select the relevant community object (the destination).
5. Add another directional match in which the relevant community object is both the source and destination.

   This allows traffic from the local domain to the community, and within the community.

6. Click OK.

Configuring Directional VPN Between Communities

To configure Directional VPN between communities:

1. In the Global Properties > VPN > Advanced page, select Enable VPN Directional Match in VPN Column.
2. In the VPN column of the appropriate rule, select Directional Match Condition.

   The New Directional Match Condition window opens.

3. In the Traffic reaching from drop-down box, select the source of the connection.
4. In the Traffic leaving to drop-down box, select the destination of the connection
5. Click OK.

Configuring On Demand Links

You can enable On Demand Links only if you enabled Route Based Probing. Configure On Demand Links commands in GuiDBedit, the Check Point Database Tool.

Property	Description
use_on_demand_links	Enables on-demand links. The default is FALSE. Change to TRUE.
on_demand_metric_min	Defines the minimum metric level for an on-demand link. This value must be equal to or higher than the configured minimum metric.
on_demand_initial_script	The name of the on-demand script, which runs when all not-on-demand routes stop responding. Put the script in the $FWDIR/conf directory.
on_demand_shutdown_script	This script is run when the failed links become available. Put the script in the $FWDIR/conf directory.

If you do not want to use GuiDBedit, you can configure the use_on_demand_links and on_demand_metric_min commands in R80 SmartConsole:

1. In R80 SmartConsole, click Menu > Global Properties > Advanced > Configure.
2. In VPN Advanced Properties, click Link Selection.
3. Click use_on_demand_links to enable On Demand Links.
4. Set the minimum metric level for an On Demand Link next to the on_demand_metric_min command.

Configuring Link Selection and ISP Redundancy

Configure Link Selection and ISP Redundancy in the Other > ISP Redundancy page of the Gateway object.

VPN Community Object - Encryption Settings

IPv6 automatically works with IKEv2 encryption only. The option that you select here, applies to IPv4 traffic.

To configure a VPN Community object:

1. In R80 SmartConsole, click Open Object Explorer (Ctrl+E).
2. From the navigation tree, click VPN Communities.
3. Double-click the VPN Community object.

   The Community object window opens and shows the Gateways page.

4. From the navigation tree, click Encryption.
5. Configure the settings.
6. Click OK and publish the changes.

Encryption Method

• Encryption Method - For IKE phase I and II.
  • IKEv2 only - Only support encryption using IKEv2. Security Gateways in this community cannot access peer gateways that support IKEv1 only.
  • Prefer IKEv2, support IKEv1 - If a peer supports IKEv2, the Security Gateway will use IKEv2. If not, it will use IKEv1 encryption. This is recommended if you have a community of older and new Check Point Security Gateways.
  • IKEv1 only - IKEv2 is not supported.

Encryption Suite

• Use this encryption suite - Select the methods negotiated in IKE phase 2 and used in IPSec connections. Select and choose the option for best interoperability with other vendors in your environment.
  • VPN-A or VPN B - See RFC 4308 for more information.
  • Suite-B GCM-128 or 256 - See RFC 6379 for more information.
• Custom encryption suite - If you require algorithms other than those specified in the other options, select the properties for IKE Phase 1, including which Diffie-Hellman group to use. Also, select properties for IKE Phase 2.

  Note - Suite-B GCM-128 and 256 encryption suites are supported on R71.50 gateways and from R75.40 gateways.

If there is a Dynamic IP Gateway inside the community, R77.30 (or lower) community member gateways that respond to its IKE negotiation, use the configuration defined in Global Properties > Remote Access > VPN -Authentication and Encryption.

More

• Use aggressive mode (Main mode is the default) - Select only if the peer only supports aggressive mode. This is only supported with IKEv1.
• Use Perfect Forward Secrecy, and the Diffie-Hellman group - Select if you need extremely high security.
• Support IP compression - Select to increase throughput.

VPN Community Object - Advanced Settings

Configure these options in the VPN Community object Advanced page:

IKE (Phase 1)

When to renegotiate the IKE Security Associations.

IKE (Phase 2)

When to renegotiate the IPsec security associations. This sets the expiration time of the IPsec encryption keys.

NAT

Disable NAT inside the VPN community - Select to not apply NAT for the traffic while it passes through IPsec tunnels in the community.

Reset

Reset all VPN properties to the default.