
Introduction to VPN

In This Section:

Migrating from Traditional Mode to Simplified Mode

Configuring a Meshed Community Between Internally Managed Gateways

Configuring a Star VPN Community

Confirming a VPN Tunnel Successfully Opens

VPN with External Security Gateways Using Certificates

VPN with External Security Gateways Using Pre-Shared Secret

Authorizing Firewall Control Connections in VPN Communities

Migrating from Traditional Mode to Simplified Mode

To migrate from Traditional Mode VPN to Simplified Mode:

  1. On the Global Properties > VPN page, select one of these options:
    • Simplified mode to all new Firewall Policies
    • Traditional or Simplified per new Firewall Policy
  2. Click OK.
  3. From the R80 SmartConsole Menu, select Manage policies.

    The Manage Policies window opens.

  4. Click New.

    The New Policy window opens.

  5. Give a name to the new policy and select Access Control.

    In the Security Policy Rule Base, a new column marked VPN shows and the Encrypt option is no longer available in the Action column. You are now working in Simplified Mode.

Configuring a Meshed Community Between Internally Managed Gateways

To configure an internally managed VPN meshed community:

  1. Install and configure the Security Gateways.
  2. In R80 SmartConsole, double click on the Security Gateway object.
  3. In the General Properties page:
    1. Enter the gateway Name.
    2. Enter the IPv4 Address or IPv6 Address (or both).
    3. In the Network Security tab, select IPsec VPN.
    4. Click Communication and establish trusted communication with the Gateway.
  4. In the Network Management page, click Get Interfaces.
    1. After the interfaces show in the table, click Edit to open the Interface window.
    2. In the Interface window, define the general properties of the interface and the topology of the network behind it.
  5. In the Network Management > VPN Domain page, define the VPN domain as one of:
    • All IP Addresses behind the Gateway based on Topology information
    • Manually defined as an address range, a network, or a group that can be a combination of address ranges, networks, and even other groups.

      (In a primary-backup MEP configuration, leave the backup encryption domain empty.)

    The network Security Gateway objects are now configured, and need to be added to a VPN community.

    Note - There is nothing to configure on the IPsec VPN page, regarding certificates, because internally managed Security Gateways automatically receive a certificate from the internal CA.

  6. Open the Object Explorer (Ctrl+E), and select VPN Communities.
    1. Click New > VPN Communities > Meshed Community.

      The New Meshed Community window opens.

    2. In the Encrypted Traffic page, select Accept all encrypted traffic if you need all traffic between the Security Gateways to be encrypted. If not, create appropriate rules in the Security Policy Rule Base that allow encrypted traffic between community members (step 7).
    3. On the Gateways page, add the Security Gateways created in step 1.

    A VPN tunnel is now configured.

    You can also configure these options: Encryption, Shared Secret, and Advanced.

  7. If you did not select Accept all encrypted traffic in the Encrypted Traffic page of the Community, build an access control policy, for example:

    Source   Destination   VPN                Services & Applications   Action
    Any      Any           Meshed community   Any                       Accept

Where "Meshed community" is the VPN community you have just defined.
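The rule above only applies to connections whose endpoints lie in the VPN domains of two community members. The following model, added here as an example and not Check Point's own code, shows that matching for the VPN domain forms listed in step 5 (networks, address ranges, nested groups) and for both a meshed community and a star community; the gateway names, addresses and the star default (center to satellite only) are assumptions constructed for illustration.

```python
import ipaddress

# Added example, not Check Point code: a model of how the VPN column of an
# access rule is matched. A rule naming a community applies only to connections
# whose endpoints sit in the VPN domains of two members the topology lets talk.
# Names, addresses and domains below are constructed for illustration.

def vpn_domain(*members):
    """Build a VPN domain from networks, address ranges and nested groups."""
    domain = []
    for m in members:
        if isinstance(m, list):                      # a nested group
            domain.extend(vpn_domain(*m))
        elif "-" in m:                               # an address range "lo-hi"
            lo, hi = (ipaddress.ip_address(x) for x in m.split("-"))
            domain.append((lo, hi))
        else:                                        # a network in CIDR notation
            net = ipaddress.ip_network(m, strict=False)
            domain.append((net[0], net[-1]))
    return domain

def gateway_for(ip, gateways):
    """Name of the gateway whose VPN domain contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, domain in gateways.items():
        if any(lo <= addr <= hi for lo, hi in domain):
            return name
    return None

def connection_in_community(src, dst, gateways, community):
    """True if a rule with this community in its VPN column matches src->dst."""
    gw_src, gw_dst = gateway_for(src, gateways), gateway_for(dst, gateways)
    if gw_src is None or gw_dst is None or gw_src == gw_dst:
        return False          # not a site-to-site connection between members
    if community["type"] == "meshed":                # every member to every member
        return {gw_src, gw_dst} <= community["gateways"]
    center, sats = community["center"], community["satellites"]
    # Star, assumed default: center <-> satellite only, no satellite <-> satellite
    return {gw_src, gw_dst} <= center | sats and (gw_src in center or gw_dst in center)

# Constructed sample: two internally managed gateways and one partner gateway
GATEWAYS = {
    "GW-HQ": vpn_domain("10.1.0.0/16"),
    "GW-Branch": vpn_domain("10.2.0.0/24", "10.2.5.10-10.2.5.20"),
    "GW-Partner": vpn_domain(["192.168.50.0/24", ["192.168.60.0/24"]]),
}
MESHED = {"type": "meshed", "gateways": {"GW-HQ", "GW-Branch"}}
STAR = {"type": "star", "center": {"GW-HQ"},
        "satellites": {"GW-Branch", "GW-Partner"}}
```

A host outside every VPN domain (for example 10.2.5.25 above, which falls outside both the network and the range given for GW-Branch) never matches the rule, which is why the procedure tells you to define the domain manually when topology information is incomplete.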

Configuring a Star VPN Community

A star VPN community is configured in much the same way as a meshed community, the difference being the options on the Star Community window:

Confirming a VPN Tunnel Successfully Opens

To make sure that a VPN tunnel has successfully opened:

  1. Edit the VPN rule and select Log as the Track option.
  2. Open Logs & Monitor and click a new tab.
  3. From the bottom of the window, click Tunnel and User Monitoring.

    Check Point SmartView Monitor opens.

  4. Click the gateway to see IPsec VPN traffic and tunnels opened. A successful connection shows encrypt, decrypt and key install logs.

Alternatively, search for VPN in R80 SmartConsole to see the relevant logs:

  1. Open SmartView Monitor and see that VPN tunnels are up.
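
The check in step 4 (a successful connection shows encrypt, decrypt and key install logs) can also be run over exported log records. The script below is an added example, not Check Point code; the key=value layout and the log lines are constructed to resemble those records and are assumptions, not the exact Check Point log format. It reports, per peer gateway, whether all three actions were seen, so a tunnel whose key was installed but which never decrypted anything stands out.

```python
import re
from collections import defaultdict

# Added example, not Check Point code. The records below are constructed; the
# field layout is an assumption, only the action names follow the text above.
SAMPLE_LOGS = """\
time=2024-05-01T10:00:01 action="Key Install" peer_gateway=203.0.113.10 community="Branch-Star" vpn_feature_name=IKE
time=2024-05-01T10:00:02 action=Encrypt peer_gateway=203.0.113.10 community="Branch-Star" src=10.1.3.4 dst=10.2.0.9
time=2024-05-01T10:00:02 action=Decrypt peer_gateway=203.0.113.10 community="Branch-Star" src=10.2.0.9 dst=10.1.3.4
time=2024-05-01T10:00:05 action="Key Install" peer_gateway=198.51.100.7 community="Branch-Star" vpn_feature_name=IKE
time=2024-05-01T10:00:06 action=Encrypt peer_gateway=198.51.100.7 community="Branch-Star" src=10.1.3.4 dst=192.168.60.7
time=2024-05-01T10:00:07 action=Accept src=10.1.3.4 dst=8.8.8.8 service=domain-udp
"""

def parse_line(line):
    """Turn one key=value record into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

# The three actions the procedure says a successful connection produces
REQUIRED = {"Key Install", "Encrypt", "Decrypt"}

def tunnel_status(log_text):
    """Per peer gateway: which of the three expected actions were seen."""
    seen, community = defaultdict(set), {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") not in REQUIRED or "peer_gateway" not in rec:
            continue                       # not a VPN record, e.g. a plain Accept
        seen[rec["peer_gateway"]].add(rec["action"])
        community[rec["peer_gateway"]] = rec.get("community", "")
    # A tunnel is confirmed only when key install, encrypt and decrypt all appear;
    # encrypt without decrypt suggests the peer never returned traffic.
    return {peer: {"community": community[peer], "up": REQUIRED <= actions,
                   "missing": sorted(REQUIRED - actions)}
            for peer, actions in seen.items()}
```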

VPN with External Security Gateways Using Certificates

To configure VPN using certificates, with the external Security Gateways as satellites in a star VPN Community:

  1. Obtain the certificate of the CA that issued the certificate for the peer VPN Security Gateways, from the peer administrator. If the peer Security Gateway is using the ICA, you can obtain the CA certificate using a web browser from:

    http://<IP address of peer Security Gateway or Management Server>:18264

  2. In R80 SmartConsole, define the CA object for the CA that issued the certificate for the peer.
  3. Define the CA that will issue certificates for your side if the Certificate issued by ICA is not appropriate for the required VPN tunnel.

    You may have to export the CA certificate and supply it to the peer administrator.

  4. Define the Network Object(s) of the Security Gateway(s) that are internally managed. In particular, be sure to do the following:
    • In the General Properties page of the Security Gateway object, select IPsec VPN.
    • In the Network Management page, define the Topology.
    • In the VPN Domain page, define the VPN Domain. If it does not contain all the IP addresses behind the Security Gateway, define the VPN domain manually by defining a group or network of machines and setting them as the VPN Domain.
  5. If the ICA certificate is not appropriate for this VPN tunnel, then in the IPsec VPN page, generate a certificate from the relevant CA.
  6. Define the Network Object(s) of the externally managed Security Gateway(s).
    • If it is not a Check Point Security Gateway, define an Interoperable Device: In Object Explorer, click New > Network Object > More > Interoperable Device.
    • If it is a Check Point Security Gateway, define an Externally Managed VPN Gateway: In Object Explorer, click New > Network Object > Gateways and Servers > More > Externally Managed VPN Gateway.
  7. Set the various attributes of the peer Security Gateway. In particular, be sure to do the following:
    • For an Externally Managed Check Point Security Gateway: In the General Properties page of the Security Gateway object, select IPsec VPN.
    • Define the Topology.
    • Define the VPN Domain using the VPN Domain information obtained from the peer administrator. If the VPN Domain does not contain all the IP addresses behind the Security Gateway, define the VPN domain manually by defining a group or network of machines and setting them as the VPN Domain.
    • For an Externally Managed Check Point Security Gateway: In the IPsec VPN page, define the Matching Criteria. Specify that the peer must present a certificate signed by its own CA. If feasible, enforce details that appear in the certificate as well.
  8. Define the Community.

    These details assume that a Star Community is used, but you can also use a Meshed Community. If you are working with a Meshed community, ignore the difference between the Central Security Gateways and the Satellite Security Gateways.

    • Agree with the peer administrator about the various IKE properties and set them in the Encryption page and the Advanced page of the community object.
    • Define the Central Security Gateways. These are usually the internally managed ones. If no other Community is defined for them, decide whether or not to mesh the central Security Gateways. If they are already in a Community, do not mesh the central Security Gateways.
    • Define the Satellite Security Gateways. These are usually the external ones.
  9. Click OK and publish the changes.
  10. Define the relevant access rules in the Security Policy.
  11. Add the Community in the VPN column, the services in the Services & Applications column, the desired Action, and the appropriate Track option.
  12. Install the Access Control Policy.

VPN with External Security Gateways Using Pre-Shared Secret

The configuration instructions require an understanding of how to build a VPN.

To configure a VPN using pre-shared secrets, with the external Security Gateways as satellites in a star VPN Community:

  1. Define the Network Object(s) of the Security Gateways that are internally managed. In particular, be sure to:
    • In the General Properties page of the Security Gateway object, in the Network Security tab, select IPsec VPN.
    • In the Network Management page, define the Topology.
    • In the Network Management > VPN Domain page, define the VPN Domain. If it does not contain all the IP addresses behind the Security Gateway, define the VPN domain manually by defining a group or network of machines and setting them as the VPN Domain.
  2. Define the Network Object(s) of the externally managed Security Gateway(s).
    • If it is not a Check Point Security Gateway, define an Interoperable Device: In Object Explorer, click New > Network Object > More > Interoperable Device.
    • If it is a Check Point Security Gateway, define an Externally Managed VPN Gateway: In Object Explorer, click New > Network Object > Gateways and Servers > More > Externally Managed VPN Gateway.
  3. Set the various attributes of the peer Security Gateway. In particular, make sure to configure:

    • In the Topology page, define the Topology and the VPN Domain using the VPN Domain information obtained from the peer administrator.
    • If the VPN Domain does not contain all the IP addresses behind the Security Gateway, define the VPN domain manually by defining a group or network of machines and setting them as the VPN Domain.
  4. Define the Community.

    The following details assume that a Star Community was chosen, but a Meshed Community is an option as well. If you are working with a Mesh community, ignore the difference between the Central Security Gateways and the Satellite Security Gateways.

    • Agree with the peer administrator about the various IKE properties and set them in the Encryption page and the Advanced page of the community object.
    • Define the Central Security Gateways. These will usually be the internally managed ones. If no other Community is defined for them, decide whether or not to mesh the central Security Gateways. If they are already in a Community, do not mesh the central Security Gateways.
    • Define the Satellite Security Gateways. These will usually be the external ones.
  5. Publish the changes.
  6. Agree on a pre-shared secret with the administrator of the external Community members. Then, in the Shared Secret page of the community, select Use only Shared Secret for all external members. For each external peer, enter the pre-shared secret.
  7. Define the relevant access rules in the Access Control Policy. Add the Community in the VPN column, the services in the Services & Applications column, the desired Action, and the appropriate Track option.
  8. Install the Security Policy.

Authorizing Firewall Control Connections in VPN Communities

Check Point Nodes communicate with other Check Point Nodes by means of control connections. For example, a control connection is used when the Security Policy is installed from the Security Management Server to a Security Gateway. Also, logs are sent from Security Gateways to the Security Management Server across control connections. Control connections use Secure Internal Communication (SIC).

Control connections are allowed using Implied Rules in the Access Control Rule Base. Implied Rules are added to or removed from the Access Control Rule Base, by selecting or clearing options in the Firewall page of the R80 SmartConsole Global Properties.