Traditional Mode VPNs

In This Section:

Editing a Traditional Mode Policy

Configuring VPN between Internal Gateways with ICA Certificates

Configuring VPN between Internal Gateways with Third Party CA Certificates

Editing a Traditional Mode Policy

An existing Traditional Mode policy will open in Traditional Mode.

To start a new Traditional Mode policy:

  1. Open the Global Properties window, VPN page.
  2. Select one of these options:
    • Traditional mode to all new Firewall Policies
    • Traditional or Simplified per new Firewall Policy
  3. Install the Access Control policy.

If you selected Traditional or Simplified per new Firewall Policy:

  1. From the R80 SmartConsole Menu, select Manage policies (Ctrl+O).

    The Manage policies window opens.

  2. Click New.

    The New Policy window opens.

  3. Give the new policy a name.
  4. Select the Policy types.
  5. Select VPN Traditional mode.
  6. Click OK.

    In the new Policy Rule Base, one of the available Actions is Encrypt.

Configuring VPN between Internal Gateways with ICA Certificates

To define the Security Gateways:

  1. For each Security Gateway that is to be part of the VPN, define a Check Point Security Gateway object. In the Gateways & Servers view, click New > Gateway.
  2. In the General Properties page of the Check Point Security Gateway object, select IPsec VPN.
  3. In the Communication window, establish Trusted Communication.
  4. In the Network Management page, define the IP address, network mask, and Anti-Spoofing for every Security Gateway interface.
  5. In the Network Management > VPN Domain page, define the VPN Domain. Select either:
    • All IP Addresses behind Security Gateway based on Topology information or
    • Manually defined. Either select an existing network or group from the drop-down list or create a new group of machines or networks by clicking New...
  6. In the IPsec VPN page, Repository of Certificates Available to the Gateway, Add a certificate issued by the ICA.
  7. Still on the IPsec VPN page, click Traditional mode configuration. The Traditional mode IKE properties window opens.
    • In the Support authentication methods area, select Public Key Signatures. To specify that the Security Gateway will only use certificates issued by the ICA, click Specify and select the ICA.
    • Select IKE Phase 1 encryption and data integrity methods or accept the checked defaults.

Configuring VPN between Internal Gateways with Third Party CA Certificates

To define the Security Gateways:

  1. For each Security Gateway that is to be part of the VPN, define a Check Point Security Gateway object. In the Gateways & Servers view, click New > Gateway.
  2. In the General Properties page of the Check Point Security Gateway object, select IPsec VPN.
  3. In the Communication window, establish Trusted Communication.
  4. In the Network Management page, define the IP address, network mask, and Anti-Spoofing for every Security Gateway interface.
  5. In the Network Management > VPN Domain page, define the VPN Domain. Select either:
    • All IP Addresses behind Security Gateway based on Topology information or
    • Manually defined. Either select an existing network or group from the drop-down list or create a new group of machines or networks by clicking New...
  6. In the IPsec VPN page, Repository of Certificates Available to the Gateway, Add a certificate issued by the certificate authority defined in step 1.
  7. Still on the IPsec VPN page, click Traditional mode configuration. The Traditional mode IKE properties window opens.
    • In the Support authentication methods area, select Public Key Signatures. To specify that the Security Gateway will only use certificates issued by the ICA, click Specify and select the CA.
    • Select IKE Phase 1 encryption and data integrity methods or accept the checked defaults.
  8. Repeat step 2 to step 7 for each Security Gateway taking part in the VPN.