VPN Communities - Tunnel Management
What can I do here?
Use this window to set permanent VPN tunnels and VPN Tunnel Sharing.
Getting Here - SmartConsole > Security Policies > Access Control > Policy > Access Tools > VPN Communities > New Star Community > Tunnel Management
Understanding VPN Tunnels
Overview of Tunnel Management
A Virtual Private Network (VPN) provides a secure connection, typically over the Internet. VPNs accomplish this by creating an encrypted tunnel that provides the same security available as in a private network. This allows workers who are in the field or working at home to securely connect to a remote corporate server and also allows companies to securely connect to branch offices and other companies over the Internet. The VPN tunnel guarantees:
- authenticity, by using standard authentication methods.
- privacy, by encrypting data.
- integrity, by using standard integrity assurance methods.
Types of tunnels and the number of tunnels can be managed with the following features:
- Permanent Tunnels - This feature keeps VPN tunnels active allowing real-time monitoring capabilities.
- VPN Tunnel Sharing - This feature provides greater interoperability and scalability between Security Gateways. It also controls the number of VPN tunnels created between peer Security Gateways.
The status of all VPN tunnels can be viewed in SmartView Monitor. For more information on monitoring see the Monitoring Tunnels chapter in the R80 SmartView Monitor Administration Guide.
Permanent Tunnels
As companies have become more dependent on VPNs for communication to other sites, uninterrupted connectivity has become more crucial than ever before. Therefore it is essential to make sure that the VPN tunnels are kept up and running. Permanent Tunnels are constantly kept active and as a result, make it easier to recognize malfunctions and connectivity problems. Administrators can monitor the two sides of a VPN tunnel and identify problems without delay.
Each VPN tunnel in the community may be set to be a Permanent Tunnel. Since Permanent Tunnels are constantly monitored, if the VPN tunnel is down, then a log, alert, or user defined action, can be issued. A VPN tunnel is monitored by periodically sending "tunnel test" packets. As long as responses to the packets are received the VPN tunnel is considered "up." If no response is received within a given time period, the VPN tunnel is considered "down." Permanent Tunnels can only be established between Check Point Security Gateways. The configuration of Permanent Tunnels takes place on the community level and:
- Can be specified for an entire community. This option sets every VPN tunnel in the community as permanent.
- Can be specified for a specific Security Gateway. Use this option to configure specific Security Gateways to have permanent tunnels.
- Can be specified for a single VPN tunnel. This feature allows configuring specific tunnels between specific Security Gateways as permanent.
Permanent Tunnels in a MEP Environment
In a Multiple Entry Point (MEP) environment, VPN tunnels that are active are rerouted from the predefined primary Security Gateway to the backup Security Gateway if the primary Security Gateway becomes unavailable. When a Permanent Tunnel is configured between Security Gateways in a MEP environment where RIM is enabled, the satellite Security Gateways see the center Security Gateways as "unified." As a result, the connection will not fail but will fail over to another center Security Gateway on a newly created permanent tunnel. For more information on MEP see Multiple Entry Point VPNs.
In this scenario:
- Host 1, residing behind Security Gateway S1, is communicating through a Permanent Tunnel with Host 2, residing behind Security Gateway M1.
- M1 and M2 are in a MEPed environment.
- M1 and M2 are in a MEP environment with Route Injection Mechanism (RIM) enabled.
- M1 is the Primary Security Gateway and M2 is the Backup Security Gateway.
In this case, should Security Gateway M1 become unavailable, the connection would continue through a newly created permanent tunnel between S1 and M2.
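The failover described in this scenario, as an added example that is not Check Point code: a satellite gateway S1 holds a permanent tunnel to a "unified" centre made up of M1 (primary) and M2 (backup). When the tunnel test to M1 fails, S1 brings up a new permanent tunnel to the next reachable centre gateway, and RIM replaces the injected route for the network behind the centre. Gateway names follow the text; the addresses (TEST-NET-3), the protected network and the event strings are constructed for the demo.

```python
"""Permanent-tunnel failover in a MEP environment with RIM (added example,
not Check Point code). Addresses, the protected network behind the centre
and the log text are constructed."""
from dataclasses import dataclass, field


@dataclass
class CenterGateway:
    name: str
    address: str
    reachable: bool = True      # becomes False when tunnel tests go unanswered


@dataclass
class Satellite:
    name: str
    centers: list               # MEP priority order: primary first, then backups
    protected_net: str          # network behind the centre (where Host 2 lives)
    tunnel_peer: str = None     # centre gateway the permanent tunnel is built to
    routes: dict = field(default_factory=dict)   # destination -> next hop (RIM)
    log: list = field(default_factory=list)

    def establish(self):
        """Build a permanent tunnel to the first reachable centre gateway.
        The satellite treats M1/M2 as one 'unified' peer, so re-selection
        is transparent to Host 1. Returns the chosen peer name or None."""
        for gw in self.centers:
            if gw.reachable:
                if self.tunnel_peer != gw.name:
                    self.tunnel_peer = gw.name
                    # RIM: inject the route to the protected network via the new peer
                    self.routes[self.protected_net] = gw.address
                    self.log.append(
                        f"permanent tunnel {self.name}->{gw.name}; "
                        f"route {self.protected_net} via {gw.address}")
                return gw.name
        # No centre gateway left: tear down and withdraw the injected route
        self.tunnel_peer = None
        self.routes.pop(self.protected_net, None)
        self.log.append("no centre gateway reachable; route withdrawn")
        return None

    def tunnel_test(self):
        """Periodic tunnel test of the current peer; a failure triggers
        re-selection. Returns the peer name after the test."""
        peer = next((gw for gw in self.centers if gw.name == self.tunnel_peer), None)
        if peer is None or not peer.reachable:
            self.log.append(f"tunnel test to {self.tunnel_peer} failed")
            return self.establish()
        return self.tunnel_peer


def scenario():
    """The text's scenario: M1 primary, M2 backup, M1 becomes unavailable.
    Returns (peer before, peer after, injected routes after)."""
    m1 = CenterGateway("M1", "203.0.113.1")     # constructed addresses
    m2 = CenterGateway("M2", "203.0.113.2")
    s1 = Satellite("S1", [m1, m2], "10.2.0.0/24")
    before = s1.establish()
    m1.reachable = False                        # M1 stops answering tunnel tests
    after = s1.tunnel_test()
    return before, after, dict(s1.routes)


if __name__ == "__main__":
    print(scenario())   # ('M1', 'M2', {'10.2.0.0/24': '203.0.113.2'})
```

The route table is what a dynamic routing protocol behind S1 would pick up: after failover the only change visible to the internal network is the next hop for the protected prefix, which is the point of pairing MEP with RIM.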
Tunnel Testing for Permanent Tunnels
Check Point uses a proprietary protocol to test if VPN tunnels are active, and supports any site-to-site VPN configuration. Tunnel testing requires two Security Gateways, and uses UDP port 18234. Check Point tunnel testing protocol does not support 3rd party Security Gateways.
Dead Peer Detection
In addition to Tunnel Testing, Dead Peer Detection (DPD) is a different method to test if VPN tunnels are active.
Dead Peer Detection does support 3rd party Security Gateways and supports permanent tunnels with interoperable devices based on IKEv1/IKEv2 DPD (IKEv1 DPD is based on RFC 3706). It uses IPsec traffic patterns to minimize the number of messages required to confirm the availability of a peer.
The tunnel testing mechanism is the recommended keepalive mechanism for Check Point to Check Point VPN gateways because it is based on IPsec traffic and requires an IPsec established tunnel. DPD is based on IKE encryption keys only.
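The two keepalive mechanisms described above (the periodic tunnel test that declares a permanent tunnel "down" after a timeout, and RFC 3706 style DPD that probes only when the peer has been silent) as one added example, not Check Point code. Both monitors are driven by a fake clock and a constructed peer, so the logic runs offline; the intervals, retry counts, sequence-number handling and event text are assumptions made for the demo, not Check Point defaults.

```python
"""Simulated keepalive monitoring of a permanent VPN tunnel (added example,
not Check Point code). Two strategies from the text, driven by a fake clock:
  * TunnelTestMonitor - tunnel test: fixed-interval probe over the established
    IPsec tunnel (UDP 18234); "down" when no reply arrives within the timeout.
  * DpdMonitor - RFC 3706 style DPD: R-U-THERE only after the peer has been
    silent for an idle interval, a few retries, then the peer is declared dead
    and its IKE/IPsec SAs deleted.
Intervals, retry counts, sequence handling and event text are assumptions."""
from dataclasses import dataclass, field


@dataclass
class TunnelTestMonitor:
    interval: float = 10.0   # seconds between tunnel-test probes (assumed)
    timeout: float = 30.0    # no reply for this long => tunnel "down" (assumed)
    state: str = "up"
    last_reply: float = 0.0
    next_probe: float = 0.0
    events: list = field(default_factory=list)

    def tick(self, now):
        """Advance the clock. Returns True when a probe was sent this tick."""
        probed = False
        if now >= self.next_probe:
            self.events.append(f"tunnel-test probe to UDP/18234 at t={now:g}")
            self.next_probe = now + self.interval
            probed = True
        if self.state == "up" and now - self.last_reply > self.timeout:
            self.state = "down"
            # This is where the log / alert / user-defined action fires.
            self.events.append(f"ALERT tunnel down at t={now:g}")
        return probed

    def reply(self, now):
        """A tunnel-test reply keeps (or restores) the tunnel 'up'."""
        self.last_reply = now
        if self.state == "down":
            self.state = "up"
            self.events.append(f"LOG tunnel up at t={now:g}")


@dataclass
class DpdMonitor:
    idle: float = 20.0       # silence before the first R-U-THERE (assumed)
    retry: float = 5.0       # spacing between unanswered R-U-THEREs (assumed)
    max_retries: int = 3     # unanswered probes before the peer is "dead" (assumed)
    seq: int = 0
    last_rx: float = 0.0
    last_sent: float = 0.0
    outstanding: int = 0
    alive: bool = True
    events: list = field(default_factory=list)

    def traffic_received(self, now):
        """Any protected traffic from the peer is proof of life; no probe needed."""
        self.last_rx = now
        self.outstanding = 0

    def ack_received(self, seq, now):
        """R-U-THERE-ACK must echo the sequence number of the latest probe."""
        if seq == self.seq:
            self.traffic_received(now)

    def tick(self, now):
        """Advance the clock. Returns False once the peer has been declared dead."""
        if not self.alive:
            return False
        silent = now - self.last_rx >= self.idle
        due = self.outstanding == 0 or now - self.last_sent >= self.retry
        if silent and due:
            if self.outstanding >= self.max_retries:
                self.alive = False
                self.events.append(f"peer dead at t={now:g}: delete IKE and IPsec SAs")
                return False
            self.seq += 1            # simplification: every probe gets a new number
            self.outstanding += 1
            self.last_sent = now
            self.events.append(f"R-U-THERE seq={self.seq} at t={now:g}")
        return True


def simulate(peer_silent_from, horizon=120):
    """Run both monitors with 1-second ticks against a constructed peer that
    answers everything until `peer_silent_from`, then goes quiet.
    Returns (tunnel_test_down_at, dpd_dead_at); None means never."""
    tt, dpd = TunnelTestMonitor(), DpdMonitor()
    tt_down_at = dpd_dead_at = None
    for now in range(horizon):
        probed = tt.tick(now)
        dpd.tick(now)
        if now < peer_silent_from:
            if probed:
                tt.reply(now)
            if now % 25 == 0:            # constructed: sporadic IPsec data traffic
                dpd.traffic_received(now)
            elif dpd.outstanding:
                dpd.ack_received(dpd.seq, now)
        if tt.state == "down" and tt_down_at is None:
            tt_down_at = now
        if not dpd.alive and dpd_dead_at is None:
            dpd_dead_at = now
    return tt_down_at, dpd_dead_at


if __name__ == "__main__":
    print(simulate(peer_silent_from=40))   # (61, 60)
```

The difference the text draws is visible in the event lists: the tunnel test keeps probing on schedule regardless of traffic, while DPD sends nothing while data flows and only starts R-U-THERE exchanges once the peer has been quiet, which is why it needs fewer messages but also why it tells you nothing about the IPsec SA itself.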
DPD has two modes:
- - Requires an R77.10 or higher gateway managed by an R77 or higher management server.
- Requires an R77.10 or higher gateway managed by an R77.10 or higher management server.
DPD Responder Mode
In this mode the Check Point gateway sends the IKEv1 DPD Vendor ID to peers from which the DPD Vendor ID was received.
To enable DPD Responder Mode:
- On each Security Gateway, run this command:
ckp_regedit -a SOFTWARE/CheckPoint/VPN1 forceSendDPDPayload -n 1
- To prevent a problem where the Check Point Security Gateway deletes IKE SAs:
Note - The DPD mechanism is based on IKE SA keys. In some situations, the Check Point Security Gateway deletes IKE SAs, and a VPN peer, usually a 3rd Party gateway, sends DPD requests and does not receive a response. As a result, the VPN peer concludes that the Check Point Security Gateway is down. The VPN peer can then delete the IKE and IPsec keys, which causes encrypted traffic from the Check Point Security Gateway to be dropped by the remote peer.
- In SmartConsole, click > > > .
- Click > .
- Select .
- Click .
- Install the Access Control Policy.
To disable DPD Responder Mode:
On each Security Gateway, run this command:
ckp_regedit -d SOFTWARE/CheckPoint/VPN1 forceSendDPDPayload
Permanent Tunnel Mode Based on DPD
DPD can monitor remote peers with the permanent tunnel feature. All related behavior and configurations of permanent tunnels are supported.
To configure DPD for a permanent tunnel, the permanent tunnel must be in the VPN community. After you configure the permanent tunnel, configure Permanent Tunnel mode Based on DPD. There are different possibilities for permanent tunnel mode:
To enable DPD monitoring:
On each VPN gateway in the VPN community, configure the property in GuiDBedit Tool (see sk13009) or dbedit (see sk13301). This includes 3rd Party gateways. (You cannot configure different monitor mechanisms for the same gateway.)
- In GuiDBedit Tool, go to > > > .
- For the , select a permanent tunnel mode.
- Save all the changes.
- Install the Access Control Policy.
Optional Configuration
- - By default, when a valid IKE SA is not available, a DPD request message triggers a new IKE negotiation. To prevent this behavior, set the property to .
Edit the property in GuiDBedit Tool (see sk13009) > > > > .
- - Based on RFC 3706, a VPN gateway has to delete IKE SAs from a dead peer. This functionality is enabled by default.
To disable this feature, set the environment variable to
To re-enable the feature:
VPN Tunnel Sharing
Tunnel test is a proprietary Check Point protocol used to see if VPN tunnels are active. Tunnel testing requires two Security Gateways and uses UDP port 18234. Third party gateways do not support tunnel testing.
VPN Tunnel Sharing provides interoperability and scalability by controlling the number of VPN tunnels created between peer Security Gateways. There are three available settings:
- One VPN tunnel per each pair of hosts
- One VPN tunnel per subnet pair
- One VPN tunnel per Security Gateway pair
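An added example, not Check Point code, of what the three Tunnel Sharing settings mean in numbers: given the encryption domains of two peer gateways and a constructed set of host-to-host flows that cross the VPN, it counts how many distinct tunnels each setting would create, and what the worst case is if every host pair talks. The subnet layout and flows are constructed; the setting names are mapped to short mode keys for the demo.

```python
"""Tunnel counts under the three VPN Tunnel Sharing settings (added example,
not Check Point code). Encryption domains and flows below are constructed."""
import ipaddress

# Constructed encryption domains: subnets behind gateway A and gateway B.
DOMAIN_A = [ipaddress.ip_network(n) for n in ("10.1.0.0/24", "10.1.1.0/24")]
DOMAIN_B = [ipaddress.ip_network(n) for n in
            ("192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24")]

# Constructed flows seen between the sites: (source host, destination host).
FLOWS = [
    ("10.1.0.5", "192.168.10.7"),
    ("10.1.0.5", "192.168.10.9"),
    ("10.1.0.6", "192.168.10.7"),
    ("10.1.1.20", "192.168.20.4"),
    ("10.1.1.20", "192.168.30.4"),
    ("10.1.0.5", "192.168.10.7"),   # repeated flow: reuses an existing tunnel
]

# Mode keys used in this demo: "host" = one tunnel per pair of hosts,
# "subnet" = one tunnel per subnet pair, "gateway" = one tunnel per gateway pair.
MODES = ("host", "subnet", "gateway")


def containing_subnet(host, domain):
    """Return the encryption-domain subnet that contains `host`."""
    addr = ipaddress.ip_address(host)
    for net in domain:
        if addr in net:
            return net
    raise ValueError(f"{host} is outside the encryption domain")


def tunnel_count(mode, flows=FLOWS, dom_a=DOMAIN_A, dom_b=DOMAIN_B):
    """Number of distinct tunnels the sharing `mode` needs to carry `flows`."""
    if mode == "gateway":
        return 1 if flows else 0
    keys = set()
    for src, dst in flows:
        if mode == "host":
            keys.add((ipaddress.ip_address(src), ipaddress.ip_address(dst)))
        elif mode == "subnet":
            keys.add((containing_subnet(src, dom_a), containing_subnet(dst, dom_b)))
        else:
            raise ValueError(f"unknown mode {mode!r}")
    return len(keys)


def worst_case(mode, dom_a=DOMAIN_A, dom_b=DOMAIN_B):
    """Upper bound on tunnels if every host pair across the two domains talks."""
    if mode == "gateway":
        return 1
    if mode == "subnet":
        return len(dom_a) * len(dom_b)
    # usable hosts per subnet; the -2 assumes ordinary /24-style networks
    hosts = lambda d: sum(max(n.num_addresses - 2, 1) for n in d)
    return hosts(dom_a) * hosts(dom_b)


def summary(flows=FLOWS):
    """Observed and worst-case tunnel counts for every mode."""
    return {m: (tunnel_count(m, flows), worst_case(m)) for m in MODES}


if __name__ == "__main__":
    for mode, (seen, bound) in summary().items():
        print(f"{mode:8s} tunnels for sample flows: {seen:>6}   worst case: {bound}")
```

The worst-case column is the scalability argument in the text: per-host-pair tunnels grow with the product of the host counts, per-subnet-pair tunnels with the product of the subnet counts, and per-gateway-pair is constant. The per-host setting exists for interoperability with peers that negotiate that way; the cost is the number of SAs each gateway has to maintain.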
Permanent Tunnels are VPN tunnels that are constantly kept active and as a result, make it easier to recognize malfunctions and connectivity problems. Administrators can monitor the two sides of a VPN tunnel, and identify problems without delay.
Each VPN tunnel in the community may be set to be a Permanent Tunnel. Since Permanent Tunnels are constantly monitored, if the VPN tunnel is down, then a log, alert, or user defined action, can be issued. Permanent Tunnels can only be established between security gateways. The configuration of Permanent Tunnels takes place on the community level and:
For example, when a link becomes unavailable, an alternative path is added or "injected" to the local routing table on the gateway. If a dynamic routing protocol is then configured, this change is propagated to the network behind the gateway. Route injection can be integrated with MEP functionality, providing an alternative to IP pool NAT in situations where large numbers of static IP addresses are not available.
Several types of alerts can be configured to keep administrators up to date on the status of the VPN tunnels. Choosing one of these alert types will enable immediate identification of the problem and the ability to respond to these issues more effectively. The Tracking Options are:
Since various vendors implement IPSec tunnels in a number of different methods, administrators need to cope with different means of implementation of the IPSec framework.
There are three settings for controlling the number of VPN tunnels between peer gateways: