VPN Tunnel Interfaces
Virtual Tunnel Interface (VTI) is a virtual interface that is used for establishing a Route-Based VPN tunnel. Each peer Security Gateway has one VTI that connects to the VPN tunnel.
The VPN tunnel and its properties are configured by the VPN community that contains the two Security Gateways.
You must configure the VPN community and its member Security Gateways before you can create a VTI.
To learn more about Route Based VPN, see the R81.20 Site to Site VPN Administration Guide > Chapter Route Based VPN.
Note - The name of a VPN Tunnel interface in Gaia is "

Procedure:
- Create and configure the Security Gateways.
- Enable the IPsec VPN Software Blade in the objects of the applicable Security Gateways.
- Configure the VPN community in SmartConsole that includes the two peer Security Gateways.
Configuring VPN community

You must configure the VPN Community and add the member Security Gateways to it before you configure a VPN Tunnel Interface. This section includes the basic procedure for defining a Site-to-Site VPN Community. To learn more about VPN communities and their definition procedures, see the R81.20 Site to Site VPN Administration Guide.

1. Connect with SmartConsole to the Management Server.
2. From the left navigation panel, click Security Policies.
3. In the Access Tools section, click VPN Communities.
4. From the top toolbar, click New > Star Community or Meshed Community.
5. Configure the VPN community:
   - Enter the VPN community name.
   - From the left tree, click Gateways. Select the applicable Security Gateways.
   - From the left tree, click Encrypted Traffic. Select Accept all encrypted traffic. This automatically adds a rule to encrypt all traffic between Security Gateways in a VPN community.
   - Configure other settings as necessary.
6. Publish the SmartConsole session.
- Make Route Based VPN the default option. Do this procedure one time for each.

Configuring Route Based VPN

When Domain Based VPN and Route Based VPN are configured for a Security Gateway, Domain Based VPN is active by default. You must do two short procedures to make sure that Route Based VPN is always active.
The first procedure configures an empty encryption domain group for your VPN peer Security Gateways. You do this step one time for each Security Management Server. The second step is to make Route Based VPN the default option for all Security Gateways.
Configuring an empty group

1. In SmartConsole, click Objects menu > More object types > Network Object > Group > New Network Group.
2. Enter a group name.
3. Do not add members to this group.
4. Click OK.
Configuring the Route Based VPN as the default choice

Do these steps for each Security Gateway.

1. From the left navigation panel, click Gateways & Servers.
2. Double-click the applicable Security Gateway object.
3. From the left tree, click Network Management > VPN Domain.
4. Select Manually define and then select the empty Group object you created earlier.
5. Install the Access Control Policy.
- Configure the VTI.
You can configure the VPN Tunnel Interfaces (VTI) in Gaia Portal or Gaia Clish.
Configuring VTI in Gaia Portal

Important - On Scalable Platforms (Maestro and Chassis), you must connect to the Gaia Portal of the applicable Security Group.

1. In the Gaia Portal, select Network Management > Network Interfaces.
2. Click Add > VPN Tunnel. To configure an existing VTI interface, select the VTI interface and click Edit.
3. In the Add/Edit window, configure these parameters:
   - VPN Tunnel ID - Unique tunnel name (integer from 1 to 99). Gaia automatically adds the prefix "vpnt" to the Tunnel ID (example: vpnt10).
   - Remote Peer Name - Alphanumeric character string as configured for the Remote Peer Name in the VPN community. You must configure the two peers in the VPN community before you can configure the VTI.
   - VPN Tunnel Type - Select the applicable type:
     - Numbered - Uses specified static IPv4 addresses for local and remote connections.
     - Unnumbered - Uses the interface and the remote peer name to get IPv4 addresses.
   - Local Address - Configures the local peer IPv4 address. Applies to the Numbered VTI only.
   - Remote Address - Configures the remote peer IPv4 address. Applies to the Numbered VTI only.
   - Physical Device - Local peer interface name. Applies to the Unnumbered VTI only.
Configuring VTI in Gaia Clish

Important - On Scalable Platforms (Maestro and Chassis), you must run the applicable commands in Gaia gClish of the applicable Security Group.

Syntax

- To add a VPN Tunnel Interface (VTI):
  add vpn tunnel <Tunnel ID> type numbered local <Local IP address> remote <Remote IP address> peer <Peer Name>
  add vpn tunnel <Tunnel ID> type unnumbered peer <Peer Name> dev <Name of Local Interface>
- To see the configuration of the specific VPN Tunnel Interface (VTI):
  show vpn tunnel <Tunnel ID>
- To see all configured VPN Tunnel Interfaces (VTIs):
  show vpn tunnels
- To delete a VPN Tunnel Interface (VTI):
  delete vpn tunnel <Tunnel ID>

Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently.

CLI Parameters

<Tunnel ID>
  Configures the unique Tunnel ID (integer from 1 to 99). Gaia automatically adds the prefix 'vpnt' to the Tunnel ID. Example: vpnt10
type numbered
  Configures a numbered VTI that uses static IPv4 addresses for local and remote connections.
type unnumbered
  Configures an unnumbered VTI that uses the interface and the remote peer name to get IPv4 addresses.
local <Local IP address>
  Configures the VPN Tunnel IPv4 address in dotted decimal format on this Security Gateway or Cluster Member. Applies to the Numbered VTI only.
remote <Remote IP address>
  Configures the VPN Tunnel IPv4 address in dotted decimal format on the VPN peer. Applies to the Numbered VTI only.
peer <Peer Name>
  Specifies the name of the remote peer object as configured in the VPN community in SmartConsole.
dev <Name of Local Interface>
  Specifies the name of the local interface on this Security Gateway or Cluster Member. The new VTI is bound to this local interface. Applies to the Unnumbered VTI only.
Example

gaia> add vpn tunnel 20 type numbered local 10.10.10.1 remote 20.20.20.1 peer MyPeer1
gaia>
gaia> add vpn tunnel 10 type unnumbered peer MyPeer2 dev eth1
gaia>
gaia> show vpn tunnels
Interface: vpnt20
Local IP: 10.10.10.1
Peer Name: MyPeer1
Remote IP: 20.20.20.1
Interface type: numbered
Interface: vpnt10
Physical device: eth1
Peer Name: MyPeer2
Interface type: unnumbered
gaia>
gaia> show vpn tunnel 20
Interface: vpnt20
Local IP: 10.10.10.1
Peer Name: MyPeer1
Remote IP: 20.20.20.1
Interface type: numbered
gaia>
gaia> delete vpn tunnel 20
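As an added example (not code from the Check Point documentation or product), a Python helper that builds the Clish add vpn tunnel command for a planned VTI while enforcing the constraints from the CLI Parameters table, and parses show vpn tunnels output so the planned VTI can be checked against what the gateway actually reports. It assumes the one-field-per-line output layout shown in the example session above.

```python
import ipaddress
import re

# Constraints from the CLI Parameters table: Tunnel ID is 1..99, Gaia names the
# interface vpnt<Tunnel ID>, numbered needs local/remote, unnumbered needs dev.
def build_add_command(tunnel_id, vti_type, peer, local=None, remote=None, dev=None):
    """Return the Gaia Clish 'add vpn tunnel' command for one VTI or raise ValueError."""
    tunnel_id = int(tunnel_id)
    if not 1 <= tunnel_id <= 99:
        raise ValueError("Tunnel ID must be an integer from 1 to 99")
    if not peer or not re.fullmatch(r"\S+", peer):
        raise ValueError("peer must be the Remote Peer Name from the VPN community")
    cmd = f"add vpn tunnel {tunnel_id} type {vti_type}"
    if vti_type == "numbered":
        if local is None or remote is None:
            raise ValueError("numbered VTI requires local and remote addresses")
        # IPv4Address() rejects anything that is not valid dotted-decimal IPv4
        local, remote = ipaddress.IPv4Address(local), ipaddress.IPv4Address(remote)
        return f"{cmd} local {local} remote {remote} peer {peer}"
    if vti_type == "unnumbered":
        if not dev:
            raise ValueError("unnumbered VTI requires dev <Name of Local Interface>")
        return f"{cmd} peer {peer} dev {dev}"
    raise ValueError("type must be 'numbered' or 'unnumbered'")

def parse_show_vpn_tunnels(output):
    """Parse 'show vpn tunnels' output into {interface name: {field: value}}."""
    tunnels, current = {}, None
    for line in output.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s*(\S+)\s*$", line)
        if not m:  # prompts and blank lines carry no field
            continue
        key, value = m.group(1).strip(), m.group(2)
        if key == "Interface":  # each VTI block starts with its interface name
            current = tunnels.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return tunnels

def vti_matches(tunnels, tunnel_id, vti_type, peer):
    """True if the gateway reports vpnt<Tunnel ID> with the expected type and peer."""
    rec = tunnels.get(f"vpnt{int(tunnel_id)}", {})
    return rec.get("Interface type") == vti_type and rec.get("Peer Name") == peer

# 'show vpn tunnels' output copied from the example session above, as a fixture.
SAMPLE_SHOW_OUTPUT = "\n".join([
    "Interface: vpnt20", "Local IP: 10.10.10.1", "Peer Name: MyPeer1",
    "Remote IP: 20.20.20.1", "Interface type: numbered", "Interface: vpnt10",
    "Physical device: eth1", "Peer Name: MyPeer2", "Interface type: unnumbered"])
```

Run the planned VTIs through build_add_command before typing them into Clish, then feed the real show vpn tunnels output to parse_show_vpn_tunnels and vti_matches to confirm each peer's VTI exists with the intended type.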
- Configure Route Based VPN Rules.

Configuring Route Based VPN Rules

To make sure that your security rules work correctly with Route Based VPN traffic, you must add directional matching conditions and allow OSPF traffic.

(A) Defining Directional Matching VPN Rules

This section contains the procedure for defining directional matching rules.
Directional matching is necessary for Route Based VPN when a VPN community is included in the VPN column in the rule.
This is because without bi-directional matching, the rule only applies to connections between a community and an encryption domain (Domain Based Routing).
Name        Source   Destination   VPN          Service   Action
VPN Tunnel  Any      Any           MyIntranet   Any       Accept
The directional rule must contain these directional matching conditions:
- Community > Community
- Community > Internal_Clear
- Internal_Clear > Community
Name        Source   Destination   VPN                          Service   Action
VPN Tunnel  Any      Any           MyIntranet > MyIntranet      Any       Accept
                                   MyIntranet > Internal_Clear
                                   Internal_Clear > MyIntranet
Notes:
- MyIntranet is the name of a VPN Community.
- Internal_Clear refers to all traffic from IP addresses to and from the specified VPN community.
- It is not necessary to configure bidirectional matching rules if the VPN column contains the value Any.
Enabling the VPN directional matching

1. In SmartConsole, click Menu > Global properties > expand VPN > click Advanced.
2. Select the Enable VPN Directional Match in VPN Column option and click OK.
3. From the left navigation panel, click Gateways & Servers.
4. For each VPN member gateway:
   - Double-click the Security Gateway object.
   - From the left tree, click Network Management.
   - Click Get Interfaces > Get Interfaces with Topology. This updates the topology to include the newly configured VTIs.
   - Click Accept.
   - Click OK.
Configuring a VPN directional matching rule

1. From the left navigation panel, click Security Policies.
2. Click Access Control > Policy.
3. Right-click the VPN cell in the applicable rule and select Directional Match Condition.
4. In the New Directional Match Condition window, select the source (Traffic reaching from) and destination (Traffic leaving to).
5. Click OK.
6. Repeat Steps 3-5 for each set of matching conditions.
7. Publish the SmartConsole session.
(B) Defining Rules to Allow OSPF Traffic

One advantage of Route Based VPN is that you can use dynamic routing protocols to distribute routing information between Security Gateways.
The OSPF (Open Shortest Path First) protocol is commonly used with VTIs.
To learn about configuring OSPF, see the R81.20 Gaia Advanced Routing Administration Guide.
- Install the policy and test.

Instructions

You must save your configuration to the database and install policies to the Security Gateways before the VPN can be fully functional.

1. Publish the SmartConsole session.
2. Install the Access Control policy on the Security Gateways.
3. Make sure traffic passes over the VTI tunnel correctly.