Getting Started with Site-to-Site VPN
Step 1 - Enable the IPsec VPN Software Blade on Security Gateways
Site to Site VPN An encrypted tunnel between two or more Security Gateways. Synonym: Site-to-Site VPN. Contractions: S2S VPN, S-to-S VPN. requires two or more Security Gateways with the IPsec VPN Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. enabled. You can enable other Software Blades on these Security Gateways.
Make sure that Trusted Communication is established between all Security Gateways and the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..
-
Create the Security Gateway
Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. objects. -
Create the Trusted Communication (SIC
Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server.) with the Management Server. -
Enable the IPsec VPN Software Blade.
On the General Properties page, in the Network Security tab, select IPsec VPN.
-
Click OK.
Note - An internal CA certificate for the Security Gateway is created automatically.
Step 2 - Create a VPN Community
You can create a Star VPN Community A named collection of VPN domains, each protected by a VPN gateway. or a Meshed VPN Community. See VPN Communities.
The procedure below shows an example of a Star Community.
Configuring a new VPN community
-
From the left navigation panel, click Security Policies.
-
In the top left section Access Control, click Policy.
-
In the bottom left section Access Tools, click VPN Communities.
-
Click New (
) and select Star Community or Meshed Community. -
Enter a name for the VPN Community.
-
In the Center Gateways area, click the + icon to add one or more Security Gateways (Clusters) to be in the center of the community.
-
In the Satellite Gateways area, click the + icon to add one or more Security Gateways (Clusters) to be around the center Security Gateways (Clusters).
-
Click OK.
The Community uses the default encryption and VPN Routing settings.
-
Optional: Edit more settings for the VPN Community in the VPN Community object.
More VPN Community Settings
In addition to the Security Gateway members, you can edit these settings for the VPN Community in the community object:
-
Encrypted Traffic - Select Accept all encrypted traffic to encrypt and decrypt all traffic between the Security Gateways. If this is not selected, create rules in the Security Policy
Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. Rule Base All rules configured in a given Security Policy. Synonym: Rulebase. to allow encrypted traffic between community members. -
Encryption - Select encryption settings that include the Encryption Method and Encryption Suite. See VPN Community Object - Encryption Settings.
-
Tunnel Management - Select settings for VPN tunnels that include Permanent Tunnels and Tunnel Sharing. See Configuring Tunnel Features.
-
VPN Routing -For Star Communities, select how VPN traffic is routed between the center and satellite Security Gateways. By default this is always set to To center only. See Configuring VPN Routing in Domain Based VPN.
-
MEP (Multiple Entry Points) - For Star Communities, select how the entry Security Gateway for VPN traffic is chosen. This only applies when you have multiple center Security Gateways in the community. See Overview of MEP.
-
Excluded Services - Add services that are not to be encrypted, for example Check Point Control Connections. VPN tunnels are not created for the Services included here.
-
Shared Secret - Configure shared secret authentication to use for communication with external Security Gateways that are part of a VPN community. See Configuring a VPN with External Security Gateways Using Pre-Shared Secret.
-
Wire Mode - Select to define internal interfaces and communities as trusted and bypass the Security Gateway for some communication. See Configuring Wire Mode.
-
Advanced - Configure advanced settings related to IKE, IPsec, and NAT. You can also Reset All VPN Properties to revert all VPN Community settings to their default values. See Configuring Advanced IKE Properties.
Step 3 - Configure the VPN Domain for Security Gateways
The VPN Domain defines the networks and IP addresses that are included in the VPN Community. It is also called the Encryption Domain The networks that a Security Gateway protects and for which it encrypts and decrypts VPN traffic.. When you create a Check Point Security Gateway object, the VPN Domain is automatically defined as all IP Addresses behind the Security Gateway, based on the topology information.
You can manually define the VPN domain to include one or more networks behind the Security Gateway. You must have a Network object or a Network Group object that represents the Domain.
Configuring a VPN Domain manually
-
In SmartConsole, from the Gateways & Servers view, open a Security Gateway object.
-
Open the Network Management > VPN Domain page.
-
Select Manually defined and:
-
Browse to the object list and select an object that represents the domain.
-
Browse to the object list and click New > Group or Network to define a new group of hosts or networks.
-
-
Click OK.
Encryption Domain per Community
|
|
Important - This feature requires Security Gateways R80.40 and higher. |
By default, a Security Gateway's Encryption Domain is shared with all the communities it is a part of.
Access to different resources within the Encryption Domain is implemented using the Access Control Rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. Base.
In some cases you may need to configure the Encryption Domain in a granular way.
You can configure the VPN domain of a Security Gateway per community, which makes it safer and easier to control the VPN communities that are logically separated.
Example 1
-
Security Gateway A (Partner A) is part of Community-1.
-
Security Gateway B (Partner B) is part of Community-2.
-
Security Gateway C (Corporate Branch) is part of Community 1 and Community 2.
-
The network behind Security Gateway C - 10.2.2.0 is split into 2 networks using the 255.255.255.128 subnet mask.
In this scenario, the administrator limits the access from Security Gateway A in Community 1 to some of the resources behind Security Gateway C, which is also part of Community 1.
To allow access to the required resources from Security Gateway A to resources protected by Security Gateway- C, the administrator configures an Encryption Domain per the specific community. On Security Gateway-C, the administrator must configure two Encryption Domains: one for Community 1 and one for Community 2.
Domains
The access is limited to the specific Encryption Domain: network 10.2.2.0/25.
Configuring the Encryption Domain per Community
-
Open the VPN community.
-
From the left tree, click Gateways.
-
In the Center Gateways section, double-click the center Security Gateway that participates in more than one VPN community (Security Gateway- C in this scenario).
The VPN domain configuration window opens.
-
Select the User defined option.
Select the applicable Network or Group object (or create a new object). Configure the Encryption Domain. In the example, the encryption domain includes the network that we allow partner B to access.
-
Click OK.
Example 2
Using the same setup, you can use the Encryption Domain per Community configuration to allow access between host 1 and host 2 in both directions.
The configuration changes are applied to the Encryption Domain of Security Gateway-C per each relevant community, in this example Communities 1 and 2.
|
|
Note - In previous versions to get this functionality the |
Configuration:
|
Community |
Encryption Domain |
Install On |
|---|---|---|
|
Community-1 |
Network behind Security Gateway-C Host-2 |
Security Gateway-C Security Gateway-A |
|
Community-2 |
Network behind Security Gateway-C Host-1 |
Security Gateway-C Security Gateway-B |
-
Create a new host (Host-2 behind Security Gateway-B) to represent the Encryption Domain of Security Gateway-C to publish for Security Gateway-A.
-
Create a new host (Host-1 behind Security Gateway-A) to represent the Encryption Domain of Security Gateway-C to publish for Security Gateway-B.
-
Create a new Network group to include the current Encryption Domain of Security Gateway-C and the additional host (Host-2) for Community-1.
-
Create a new Network group to include the current Encryption Domain of Security Gateway-C and the additional host (Host-1) for Community-2.
-
For Community-1 change the Encryption Domain for Security Gateway-C, use the new group created in step 3.
-
For Community-2 change the Encryption Domain for Security Gateway-C, use the new group created in step 4.
This type of configuration "tricks" the satellite gateways to think that the destination host is part of Security Gateway-C 's Encryption Domain. Therefore, the satellite gateways encrypt the packets that they send to the center Security Gateway. The center Security Gateway decrypts the packets, re-encrypts them, and then re-routes them to the other satellite gateways.
This is how it works:
Specific VPN Domain for Gateway Communities
If a Security Gateway participates in more than one VPN Community, you can configure a different VPN Domain for the Security Gateway for each VPN Community in which it participates. In SmartConsole, you can configure a specific VPN Domain for a Security Gateway in the Security Gateway object or in the VPN Community object.
|
|
Important - This feature requires Security Gateway versions R80.40 and higher. |
To configure a specific VPN Domain in the Security Gateway Object:
-
Open the Network Management > VPN Domain page.
-
In the line Set Specific Domain for Gateway Communities, click Set.
-
Select the VPN Community for which it is necessary to override the VPN Domain and click Set.
-
Select the applicable option:
-
According to the gateway
This configuration option use the VPN Domain that is configured in the Network Management folder > VPN Domain page > VPN Domain section.
-
User defined
Select the applicable Network or Group object (or create a new object).
This configuration option overrides:
-
The VPN Domain that is configured in the Security Gateway object > Network Management folder > VPN Domain page > VPN Domain section.
-
The VPN Domain that is configured in the Meshed / Star VPN Community object > Gateways page.
-
The VPN Domain that is configured in the Remote Access VPN
An encrypted tunnel between remote access clients (such as Endpoint Security VPN) and a Security Gateway. Community object > Participating Gateways page.
-
-
-
Click OK to close the Set Specific VPN Domain for Gateway Communities window.
-
Click OK to close the Communities Specific VPN Domain window.
To configure a specific VPN Domain in the VPN Community Object:
-
In the Objects pane, click VPN Communities.
-
Click the applicable VPN Community.
The VPN Community configuration window opens.
-
In the Gateways pane, double-click the relevant Security Gateway object (or create a new object).
The VPN Domain configuration window opens.
-
Select the applicable option:
-
According to the gateway
This configuration option use the VPN Domain that is configured in the Network Management folder > VPN Domain page > VPN Domain section.
-
User defined
Select the applicable Network or Group object (or create a new object).
This configuration option overrides:
-
The VPN Domain that is configured in the Security Gateway object > Network Management folder > VPN Domain page > VPN Domain section.
-
The VPN Domain that is configured in the Meshed / Star VPN Community object > Gateways page.
-
The VPN Domain that is configured in the Remote Access VPN Community object > Participating Gateways page.
-
-
-
Click OK to close the VPN Domain configuration window.
-
Click OK to close the VPN Community configuration window.
Excluding the VPN Gateway's External IP Addresses from the VPN Domain
VPN Gateway excludes its external IP address from the VPN Domain, you must configure the Check Point VPN Gateway to exclude its own external IP addresses from the VPN Domain.
-
From the left navigation panel, click Gateways & Servers.
-
In the center panel, double-click the VPN Gateway / Cluster
Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. object. -
From the left tree, expand Network Management and click VPN Domain.
-
Below Advanced, select Exclude gateway's external IP addresses from the VPN Domain.
-
Click OK.
Granular Encryption for Externally Managed Gateways
When you add an externally managed VPN Gateway to a VPN community, the externally managed VPN Gateway may use a different encryption suite than the VPN Community. With Granular Encryption, you can add an externally managed Gateway that uses a different encryption suite to participate in an existing community without the need to change the encryption methods in use or split the VPN community.
|
|
Note - Granular Encryption is supported only for Security Gateway versions R81 and higher. |
Configuring Granular Encryption
-
Open the VPN Community object.
-
From the left tree, click Encryption.
-
Below Override Encryption for Externally Managed Gateways click the + button.
The Granular Encryption window opens.
Example:
-
Configure the Encryption Context. Gateways in the Encryption Context use Granular Encryption.
-
To the right of Internal Gateway, select one:
-
Any - All internally managed Gateways that participate in the VPN community use Granular Encryption to communicate with the External Gateway.
-
Security Gateway object - the selected Security Gateway uses Granular Encryption to communicate with the External Gateway.
Note - Security Gateways that are in the VPN Community appear in the menu. You can add a Security Gateway to the VPN Community in the VPN Community object window > Gateways tab.
-
-
To the right of External Gateway, select an Interoperable Device that represents the External Gateway.
Note - To make a new Interoperable Device, in the Objects pane click New > More > Network Object > More > Interoperable Device.
The Encryption Context is a configuration of an Internal Security Gateway and an Externally Managed Security Gateway.
The default value for the Internal Gateway is * Any. When * Any is selected, all internal Gateways that participate in the VPN community use the same Encryption Suite to establish the VPN connection with the externally managed Gateway.
Note - If Granular Encryption is set for a specific Internal Gateway in addition to the use of * Any in a different Encryption Context, the Granular Encryption settings apply.
-
-
Select the Encryption Method and Encryption Suite to use for the VPN communication between the selected peers.
Step 4 - Make Sure VPN Routing Works
Make sure the VPN works with the routing configured in your network. If VPN does not work, change the routing configuring or change the Link Selection settings as necessary. See Link Selection Overview.
By default, IPsec VPN Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and Remote Access VPN access. uses the main IPv4 address, defined in the General Properties page of the Security Gateway object, for the VPN tunnel connection.
If the main IPv4 address is an external interface, you do not need to configure additional routing.
If the main IP address is an internal interface, or if you want VPN communication on a different interface, make sure that:
-
The Link Selection settings for the Security Gateway are configured. Choose which Security Gateway links are used by VPN to route traffic correctly. See Link Selection Overview
-
VPN Routing is configured to allow the connections. For more information about how to configure routing in Gaia
Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. OS, see the R81.20 Gaia Administration Guide - Chapter Network Management.
Step 5 - Configure the Access Control Rules and install the Access Control Policy
You must configure Access Control rules to allow traffic within VPN Communities.
Configure rules in SmartConsole > Security Policies view > Access Control.
All layers of the Access Control Policy can contain VPN rules.
To make a rule apply to a VPN Community, make sure the VPN column of the Rule Base contains one of these:
-
Any - The rules applies to all VPN Communities and to non-VPN related traffic. If you configure a new VPN Community after the rule was created, the rule also applies to the new VPN Community.
-
One or more specified VPN communities - For example, MyIntranet. Right-click in the VPN column of a rule and select Specific VPN Communities. The rule applies to the communities shown in the VPN column.
Examples:
-
This rule allows encrypted traffic between domains of member Security Gateways of "community_X."
Name
Source
Destination
VPN
Services & Applications
Allow traffic within community
* Any
*Any
* MyCommunity
* Any
-
This rule allows traffic from all VPN Communities to the internal network on all services.
Name
Source
Destination
VPN
Services & Applications
Allow all VPN
* Any
Internal_Network
* Any
* Any
-
This rule allows traffic between two VPN domains with all services.
Name
Source
Destination
VPN
Services & Applications
Site to Site VPN
Local_VPN_Domain
Peer_VPN_Domain
Local_VPN_Domain
Peer_VPN_Domain
Site2Site
* Any
Step 6 - Test the VPN Tunnel
To make sure that a VPN tunnel works:
-
Locate the Access Control rule for the traffic that has to pass through the VPN tunnel.
In the Track column, select Log.
-
From the left navigation panel, click Logs & Monitor > Logs.
-
From the top, click New Tab.
-
From the bottom of the window, click Tunnel and User Monitoring.
Check Point SmartView Monitor opens.
-
Click the Security Gateway to see IPsec VPN traffic and tunnels opened.
A successful connection shows encrypt, decrypt and key install logs.
Alternatively:
-
In SmartConsole, from the left navigation panel, click Logs & Monitor.
-
On the Logs tab, search for VPN to see the applicable logs.
-
Example:
