Site-to-Site VPN Tunnel Between an On-Premises VPN Gateway and a Virtual Gateway in a Cloud

You can configure a Site to Site VPNClosed An encrypted tunnel between two or more Security Gateways. Synonym: Site-to-Site VPN. Contractions: S2S VPN, S-to-S VPN. tunnel between an on-premises Check Point Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. and a Virtual Gateway in a Virtual Private Cloud.

R81.20 supports this feature only for:

  • Amazon Web Services (AWS)

  • Microsoft Azure

Configuration Flow

  1. An Administrator configures the required settings in SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. - configures a new Site-to-Site VPN TunnelClosed An encrypted connection between two hosts using standard protocols (such as L2TP) to encrypt traffic going in and decrypt it coming out, creating an encapsulated network through which data can be safely shared as though on a physical private line., or deletes an existing Site-to-Site VPN Tunnel.

  2. An Administrator installs the Security PolicyClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. on the on-premises VPN Gateway / VPN ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. automatically.

  3. In addition to the Security Policy, the Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. creates the required one-time configuration instructions (VTI, Dynamic Routing) for the on-premises VPN Gateway / VPN Cluster Members.

  4. The Management Server sends the Security Policy and the one-time configuration instructions to the on-premises VPN Gateway / VPN Cluster Members

  5. The on-premises VPN Gateway / VPN Cluster Members install the Security Policy.

  6. The on-premises VPN Gateway / VPN Cluster Members run the one-time configuration instructions (VTI, Dynamic Routing).

  7. The Management Server deletes these one-time configuration instructions (VTI, Dynamic Routing) from its database.

Prerequisites

  1. Publish the SmartConsole session.

  2. Install the applicable Security Policies on the on-premises VPN Gateway / VPN Cluster, for which you plan to configure (or remove) the Site-to-Site VPN Tunnel with a Virtual Gateway in a Cloud.

Limitations

Important Notes

  • When you configure a new Site-to-Site VPN Tunnel or delete an existing Site-to-Site VPN Tunnel, you must not configure other settings or objects that the procedures below do not mention explicitly.

    If you must make other configuration changes, you must do them before or after the procedures below.

  • If the configuration of a new Site-to-Site VPN Tunnel does not work, then delete the current configuration, install the Security Policy, and configure the required settings again.

  • If it is necessary to change the configuration of an existing Site-to-Site VPN Tunnel (for example, select a different Virtual Gateway in the cloud), then delete the current configuration, install the Security Policy, and configure the required settings.

  • If it is necessary to revert to a Database Revision on the Management Server, you must make sure the Site-to-Site VPN Tunnel configuration in that Database Revision matches the Site-to-Site VPN Tunnel configuration on the on-premises VPN Gateway / VPN Cluster Members.

    For information about Database Revision, see the R81.20 Security Management Administration Guide > Chapter "Preferences and Management Settings" > Section "Database Revisions".

    You must follow the applicable scenario:

    Important - If you do the revert procedure incorrectly or it fails, the Site-to-Site VPN Tunnel configuration on Security Gateway and Management Server does not match anymore. Contact Check Point Support and refer to sk179691.

    Scenario

    State of Cloud VPN Configuration

    How to Revert Completely to a Database Revision

    1. Created a Database Revision on the Management Server without the Site-to-Site VPN Tunnel configuration.

    2. Configured the required settings in SmartConsole for a new Site-to-Site VPN Tunnel.

    3. Installed policy on the on-premises VPN Gateway / VPN Cluster.

    4. Reverted to the Database Revision on the Management Server.

    • Management Server:

      Cloud VPN configuration does not exist "yet" (as if you did not configure anything).

    • VPN Gateway / VPN Cluster Members:

      Cloud VPN configuration exists (because revert occurs only on the Management Server).

    1. Do one of these to remove the VPN tunnel configuration:

    2. Install policy on the on-premises VPN Gateway / VPN Cluster.

    Scenario

    State of Cloud VPN Configuration

    How to Revert Completely to a Database Revision

    1. Created a Database Revision on the Management Server that contains an existing Site-to-Site VPN Tunnel configuration.

    2. Removed an existing Site-to-Site VPN Tunnel configuration.

    3. Installed policy on the on-premises VPN Gateway / VPN Cluster.

    4. Reverted to the Database Revision on the Management Server.

    • Management Server:

      Cloud VPN configuration exists again.

    • VPN Gateway / VPN Cluster Members:

      Cloud VPN configuration does not exist anymore.

    1. Do one of these to restore the VPN tunnel configuration:

      • Add the on-premises VPN Gateway / VPN Cluster object to the VPN Community.

      • Add the Virtual Gateway object to the VPN Community.

    2. Install policy on the VPN Gateway / VPN Cluster.

Configuring a New Site-to-Site VPN Tunnel

Use the cloud provider's user interface to configure:

  • The Data Center

  • The Virtual Gateways

  • The applicable VPN settings

  1. Connect with SmartConsole to the Check Point Management Server that manages the on-premises Check Point Security Gateway.

  2. From the left navigation panel, click Gateways & Servers.

  3. Create and configure the Security Gateway object, if you did not do so yet.

    See the R81.20 Security Management Administration Guide. > Chapter Managing Gateways > Section Creating a New Security Gateway.

  4. Create a new Data Center object for your cloud provider.

    If you already have a Data Center object configured, open it, and run a test on its connection to the cloud.

    See the R81.20 CloudGuard Controller Administration Guide > Chapter Supported Data Centers.

  5. Import the applicable Virtual Gateways (VGW):

    1. In the top right corner, click the Objects pane > Data Centers.

    2. Right-click the applicable Data Center object.

    3. Click Import.

    4. Select and add the applicable Virtual Gateway (VGW) objects.

    5. Close the Data Center window.

  6. Add these objects to the applicable Site to Site VPN community (seeBasic Site to Site VPN Configuration):

    • The on-premises Check Point Security Gateway

    • The imported Virtual Gateways (VGW)

  7. Click OK.

    Important - It is not necessary to configure the VPN community settings. The Virtual Gateway (VGW) controls the VPN community settings for this VPN tunnel.

  8. Configure the applicable Access Control rules.

    See R81.20 Security Management Administration Guide > Chapter Creating an Access Control Policy

  9. Publish the SmartConsole session.

  10. Install the Access Control Policy on the Check Point Security Gateway.

Removing an Existing Site-to-Site VPN Tunnel

  1. In SmartConsole, delete the applicable configuration from the Virtual Gateway or the on-premises Check Point Security Gateway.

  2. Publish the SmartConsole session.

  3. Install the Access Control Policy on the Check Point Security Gateway.