VPN Tunnel Interfaces
Virtual Tunnel Interface (VTI) is a virtual interface that is used for establishing a Route-Based VPN tunnel. Each peer Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. has one VTI that connects to the VPN tunnel.
The VPN tunnel and its properties are configured by the VPN community that contains the two Security Gateways.
You must configure the VPN community and its member Security Gateways before you can create a VTI.
To learn more about Route Based VPN, see the R81 Site to Site VPN Administration Guide > Chapter Route Based VPN.
|
Note - The name of a VPN Tunnel interface in Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. is " |
Procedure:
-
Make sure that the IPsec VPN Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and Remote Access VPN access. Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. is enabled on the applicable Security Gateways.
-
Create and configure the Security Gateways.
-
Configure the VPN community in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. that includes the two peer Security Gateways.
Configuring VPN communityYou must configure the VPN Community and add the member Security Gateways to it before you configure a VPN Tunnel Interface. This section includes the basic procedure for defining a Site-to-Site VPN Community. To learn more about VPN communities and their definition procedures, see the R81 Site to Site VPN Administration Guide.
Step
Instructions
1
Connect with SmartConsole to the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..
2
From the left navigation panel, click Security Policies.
3
In the Access Tools section, click VPN Communities.
4
From the top toolbar, click the New () > select Star Community or Meshed Community..
5
Configure the VPN community:
-
Enter the VPN community name.
-
From the left tree, click Gateways.
Select the applicable Security Gateways.
-
From the left tree, click Encrypted Traffic.
Select Accept all encrypted traffic.
This automatically adds a rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. to encrypt all traffic between Security Gateways in a VPN community.
-
Configure other settings as necessary.
6
Publish the SmartConsole session.
-
-
Make Route Based VPN the default option.
Do this procedure one time for each.
Configuring Route Based VPNWhen Domain Based VPN and Route Based VPN are configured for a Security Gateway, Domain Based VPN is active by default. You must do two short procedures to make sure that Route Based VPN is always active.
The first procedure configures an empty encryption domain group for your VPN peer Security Gateways. You do this step one time for each Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server.. The second step is to make Route Based VPN the default option for all Security Gateways.
Configuring an empty groupStep
Instructions
1
In the SmartConsole, click Objects menu > More object types > Network Object > Group > New Network Group.
2
Enter a group name.
3
Do not add members to this group.
4
Click OK.
Configuring the Route Based VPN as the default choiceDo these steps for each Security Gateway.
Step
Instructions
1
From the left navigation panel, click Gateways & Servers.
2
Double-click the applicable Security Gateway object.
3
From the left tree, click Network Management > VPN Domain.
4
Select Manually define and then select the empty Group object you created earlier.
5
Install the Access Control Policy.
-
Configure the VTI.
You can configure the VPN Tunnel Interfaces (VTI) in Gaia Portal Web interface for the Check Point Gaia operating system. or Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)..
Configuring VTI in Gaia PortalStep
Instructions
1
In the Gaia Portal, select Network Management > Network Interfaces.
2
Click Add > VPN Tunnel.
To configure an existing VTI interface, select the VTI interface and click Edit.
3
In the Add/Edit window, configure these parameters:
-
VPN Tunnel ID - Unique tunnel name (integer from 1 to 99).
Gaia automatically adds the prefix "
vpnt
" to the Tunnel ID (example:vnpt10
). -
Remote Peer Name - Alphanumeric character string as configured for the Remote Peer Name in the VPN community.
You must configure the two peers in the VPN community before you can configure the VTI.
-
VPN Tunnel Type - Select the applicable type:
-
Numbered - Uses a specified, static IPv4 addresses for local and remote connections.
-
Unnumbered - Uses the interface and the remote peer name to get IPv4 addresses.
-
-
Local Address - Configures the local peer IPv4 address. Applies to the Numbered VTI only.
-
Remote Address - Configures the remote peer IPv4 address. Applies to the Numbered VTI only.
-
Physical Device - Local peer interface name. Applies to the Unnumbered VTI only.
Configuring VTI in Gaia ClishSyntax-
To add a VPN Tunnel Interface (VTI):
-
To see the configuration of the specific VPN Tunnel Interface (VTI):
show vpn tunnel <Tunnel ID>
-
To see all configured VPN Tunnel Interfaces (VTIs):
show vpn tunnels
-
To delete a VPN Tunnel Interface (VTI):
delete vpn tunnel <Tunnel ID>
Important - After you add, configure, or delete features, run the "
save config
" command to save the settings permanently.CLI ParametersParameter
Description
<Tunnel ID>
Configures the unique Tunnel ID (integer from 1 to 99).
Gaia automatically adds the prefix '
vpnt
' to the Tunnel ID.Example:
vnpt10
type numbered
Configures a numbered VTI that uses static IPv4 addresses for local and remote connections.
type unnumbered
Configures an unnumbered VTI that uses the interface and the remote peer name to get IPv4 addresses.
local <Local IP address>
Configures the VPN Tunnel IPv4 address in dotted decimal format on this Security Gateway or Cluster Member Security Gateway that is part of a cluster..
Applies to the Numbered VTI only.
remote <Remote IP address>
Configures the VPN Tunnel IPv4 address in dotted decimal format on the VPN peer.
Applies to the Numbered VTI only.
peer <Peer Name
Specifies the name of the remote peer object as configured in the VPN community in SmartConsole.
dev <Name of Local Interface>
Specifies the name of the local interface on this Security Gateway or Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Member.
The new VTI is bound to this local interface.
Applies to the Unnumbered VTI only.
Examplegaia> add vpn tunnel 20 type numbered local 10.10.10.1 remote 20.20.20.1 peer MyPeer1
gaia>
gaia> add vpn tunnel 10 type unnumbered peer MyPeer2 dev eth1
gaia>
gaia> show vpn tunnels
Interface: vpnt20
Local IP: 10.10.10.1
Peer Name: MyPeer1
Remote IP: 20.20.20.1
Interface type: numbered
Interface: vpnt10
Physical device: eth1
Peer Name: MyPeer2
Interface type: unnumbered
gaia>
gaia> show vpn tunnel 20
Interface: vpnt20
Local IP: 10.10.10.1
Peer Name: MyPeer1
Remote IP: 20.20.20.1
Interface type: numbered
gaia>
gaia> delete vpn tunnel 20
-
-
Configure Route Based VPN Rules.
Configuring Route Based VPN RulesTo make sure that your security rules work correctly with Route Based VPN traffic, you must add directional matching conditions and allow OSPF traffic.
(A) Defining Directional Matching VPN RulesThis section contains the procedure for defining directional matching rules.
Directional matching is necessary for Route Based VPN when a VPN community is included in the VPN column in the rule.
This is because without bi-directional matching, the rule only applies to connections between a community and an encryption domain (Domain Based Routing).
Name
Source
Destination
VPN
Service
Action
VPN Tunnel
Any
Any
MyIntranet
Any
Accept
The directional rule must contain these directional matching conditions:
-
Community > Community
-
Community > Internal_Clear
-
Internal_Clear > Community
Name
Source
Destination
VPN
Service
Action
VPN Tunnel
Any
Any
MyIntranet > MyIntranet
MyIntranet > Internal_Clear
Internal_Clear > MyIntranet
Any
Accept
Notes:
-
MyIntranet is the name of a VPN Community.
-
Internal_Clear refers to all traffic from IP addresses to and from the specified VPN community.
-
It is not necessary to configure bidirectional matching rules if the VPN column contains the value Any.
Enabling the VPN directional matchingStep
Instructions
1
In SmartConsole, click > Global properties> expand VPN > click Advanced.
2
Select the Enable VPN Directional Match in VPN Column option and click OK.
3
From the left navigation panel, click Gateways & Servers.
4
For each VPN member gateway:
-
Double-click the Security Gateway object.
-
From the left tree, click Network Management.
-
Click Get Interfaces > Get Interfaces with Topology.
This updates the topology to include the newly configured VTIs.
-
Click Accept.
-
Click OK.
Configuring a VPN directional matching ruleStep
Instructions
1
From the left navigation panel, click Security Policies.
2
Click Access Control > Policy.
3
Right-click the VPN cell in the applicable rule and select Directional Match Condition.
4
In the New Directional Match Condition window, select the source (Traffic reaching from) and destination (Traffic leaving to).
5
Click OK.
6
Repeat Step 3-5 for each set of matching conditions.
7
Publish the SmartConsole session.
(B) Defining Rules to Allow OSPF TrafficOne advantage of Route Based VPN is the fact that you can use dynamic routing protocols to distribute routing information between Security Gateways.
The OSPF (Open Shortest Path First) protocol is commonly used with VTIs.
To learn about configuring OSPF, see the R81 Gaia Advanced Routing Administration Guide.
-
-
Install the policy and test.
InstructionsYou must save your configuration to the database and install policies to the Security Gateways before the VPN can be fully functional.
Step
Instructions
1
Publish the SmartConsole session.
2
Install the Access Control policy on the Security Gateways.
3
Make sure traffic passes over the VTI tunnel correctly.