Large Scale VPN

A VPN that connects branch offices, worldwide partners, remote clients, and other environments can reach hundreds or thousands of peers. A VPN on this scale brings new challenges.
Each time a new VPN peer is deployed in production, configuration and policy installation are required on all participating VPN Gateways.
Large Scale VPN (LSV) addresses these challenges and facilitates deployment without the need for peer configuration and policy installation.

Configuring LSV

Workflow:
1. Configure the Certificate Authority.
2. Configure the Center VPN Security Gateway.
3. Configure the VPN community.
4. Configure the LSV profile.

This configuration is applied on the central VPN Gateway.
Step 1: Configure the Certificate Authority.

The CA certificate has to be supplied and saved to disk in advance.
Note - In case of SCEP automatic enrollment, you can skip this stage and fetch the CA certificate automatically after configuring the SCEP parameters.
The CA's certificate must be retrieved either by downloading it with the CA options in the Certificate Authority object, or by obtaining the CA's certificate from the peer administrator in advance.

Define the CA object according to the following steps:
1. In Object Explorer, click New > Server > More > Trusted CA or Subordinate CA.
   The Certificate Authority Properties window opens.
2. Enter a Name for the CA object.
3. On the OPSEC PKI tab:
   a. For automatic enrollment, select Automatically enroll certificate.
   b. From Connect to CA with protocol, select the protocol used to connect with the certificate authority: SCEP, CMPV1 or CMPV2.
      Note - For Entrust 5.0 and later, use CMPV1.
4. Click Properties:
   - If you chose SCEP as the protocol, in the Properties for SCEP protocol window, enter the CA identifier (such as example.com) and the Certification Authority/Registration Authority URL.
   - If you chose CMPV1 as the protocol, in the Properties for CMP protocol - V1 window, enter the applicable IP address and port number (the default port is 829).
   - If you chose CMPV2 as the protocol, in the Properties for CMP protocol - V2 window, decide whether to use direct TCP or HTTP as the transport layer.
   Note - If Automatic enrollment is not selected, enrollment has to be performed manually.
5. Choose a method for retrieving CRLs from this CA.
   - If the CA publishes CRLs on an HTTP server, choose HTTP Server(s). Certificates issued by the CA must contain the CRL location as a URL in the CRL Distribution Point extension.
   - If the CA publishes CRLs on an LDAP server, choose LDAP Server(s). In this case, you must also define an LDAP Account Unit. See the R81 Security Management Administration Guide for more details about defining an LDAP object. In the LDAP Account Unit Properties window, on the General tab, make sure to select CRL retrieval. Certificates issued by the CA must contain the LDAP DN on which the CRL resides in the CRL Distribution Point extension.
6. Click Get.
   If SCEP is configured, SmartConsole tries to connect to the CA and retrieve the certificate. If not, browse to where you saved the peer CA certificate and select it.
   The certificate is fetched. Verify the certificate's details. Display and validate the SHA-1 and MD5 fingerprints of the CA certificate.
7. Click OK.
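The fingerprint check performed when the CA certificate is fetched is what protects you from importing a substituted CA certificate, so the values shown in the Certificate Authority Properties window should be compared with values the CA or peer administrator supplied out of band. The following Python script is an added example, not part of this guide and not Check Point software: it computes the SHA-1 and MD5 fingerprints of a PEM-encoded CA certificate in the same colon-separated format the window shows, and compares them in constant time against the expected values. The certificate bytes embedded in it are a constructed placeholder so it runs offline; in practice read the PEM file you saved to disk. All function names are the example's own.

```python
"""Cross-check CA certificate fingerprints (added example, not Check Point code)."""
import hashlib
import hmac
import ssl


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """A certificate fingerprint is the digest over the DER-encoded certificate,
    rendered as colon-separated uppercase hex, the way the Certificate
    Authority Properties window displays the SHA-1 and MD5 values."""
    digest = hashlib.new(algo, der).digest()
    return ":".join(f"{byte:02X}" for byte in digest)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode. The digest is taken over the
    raw DER bytes, never over the PEM text."""
    return ssl.PEM_cert_to_DER_cert(pem)


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (used here only to build the sample)."""
    return ssl.DER_cert_to_PEM_cert(der)


def _normalize(fp: str) -> str:
    # Tolerate "AA:BB", "aa bb" and "aabb" spellings of the same fingerprint.
    return fp.replace(":", "").replace(" ", "").lower()


def fingerprint_matches(der: bytes, expected: str, algo: str = "sha1") -> bool:
    """Compare against the value obtained out of band from the administrator.
    compare_digest does not leak the position of the first mismatching byte."""
    return hmac.compare_digest(_normalize(fingerprint(der, algo)), _normalize(expected))


def check_ca_certificate(pem: str, expected_sha1: str, expected_md5=None) -> dict:
    """Return both fingerprints plus a verdict. When an MD5 value is supplied
    as well, both digests must agree for the verdict to be True."""
    der = pem_to_der(pem)
    result = {
        "sha1": fingerprint(der, "sha1"),
        "md5": fingerprint(der, "md5"),
    }
    ok = fingerprint_matches(der, expected_sha1, "sha1")
    if expected_md5 is not None:
        ok = ok and fingerprint_matches(der, expected_md5, "md5")
    result["ok"] = ok
    return result


# Constructed sample: these bytes are NOT a real certificate. They only stand
# in for DER content so the script runs offline. In practice use
# pem = open("peer-ca.pem").read() with the file saved from the CA.
SAMPLE_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_PEM = der_to_pem(SAMPLE_DER)

if __name__ == "__main__":
    # Here the "expected" value is derived from the sample itself; in practice
    # paste the fingerprint the CA administrator gave you.
    report = check_ca_certificate(SAMPLE_PEM, fingerprint(SAMPLE_DER, "sha1"))
    print("SHA-1:", report["sha1"])
    print("MD5:  ", report["md5"])
    print("Matches value supplied by the CA administrator:", report["ok"])
```

If either digest disagrees with the value obtained from the administrator, do not click OK in the Certificate Authority Properties window; re-obtain the CA certificate through a channel you trust.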
Step 2: Configure the certificate for the central VPN Security Gateway.

The devices participating in the LSV community must all hold certificates signed by the same Certificate Authority that signed the certificate of the Central VPN Gateway.
A certificate is automatically issued by the Internal Certificate Authority for all internally managed entities that are VPN-capable. That is, after the administrator enables the IPsec VPN Software Blade in a Security Gateway or Cluster object (on the General Properties page > on the Network Security tab).
The process for obtaining a certificate from an OPSEC PKI CA or an External Check Point CA is identical.

Manual Enrollment with OPSEC Certified PKI

To create a PKCS#10 Certificate Request:
1. Create a Certificate Authority object.
2. From the left navigation panel, click Gateways & Servers.
3. Double-click the applicable Security Gateway or Cluster object.
4. From the left tree, click General Properties and make sure the IPsec VPN Software Blade is enabled.
5. From the left tree, click IPsec VPN.
6. In the section Repository of Certificates Available to the Gateway, click Add.
   The Certificate Properties window opens.
7. In the Certificate Nickname field, enter a text string.
   The nickname is only an identifier and has no bearing on the content of the certificate.
8. From the drop-down menu CA to enroll from, select the Certificate Authority that issues the certificate.
   Note - The menu shows only trusted Certificate Authorities and subordinate Certificate Authorities that lead directly to a trusted Certificate Authority. If the CA that issues the certificate is a subordinate CA that does not lead directly to a trusted CA, it is not in the menu.
9. In the section Key pair generation and storage, select the applicable method:
   - Store keys on the Security Management server - Certificate creation is performed entirely between the Management Server and the applicable CA. The keys and the certificate are downloaded securely to the Security Gateway (Cluster Members) during policy installation.
   - Store keys on the Module - The Management Server directs the Security Gateway (or Cluster Members) to create the keys and supply only the material required to create the certificate request. Only the certificate is downloaded to the Security Gateway (Cluster Members) during policy installation.
10. Click Generate.
    The Generate Certificate Properties window opens.
11. Enter the applicable DN.
    The CA administrator determines the final DN that appears in the certificate.
    If a Subject Alternate Name extension is required in the certificate, select Define Alternate Name.
    The public key and the DN are then used to DER-encode a PKCS#10 Certificate Request.
    Note - Adding the object's IP address as the Alternate Name extension can be configured as a default setting. This configuration also applies to Internal Certificate Authorities:
    a. In SmartConsole, click Menu > Global properties > Advanced > Configure.
    b. Click Certificates and PKI properties.
    c. Select these options:
       - add_ip_alt_name_for_ICA_certs (closer to the top of this page)
       - add_ip_alt_name_for_opsec_certs (closer to the bottom of this page)
    d. Click OK to close the Advanced Configuration window.
    e. Click OK to close the Global properties window.
12. When the certificate appears in the section Repository of Certificates Available to the Gateway:
    a. Select this certificate.
    b. Click View.
    c. In the Certificate View window:
       - Click inside the window.
       - Select the whole text (press the CTRL+A keys, or right-click the mouse and click Select All).
       - Copy the whole text (press the CTRL+C keys, or right-click the mouse and click Copy).
       - Paste the text into a plain text editor (such as Notepad).
       - Click OK.
13. Send the certificate information to the Certificate Authority administrator.
    The CA administrator must now complete the task of issuing the certificate. Different CAs provide different ways of doing this, such as an advanced enrollment form (as opposed to the regular form for users). The issued certificate may be delivered in various ways, for example, by email.
14. After the certificate arrives from the Certificate Authority administrator, save it in the Certificate Authority object:
    a. In SmartConsole, click Objects > Object Explorer (or press the CTRL+E keys).
    b. In the left tree, click Servers.
    c. Double-click the applicable Certificate Authority object.
    d. Click the OPSEC PKI tab.
    e. In the Certificate section, click Get.
    f. Browse to the location where you saved the certificate file.
    g. Select the certificate file and click Open.
    h. If the certificate details are correct, click OK to accept this certificate.
    i. Click OK to close the Certificate Authority Properties window.
    j. Close the Object Explorer window.
15. Publish the SmartConsole session.
Automatic Enrollment with the Certificate Authority

On the OPSEC PKI tab of the Certificate Authority object:
1. Select the option Automatically enroll certificate.
2. Select the applicable protocol - scep or cmp.

Follow these steps:
1. From the left navigation panel, click Gateways & Servers.
2. Double-click the applicable Security Gateway or Cluster object.
3. From the left tree, click General Properties and make sure the IPsec VPN Software Blade is enabled.
4. From the left tree, click IPsec VPN.
5. In the section Repository of Certificates Available to the Gateway, click Add.
   The Certificate Properties window opens.
6. In the Certificate Nickname field, enter a text string.
   The nickname is only an identifier and has no bearing on the content of the certificate.
7. From the drop-down menu CA to enroll from, select the Certificate Authority that issues the certificate.
   Note - The menu shows only trusted CAs and subordinate CAs that lead directly to a trusted CA. If the CA that issues the certificate is a subordinate CA that does not lead directly to a trusted CA, it is not in the menu.
8. In the section Key pair generation and storage, select the applicable method:
   - Store keys on the Security Management server - Certificate creation is performed entirely between the Management Server and the applicable CA. The keys and the certificate are downloaded securely to the Security Gateway (Cluster Members) during policy installation.
   - Store keys on the Module - The Management Server directs the Security Gateway (or Cluster Members) to create the keys and supply only the material required to create the certificate request. Only the certificate is downloaded to the Security Gateway (Cluster Members) during policy installation.
9. Click Generate and select Automatic enrollment.
   The Generate Keys and Get Automatic Enrollment Certificate window opens.
10. Supply the Key Identifier and your secret Authorization code.
11. Click OK.
12. When the certificate appears in the section Repository of Certificates Available to the Gateway:
    a. Select this certificate.
    b. Click View.
    c. In the Certificate View window, click Copy to Clipboard or Save to File.
13. Send the request to the CA administrator.
    Different Certificate Authorities provide different means for doing this, for example, an advanced enrollment form on their website. The issued certificate can be delivered in various ways, such as by email. After you receive the certificate, save it to disk.
14. From the left tree, click IPsec VPN.
15. In the section Repository of Certificates Available to the Gateway:
    a. Select the applicable certificate.
    b. Click Complete.
16. Browse to the folder where you stored the issued certificate, select the certificate, and examine the certificate details.
17. Click OK to close the Security Gateway or Cluster object.
18. Publish the SmartConsole session.
Enrolling through a Subordinate CA

When enrolling through a Subordinate CA:
- Supply the password of the Subordinate CA which issues the certificate (not the CA at the top of the hierarchy).
- The Subordinate CA must lead directly to a trusted CA.
Step 3: Configure the VPN community.

Configuring a new VPN community:
1. From the left navigation panel, click Security Policies.
2. In the top left section Access Control, click Policy.
3. In the bottom left section Access Tools, click VPN Communities.
4. Click New and select Star Community.
5. Enter a name for the VPN Community.
6. In the Center Gateways area, click the + icon to add one or more Security Gateways (Clusters) to be in the center of the community.
7. In the Satellite Gateways area, click the + icon to add one or more Security Gateways (Clusters) to be around the center Security Gateways (Clusters).
8. Click OK.
   The Community uses the default encryption and VPN Routing settings.
9. Optional: Edit more settings for the VPN Community in the community object.
Step 4: Configure the LSV profile.

Configuring the LSV Profile:
1. Edit the VPN Community object.
2. From the left tree, click Gateways.
3. In the Satellite Gateways section, click the + icon > New > Large Scale VPN.
   The New Large Scale VPN Profile window opens.
4. In the Certificate Authority section, select the applicable CA object.
5. Optional: Configure the VPN domain for the LSV profile.
   You can limit the number of IP addresses used in the encryption domain of each satellite VPN Gateway and restrict VPN access to a specific group of networks.
   Important - If the Encryption Domains of the LSV gateways overlap (the same or a partial Encryption Domain is configured for two or more peer devices), the default behavior is to use the VPN connection of the peer that connected last. The kernel parameter "lsv_prefer_new_peer" on Security Gateways (Cluster Members) controls this behavior. The default value of this kernel parameter is 1.
6. Install the Security Policy.
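Overlapping encryption domains are easy to introduce once many satellites enroll through one LSV profile, and with lsv_prefer_new_peer left at its default of 1, traffic for a shared range silently moves to whichever peer connected last. The following Python script is an added example, not part of this guide and not Check Point software: it reads the VPN domain networks planned for each satellite, reports every overlapping pair so the overlap can be resolved before policy installation, sizes each domain so you can see how many addresses a satellite claims, and models which peer would serve a given address. The peer names and networks are constructed sample data; the behavior modelled for lsv_prefer_new_peer=0 (keep the peer that connected first) is an assumption, since this guide documents only the default value.

```python
"""Find overlapping LSV satellite encryption domains (added example, not Check Point code)."""
import ipaddress
from itertools import combinations

# Constructed sample data: satellite peer name -> networks in its VPN domain.
SAMPLE_PEERS = {
    "branch-a": ["10.1.0.0/16"],
    "branch-b": ["10.1.50.0/24", "192.168.8.0/24"],
    "branch-c": ["172.16.0.0/12"],
}


def parse_domains(peers):
    """Turn the CIDR strings into network objects. strict=True rejects a host
    address written as a network (e.g. 10.1.50.7/24), a common typo that
    would otherwise be silently widened to the whole /24."""
    return {
        name: [ipaddress.ip_network(net, strict=True) for net in nets]
        for name, nets in peers.items()
    }


def domain_size(nets):
    """Number of addresses a satellite's encryption domain claims."""
    return sum(ipaddress.ip_network(net).num_addresses for net in nets)


def find_overlaps(peers):
    """Every pair of peers whose domains overlap (identical or partial), as
    (peer1, peer2, network1, network2) tuples, ordered by peer name."""
    domains = parse_domains(peers)
    hits = []
    for (p1, nets1), (p2, nets2) in combinations(sorted(domains.items()), 2):
        for n1 in nets1:
            for n2 in nets2:
                if n1.overlaps(n2):
                    hits.append((p1, p2, str(n1), str(n2)))
    return hits


def peer_for_address(peers, addr, connection_order, prefer_new_peer=1):
    """Model the center gateway's choice for an address claimed by several
    satellites. connection_order lists peers from first to last connected.
    prefer_new_peer=1 (the documented default) picks the peer that connected
    last; 0 is assumed here to keep the peer that connected first."""
    ip = ipaddress.ip_address(addr)
    domains = parse_domains(peers)
    claimants = [p for p in connection_order if any(ip in n for n in domains[p])]
    if not claimants:
        return None
    return claimants[-1] if prefer_new_peer else claimants[0]


if __name__ == "__main__":
    for name, nets in SAMPLE_PEERS.items():
        print(f"{name}: {domain_size(nets)} addresses in {nets}")
    for p1, p2, n1, n2 in find_overlaps(SAMPLE_PEERS):
        print(f"OVERLAP: {p1} {n1} and {p2} {n2}")
    order = ["branch-a", "branch-b"]
    print("10.1.50.7 served by:", peer_for_address(SAMPLE_PEERS, "10.1.50.7", order))
```

Run it against the networks you intend to put in the LSV profile's VPN domain; any reported pair means the default "last peer wins" behavior decides routing for that range, which is rarely what an administrator intends.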
Monitoring LSV Peers and Tunnels

You can monitor LSV peers on a Security Gateway with the vpn lsv command.
1. Connect to the command line on the Security Gateway (on each Cluster Member).
2. Log in to the Expert mode.
3. Run:
   vpn lsv
   Output:
   Select an option.
   ********** Select Option **********
   (1) List all LSV peers
   (2) Show LSV peer's details
   (3) Remove an LSV peer
   (4) Remove all LSV peers
   (Q) Quit
   *******************************************