Getting Started with Site to Site VPN

Site to Site VPNClosed An encrypted tunnel between two or more Security Gateways. Synonym: Site-to-Site VPN. Contractions: S2S VPN, S-to-S VPN. requires two or more Security Gateways with the IPsec VPN Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. enabled.

You can enable other Software Blades on these Security Gateways.

Make sure that Trusted Communication is established between all Security Gateways and the Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..

Do these steps in SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.:

  1. Install and configure the Security Gateways:

    1. Install the required Security Gateways.

    2. Create the new Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. objects.

    3. Establish the Secure Internal Communication.

    4. Get the interfaces with topology.

    See the:

  2. From the left navigation panel, click Gateways & Servers.

  3. Open each Security Gateway object.

  4. Enable the IPsec VPN Software Blade:

    1. On the General Properties page, click the Network Security tab.

    2. Select IPsec VPN.

  5. Configure the VPN Domain:

    The VPN Domain (Encryption DomainClosed The networks that a Security Gateway protects and for which it encrypts and decrypts VPN traffic.) defines the networks and IP addresses that are included in the VPN CommunityClosed A named collection of VPN domains, each protected by a VPN gateway..

    1. From the left tree, click Network Management > VPN Domain.

    2. Select one of these:

      • All IP Addresses behind the Gateway based on Topology information

        This is the default.

        The VPN Domain is automatically defined as all IP Addresses behind the Security Gateway, based on the topology configuration of the Security Gateway interfaces.

      • User-defined

        You can manually configure the VPN Domain to include one or more networks behind the Security Gateway.

        Select the applicable object (Network, Network Group, Address Range).

        In this picker window, you can click New to create a new required object.

  6. Click OK.

Notes:

A VPN Community object determines settings for encryption and tunnels between the member gateways.

You can create a Star VPN Community or a Meshed VPN Community.

For basic explanation and examples, see VPN Communities.

The basic use case is to configure a VPN Community between Check Point Security Gateways with the same Management Server (locally managed Security Gateways).

To configure a VPN Community with externally managed VPN Gateways, see VPN with External VPN Gateways.

Procedure:

  1. From the top toolbar, click Objects > Object Explorer.

  2. From the left tree, click VPN Communities.

  3. Create a new required Site to Site VPN Community object.

    Click New > VPN Community > Star Community.

    1. Enter the name for this VPN Community.

    2. On the Gateways page:

    3. On the Encrypted Traffic page:

      Select Accept all encrypted traffic, if it is necessary to encrypt all traffic between the Security Gateways.

      Select the applicable option:

      • Both center and satellite gateways

      • Satellite gateways only

      If you do not need to encrypt all traffic between the Security Gateways, then create the applicable Access Control rules in the Security PolicyClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. (see the next step).

    4. On the VPN Routing page , select To center only.

    5. Click OK.

    6. Close the Object Explorer window.

    For information about other options, such as Encryption, Shared Secret, and Advanced, see IPsec and IKE.

    For information about the MEP option, see Multiple Entry Point (MEP) VPNs.

    Click New > VPN Community > Meshed Community.

    1. Enter the name for this VPN Community.

    2. On the Gateways page:

      Add the applicable Security Gateway objects.

    3. On the Encrypted Traffic page:

      Select Accept all encrypted traffic, if it is necessary to encrypt all traffic between the Security Gateways.

      If you do not need to encrypt all traffic between the Security Gateways, then create the applicable Access Control rules in the Security Policy (see the next step).

    4. Click OK.

    5. Close the Object Explorer window.

    For information about other options, such as Encryption, Shared Secret, and Advanced, see IPsec and IKE.

If you did not select Accept all encrypted traffic on the Encrypted Traffic page of the VPN Community, then you must configure Access Control rules to allow traffic within VPN Communities.

For more information about Access Control policy, see the R82 Security Management Administration Guide.

  1. Configure the required Access Control rules.

    Configure rules in SmartConsole > Security Policies view > Access Control.

    All layers of the Access Control Policy can contain VPN rules.

    To make a ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. apply to a VPN Community, make sure the VPN column of the Rule BaseClosed All rules configured in a given Security Policy. Synonym: Rulebase. contains one of these:

    • Any - The rules applies to all VPN Communities and to non-VPN related traffic. If you configure a new VPN Community after the rule was created, the rule also applies to the new VPN Community.

    • One or more specified VPN communities - For example, MyIntranet. Right-click in the VPN column of a rule and select Specific VPN Communities. The rule applies to the communities shown in the VPN column.

  2. Install the Access Control Policy on the Security Gateways that participate in this VPN Community.

Example Rules:

This rule allows encrypted traffic between domains of member Security Gateways of the specific VPN Community "MyCommunity":

Name

Source

Destination

VPN

Services & Applications

Allow traffic within community

* Any

*Any

* MyCommunity

* Any

This rule allows traffic from all VPN Communities to the internal network on all services:

Name

Source

Destination

VPN

Services & Applications

Allow all VPN

* Any

Internal_Network

* Any

* Any

This rule allows traffic between two VPN Domains with all services:

Name

Source

Destination

VPN

Services & Applications

Site to Site VPN

Local_VPN_Domain

Peer_VPN_Domain

Local_VPN_Domain

Peer_VPN_Domain

Site2Site

* Any

To make sure that a VPN tunnel works:

  1. Locate the Access Control rule for the traffic that has to pass through the VPN tunnel.

    In the Track column, select Log.

  2. From the left navigation panel, click Logs & Events > Logs.

  3. From the top, click New Tab.

  4. From the bottom of the window, click Tunnel and User Monitoring.

    Check Point SmartView Monitor opens.

  5. Click the Security Gateway to see IPsec VPNClosed Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and Remote Access VPN access. traffic and tunnels opened.

    A successful connection shows encrypt, decrypt and key install logs.

    Alternatively:

    1. In SmartConsole, from the left navigation panel, click Logs & Events.

    2. On the Logs tab, search for VPN to see the applicable logs.

Example:

Note - For advanced VPN Gateway configuration, see Advanced VPN Settings.