Introduction to Site to Site VPN

IPsec VPN

The IPsec VPNClosed Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and Remote Access VPN access. solution lets the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. encrypt and decrypt traffic to and from other Security Gateways and clients. Use SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to easily configure VPN connections between Security Gateways and remote devices.

For Site to Site VPNClosed An encrypted tunnel between two or more Security Gateways. Synonym: Site-to-Site VPN. Contractions: S2S VPN, S-to-S VPN. Communities, you can configure Star and Mesh topologies for VPN networks, and include third-party gateways.

The VPN tunnel guarantees:

  • Authenticity - Uses standard authentication methods

  • Privacy - All VPN data is encrypted

  • Integrity - Uses industry-standard integrity assurance methods

IKE and IPsec

The Check Point VPN solution uses these secure VPN protocols to manage encryption keys, and send encrypted packets. IKE (Internet Key Exchange) is a standard key management protocol that is used to create the VPN tunnels. IPsec is a protocol that supports secure IP communications that are authenticated and encrypted on private or public networks.

VPN Components

Understanding the Terminology

  • VPN - Virtual Private Network. A secure, encrypted connection between networks and remote clients on a public infrastructure, to give authenticated remote users and sites secured access to an organization's network and resources.

  • Virtual Tunnel Interface -Virtual Tunnel Interface. A virtual interface that is a member of an existing, Route Based, VPN tunnel.

  • VPN Peer - A gateway that connects to a different VPN gateway using a Virtual Tunnel Interface.

  • VPN Domain - A group of computers and networks connected to a VPN tunnel by one VPN Gateway that handles encryption and protects the VPN Domain members.

  • VPN Community - A named collection of VPN domains, each protected by a VPN Gateway.

  • VPN Security Gateway - The Security Gateway that manages encryption and decryption of traffic between members of a VPN Domain, typically located at one (Remote Access VPNClosed An encrypted tunnel between remote access clients (such as Endpoint Security VPN) and a Security Gateway.) or both (Site to Site VPN) ends of a VPN tunnel.

  • Site to Site VPN - An encrypted tunnel between two Security Gateways, typically of different geographical sites.

  • Remote Access VPN - An encryption tunnel between a Security Gateway and Remote Access clients, such as Endpoint Security VPN, and communities.

  • Remote Access Community - A group of computers, appliances, and devices that access, with authentication and encryption, the internal protected network from physically remote sites.

  • Star Topology - A "hub and spoke" virtual private network community, with Security Gateways defined as Satellites (spokes) that create tunnels only with the central Security Gateway ("hub").

  • Meshed Topology - A VPN community with a VPN Domain that creates a tunnel to other VPN Domains.

  • Domain-based VPN - A method to route encrypted traffic with parameters defined by Security Gateways.

  • Route-based VPN - A routing method for participants in a VPN CommunityClosed A named collection of VPN domains, each protected by a VPN gateway., defined by the VPN TunnelClosed An encrypted connection between two hosts using standard protocols (such as L2TP) to encrypt traffic going in and decrypt it coming out, creating an encapsulated network through which data can be safely shared as though on a physical private line. Interfaces (VTI).

  • IKE (Internet Key Exchange) - An Encryption key management protocol that enhances IPSec by providing additional features, flexibility, and ease of configuration.

  • IPsec - A set of secure VPN protocols that manage encryption keys and encrypted packet traffic, to create a standard for authentication and encryption services.

Site to Site VPN

The basis of Site to Site VPN is the encrypted VPN tunnel. Two Security Gateways negotiate a link and create a VPN tunnel and each tunnel can contain more than one VPN connection.

One Security Gateway can maintain more than one VPN tunnel at the same time.

Item

Description

A, B

Security Gateways

2

VPN tunnel

3

Internal network in VPN domain

4

Host 4

5

Host 5

In this sample VPN deployment, Host 4 and Host 5 securely send data to each other. The Security Gateways perform IKE negotiation and create a VPN tunnel. They use the IPsec protocol to encrypt and decrypt data that is sent between Host 4 and Host 5.

Host 4 sends

packet
to Host 5

Security Gateways "A" & "B"

create VPN tunnel

Security Gateway "A"

encrypts data

 

 

 

 

Host 5 receives

unencrypted data

Security Gateway "B"

decrypts data

Encrypted data is sent

through VPN tunnel

VPN Communities

A VPN Domain is a collection of internal networks that use Security Gateways to send and receive VPN traffic. Define the resources that are included in the VPN Domain for each Security Gateway.

Then join the Security Gateways into a VPN Community- collection of VPN tunnels and their attributes. Network resources of different VPN Domains can securely communicate with each other through VPN tunnels that terminate at the Security Gateways in the VPN Communities.

VPN Communities are based on Star and Meshed topologies:

  • In a Star VPN Community, each satellite Security Gateway has a VPN tunnel to the central Security Gateway, but not to other Security Gateways in the community.

  • In a Meshed VPN Community, there are VPN tunnels between each pair of Security Gateway.

Meshed Topology

Star Topology

Item

Description

1

Security Gateway

2

Satellite Security Gateways

3

Central Security Gateway

Item

Description

1

London Security Gateway

2

New York Security Gateway

3

London - New York Meshed VPN Community

4

London company partner (external network)

5

London Star VPN Community

6

New York company partner (external network)

7

New York Star VPN Community

This deployment is composed of a Mesh community for London and New York Security Gateways that share internal networks. The Security Gateways for external networks of company partners do not have access to the London and New York internal networks. However, the Star VPN Communities let the company partners access the internal networks of the sites that they work with.

Routing VPN Traffic

Configure the Security Gateway to route VPN traffic based on VPN Domains or based on the routing settings of the operating system.

Note - For each VPN Security Gateway, you must configure an existing Security Gateway as a default gateway.

The VPN traffic is routed according to the VPN Domains that are defined in SmartConsole. Use domain based routing to let satellite Security Gateways in a star-based topology send VPN traffic to each other. The central Security Gateway creates a VPN tunnel to each satellite Security Gateway and the traffic is routed to the correct VPN domain.

VPN traffic is routed according to the routing settings (static or dynamic) of the Security Gatewayoperating system. The Security Gateway uses a VTI (VPN Tunnel Interface) to send the VPN traffic as if it were a physical interface. The VTIs of Security Gateways in a VPN community connect and can support dynamic routing protocols.

The Link Selection feature gives you granular control of the VPN traffic in the network. Use this feature to enable the Security Gateway to:

  • Find the best possible route for VPN traffic

  • Select the interfaces that are used for VPN traffic to internal and external networks

  • Configure the IP addresses that are used for VPN traffic

  • Use route probing to select available VPN tunnels

  • Use Load Sharing for Link Selection to equally distribute VPN traffic to VPN tunnels

IPv6 Support and Limitations

This release includes limited IPv6 support for IPsec VPN communities.

  • IPv6 is supported for Site to Site VPN only (Main IP to Main IP).

    The Main IP address for both Security Gateways must be defined as an IPv6 Address. You can define other IP addresses that are IPv4 or IPv6.

  • IPv6 supports IKEv2 encryption only. IKEv2 is automatically always used for IPv6 traffic.

    You can configure the encryption method only for IPv4 traffic.

  • VPN tunneling only supports IPv4 inside an IPv4 tunnel, and IPv6 inside an IPv6 tunnel.

    IPv4 traffic inside an IPv6 tunnel is not supported.

These VPN features are not supported for IPv6:

  • Remote Access VPN

  • CRL fetch for the Internal Certificate Authority

  • Multiple Entry Points (MEP)

  • Route-based VPN (VTI)

  • Wire Mode VPN

  • Security Gateways with a Dynamic IP address (DAIP).

  • Route Injection Mechanism (RIM)

  • Traditional mode Firewall Policies

  • IKE Denial of Service protection

  • IKE Aggressive Mode

  • Traditional Mode VPN

  • Migration from Traditional VPN mode to Simplified VPN mode

  • Tunnel Management (permanent tunnels)

  • Directional VPN Enforcement

  • Link Selection

  • GRE Tunnels

  • Tunnel View in SmartView Monitor

  • VPN Overview page

  • The vpn_route.conf configuration file (see Configuration in the VPN Configuration File 'vpn_route.conf')