Tunnel Management
Overview of Tunnel Management
The VPN tunnel transports data securely. You can manage the types of tunnels and the number of tunnels with these features:
- Permanent Tunnels - Keeps VPN tunnels active to allow real-time monitoring capabilities.
- VPN Tunnel Sharing - Provides greater interoperability and scalability between Security Gateways. It also controls the number of VPN tunnels created between peer Security Gateways.
See the status of all VPN tunnels in SmartView Monitor. For details see Monitoring Tunnels in the R82 Logging and Monitoring Administration Guide.
Permanent Tunnels
As companies have become more dependent on VPNs for communication to other sites, uninterrupted connectivity has become more crucial than ever before. Therefore it is essential to make sure that the VPN tunnels are kept up and running. Permanent Tunnels are constantly kept active and as a result, make it easier to recognize malfunctions and connectivity problems. Administrators can monitor the two sides of a VPN tunnel and identify problems without delay.
Each VPN tunnel in the community may be set to be a Permanent Tunnel. Since Permanent Tunnels are constantly monitored, if the VPN tunnel is down, then a log, alert, or user defined action, can be issued. A VPN tunnel is monitored by periodically sending "tunnel test" packets. As long as responses to the packets are received the VPN tunnel is considered "up." If no response is received within a given time period, the VPN tunnel is considered "down." Permanent Tunnels can only be established between Check Point Security Gateways. The configuration of Permanent Tunnels takes place on the community level and:
- Can be specified for an entire community. This option sets every VPN tunnel in the community as permanent.
- Can be specified for a specific Security Gateway. Use this option to configure specific Security Gateways to have permanent tunnels.
- Can be specified for a single VPN tunnel. This feature allows configuring specific tunnels between specific Security Gateways as permanent.
Permanent Tunnels in a MEP Environment
In a Multiple Entry Point (MEP) environment, VPN tunnels that are active are rerouted from the predefined primary Security Gateway to the backup Security Gateway if the primary Security Gateway becomes unavailable. When a Permanent Tunnel is configured between Security Gateways in a MEP environment where RIM is enabled, the satellite Security Gateways see the center Security Gateways as "unified." As a result, the connection will not fail but will fail over to another center Security Gateway on a newly created permanent tunnel.
Tunnel Testing for Permanent Tunnels
Check Point uses a proprietary protocol to test if VPN tunnels are active, and supports any site-to-site VPN configuration. Tunnel testing requires two Security Gateways, and uses UDP port 18234. Check Point tunnel testing protocol does not support 3rd-party Security Gateways.
Terminating Permanent Tunnels
Once a Permanent Tunnel is no longer required, the tunnel can be shut down. Permanent Tunnels are shut down by deselecting the configuration options to make them active and re-installing the policy.
Dead Peer Detection
In addition to Tunnel Testing, Dead Peer Detection (DPD) is a different method to test if VPN tunnels are active. Dead Peer Detection does support 3rd party Security Gateways and supports permanent tunnels with interoperable devices based on IKEv1/IKEv2 DPD (IKEv1 DPD is based on RFC 3706). It uses IPsec traffic patterns to minimize the number of messages required to confirm the availability of a peer.
The tunnel testing mechanism is the recommended keepalive mechanism for Check Point to Check Point VPN gateways because it is based on IPsec traffic and requires an established IPsec tunnel. DPD is based on IKE encryption keys only.
DPD has two modes:
- DPD responder mode
- Permanent tunnel mode based on DPD
Dead Peer Detection Responder Mode
In this mode, the Check Point gateway sends the IKEv1 DPD Vendor ID to peers from which the DPD Vendor ID was received.
To enable DPD Responder Mode:
- On each Security Gateway, run this command:
  ckp_regedit -a SOFTWARE/CheckPoint/VPN1 forceSendDPDPayload -n 1
- To prevent a problem where the Check Point Security Gateway deletes IKE SAs:
  Note - The DPD mechanism is based on IKE SA keys. In some situations, the Check Point Security Gateway deletes IKE SAs, and a VPN peer, usually a 3rd Party gateway, sends DPD requests and does not receive a response. As a result, the VPN peer concludes that the Check Point Security Gateway is down. The VPN peer can then delete the IKE and IPsec keys, which causes encrypted traffic from the Check Point Security Gateway to be dropped by the remote peer.
  - In SmartConsole, click > Global properties > Advanced > Configure.
  - Click VPN Advanced Properties > VPN IKE properties.
  - Select keep_IKE_SAs.
  - Click OK.
  - Install the Access Control Policy.
To disable DPD Responder Mode:
- On each Security Gateway, run this command:
Permanent Tunnel Mode Based on Dead Peer Detection
DPD can monitor remote peers with the permanent tunnel feature. All related behavior and configurations of permanent tunnels are supported.
To configure DPD for a permanent tunnel, the permanent tunnel must be in the VPN community. After you configure the permanent tunnel, configure Permanent Tunnel Mode Based on DPD. There are different possibilities for permanent tunnel mode:
- tunnel_test (default) - The permanent tunnel is monitored by a tunnel test (as in earlier versions). It works only between Check Point Security Gateways. Keepalive packets are always sent.
- dpd - The active DPD mode. A peer receives DPD requests at regular intervals (10 seconds). DPD requests are only sent when there is no traffic from the peer.
- passive - The passive DPD mode. Peers do not send DPD requests to this peer. Tunnels with passive peers are monitored only if there is IPsec traffic and incoming DPD requests.
  Note: To use this mode for only some gateways, enable the forceSendDPDPayload registry key on Check Point remote peers.
To enable DPD monitoring:
On each VPN gateway in the VPN community, configure the tunnel_keepalive_method property in Database Tool (GuiDBEdit Tool) or dbedit (see skI3301). This includes 3rd Party gateways. (You cannot configure different monitor mechanisms for the same gateway.)
- In Database Tool (GuiDBEdit Tool), go to Network Objects > network_objects > <Name of Security Gateways object> > VPN.
- For the Value, select a permanent tunnel mode.
- Save all the changes.
- Install the Access Control Policy.
Optional Configuration:
- IKE Initiation Prevention - By default, when a valid IKE SA is not available, a DPD request message triggers a new IKE negotiation. To prevent this behavior, set the property dpd_allowed_to_init_ike to false.
  Edit the property in Database Tool (GuiDBEdit Tool) > Network Objects > network_objects > <Name of Security Gateways object> > VPN.
- Delete IKE SAs for dead peer - Based on RFC 3706, a VPN Gateway has to delete IKE SAs from a dead peer. This functionality is enabled by default.
  - To disable the feature, add this line to the $CPDIR/tmp/.CPprofile.sh file and then reboot:
    DPD_DONT_DEL_SA=0 ; export DPD_DONT_DEL_SA
    Note - It is not supported to change the value of this environment variable in the current shell session with the "export DPD_DONT_DEL_SA=0" command.
  - To enable the feature (if you disabled it), remove the line with "DPD_DONT_DEL_SA" from the $CPDIR/tmp/.CPprofile.sh file and then reboot.
    Note - It is not supported to change the value of this environment variable in the current shell session with the "export DPD_DONT_DEL_SA=1" command.
VPN Tunnel Sharing
For a VPN community, the VPN tunnel sharing configuration is set on the Tunnel Management page of the Community Properties window.
For a specific Security Gateway, the configuration is set on the VPN Advanced page of the Security Gateway properties window.
Tunnel test is a proprietary Check Point protocol used to see if VPN tunnels are active. Tunnel testing requires two Security Gateways and uses UDP port 18234. Third party gateways do not support tunnel testing.
VPN Tunnel Sharing provides interoperability and scalability by controlling the number of VPN tunnels created between peer Security Gateways.
There are three available settings:
- One VPN tunnel per each pair of hosts
- One VPN tunnel per subnet pair
- One VPN tunnel per Security Gateway pair
In case of a conflict between the tunnel properties of a VPN community and a Security Gateway object that is a member of that same community, the "stricter" setting is followed. For example, a Security Gateway that was set to One VPN Tunnel per each pair of hosts and a community that was set to One VPN Tunnel per subnet pair, would follow One VPN Tunnel per each pair of hosts.
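The three sharing settings and the "stricter setting wins" rule, as an added example that is not part of this guide or of Check Point's code. It groups a few constructed flows into the tunnels each setting would create between two peer gateways, and resolves a community/gateway conflict the way the paragraph above describes. The gateway names, the VPN (encryption) domains and the sample flows are constructed for the example; the function names are assumptions.

```python
"""Added example (not Check Point code): how each VPN Tunnel Sharing setting
groups traffic into tunnels, and how a conflict between the community
setting and a member gateway's setting resolves to the stricter one.
Gateway names, encryption domains and the sample flows are constructed."""
from ipaddress import ip_address, ip_network

# Ordered from least strict (fewest tunnels) to strictest (most tunnels).
SETTINGS = [
    "One VPN tunnel per Security Gateway pair",
    "One VPN tunnel per subnet pair",
    "One VPN tunnel per each pair of hosts",
]


def effective_setting(community_setting, gateway_setting):
    """The stricter of the two settings is followed (the conflict rule)."""
    return max(community_setting, gateway_setting, key=SETTINGS.index)


# Constructed VPN domains of two peer Security Gateways.
VPN_DOMAINS = {
    "GW-A": [ip_network("10.1.0.0/24"), ip_network("10.2.0.0/24")],
    "GW-B": [ip_network("192.168.10.0/24")],
}


def subnet_of(gateway, host):
    """Return the VPN-domain subnet of `gateway` that contains `host`."""
    for net in VPN_DOMAINS[gateway]:
        if host in net:
            return net
    raise ValueError(f"{host} is not in the VPN domain of {gateway}")


def tunnel_key(setting, src_gw, src_host, dst_gw, dst_host):
    """Identify the tunnel that carries one flow under a given setting."""
    src, dst = ip_address(src_host), ip_address(dst_host)
    if setting == SETTINGS[0]:                       # per gateway pair
        return (src_gw, dst_gw)
    if setting == SETTINGS[1]:                       # per subnet pair
        return (src_gw, subnet_of(src_gw, src), dst_gw, subnet_of(dst_gw, dst))
    return (src_gw, src, dst_gw, dst)                # per host pair


def count_tunnels(setting, flows):
    """Number of distinct tunnels the flows need under this setting."""
    return len({tunnel_key(setting, *flow) for flow in flows})


# Constructed sample flows: (source gateway, source host, destination gateway, destination host)
SAMPLE_FLOWS = [
    ("GW-A", "10.1.0.5", "GW-B", "192.168.10.20"),
    ("GW-A", "10.1.0.6", "GW-B", "192.168.10.20"),
    ("GW-A", "10.2.0.7", "GW-B", "192.168.10.30"),
]

if __name__ == "__main__":
    for setting in SETTINGS:
        print(f"{setting}: {count_tunnels(setting, SAMPLE_FLOWS)} tunnel(s)")
    # The guide's own case: gateway set per host pair, community set per subnet pair.
    print("effective:", effective_setting(SETTINGS[1], SETTINGS[2]))
```

For the three sample flows the per-gateway-pair setting needs one tunnel, the per-subnet-pair setting two, and the per-host-pair setting three; the stricter setting therefore also means more IPsec SAs and more IKE state to keep alive, which is the trade-off the sharing setting controls.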
Configuring Tunnel Features
To configure Tunnel Management options:
- In SmartConsole, click Object Explorer (Ctrl+E).
- Click New > VPN Community and choose Star Community or Meshed Community.
- Click Tunnel Management and configure the tunnel settings:
  - Permanent Tunnels
  - Tracking Options
  - VPN Tunnel Sharing
Permanent Tunnels
In the Star Community or Meshed community object, on the Tunnel Management page, select Set Permanent Tunnels.
These are the options:
- On all tunnels in the community
- On all tunnels of specific Security Gateways
- On specific tunnels in the community
To configure all tunnels as permanent, select On all tunnels in the community. Clear this option to terminate all Permanent Tunnels in the community.
To configure on all tunnels of specific Security Gateways:
- Select On all tunnels of specific gateways and click Select Gateways.
  The Select Gateway window opens.
  To terminate Permanent Tunnels connected to a specific Security Gateway, select the Security Gateway object and click Remove.
- To configure the Tracking options for a specific Security Gateway, select a Security Gateway object and click Gateway Tunnel Properties.
To configure on specific tunnels in the community:
- Select On specific tunnels in the community and click Select Permanent Tunnels.
  The Select Permanent Tunnels window opens.
- Double-click the white cell that intersects the Security Gateways where a permanent tunnel is required.
  The Tunnel Properties window opens.
- Click Set these tunnels to be permanent tunnels.
  To terminate the Permanent Tunnel between these two Security Gateways, clear Set these tunnels to be permanent tunnels.
- Click OK.
Advanced Permanent Tunnel Configuration
You can configure advanced VPN settings globally. In addition, you can configure DPD thresholds per community.
To configure advanced VPN settings globally:
- In SmartConsole, click > Global properties.
- Click Advanced > Configure.
- Click VPN Advanced Properties > Tunnel Management to see the attributes that may be configured to customize the number of tunnel tests sent and the intervals at which they are sent:
  - life_sign_timeout - Set the amount of time the tunnel test or DPD runs without a response before the peer host is declared 'down.'
  - life_sign_transmitter_interval - Set the time between tunnel tests or DPD requests.
  - life_sign_retransmissions_count - When a tunnel test does not receive a reply, another test is resent to confirm that the peer is 'down.' The Life Sign Retransmission Count is set to how many times the tunnel test is resent without receiving a response.
  - life_sign_retransmissions_interval - Set the time between the tunnel tests that are resent after a tunnel test does not receive a response from the peer.
  - cluster_status_polling_interval - (applicable for High Availability Clusters only) Set the time between tunnel tests between a primary Security Gateway and a backup Security Gateway. The tunnel test is sent by the backup Security Gateway. When there is no reply, the backup Security Gateway becomes active.
- Click OK.
- If you changed an existing setting, install the Access Control Policy.
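The liveness logic behind the permanent tunnel modes (tunnel_test, dpd, passive) and the life_sign_* attributes listed above, as an added example that is not part of this guide or of Check Point's code. It is a second-by-second simulation: a probe is scheduled every life_sign_transmitter_interval seconds, an unanswered probe is retransmitted life_sign_retransmissions_count times at life_sign_retransmissions_interval, and the peer is declared 'down' once life_sign_timeout seconds pass without proof of life. In dpd mode a request is sent only when no IPsec traffic arrived from the peer within the transmitter interval, and a passive peer never sends one. The class names, the event API and the two retransmission defaults are assumptions of the example; the 40-second timeout and 10-second interval are the defaults the guide states.

```python
"""Added example (not Check Point code): simulation of permanent tunnel
keepalive behaviour driven by the life_sign_* attributes and the
tunnel_test / dpd / passive modes. Class names, the event API and the
retransmission defaults are assumptions; timeout and interval defaults
are the ones the guide states."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class LifeSignConfig:
    mode: str = "tunnel_test"                    # tunnel_test | dpd | passive
    life_sign_timeout: int = 40                  # seconds; guide default
    life_sign_transmitter_interval: int = 10     # seconds; guide default
    life_sign_retransmissions_count: int = 3     # assumed value
    life_sign_retransmissions_interval: int = 2  # seconds; assumed value


@dataclass
class TunnelMonitor:
    """Keepalive state for one permanent tunnel (simulation only)."""
    cfg: LifeSignConfig
    now: int = 0
    state: str = "up"
    last_response: int = 0       # last proof of life from the peer
    last_peer_traffic: int = 0   # last IPsec packet received from the peer
    next_probe: int = 0          # second at which the next scheduled probe is due
    awaiting: bool = False       # a probe is outstanding
    retransmits_left: int = 0
    next_retransmit: int = 0
    packets: List[Tuple[int, str]] = field(default_factory=list)  # (second, kind)
    down_at: Optional[int] = None

    def on_peer_traffic(self) -> None:
        self.last_peer_traffic = self.now

    def on_response(self) -> None:
        """Tunnel-test reply or DPD ACK (or, in dpd/passive mode, recent traffic)."""
        self.last_response = self.now
        self.awaiting = False
        self.state = "up"

    def _send(self, kind: str) -> bool:
        self.packets.append((self.now, kind))
        return True

    def tick(self) -> bool:
        """Evaluate second self.now; return True if a probe was sent."""
        cfg, sent = self.cfg, False
        # 1. Declare the peer down after life_sign_timeout seconds without proof of life.
        if self.state == "up" and self.now - self.last_response >= cfg.life_sign_timeout:
            self.state, self.down_at = "down", self.now
        # 2. A scheduled probe is due every life_sign_transmitter_interval seconds.
        if self.now >= self.next_probe:
            self.next_probe = self.now + cfg.life_sign_transmitter_interval
            idle = self.now - self.last_peer_traffic
            if cfg.mode in ("dpd", "passive") and idle < cfg.life_sign_transmitter_interval:
                self.on_response()   # recent IPsec traffic from the peer proves it is alive
            elif cfg.mode == "passive":
                pass                 # a passive peer never originates DPD requests
            else:
                sent = self._send("probe")
                self.awaiting = True
                self.retransmits_left = cfg.life_sign_retransmissions_count
                self.next_retransmit = self.now + cfg.life_sign_retransmissions_interval
        # 3. Otherwise retransmit an unanswered probe, up to the configured count.
        elif self.awaiting and self.retransmits_left > 0 and self.now >= self.next_retransmit:
            sent = self._send("retransmit")
            self.retransmits_left -= 1
            self.next_retransmit = self.now + cfg.life_sign_retransmissions_interval
        return sent


def run(cfg: LifeSignConfig, seconds: int, traffic=lambda t: False,
        responder=lambda t: False) -> TunnelMonitor:
    """Drive a monitor for `seconds` seconds. traffic(t) says whether IPsec
    traffic arrived from the peer at second t; responder(t) says whether the
    peer answers a probe sent at second t (zero latency, a simplification)."""
    mon = TunnelMonitor(cfg)
    for t in range(seconds):
        mon.now = t
        if traffic(t):
            mon.on_peer_traffic()
        if mon.tick() and responder(t):
            mon.on_response()
    return mon


if __name__ == "__main__":
    silent = run(LifeSignConfig(), 60)   # tunnel_test mode, peer never answers
    print("tunnel_test, silent peer: down at", silent.down_at,
          "s after", len(silent.packets), "packets")
    busy = run(LifeSignConfig(mode="dpd"), 60, traffic=lambda t: t % 5 == 0)
    print("dpd, peer traffic every 5 s:", len(busy.packets), "DPD requests sent")
```

With the defaults above a silent peer is declared down at the 40-second mark after six scheduled probes and eighteen retransmissions, while a dpd-mode peer that keeps sending IPsec traffic is never probed at all, which is the traffic-suppression behaviour the dpd mode description relies on. Shortening life_sign_timeout makes a dead peer visible sooner but also makes a lossy link more likely to trip a Tunnel down alert.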
To configure DPD thresholds for each VPN Community:
You can configure the DPD thresholds "life_sign_timeout" and "life_sign_transmitter_interval" for each VPN Community.
- Close all SmartConsole windows connected to the Security Management Server / Domain Management Server that manages the VPN Community object.
- Connect with the Database Tool (GuiDBEdit Tool) to the Security Management Server / Domain Management Server that manages the VPN Community object.
- In the left upper pane, click the Tables tab > Managed Objects > communities.
- In the right upper pane, click the VPN Community object.
- In the lower pane, configure the applicable value for the attribute "life_sign_timeout":
  - Scroll down to "life_sign_timeout".
  - Right-click the number in the Value column > click Edit.
  - Enter the applicable number of seconds:
    - Minimum: 5 seconds
    - Maximum: 3,600 seconds
    - Default: 40 seconds
  - Click OK.
- In the lower pane, configure the applicable value for the attribute "life_sign_transmitter_interval":
  - Scroll down to "life_sign_transmitter_interval".
  - Right-click the number in the Value column > click Edit.
  - Enter the applicable number of seconds:
    - Minimum: 5 seconds
    - Maximum: 600 seconds
    - Default: 10 seconds
  - Click OK.
- At the top, click the File menu > click Save All.
- Close the Database Tool (GuiDBEdit Tool).
- In SmartConsole, install the Access Control Policy on all Security Gateways that participate in this VPN Community.
Tracking Options
You can configure alerts to stay updated on the status of permanent VPN tunnels.
To configure logs and alerts for VPN tunnel status:
- In the properties of the VPN Community object, open the Tunnel Management page.
- In Tunnel down track, select the alert when a tunnel is down.
- In Tunnel up track, select the alert when a tunnel is up.
  The alerts are configured for the tunnels that are defined as permanent, based on the settings on the page.
- In SmartConsole, install the Access Control Policy on all Security Gateways that participate in this VPN Community.
See the status of all VPN tunnels in SmartView Monitor.
To open SmartView Monitor:
- In SmartConsole, click Logs & Events.
- Click New Tab.
- From the bottom of this page, click Tunnel & User Monitoring.
For more details, see Monitoring Tunnels in the R82 Logging and Monitoring Administration Guide.
Monitoring the Status of Site to Site VPN Tunnels with Network Probes
Starting from R82, you can configure a dedicated Network Probe object for enhanced monitoring of Site to Site VPN tunnels.
Security Gateways configured with a Site to Site VPN can use the Network Probe object to periodically test the availability of the specified destination. The results of these probes help determine whether the VPN peer is reachable.
For detailed information, see sk181994.
You can monitor the status of the Site to Site VPN tunnels in these ways:
- In SmartConsole, follow these steps:
  - From the left navigation panel, click Security Policies.
  - In the top middle panel, click Access Control.
  - In the bottom middle panel Access Tools, click VPN Network Probes.
- On the Security Gateway, with the CLI command "cpview" - see sk101878 (at the top, click the "Software-blades" > "VPN" > "Tunnel-Monitoring" tab).
- On the Security Gateway, with the CLI command "probemon" in the Expert mode. See probemon.