VPN with External VPN Gateways
Configuring Site to Site VPN with External VPN Gateways Using Certificates
This section applies to typical configurations of a VPN with external Security Gateways, and assumes that the peers work with certificates.
If this is not the case, see Configuring Site to Site VPN with External VPN Gateways Using Pre-Shared Secret.
To configure Site to Site VPN with an externally managed VPN peer, you and the peer administrator must agree on the same Certificate Authority (CA) for communication between the two VPN peers.
Even if each of the peer VPN Gateways uses a Check Point Internal Certificate Authority (ICA), their ICAs are different unless both Security Gateways are managed by the same Security Management Server, because each Management Server issues certificates from its own ICA.
Example - A Check Point Security Gateway located at a headquarters office and a peer Check Point Security Gateway located at a branch office are managed separately. Each peer Security Gateway uses a different Check Point ICA and has different encryption parameters. The administrators of the two networks must agree on a CA for communication between the two peers.
Note - Configuring a VPN with PKI and certificates is more secure than configuring it with pre-shared secrets.
- Get the certificate of the CA that issued the certificate for the peer VPN Security Gateway. Request it from the peer administrator.
  If the peer Security Gateway uses the Internal Certificate Authority, obtain the Certificate Authority certificate file by connecting with a web browser to this portal:
  - In R81.10 and higher:
    http://<IP address of Management Server that manages the peer Security Gateway>:18268
  - In R81 and lower:
    http://<IP address of Management Server that manages the peer Security Gateway>:18265
  The portal is served over plain HTTP, so confirm the fingerprint of the downloaded CA certificate with the peer administrator over a separate channel before you trust it.
- In SmartConsole, configure the Certificate Authority object for the Certificate Authority that issued the certificate for the peer.
- Configure a Certificate Authority to issue certificates for your side, in case the certificate issued by the ICA is not applicable for the required VPN tunnel.
  You may have to export the CA certificate and supply it to the peer administrator.
- Define the Network Object(s) of the Security Gateway(s) that are internally managed:
  - In the General Properties page of the Security Gateway object, select IPsec VPN.
  - In the Network Management page, define the Topology.
  - In the VPN Domain page, define the VPN Domain.
    If the VPN Domain does not contain all the IP addresses behind the Security Gateway, configure the VPN Domain manually by defining a group or network of machines and setting them as the VPN Domain.
- If the ICA certificate is not applicable for this VPN tunnel, generate a certificate from the applicable Certificate Authority on the IPsec VPN page.
- Define the Network Object(s) of the externally managed Security Gateway(s):
  - If it is not a Check Point Security Gateway, define an Interoperable Device:
    In Object Explorer, click New > Network Object > More > Interoperable Device.
  - If it is a Check Point Security Gateway, define an Externally Managed VPN Gateway:
    In Object Explorer, click New > Network Object > Gateways and Servers > More > Externally Managed VPN Gateway.
- Set the attributes of the peer Security Gateway.
  For an externally managed Check Point Security Gateway:
  - In the General Properties page of the Security Gateway object, select IPsec VPN.
  - Define the Topology.
  - Define the VPN Domain with the VPN Domain information obtained from the peer administrator. If the VPN Domain does not contain all the IP addresses behind the Security Gateway, define the VPN Domain manually by defining a group or network of machines and setting them as the VPN Domain.
  - On the IPsec VPN page, define the Matching Criteria. Specify that the peer must present a certificate signed by its own Certificate Authority. Where possible, also enforce details that appear in the certificate (for example, its Distinguished Name); if only the issuing CA is checked, any certificate that CA has issued would be accepted as the peer.
- Define the VPN Community.
  If you are configuring a Meshed VPN Community rather than a Star VPN Community, ignore the distinction between the Center Security Gateways and the Satellite Security Gateways.
  - Agree with the peer administrator on the IKE properties and set them in the Encryption page and the Advanced page of the VPN Community object.
  - Define the Center Security Gateways. In most cases these are the internally managed Security Gateways.
    If no other VPN Community is defined for them, decide whether to mesh the Center Security Gateways.
    If they are already in a VPN Community, do not mesh the Center Security Gateways.
  - Define the Satellite Security Gateways. In most cases these are the external Security Gateways.
  - Click OK.
- Publish the SmartConsole session.
- Define the applicable Access Control rules.
  Add the VPN Community in the VPN column, the services in the Services & Applications column, the Action, and the applicable Track option.
- Install the Access Control Policy on all Security Gateways that participate in the VPN Community.
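Two steps in this procedure silently weaken the tunnel if done carelessly: trusting a CA certificate fetched from the ICA portal over plain HTTP without checking its fingerprint, and writing Matching Criteria so loose that any certificate from the agreed CA passes as the peer. The following Python script is an added example and not Check Point code. It computes the fingerprint of a downloaded CA certificate for comparison against the value the peer administrator reads out over a separate channel, and it evaluates a set of matching criteria against the fields of a presented peer certificate. The certificate bytes, the Distinguished Names, the IP address and the criteria are all constructed for the example; because the Python standard library has no X.509 parser, the parsed certificate fields are passed in as a dict (in practice you would take them from `openssl x509 -noout -subject -issuer -ext subjectAltName`).

```python
"""Added example (not Check Point code): fingerprint check for a downloaded
CA certificate, and a matching-criteria check for a peer certificate."""
import base64
import hashlib
import re

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and base64-decode it."""
    match = _PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the DER bytes, as CA tools show it."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_match(actual: str, expected: str) -> bool:
    """Compare fingerprints ignoring case, colons and whitespace, so a value
    read out over the phone or pasted from an e-mail still compares correctly."""
    def norm(s):
        return re.sub(r"[^0-9a-f]", "", s.lower())
    return norm(expected) != "" and norm(actual) == norm(expected)


def _split_dn(dn: str) -> list:
    """Normalise a Distinguished Name into a list of 'type=value' RDNs."""
    return [rdn.strip() for rdn in dn.split(",") if rdn.strip()]


def check_matching_criteria(cert: dict, criteria: dict) -> list:
    """Return the reasons a presented peer certificate fails the criteria
    (an empty list means it is accepted).

    cert:     fields parsed from the presented certificate:
              {"issuer": DN, "subject": DN, "san_ips": [...]}
    criteria: {"issuer": DN of the agreed CA (required),
               "subject": expected peer DN (optional),
               "peer_ip": IP that must appear in the SAN (optional)}
    Checking only the issuer accepts every certificate that CA ever issued,
    which is why subject and peer_ip should be set whenever the peer admin
    can tell you what the certificate contains.
    """
    failures = []
    if _split_dn(cert.get("issuer", "")) != _split_dn(criteria["issuer"]):
        failures.append(f"issuer {cert.get('issuer')!r} is not the agreed CA")
    if "subject" in criteria and \
            _split_dn(cert.get("subject", "")) != _split_dn(criteria["subject"]):
        failures.append(f"subject {cert.get('subject')!r} does not match")
    if "peer_ip" in criteria and criteria["peer_ip"] not in cert.get("san_ips", []):
        failures.append(f"peer IP {criteria['peer_ip']} not in certificate SAN")
    return failures


def verify_downloaded_ca(pem: str, expected_fingerprint: str) -> bool:
    """True only if the PEM downloaded from the ICA portal has the fingerprint
    the peer administrator confirmed out of band."""
    return fingerprints_match(fingerprint(pem_to_der(pem)), expected_fingerprint)


# Constructed sample input: NOT a real X.509 certificate, just bytes wrapped
# in PEM armour so the fingerprint path can be exercised offline.
SAMPLE_DER = b"constructed placeholder, not a real DER certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

# Constructed peer certificate fields and the criteria agreed with the peer admin.
SAMPLE_PEER_CERT = {
    "issuer": "O=example-branch-mgmt, CN=example-branch-ica",
    "subject": "O=example-branch-mgmt, CN=branch-gw",
    "san_ips": ["192.0.2.10"],
}
SAMPLE_CRITERIA = {
    "issuer": "O=example-branch-mgmt, CN=example-branch-ica",
    "subject": "O=example-branch-mgmt, CN=branch-gw",
    "peer_ip": "192.0.2.10",
}

if __name__ == "__main__":
    fp = fingerprint(pem_to_der(SAMPLE_PEM))
    print("SHA-256 fingerprint of downloaded CA certificate:", fp)
    # In practice the expected value comes from the peer administrator, not from here.
    expected_from_peer_admin = fp
    print("CA fingerprint confirmed:", verify_downloaded_ca(SAMPLE_PEM, expected_from_peer_admin))
    print("Matching criteria failures:", check_matching_criteria(SAMPLE_PEER_CERT, SAMPLE_CRITERIA))
    impostor = dict(SAMPLE_PEER_CERT, subject="O=example-branch-mgmt, CN=other-gw")
    print("Impostor issued by the same CA:", check_matching_criteria(impostor, SAMPLE_CRITERIA))
```

The impostor case at the end is the point of the matching criteria: a second certificate from the same branch ICA passes an issuer-only check, and only the subject and SAN criteria reject it.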
Configuring Site to Site VPN with External VPN Gateways Using Pre-Shared Secret
Administrators of the peer VPN Security Gateways must coordinate with each other and agree on all details. The administrators must manually supply details such as the IP address and the VPN Domain topology; these details cannot be detected automatically.
There are many possible scenarios for VPN with external Security Gateways. The next procedure is meant for typical cases and assumes that the peers work with pre-shared secrets. If the peers do not work with pre-shared secrets, see Configuring Site to Site VPN with External VPN Gateways Using Certificates.
Note - It is more secure to configure a VPN with public key infrastructure (PKI) and certificates than with pre-shared secrets.
- Define the Network Object(s) of the Security Gateways that are locally managed:
  - In the General Properties page of the Security Gateway object, in the Network Security tab, select IPsec VPN.
  - In the Network Management page, define the Topology.
  - In the Network Management > VPN Domain page, define the VPN Domain.
    If the VPN Domain does not contain all IP addresses behind the Security Gateway, define the VPN Domain manually by defining a group or network of machines and setting them as the VPN Domain.
- Define the Network Object(s) of the externally managed Security Gateway(s):
  - If it is not a Check Point Security Gateway, define an Interoperable Device:
    In Object Explorer, click New > Network Object > More > Interoperable Device.
  - If it is a Check Point Security Gateway, define an Externally Managed VPN Gateway:
    In Object Explorer, click New > Network Object > Gateways and Servers > More > Externally Managed VPN Gateway.
- Set the attributes of the peer Security Gateway:
  - In the Topology page, define the Topology and the VPN Domain with the VPN Domain information obtained from the peer administrator.
  - If the VPN Domain does not contain all the IP addresses behind the Security Gateway, configure the VPN Domain manually by defining a group or network of machines and setting them as the VPN Domain.
- Define the VPN Community.
  If you are configuring a Mesh VPN Community rather than a Star VPN Community, ignore the distinction between the Center Security Gateways and the Satellite Security Gateways.
  - Agree with the peer administrator on the IKE properties. Set the IKE properties in the Encryption page and the Advanced page of the VPN Community object.
  - Define the Center Security Gateways. These are usually the locally managed Security Gateways.
    If no other VPN Community is defined for them, decide whether to mesh the Center Security Gateways.
    If the Center Security Gateways are already in a VPN Community, do not mesh them.
  - Define the Satellite Security Gateways. These are usually the external Security Gateways.
- Publish the changes in SmartConsole.
- Agree on a pre-shared secret with the administrator of the external VPN Community members. Then, in the Shared Secret page of the VPN Community, select Use only Shared Secret for all external members. For each external member, enter the pre-shared secret.
  Use a long, randomly generated secret for each external member, and exchange it over a channel separate from the one used for the rest of the coordination.
- Define the applicable Access Control rules in the Access Control Policy.
  Add the VPN Community in the VPN column, the services in the Services & Applications column, the desired Action, and the applicable Track option.
- Install the Access Control Policy on all Security Gateways that participate in this VPN Community.
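Both procedures on this page, the certificate-based one and the pre-shared-secret one, contain the step "agree with the peer administrator on the IKE properties" and then leave the comparison to a phone call. The following Python script is an added example, not Check Point code: it takes the two parameter sheets the administrators have exchanged, works out which Phase 1 and Phase 2 proposal the peers would actually land on (first local preference that the peer also offers), and lists everything to raise before the tunnel goes live: no common IKE version or proposal, a negotiated proposal that uses a legacy cipher, hash or DH group, a PFS mismatch, and differing SA lifetimes. The sheet format, the first-match negotiation model, the legacy-algorithm lists and the sample sheets are this example's own assumptions, not Check Point defaults; the values to enter in the Encryption and Advanced pages are whatever the two administrators finally agree on.

```python
"""Added example (not Check Point code): check two peers' IKE/IPsec parameter
sheets for a common, non-legacy proposal before building the tunnel."""

# Assumption for this example, not a Check Point list: algorithms and DH groups
# a practitioner would not accept in a new tunnel.
LEGACY_ENCRYPTION = {"DES", "3DES", "NULL"}
LEGACY_INTEGRITY = {"MD5", "SHA-1"}
LEGACY_DH_GROUPS = {1, 2, 5}   # 768/1024/1536-bit MODP


def weaknesses(enc, integ, dh=None):
    """Reasons a proposal is weak; an empty list means nothing to object to."""
    notes = []
    if enc in LEGACY_ENCRYPTION:
        notes.append(f"encryption {enc} is legacy")
    if integ in LEGACY_INTEGRITY:
        notes.append(f"integrity {integ} is legacy")
    if dh is not None and dh in LEGACY_DH_GROUPS:
        notes.append(f"DH group {dh} is too small")
    return notes


def first_common(local_prefs, peer_offers):
    """Initiator-style selection: the first local proposal the peer also offers.

    Proposals are compared as whole tuples, so (AES-256, SHA-256, 14) does not
    match a peer that offers AES-256 only together with DH group 2."""
    offered = set(peer_offers)
    for proposal in local_prefs:
        if proposal in offered:
            return proposal
    return None


def compare_sheets(local, peer):
    """Compare two parameter sheets and return (negotiated, findings).

    Sheet keys (format constructed for this example):
      ike_versions     set of supported IKE versions, e.g. {2}
      phase1           [(encryption, integrity, dh_group), ...] in preference order
      phase2           [(encryption, integrity), ...] in preference order
      pfs_group        DH group for Perfect Forward Secrecy in Phase 2, or None
      ike_lifetime_s, ipsec_lifetime_s   SA lifetimes in seconds
    `negotiated` is what the two sides would land on; `findings` lists what to
    raise with the peer administrator before the tunnel goes live.
    """
    findings = []
    negotiated = {}

    versions = local["ike_versions"] & peer["ike_versions"]
    negotiated["ike_version"] = max(versions) if versions else None
    if not versions:
        findings.append("no common IKE version")

    for phase in ("phase1", "phase2"):
        chosen = first_common(local[phase], peer[phase])
        negotiated[phase] = chosen
        if chosen is None:
            findings.append(f"no common {phase} proposal")
        else:
            findings += [f"{phase}: {w}" for w in weaknesses(*chosen)]

    if local["pfs_group"] != peer["pfs_group"]:
        negotiated["pfs_group"] = None
        findings.append(f"PFS mismatch: local {local['pfs_group']}, peer {peer['pfs_group']}")
    else:
        negotiated["pfs_group"] = local["pfs_group"]
        if local["pfs_group"] is None:
            findings.append("PFS disabled on both sides")
        else:
            findings += [f"PFS: {w}" for w in weaknesses(None, None, local["pfs_group"])]

    for key in ("ike_lifetime_s", "ipsec_lifetime_s"):
        if local[key] != peer[key]:
            findings.append(f"{key} differs: local {local[key]}, peer {peer[key]}")
    return negotiated, findings


# Constructed sample sheets: the local (headquarters) side, a branch whose
# preference order differs but overlaps, and a legacy peer that only does IKEv1.
HQ_SHEET = {
    "ike_versions": {1, 2},
    "phase1": [("AES-256", "SHA-256", 14), ("AES-128", "SHA-1", 2)],
    "phase2": [("AES-256", "SHA-256"), ("AES-128", "SHA-1")],
    "pfs_group": 14, "ike_lifetime_s": 28800, "ipsec_lifetime_s": 3600,
}
BRANCH_SHEET = {
    "ike_versions": {2},
    "phase1": [("AES-128", "SHA-1", 2), ("AES-256", "SHA-256", 14)],
    "phase2": [("AES-256", "SHA-256")],
    "pfs_group": 14, "ike_lifetime_s": 28800, "ipsec_lifetime_s": 3600,
}
LEGACY_PEER_SHEET = {
    "ike_versions": {1},
    "phase1": [("AES-128", "SHA-1", 2)],
    "phase2": [("AES-128", "SHA-1")],
    "pfs_group": None, "ike_lifetime_s": 86400, "ipsec_lifetime_s": 3600,
}

if __name__ == "__main__":
    for name, peer in (("branch", BRANCH_SHEET), ("legacy peer", LEGACY_PEER_SHEET)):
        negotiated, findings = compare_sheets(HQ_SHEET, peer)
        print(f"HQ <-> {name}: {negotiated}")
        for finding in findings or ["nothing to raise"]:
            print("  -", finding)
```

Against the branch sheet the local preference wins and nothing is flagged, even though the branch lists the weaker proposal first. Against the legacy peer the only overlap is AES-128/SHA-1/group 2 with no PFS, which the script reports as five separate findings; that is the list to take to the peer administrator, rather than discovering it from a tunnel that comes up weaker than intended.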