Configuring Advanced Site to Site Settings

In the VPN > Site to Site Advanced page you can configure global advanced options that define how the appliance connects to remote sites.

The configuration options on this page answer these configuration questions:

  • When to open a connection with a remote site - See "Configuring a Local Encryption Domain" below. In addition, the remote site's encryption domain is configured per site. See the VPN > Site to Site VPN Sites page.

  • How the appliance connects to remote sites - See "Configuring the Appliance's Interfaces" below.

Configuring a Local Encryption Domain

In domain based VPN, traffic is encrypted when it originates in one encryption domain and is transmitted to a different domain.

The local encryption domain defines:

  • The internal networks that encrypted traffic from remote sites and networks can access.

  • That traffic from the encryption domain to remote sites is encrypted.

By default, the local encryption domain is determined automatically by the appliance. Networks behind LAN interfaces and trusted wireless networks are part of the local encryption domain. Optionally, you can manually create a local encryption domain if necessary.

To configure a local encryption domain manually:

  1. Click the automatically according to topology link.

  2. Select Define local network topology manually.

  3. Click Select to show the full list of available networks and select the applicable checkboxes.

  4. Click New if the existing list does not contain the necessary networks required.

    For information on how to create a new network object, see the Users & Objects > Network Objects page.

  5. Click Apply.

    The Site to Site Local Encryption Domain window opens and shows the services you selected.

Configuring the Appliance's Interfaces

Link Selection is a method used to:

  • Specify which interface is used for incoming and outgoing VPN traffic.

  • Determine the best possible path for the traffic.

In addition, with the Link Selection mechanisms, the administrator can select which source IP addresses are used for VPN traffic.

The default configuration to select an outgoing interface and source IP address is for the device to determine them automatically. Alternatively, you can change the default settings and select other means to determine:

  • The appliance's outgoing interface

  • The appliance's source IP address

To configure the appliance's outgoing interfaces and source IP address for VPN:

  1. In the Link Selection > Outgoing interface selection section, select a method to specify the outgoing interface:

    • According to the routing table – The OS's routing table finds the interface link with the lowest metric (highest priority) through which to send traffic based on the remote site's IP addresses.

    • Route based probing – This method also consults the routing table for the link with the lowest metric. However, before an interface link is chosen to send traffic, all routing possibilities are examined to make sure that the link is active. The gateway selects the best match (highest prefix length) active route with the lowest metric (highest priority). This method is recommended when there is more than one external interface.

  2. In the Source IP address selection section, select an option to configure the source IP address used by the Security Gateway, when it initiates or responds to VPN traffic. This IP address is normally used by the remote sites to connect to this Security Gateway:

    • Automatically chosen according to outgoing interface.

    • Manually configured – Enter an IP address that is always used as the source IP address of a VPN tunnel.
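As an added illustration (not from the appliance's documentation or code), the following Python models the two outgoing interface selection methods and the two source IP address options over a constructed routing table; the route entries, link names, addresses and the per-link `active` probe result are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str      # destination network, e.g. "203.0.113.0/24"
    metric: int      # lower value = higher priority
    interface: str   # outgoing link (constructed names)
    active: bool     # probe result for the link (assumed to come from the probing stage)


def _lookup(routes, peer_ip):
    # Longest prefix match first, then lowest metric among equal-length prefixes.
    ip = ipaddress.ip_address(peer_ip)
    matching = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    if not matching:
        return None
    return max(matching, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.metric))


def select_by_routing_table(routes, peer_ip):
    """'According to the routing table': link state is not checked, so a down link can be chosen."""
    best = _lookup(routes, peer_ip)
    return best.interface if best else None


def select_by_route_based_probing(routes, peer_ip):
    """'Route based probing': only links that answered the probe are candidates."""
    best = _lookup([r for r in routes if r.active], peer_ip)
    return best.interface if best else None


def source_ip(interface_addresses, interface, manual=None):
    """Source IP selection: the manually configured address if set, else the chosen link's address."""
    if manual is not None:
        return manual
    return interface_addresses.get(interface)


# Constructed routing table: the preferred default route is via WAN1, whose link is down.
ROUTES = [
    Route("0.0.0.0/0", 10, "WAN1", active=False),
    Route("0.0.0.0/0", 20, "WAN2", active=True),
    Route("198.51.100.0/24", 50, "DMZ", active=True),
]
IFACE_ADDR = {"WAN1": "192.0.2.10", "WAN2": "192.0.2.20", "DMZ": "198.51.100.1"}

if __name__ == "__main__":
    for peer in ("203.0.113.5", "198.51.100.7"):
        table = select_by_routing_table(ROUTES, peer)
        probed = select_by_route_based_probing(ROUTES, peer)
        print(peer, "routing table:", table, "| probing:", probed, "| src:", source_ip(IFACE_ADDR, probed))
```

For the remote site 203.0.113.5 the routing table method picks WAN1 even though its link is down, while route based probing falls back to WAN2; for 198.51.100.7 both pick DMZ because prefix length outranks metric.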

Tunnel Health Monitoring

Dead Peer Detection (DPD) is an additional keepalive mechanism supported by the Check Point Security Gateway to test if VPN tunnels are active. DPD uses IPsec traffic to minimize the number of messages required to confirm the availability of a peer and requires an established IPsec tunnel. The DPD mechanism is based on IKE encryption keys only.

The feature also allows you to monitor permanent tunnels based on DPD for both IKEv1 and IKEv2.

In active mode, a peer configured for DPD receives DPD Hello requests at regular intervals if there is no incoming IPsec traffic for 10 seconds.

To test if a VPN tunnel is active, select a Tunnel health monitoring method:

  • Tunnel test (Check Point Proprietary) – Works only between Check Point gateways.

  • DPD (Dead Peer Detection)

In DPD responder mode, the Check Point gateway sends the IKEv1 Vendor ID to peers from which the DPD Vendor ID was received and answers incoming DPD packets.

To enable DPD responder mode, select the checkbox.