Configuring VPN
This section describes how to configure these VPN scenarios:
- Remote access VPN
- Site to site VPN using a preshared secret
- Site to site VPN using a certificate
Note - VPN does not work with pure IPv6, only with dual stack.
Configuring Remote Access VPN
Introduction
Use these options for remote access:
- Check Point VPN clients
- Check Point Mobile clients
- Check Point SSL VPN
- L2TP VPN client
Prerequisites
- In VPN > Blade Control, make sure that:
  - The Remote Access control is set to On.
  - The Allow traffic from Remote Access users (by default) option is selected.
  - The applicable connection methods are selected.
  For more details, see Configuring the Remote Access Blade.
- If the gateway uses a dynamic IP address, we recommend you use the DDNS feature. See Configuring DDNS and Access Service.
- For the Check Point VPN client or Mobile client method, make sure that the applicable client is installed on the hosts. Click How to connect for more information.
Remote Access Configuration
These are the methods to configure remote access users:
- Local users
- RADIUS users
- AD users
To allow only specified users to connect with a remote access client, set group permissions for the applicable user type. Select the arrow next to the Add option and select the relevant group option. See Configuring Remote Access Users.
To configure local users:
For new users:
- Go to VPN > Remote Access Users.
- Click Add to add local users.
- Make sure that the Remote Access permissions checkbox is selected.
For more information, see Configuring Remote Access Users.
For existing users:
- Go to VPN > Remote Access Users.
- Click Edit to make sure that the Remote Access permissions checkbox is selected.
For more information, see Configuring Remote Access Users.
To configure RADIUS users:
- Go to VPN > Authentication Servers.
- Click Configure to add a RADIUS server. See Configuring Remote Access Authentication Servers.
- Click permissions for RADIUS users to set access permissions.
To configure AD users:
- Go to VPN > Authentication Servers and click New to add an AD domain. See Configuring Remote Access Authentication Servers.
- Click permissions for Active Directory users to set access permissions.
L2TP VPN Client configuration
For L2TP VPN Client configuration, click L2TP Pre-shared key to enter the key after you enable the L2TP VPN client method.
Advanced Options
For more information on advanced Remote Access options, for example Office Mode network, see Configuring Advanced Remote Access Options.
Monitoring
To make sure Remote Access is working:
Use the configured client to connect to an internal resource from a remote host.
Configuring Site to Site VPN with a Preshared Secret
Introduction
In this Site to Site VPN configuration method, a preshared secret is used for authentication.
Prerequisites
- Make sure the Site to Site VPN blade is set to On and Allow traffic from remote sites (by default) is selected. See Configuring the Site to Site VPN Blade.
- The peer device that you connect to must be configured and connected to the network. If it is a DAIP gateway, its host name must be resolvable.
Configuration
Enter a host name or IP address and enter the preshared secret information. For more information, see Configuring VPN Sites.
Monitoring
To make sure the VPN is working:
- Send traffic between the local and peer gateway.
- Go to VPN > VPN Tunnels to monitor the tunnel status. See Viewing VPN Tunnels.
Configuring Site to Site VPN with a Certificate
Introduction
In this Site to Site VPN configuration method, a certificate is used for authentication.
Prerequisites
- Make sure the Site to Site VPN blade is set to On and Allow traffic from remote sites (by default) is selected. See Configuring the Site to Site VPN Blade.
- The peer device that you connect to must be configured and connected to the network. If it is a DAIP gateway, its host name must be resolvable.
- You must reinitialize certificates with your IP address or resolvable host name. Make sure the certificate is trusted on both sides.
- VPN encryption settings must be the same on both sides (the local gateway and the peer gateway). This is especially important when you use the Custom encryption option.
Configuration
- Reinitialize certificates - Use the Reinitialize certificates option described in Managing Installed Certificates. Make sure this is done on both the local and peer gateway (if they both use locally managed Check Point appliances).
- Trust CAs on the local and peer gateways - Use one of these procedures:
  - Exchange CAs between gateways.
  - Sign a request using one of the gateway's CAs.
  - Authenticate by using a 3rd party CA.
  - Authenticate with an existing 3rd party certificate.
- Use certificate authentication to create the VPN site.
  - Follow the instructions in Configuring VPN Sites.
  - To make sure the specified certificate is used, enter the peer gateway's certificate information in Advanced > Certificate Matching.
Trust Procedures
Exchange CAs between gateways:
Click Add to add the Trusted CA of the peer gateway. This makes sure the CA is uploaded on both the local and peer gateways. See Managing Trusted CAs.
Sign a request using one of the gateway's CAs:
You create a request from one gateway that must be signed by the peer gateway's CA:
- Use the New Signing Request option in Managing Installed Certificates.
- Export this request using the Export option.
- Use the peer gateway's internal CA to sign the request on the peer gateway.
  If the peer gateway is a locally managed Check Point gateway, go to VPN > Trusted CAs and use the Sign a Request option. For more information, see Managing Trusted CAs.
- Upload the signed request to the local gateway.
  - Go to VPN > Installed Certificates.
  - Select the installed certificate that you asked the remote peer to sign.
  - Upload the certificate with the Upload Signed Certificate option. See Managing Installed Certificates.
- Make sure that the CA is installed on both of the gateways. Use the Add option in Managing Trusted CAs.
To authenticate by using a 3rd party CA:
You create a signing request from each peer gateway. Follow the steps above in Sign a request using one of the gateway's CAs to sign it with a 3rd party CA.
Note that a 3rd party CA can issue *.crt, *.p12, or *.pfx certificate files.
- Upload the certificate using the appropriate upload option.
  - Go to VPN > Installed Certificates.
  - Select the installed certificate that you asked the remote peer to sign.
  - Upload the certificate with the Upload Signed Certificate or Upload P12 Certificate option. See Managing Installed Certificates.
- Make sure that the 3rd party CA is installed on both of the gateways. Use the Add option in Managing Trusted CAs.
To authenticate with an existing 3rd party certificate:
- Create a P12 certificate for the local and peer gateway.
- Upload the P12 certificate using the Upload P12 Certificate option on each gateway.
- Make sure that the 3rd party CA is installed on both of the gateways. Use the Add option in Managing Trusted CAs.
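The trust procedures above (signing a request with the peer gateway's CA, signing with a 3rd party CA, and uploading an existing P12 certificate) can be rehearsed off-box before either gateway is touched. This added example is not from the Check Point documentation: it uses openssl to stand in for both gateways, with a constructed CA signing a CSR, the signed certificate packed as a P12, and a verify step showing the certificate chains only to the CA that actually signed it, which is what the "Make sure that the CA is installed on both of the gateways" step guards against. All names, subjects and the work directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the Check Point documentation): rehearse the
# "sign a request with the peer gateway's CA" trust procedure with openssl
# and check that the signed certificate verifies only against that CA.
# All names, subjects and the work directory are constructed for this demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Stand-in for a gateway's internal CA (constructed, self-signed).
make_ca() {  # $1 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Stand-in for New Signing Request + Export: the key stays local, only the CSR leaves.
make_csr() {  # $1 = gateway name
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Stand-in for Sign a Request on the peer: its CA signs the exported CSR.
sign_csr() {  # $1 = gateway name, $2 = CA name
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -out "$WORK/$1.crt" 2>/dev/null
}

# The "CA installed on both gateways" check: does the certificate chain
# to the CA the other side trusts? Prints ok or fail.
verify_against_ca() {  # $1 = gateway name, $2 = CA name
  if openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Bundle key + signed certificate as a P12 (the Upload P12 Certificate form).
make_p12() {  # $1 = gateway name
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
    -passout pass:changeit -out "$WORK/$1.p12" 2>/dev/null
}

make_ca peer-ca
make_ca unrelated-ca     # a CA that was never exchanged with the peer
make_csr local-gw
sign_csr local-gw peer-ca
make_p12 local-gw
echo "local-gw chains to peer-ca:      $(verify_against_ca local-gw peer-ca)"
echo "local-gw chains to unrelated-ca: $(verify_against_ca local-gw unrelated-ca)"
```

The second line of output reads fail: a certificate from a CA that was never added under Managing Trusted CAs on the other side is exactly the case the tunnel will not come up in.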
Monitoring
To make sure the VPN is working:
- Pass traffic between the local and peer gateway.
- Go to VPN > VPN Tunnels to monitor the tunnel status. See Viewing VPN Tunnels.