Setting Up Site-To-site VPN R80.x

This document provides instructions for setting up site-to-site VPNs in Check Point R80.x products. It discusses site-to-site VPN settings, creating VPN communities, encryption methods, and access rules. An example of setting up VPN with a third-party Fortinet gateway is also included. Common troubleshooting skills for site-to-site VPN issues are listed.


Site to Site VPN in R80.x
Author: Danny Drake

Table of Contents
Site to Site VPN in R80.x ... 1
Introduction ... 2
Site to Site VPN Settings ... 3
VPN with a Third Party ... 13
Common SKs for Troubleshooting S2S VPNs ... 16

©2019 Check Point Software Technologies Ltd. All rights reserved | P. 1


Check Point for Beginners – CP4B – Series
Introduction
This document is a tutorial for beginners. It provides step by step instructions and
examples of setting up Site to Site VPN with Check Point R80.x products. It also
includes an example of setting up a S2S VPN with a third-party Gateway (Fortinet).

Some experience with R80.x SmartConsole is assumed, as well as a basic understanding
of IPSec and the principles of Site to Site VPNs.

Site to Site VPN Settings
1. First, create the network/host objects you will need on both ends of the VPN
tunnel (the internal networks behind each gateway).

2. Then open the gateway object you are installing the VPN tunnel on and enable the
IPSec VPN blade.

3. Open the Network Management options and select VPN Domain. Unless you want
all interfaces to be part of the tunnel, you need to manually define the VPN domain.
Click the "Manually defined" radio button and select the internal network you are
coming from (created in step 1).

4. If your GW's external IP is different from the IP on the interface you are using for
your tunnel, you will need to select the link manually. Open the drop-down under
IPSec VPN and select Link Selection. Then select the "Selected address from
topology table" radio button and choose the interface you want to use.

5. For 3rd party GWs you will need to create the peer as an interoperable device and
set the link selection within the Topology tab. Then click the "Manually defined"
radio button and select the inside network on the other end of the tunnel.

6. Next you will need to create the VPN community. Click on the Security Policies tab
in the left pane, then select VPN Communities at the bottom left.

7. There are two types of communities you could create: a Mesh community,
consisting of multiple gateways that can all connect VPN to each other, or a
Star community, which is one central GW with remote GWs that VPN back to it. Select
New, and your choice of community.

8. Give it a name and select your participating GWs

9. You can choose to accept all internal traffic of the participating GWs without the
need for an access rule.

10. Next, choose the encryption method. This is where most of your troubleshooting
with 3rd party GWs will take place. The encryption methods must be identical on
both ends. Use Aggressive mode if you are connecting to a 3rd party that does not
support Main mode. Use Perfect Forward Secrecy only for extreme security needs, as it
will affect performance.
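The matching rule in step 10 can be checked before touching either box. The following is an added example, not code from this tutorial or from Check Point: it models both peers' Phase 1 and Phase 2 proposals and reports the reasons a tunnel would fail to negotiate (no common proposal, a PFS mismatch, or a Main/Aggressive mode mismatch). Gateway names, algorithm strings and lifetimes are constructed sample values.

```python
"""Check whether two site-to-site VPN peers can agree on IKE settings.

Added example (not code from the Check Point tutorial): it models the
step 10 rule that encryption methods must be identical on both ends by
intersecting each peer's Phase 1 and Phase 2 proposals. Gateway names,
algorithm strings and lifetimes below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proposal:
    encryption: str            # e.g. "aes-256"
    integrity: str             # e.g. "sha256"
    dh_group: Optional[int]    # Phase 1: IKE DH group; Phase 2: PFS group, None = no PFS


@dataclass
class Peer:
    name: str
    ike_mode: str                          # "main" or "aggressive"
    phase1: List[Proposal] = field(default_factory=list)
    phase2: List[Proposal] = field(default_factory=list)
    phase1_lifetime_s: int = 86400
    phase2_lifetime_s: int = 3600


def _first_common(offered: List[Proposal], accepted: List[Proposal]) -> Optional[Proposal]:
    """The responder picks the first initiator proposal it also supports."""
    return next((p for p in offered if p in accepted), None)


def _pfs_mismatch(a: Peer, b: Peer) -> bool:
    """True when one side always requires PFS for Phase 2 and the other never offers it."""
    a_pfs = {p.dh_group is not None for p in a.phase2}
    b_pfs = {p.dh_group is not None for p in b.phase2}
    return bool(a_pfs) and bool(b_pfs) and a_pfs.isdisjoint(b_pfs)


def negotiate(initiator: Peer, responder: Peer) -> Dict[str, object]:
    """Simulate proposal matching; return agreed proposals and reasons a tunnel would fail."""
    problems: List[str] = []
    warnings: List[str] = []

    if initiator.ike_mode != responder.ike_mode:
        problems.append(f"IKE mode mismatch: {initiator.name}={initiator.ike_mode}, "
                        f"{responder.name}={responder.ike_mode}")

    p1 = _first_common(initiator.phase1, responder.phase1)
    if p1 is None:
        problems.append("no common Phase 1 (IKE) proposal")

    p2 = _first_common(initiator.phase2, responder.phase2)
    if p2 is None:
        problems.append("PFS mismatch in Phase 2" if _pfs_mismatch(initiator, responder)
                        else "no common Phase 2 (IPsec) proposal")

    # Differing lifetimes are usually negotiated down rather than failing outright,
    # but they make the two sides rekey at different times, so flag them.
    if initiator.phase1_lifetime_s != responder.phase1_lifetime_s:
        warnings.append("Phase 1 lifetimes differ")
    if initiator.phase2_lifetime_s != responder.phase2_lifetime_s:
        warnings.append("Phase 2 lifetimes differ")

    return {"ok": not problems, "phase1": p1, "phase2": p2,
            "problems": problems, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample peers: the Fortinet side has PFS on, the Check Point side off.
    cp = Peer("cp-gw", "main",
              phase1=[Proposal("aes-256", "sha256", 14)],
              phase2=[Proposal("aes-256", "sha256", None)])
    fg = Peer("fortigate", "main",
              phase1=[Proposal("aes-128", "sha1", 5), Proposal("aes-256", "sha256", 14)],
              phase2=[Proposal("aes-256", "sha256", 14)])
    for key, value in negotiate(cp, fg).items():
        print(f"{key}: {value}")
```

Run it with a copy of each side's settings filled in from the two GUIs; the "problems" list is the first thing to clear when a 3rd party tunnel will not come up, and the "warnings" list explains tunnels that come up and then drop at a rekey.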

11. You can choose to create permanent tunnels if you wish.

12. Decide how the tunnel routes: whether the satellites can communicate through the
center GW, or only with it.

13. MEP (Multiple Entry Points) is used for load balancing if you are expecting heavy
load on your tunnel.

14. You can choose certain traffic that will not be encrypted over the tunnel to increase
performance.

15. When connecting to a 3rd party you will need a Shared Secret. This password
must be identical on both ends of the tunnel.

16. Wire mode simulates the GWs being connected together by a wire, so that traffic
between them bypasses the GW completely.

17. In the advanced settings you can configure when IKE Phase 1 and Phase 2 are
automatically renegotiated. You will also want to disable NAT here, as NAT can cause
issues accessing internal assets when you are connecting by IP.

18. Next, create an Access Rule to allow the VPN traffic. Add the network/host
objects as both source and destination, choose the VPN community you created, then
set the action to Accept and enable logging.

19. Publish and install the policy on the participating GWs.
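Steps 3, 5, 17 and 18 together decide whether a packet is encrypted into the tunnel. The following is an added example, not code from this tutorial or from Check Point: a deliberately simplified model of a gateway's VPN domain, the access rule from step 18, and what hide NAT does to the source address, which is why step 17 says to disable it. It also checks that the two VPN domains do not overlap. All addresses are constructed sample values (RFC 1918 internal ranges and RFC 5737 external IPs); the gateway and community names are placeholders.

```python
"""Model VPN domains, the access rule and the effect of NAT on tunnel traffic.

Added example (not code from the tutorial): a simplified model of steps 3, 5,
17 and 18. Each gateway carries a VPN (encryption) domain, an access rule
allows traffic between the two domains within the community, and hide NAT
is simulated to show why step 17 tells you to disable it. All addresses are
constructed sample values (RFC 1918 internal ranges, RFC 5737 external IPs).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


def net(cidr: str) -> Net:
    return ipaddress.ip_network(cidr)


@dataclass
class Gateway:
    name: str
    external_ip: str
    vpn_domain: List[Net]          # manually defined VPN domain (steps 3 and 5)


@dataclass
class AccessRule:
    sources: List[Net]
    destinations: List[Net]
    community: str                 # the VPN community chosen in step 18
    action: str = "accept"

    def matches(self, src: Addr, dst: Addr) -> bool:
        return (any(src in n for n in self.sources)
                and any(dst in n for n in self.destinations))


def in_domain(addr: Addr, domain: List[Net]) -> bool:
    return any(addr in n for n in domain)


def overlapping_domains(a: Gateway, b: Gateway) -> List[Tuple[Net, Net]]:
    """Overlapping VPN domains leave a gateway unable to tell which peer owns an address."""
    return [(x, y) for x in a.vpn_domain for y in b.vpn_domain if x.overlaps(y)]


def classify(local: Gateway, remote: Gateway, rules: List[AccessRule],
             src: str, dst: str, hide_nat: bool = False) -> str:
    """Return 'encrypt', 'drop' or 'clear' for a packet leaving the local gateway.

    hide_nat=True simulates the source being hidden behind the external IP
    before the VPN decision is made, the situation step 17 warns about:
    the translated source is no longer inside the VPN domain.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if hide_nat:
        s = ipaddress.ip_address(local.external_ip)
    # Only domain-to-domain traffic is community traffic; anything else is
    # left to the rest of the rulebase and goes out in the clear.
    if not (in_domain(s, local.vpn_domain) and in_domain(d, remote.vpn_domain)):
        return "clear"
    for rule in rules:
        if rule.matches(s, d):
            return "encrypt" if rule.action == "accept" else "drop"
    return "drop"   # implicit cleanup: no rule allowed it


if __name__ == "__main__":
    cp = Gateway("cp-gw", "203.0.113.1", [net("10.1.0.0/16")])
    fg = Gateway("fortigate", "198.51.100.1", [net("10.2.0.0/16")])
    both = [net("10.1.0.0/16"), net("10.2.0.0/16")]
    rules = [AccessRule(both, both, "S2S-Fortinet")]
    print(classify(cp, fg, rules, "10.1.1.10", "10.2.2.20"))                 # encrypt
    print(classify(cp, fg, rules, "10.1.1.10", "10.2.2.20", hide_nat=True))  # clear
    print(overlapping_domains(cp, Gateway("bad", "198.51.100.2", [net("10.1.5.0/24")])))
```

The model keeps only the three decisions the tutorial touches (is it domain-to-domain traffic, does a rule allow it, has NAT moved the source out of the domain), so a "clear" result for traffic you expected to be encrypted points at the VPN domains or at NAT, and a "drop" points at the access rule.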


VPN with a Third Party
1. This example configures the 3rd party side on a Fortinet GW using its IPSec wizard.
Give the tunnel a name, select the type of VPN, and set the NAT configuration.

2. Configure IP, interface, and authentication methods.

3. Configure the source and destination subnets. Click create.

4. Choose one of the preconfigured templates.

5. Configure the encryption method here. It must match the method chosen on the
Check Point side.


Common SKs for troubleshooting S2S VPNs

sk34467 - Debugging Site-to-Site VPN
sk60318 - How to Troubleshoot VPN Issues in Site to Site
sk108600 - VPN Site-to-Site with 3rd party
