How to configure IPsec VPN tunnel between Check Point Security Gateway and Amazon Web Services VPC using static routes
Solution

Important Clarification:

Using VTIs seems the most reasonable approach for Check Point. VTI interfaces are not, however, necessarily the only way to set up a VPN tunnel with Amazon VPC.


The following document describes how to set up a VPN between a Check Point Security Gateway (or cluster) and Amazon VPC using static routes. These instructions refer to a Check Point gateway running R77.10 or above using the Gaia operating system.

Important:

  • Note that using Virtual Tunnel Interfaces (VTIs) disabled CoreXL in versions before R80.10. VTIs are supported by default in R80.10 (due to integrated MultiCore VPN). Refer to sk61701.

  • QoS is not supported on Virtual Tunnel Interface (VTI). Refer to sk34086.

  • The following procedure is currently not supported on the Centrally Managed SMB appliances (1100, 1200R, 1400). Contact Check Point Support to get a Hotfix for this issue. Refer to sk111840.

  • VTIs are not currently supported on:

    • Check Point 41000/61000 Security System
    • VSX

 

AWS Configuration

  1. In the VPC Dashboard, click "VPN Connections", and then click "Create VPN Connection".

    • Provide a Name Tag.
    • Select the Virtual Private Gateway.
    • Select "New" under Customer Gateway:
      • Under "IP Address", specify the external IP address of your Check Point Security Gateway (or cluster external virtual IP).
      • Under "BGP ASN", keep the default value.
    • Under "Routing Options", choose "Static".
    • Under "Static IP Prefix", provide your on-premises encryption domain in CIDR notation (multiple blocks can be separated by a comma).
    • This document uses the following example addresses:
      • VPC subnets: 10.10.255.0/24 and 10.10.254.0/24
      • On-premises encryption domain: 192.168.0.0/24 and 192.168.1.0/24
  2. After creating the VPN Connection object, click "Download Configuration". Choose "Generic" as the Vendor.

 

Check Point OS Configuration

Note: If this section is skipped, the Security Gateway might occasionally lose the VPN tunnel because of the AWS SLA.

Log in to the Gaia Portal of your Security Gateway.

  1. Navigate to the "Network Interfaces" tab. Create a new "VPN Tunnel" interface, also known as VTI:

    In the downloaded configuration file, refer to the "IPSec Tunnel #1" section.

    • Under "VPN Tunnel ID", select any unique value (such as 1)
    • Under "Peer", provide a name to identify the VPC tunnel peer (such as AWS_VPC_Tun1)
    • Under "VPN Tunnel Type" select "Numbered"
      • Under "Local Address", provide the "Inside IP Address" of the "Customer Gateway" as specified in the configuration file. (This relates to a single gateway configuration.)
      • Under "Remote Address", provide the "Inside IP Address" of the "Virtual Private Gateway" as specified in the configuration file.
    • Repeat the steps above to create another VPN Tunnel interface using the values provided under the "IPSec Tunnel #2" section:

      • Under "VPN Tunnel ID", select a different value from the one you selected above (such as 2)
      • Under "Peer", provide a name to identify the 2nd VPC tunnel peer (such as AWS_VPC_Tun2)

      Cluster member settings:

      Setting                 Member 1                                  Member 2
      VTI #1 VPN Tunnel ID    1                                         Same as Member 1
      VTI #1 Peer             AWS_VPC_Tun1                              Same as Member 1
      VTI #1 Local Address    Any unique address *                      Any unique address *
      VTI #1 Remote Address   As provided in the configuration file     Same as Member 1
                              for IPSec Tunnel #1
      VTI #2 VPN Tunnel ID    2                                         Same as Member 1
      VTI #2 Peer             AWS_VPC_Tun2                              Same as Member 1
      VTI #2 Local Address    Any unique address *                      Any unique address *
      VTI #2 Remote Address   As provided in the configuration file     Same as Member 1
                              for IPSec Tunnel #2

      * Note: The VTI Local Address (per cluster member) must differ from the addresses provided in the configuration file. These addresses are only locally significant; they establish the point-to-point connection between the logical Check Point and AWS interfaces, on which the VPN next-hop routes are configured.

      Note: For a cluster with two members, four unique addresses are required, one per VTI per member, as outlined above. All other settings can stay the same. In total, six VTI IP addresses are required: the additional two are the shared (cluster) addresses, which are defined in SmartDashboard later.

  2. Navigate to the IPv4 Static Routes tab, and define the VPN static routes (repeat this step for each subnet in your VPC you wish to tunnel traffic to):

    • Click "Add".
    • Specify the VPC subnet.
    • Click "Add Gateway" and choose "IP Address".
    • Provide the IP address for the first VPN Tunnel peer (as specified in the configuration file under "Next hop"), and give it the higher priority (1).
    • Click "Add Gateway" and choose "IP Address" again.
    • Provide the IP address for the second VPN Tunnel peer, and give it the lower priority (2).
    • Tick the "Ping" checkbox, and click "Save".

      If running in a cluster, repeat this step on other members as well.
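As an added example (not part of this SecureKnowledge article), the following Python script parses a constructed excerpt laid out like the AWS "Generic" configuration download and emits the Gaia clish equivalent of the two Gaia Portal steps above for a single gateway: the two numbered VTIs, then the static routes with tunnel #1 as priority 1, tunnel #2 as priority 2, and ping enabled. The excerpt's layout and placeholder addresses are assumptions; compare the generated commands with your own downloaded file before running them in clish.

```python
import re

# Constructed excerpt (placeholder addresses) laid out like the AWS "Generic" download.
SAMPLE_CONFIG = """\
IPSec Tunnel #1
Outside IP Addresses:
  - Virtual Private Gateway : 198.51.100.21
Inside IP Addresses:
  - Customer Gateway        : 169.254.10.2/30
  - Virtual Private Gateway : 169.254.10.1/30
  - Next hop                : 169.254.10.1
IPSec Tunnel #2
Outside IP Addresses:
  - Virtual Private Gateway : 198.51.100.22
Inside IP Addresses:
  - Customer Gateway        : 169.254.11.2/30
  - Virtual Private Gateway : 169.254.11.1/30
  - Next hop                : 169.254.11.1
"""
VPC_SUBNETS = ["10.10.255.0/24", "10.10.254.0/24"]  # the article's example VPC subnets

def _field(section, label):
    """Value after 'label :' in a section, with any /30 prefix length stripped."""
    return re.search(re.escape(label) + r"\s*:\s*(\S+)", section).group(1).split("/")[0]

def parse_tunnels(text):
    """One dict per 'IPSec Tunnel #N' block holding the addresses the procedure uses."""
    tunnels = []
    for block in re.split(r"(?=^IPSec Tunnel #)", text, flags=re.M)[1:]:
        outside, inside = block.split("Inside IP Addresses", 1)
        tunnels.append({
            "id": int(re.match(r"IPSec Tunnel #(\d+)", block).group(1)),
            "vgw_outside": _field(outside, "Virtual Private Gateway"),  # Interoperable Device IP
            "cgw_inside": _field(inside, "Customer Gateway"),           # VTI Local Address
            "vgw_inside": _field(inside, "Virtual Private Gateway"),    # VTI Remote Address
            "next_hop": _field(inside, "Next hop"),                     # static-route gateway
        })
    return tunnels

def gaia_commands(tunnels, subnets):
    """Gaia clish equivalent of the Gaia Portal steps above, for a single gateway."""
    cmds = [f"add vpn tunnel {t['id']} type numbered local {t['cgw_inside']} "
            f"remote {t['vgw_inside']} peer AWS_VPC_Tun{t['id']}" for t in tunnels]
    for subnet in subnets:  # tunnel #1 is priority 1 (preferred), tunnel #2 is priority 2
        for prio, t in enumerate(tunnels, start=1):
            cmds.append(f"set static-route {subnet} nexthop gateway address "
                        f"{t['next_hop']} priority {prio} on")
        cmds.append(f"set static-route {subnet} ping on")  # the "Ping" checkbox
    cmds.append("save config")
    return cmds
```

Calling `gaia_commands(parse_tunnels(SAMPLE_CONFIG), VPC_SUBNETS)` returns the command list; on a cluster, replace each member's `local` address with that member's own unique VTI address from the table above.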

 

SmartDashboard Configuration

  1. Enabling Dead Peer Detection

    Note: Enabling Dead Peer Detection is optional but recommended.

    Enabling DPD (R77.10 and above): See sk97746 for more information.

  2. Enabling TCP MSS Clamping:

    Note: Enabling TCP MSS Clamping is required in most instances. Depending on your ISP type, the MSS value supplied by AWS may work correctly. However, internal testing has shown that one may need to tune the Check Point MSS value as low as 1380 bytes.

    Enabling TCP MSS Clamping (R77.20 and above): See sk101219 for more information.

  3. Defining new network objects:

    1. In SmartDashboard, create a new Interoperable Device:

      • Under "Name", provide the Peer used for the first VTI (e.g., AWS_VPC_Tun1).
        The VTI peer name must exactly match the name of this object in SmartDashboard.
      • Under "IPv4 Address", use the "Outside IP" of the "Virtual Private Gateway" of IPSec Tunnel #1.
      • Repeat this step for IPSec Tunnel #2.
    2. Create an empty simple group to serve as a VPN domain placeholder.

  4. Fetching the VPN Tunnel interfaces:

    (Note: If you have not done so already, enable the IPsec VPN blade on your gateway)

    • Open your gateway or cluster object, and navigate to the Topology tab.

    • Re-fetch the interface configuration.

      Note: For clusters, define the newly added interfaces as Cluster interfaces, using the IP addresses specified in the configuration file for the "Customer Gateway".

    • In the Topology tab, under VPN Domain, choose "Manually defined", and select the empty simple group you created earlier.
    • Note: If you already had a VPN domain configured, you may keep your current configuration, but make sure that the hosts and networks that will use, or be served by, the new VPN connection are not declared in that VPN domain, particularly if the VPN domain is derived automatically ("Based on Topology information").
  5. Creating the VPN community:

    • Navigate to the IPsec VPN tab. Click "Communities", and create a new Star Community by clicking "New..." and then "Star Community".

    • Add your gateway or cluster as the Center Gateway, and add the Interoperable Devices as Satellite Gateways.

    • Under Star Community Properties:

      • Under "Encryption", choose "IKEv1 only". Under "Encryption Suite", choose "Custom", click "Custom Encryption..." and select the encryption properties, as defined in the configuration file.

      • Set Tunnel Management to "One VPN tunnel per Gateway pair". Refer to sk113561.

      • Under "Advanced Settings" > "Shared Secret", configure the pre-shared secret.
    • Under "Advanced Settings" > "Advanced VPN Properties", set the following:

      • IKE SA lifetime (renegotiation time)
      • IPsec SA lifetime (renegotiation time)
      • IPsec Perfect Forward Secrecy
  6. Creating firewall rules (required when specifying a community inside the VPN column):

    Open Global Properties, and navigate to VPN > Advanced.

    Check the "Enable VPN Directional Match in VPN Column" checkbox.

    For every firewall rule related to VPN traffic, add the following directional match rules in the VPN column:

    • Internal_clear > AWS VPN community
    • AWS VPN community > AWS VPN community
    • AWS VPN community > Internal_clear

    To create a directional match rule, right-click the VPN cell for the rule and click "Edit Cell". In the VPN Match Conditions window, choose "Match traffic in this direction only". To add directions, click "Add".

    Note: Globally enabling directional match rules in SmartDashboard will not affect previously configured and functioning VPN rules. Those will continue to function as expected.

  7. Install the policy.

 
