How to configure IPsec VPN between on-premises Check Point Security Gateway and Amazon Web Services VPC using static routes and Numbered VTI


  • The use of Virtual Tunnel Interfaces (VTIs) disabled CoreXL up to R80.10.
    Supported by default starting from R80.10 (due to integrated MultiCore VPN). Refer to sk61701.

  • QoS is not supported on Virtual Tunnel Interface (VTI). Refer to sk34086.

  • This procedure is currently not supported on the Centrally Managed SMB appliances (1100, 1200R, 1400). Contact Check Point Support to get a Hotfix for this issue. Refer to sk111840.

  • VTIs are not supported on:

    • 40000/60000 Scalable Chassis and Maestro R81 and lower
    • VSX R80.40 and lower

Table of Contents:

  1. AWS Configuration
  2. Check Point OS Configuration
  3. SmartDashboard Configuration


Part 1 - AWS Configuration

  1. In the VPC Dashboard, click "VPN Connections", and then click "Create VPN Connection".

    • Provide a Name Tag.
    • Select the Virtual Private Gateway.
    • Select "New" under Customer Gateway:
      • Under "IP Address", specify the external IP address of your Check Point Security Gateway (or cluster external virtual IP).
      • Under "BGP ASN", keep the default value
    • Under "Routing Options" choose "Static"
    • Under "Static IP Prefix" provide your on premise encryption domain in CIDR notation (multiple blocks can be separated by a comma)
    • In this document, we use the following notation:
      • VPC subnets:
      • On premise encryption domain: and
  2. After creating the VPN Connection object, click "Download Configuration". Choose "Generic" as the Vendor.


Part 2 - Check Point OS Configuration on the Security Gateway

Note: If this section is skipped, the Security Gateway might occasionally lose the VPN tunnel due to the AWS SLA.

Log in to the Gaia Portal of your Security Gateway.

  1. Navigate to the "Network Interfaces" tab. Create a new "VPN Tunnel" interface, also known as VTI:

    In the downloaded configuration file, refer to the "IPSec Tunnel #1" section.

    • Under "VPN Tunnel ID", select any unique value (such as 1)
    • Under "Peer", provide a name to identify the VPC tunnel peer (such as AWS_VPC_Tun1)
    • Under "VPN Tunnel Type" select "Numbered"
      • Under "Local Address": provide the "Inside IP Address" of the "Customer Gateway" as specified in the configuration file. (This relates to a single gateway configuration.)
      • Under "Remote Address": provide the "Inside IP Address" of the "Virtual Private Gateway" as specified in the configuration file.
    • Repeat the steps above to create another VPN Tunnel interface using the values provided under the "IPsec Tunnel #2" section:

      • Under "VPN Tunnel ID", select a different value from the one you selected above (such as 2)
      • Under "Peer", provide a name to identify the 2nd VPC tunnel peer (such as AWS_VPC_Tun2)

      Setting                   Member 1                                 Member 2
      ------------------------  ---------------------------------------  --------------------
      VTI #1 - VPN Tunnel ID    1                                        Same as Member 1
      VTI #1 - Peer             AWS_VPC_Tun1                             Same as Member 1
      VTI #1 - Local Address    Any unique address *                     Any unique address *
      VTI #1 - Remote Address   As provided in the configuration file    Same as Member 1
                                for IPSec Tunnel #1
      VTI #2 - VPN Tunnel ID    2                                        Same as Member 1
      VTI #2 - Peer             AWS_VPC_Tun2                             Same as Member 1
      VTI #2 - Local Address    Any unique address *                     Any unique address *
      VTI #2 - Remote Address   As provided in the configuration file    Same as Member 1
                                for IPSec Tunnel #2

      * Note: The VTI Local Address (per cluster member) must be different from the addresses provided in the configuration file. These addresses are only locally significant; they establish the point-to-point connection between the logical Check Point and AWS interfaces, on which the VPN next-hop routes will be configured.

      Note: For a cluster with two members, four unique addresses are required - one for each VTI, as outlined above. All other settings can stay the same. In total, six VTI IP addresses would be required - the additional two will be the shared addresses, which will be defined in SmartDashboard later.

  2. Navigate to the IPv4 Static Routes tab, and define the VPN static routes (repeat this step for each subnet in your VPC you wish to tunnel traffic to):

    • Click "Add".
    • Specify the VPC subnet.
    • Click "Add Gateway" and choose "IP Address".
    • Provide the IP address for the first VPN Tunnel peer (as specified in the configuration file under "Next hop"), and give it the higher priority (1).
    • Click "Add Gateway" and choose "IP Address" again.
    • Provide the IP address for the second VPN Tunnel peer, and give it the lower priority (2).
    • Tick the "Ping" checkbox, and click "Save".

      If running in a cluster, repeat this step on other members as well.
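    The Gaia Portal steps above (VTI creation in step 1 and the VPN static routes in step 2) can be expressed as a small plan that also enforces the two addressing notes: per-member VTI local addresses must be unique and must not reuse the inside addresses taken from the AWS configuration file. The following Python script is an added example, not part of this SecureKnowledge article and not Check Point or AWS tooling. It emits the equivalent Gaia clish commands for each cluster member; the `add vpn tunnel ... type numbered ...` and `set static-route ... nexthop gateway address ... priority ... on` syntax is assumed from the Gaia CLI and should be checked against your Gaia version, and every IP address, peer name and subnet in it is a constructed sample value rather than one from the article.

```python
"""Plan numbered VTIs and VPN static routes for a Check Point cluster facing an AWS VPC.

Added example (not from the SecureKnowledge article or Check Point). It checks the
addressing rules from the notes above and prints the equivalent Gaia clish commands.
The clish syntax is an assumption based on the Gaia CLI; verify it on your version.
All addresses, names and subnets below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AwsTunnel:
    tunnel_id: int    # "VPN Tunnel ID" chosen in Gaia (1, 2, ...)
    peer: str         # "Peer" name; must match the Interoperable Device name in SmartConsole
    cgw_inside: str   # "Inside IP Address" of the Customer Gateway (from the AWS config file)
    vgw_inside: str   # "Inside IP Address" of the Virtual Private Gateway (VTI remote / next hop)


def validate_plan(tunnels, member_locals):
    """member_locals = {member_name: {tunnel_id: local_address}}.

    Enforces the notes above: every per-member VTI local address must be unique
    and must not reuse an inside address from the AWS configuration file.
    Returns the number of unique local addresses (4 for a two-member cluster with two VTIs).
    """
    reserved = {}
    for t in tunnels:
        reserved[t.cgw_inside] = f"Customer Gateway inside address of IPSec Tunnel #{t.tunnel_id}"
        reserved[t.vgw_inside] = f"Virtual Private Gateway inside address of IPSec Tunnel #{t.tunnel_id}"
    known_ids = {t.tunnel_id for t in tunnels}
    seen = {}
    for member, locals_ in member_locals.items():
        for tid, addr in locals_.items():
            if tid not in known_ids:
                raise ValueError(f"{member}: no AWS tunnel with VPN Tunnel ID {tid}")
            ipaddress.ip_address(addr)  # raises on a malformed address
            if addr in reserved:
                raise ValueError(f"{member} VTI {tid}: {addr} reuses the {reserved[addr]}")
            if addr in seen:
                raise ValueError(f"{member} VTI {tid}: {addr} already used by {seen[addr]}")
            seen[addr] = f"{member} VTI {tid}"
    return len(seen)


def clish_commands(tunnels, member_locals, vpc_subnets):
    """Return {member_name: [clish commands]} covering step 1 (VTIs) and step 2 (static routes)."""
    validate_plan(tunnels, member_locals)
    by_id = {t.tunnel_id: t for t in tunnels}
    ordered = sorted(tunnels, key=lambda t: t.tunnel_id)
    plan = {}
    for member, locals_ in member_locals.items():
        cmds = []
        # Step 1: one numbered VTI per AWS tunnel; remote = VGW inside address
        for tid, local in sorted(locals_.items()):
            t = by_id[tid]
            cmds.append(f"add vpn tunnel {tid} type numbered local {local} "
                        f"remote {t.vgw_inside} peer {t.peer}")
        # Step 2: per VPC subnet, tunnel #1 next hop at priority 1, tunnel #2 at priority 2,
        # with ping monitoring so an unreachable next hop is skipped
        for subnet in vpc_subnets:
            net = ipaddress.ip_network(subnet)
            for prio, t in enumerate(ordered, start=1):
                cmds.append(f"set static-route {net} nexthop gateway address "
                            f"{t.vgw_inside} priority {prio} on")
            cmds.append(f"set static-route {net} ping on")
        cmds.append("save config")
        plan[member] = cmds
    return plan


# Constructed sample values (not taken from a real AWS configuration file)
TUNNELS = [
    AwsTunnel(1, "AWS_VPC_Tun1", cgw_inside="169.254.10.2", vgw_inside="169.254.10.1"),
    AwsTunnel(2, "AWS_VPC_Tun2", cgw_inside="169.254.20.2", vgw_inside="169.254.20.1"),
]
MEMBER_LOCALS = {
    "member1": {1: "169.254.10.5", 2: "169.254.20.5"},
    "member2": {1: "169.254.10.6", 2: "169.254.20.6"},
}
VPC_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24"]

if __name__ == "__main__":
    for member, cmds in clish_commands(TUNNELS, MEMBER_LOCALS, VPC_SUBNETS).items():
        print(f"# {member}")
        print("\n".join(cmds))
```

    Paste each member's block into that member's clish (or enter the same values in the Gaia Portal), then continue with the shared VTI addresses in Part 3. The validator deliberately rejects a plan that reuses a configuration-file address on a member, which is the mistake the note above warns about.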


Part 3 - SmartConsole Configuration

  1. Optional: Enable Dead Peer Detection.

    Note: Enabling Dead Peer Detection is optional, but recommended.

    See sk97746.

  2. Enable TCP MSS Clamping:

    Note: Enabling TCP MSS Clamping is required in most instances. Depending on your ISP type, the MSS value supplied by AWS may work correctly. However, internal testing has shown that one may need to tune the Check Point MSS value as low as 1380 bytes.

    See sk101219.

  3. Defining new network objects:

    1. In SmartConsole, create a new Interoperable Device:

      • Under "Name", provide the Peer name used for the first VTI (e.g., AWS_VPC_Tun1).
        The Peer name of the VTI must exactly match the name of this Interoperable Device object in SmartDashboard.
      • Under "IPv4 Address", use the "Outside IP" of the "Virtual Private Gateway" of IPSec Tunnel #1.
      • Repeat this step for IPSec Tunnel #2.
    2. Create an empty Simple Group object to serve as a VPN domain placeholder.

  4. Fetching the VPN Tunnel interfaces:

    (Note: If you have not done so already, enable the IPsec VPN blade on your gateway.)

    1. Open your Security Gateway or Cluster object.

    2. From the left tree, navigate to the Network Management page.

    3. From the top toolbar, click Get Interfaces > Get Interfaces Without Topology.

      Note: For clusters, define the newly added interfaces as "Cluster" interfaces, using the IP addresses specified in the configuration file for the "Customer Gateway".

    4. From the left tree, click VPN Domain.

    5. Select "Manually defined", and select the empty Simple Group object you created earlier.

      Note: If you already had a VPN domain configured, you may keep your current configuration, but make sure that the hosts and networks that will use, or be served by, the new VPN connection are not declared in the VPN domain, particularly if the VPN domain is automatically derived ("Based on Topology information").

    6. Click OK.
  5. Creating the VPN community:

    1. In the top right pane Objects, click "VPN Communities".
      Create a new Star community.

    2. Add your Security Gateway or Cluster object as the Center Gateway.
      Add the Interoperable Devices as Satellite Gateways.

    3. Configure the Star Community Properties:

      1. On the "Encryption" page, choose "IKEv1 only". Under "Encryption Suite", choose "Custom", click "Custom Encryption..." and select the encryption properties, as defined in the configuration file.

      2. On the "Tunnel Management" page, select "One VPN tunnel per Gateway pair". Refer to sk113561.

      3. On the "Advanced Settings" > "Shared Secret" page, configure the pre-shared secret.

    4. On the "Advanced Settings" > "Advanced VPN Properties" page, configure:

      • IKE SA lifetime (renegotiation time)
      • IPsec SA lifetime (renegotiation time)
      • IPsec Perfect Forward Secrecy

    5. Click OK.
  6. Creating firewall rules (required when specifying a community inside the VPN column):

    1. Open Global Properties, and navigate to VPN > Advanced.

      Select "Enable VPN Directional Match in VPN Column".

      Click OK.

    2. For every firewall rule related to VPN traffic, add the following directional match rules in the VPN column:

      • Internal_clear > AWS VPN community
      • AWS VPN community > AWS VPN community
      • AWS VPN community > Internal_clear

      To create a directional match rule, right-click the VPN cell for the rule and click "Edit Cell". In the VPN Match Conditions window, choose "Match traffic in this direction only". To add directions, click "Add".

      Note: Globally enabling directional match rules in SmartConsole will not affect previously configured and functioning VPN rules. Those will continue to function as expected.

  7. Install the policy.

