This article describes how to set up a VPN between a Check Point Security Gateway and Amazon VPC using dynamic routes. These instructions refer to a Check Point Security Gateway running R77.10 or higher on Gaia OS.
Table of Contents
Known Limitations
Prerequisites
Method of Operation
Example Environment
Configuration:
Amazon Web Services (AWS)
Check Point Gaia OS
Check Point SmartConsole
Related Solutions
Prerequisites
It is assumed that the reader is familiar with general AWS concepts and services such as:
Method of Operation
The AWS VPN implementation provides redundancy by using two VPN tunnels. In this solution, we set up two VPN tunnels between your on-premises Check Point Security Gateway and the Amazon VPC, and we use BGP to detect when a tunnel goes down and to route traffic through the remaining tunnel.
Example Environment
When you follow the configuration steps, replace the IP addresses of the example environment with the values from your own environment.
Name                                    Value
Customer Gateway                        198.51.100.10
Addresses behind the customer gateway   192.168.0.0/16
VPC CIDR                                10.0.0.0/16
Configuration
Amazon Web Services (AWS) Configuration
In the VPC Dashboard, go to Virtual Private Gateways and create a new Virtual Private Gateway:
Attach the Virtual Private Gateway to your VPC.
Go to VPN Connections > select Create VPN Connection.
Select the Virtual Private Gateway created in the previous step.
Below Customer Gateway, select New.
Below IP Address, enter the Customer Gateway public IP address.
Below BGP ASN, enter an ASN or leave the default value.
For each relevant route table in your VPC, go to the Route Propagation tab > select Propagate.
Below VPN Connections, select the newly created VPN connection > click Download Configuration:
Below Vendor, select Generic.
Below Platform, select Generic.
Below Software, select Vendor Agnostic.
Click Yes, Download.
Open the downloaded file and enter the necessary details into the tables below. These parameters are used later in the Check Point setup.
Tunnel 1:
Name                                    Example
TUN1-IKE-SA-PRE-SHARED-KEY              O7X4GgkHgGeeT_.j5CiljBEEF1lXPJ6y
TUN1-OUTSIDE-VIRTUAL-PRIVATE-GATEWAY    52.21.15.173
TUN1-INSIDE-CUSTOMER-GATEWAY            169.254.44.170
TUN1-INSIDE-VIRTUAL-PRIVATE-GATEWAY     169.254.44.169
Tunnel 2:
Name                                    Example
TUN2-IKE-SA-PRE-SHARED-KEY              SDFeVGmEedr7_xjTBcawdutE_tTWmetS
TUN2-OUTSIDE-VIRTUAL-PRIVATE-GATEWAY    52.21.218.247
TUN2-INSIDE-CUSTOMER-GATEWAY            169.254.44.182
TUN2-INSIDE-VIRTUAL-PRIVATE-GATEWAY     169.254.44.181
Common to both tunnels:
Name                                    Example
CUSTOMER-GATEWAY-IP-ADDRESS             198.51.100.10
CUSTOMER-GATEWAY-ASN                    65000
VIRTUAL-PRIVATE-GATEWAY-ASN             7224
NEIGHBOR-HOLD-TIME                      30
IPSEC-DPD-INTERVAL                      10
IPSEC-DPD-RETRIES                       3
TCP-MSS-ADJUSTMENT                      1387
TUNNEL-INTERFACE-MTU                    1436
Check Point Gaia OS Configuration
Set up the virtual tunnel interfaces and the initial BGP configuration:
Connect with SSH to your Security Gateway.
If you are not in the default shell, switch to clish by running: clish
Run these commands, replacing the variables surrounded by {} with the values you filled in the tables above:
Note - AWS_VPC_Tun1 and AWS_VPC_Tun2 are the names of the Interoperable Device objects in SmartConsole. The peer name you give each VTI here must exactly match the name of the Interoperable Device you create later in SmartConsole.
set as {CUSTOMER-GATEWAY-ASN}
add vpn tunnel 1 type numbered local {TUN1-INSIDE-CUSTOMER-GATEWAY} remote {TUN1-INSIDE-VIRTUAL-PRIVATE-GATEWAY} peer AWS_VPC_Tun1
add vpn tunnel 2 type numbered local {TUN2-INSIDE-CUSTOMER-GATEWAY} remote {TUN2-INSIDE-VIRTUAL-PRIVATE-GATEWAY} peer AWS_VPC_Tun2
set interface vpnt1 state on
set interface vpnt1 mtu {TUNNEL-INTERFACE-MTU}
set interface vpnt2 state on
set interface vpnt2 mtu {TUNNEL-INTERFACE-MTU}
set bgp external remote-as {VIRTUAL-PRIVATE-GATEWAY-ASN} on
set bgp external remote-as {VIRTUAL-PRIVATE-GATEWAY-ASN} peer {TUN1-INSIDE-VIRTUAL-PRIVATE-GATEWAY} on
set bgp external remote-as {VIRTUAL-PRIVATE-GATEWAY-ASN} peer {TUN1-INSIDE-VIRTUAL-PRIVATE-GATEWAY} holdtime {NEIGHBOR-HOLD-TIME}
set bgp external remote-as {VIRTUAL-PRIVATE-GATEWAY-ASN} peer {TUN1-INSIDE-VIRTUAL-PRIVATE-GATEWAY} keepalive 10
set bgp external remote-as {VIRTUAL-PRIVATE-GATEWAY-ASN} peer {TUN2-INSIDE-VIRTUAL-PRIVATE-GATEWAY} on
set bgp external remote-as {VIRTUAL-PRIVATE-GATEWAY-ASN} peer {TUN2-INSIDE-VIRTUAL-PRIVATE-GATEWAY} holdtime {NEIGHBOR-HOLD-TIME}
set bgp external remote-as {VIRTUAL-PRIVATE-GATEWAY-ASN} peer {TUN2-INSIDE-VIRTUAL-PRIVATE-GATEWAY} keepalive 10
save config
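As an added example (not part of the original article or of any Check Point tool), the following Python script fills the clish command sequence above from the values in the AWS configuration tables and sanity-checks them first: the inside addresses of each tunnel must be a usable /30 pair from the 169.254.0.0/16 range that AWS allocates, and the outside Virtual Private Gateway address must be public. The sample values are the ones from the example tables; the dictionary keys, function names and the keepalive = hold time / 3 rule are this example's own assumptions.

```python
import ipaddress

# Constructed sample input: the inside/outside addresses from the example tables above.
TUNNELS = {
    1: {"outside_vgw": "52.21.15.173", "inside_cgw": "169.254.44.170", "inside_vgw": "169.254.44.169"},
    2: {"outside_vgw": "52.21.218.247", "inside_cgw": "169.254.44.182", "inside_vgw": "169.254.44.181"},
}
COMMON = {"cgw_asn": 65000, "vgw_asn": 7224, "hold_time": 30, "mtu": 1436}
AWS_INSIDE_RANGE = ipaddress.ip_network("169.254.0.0/16")

def check_tunnel(num, t):
    """Return a list of problems with one tunnel's parameters (empty if OK)."""
    problems = []
    cgw = ipaddress.ip_address(t["inside_cgw"])
    vgw = ipaddress.ip_address(t["inside_vgw"])
    if cgw not in AWS_INSIDE_RANGE or vgw not in AWS_INSIDE_RANGE:
        problems.append(f"tunnel {num}: inside addresses must be in 169.254.0.0/16")
    # AWS allocates the inside addresses as a /30; both ends must be usable
    # hosts of the same /30, otherwise the BGP session never comes up.
    hosts = list(ipaddress.ip_network(f"{cgw}/30", strict=False).hosts())
    if cgw == vgw or cgw not in hosts or vgw not in hosts:
        problems.append(f"tunnel {num}: inside addresses are not a usable /30 pair")
    if not ipaddress.ip_address(t["outside_vgw"]).is_global:
        problems.append(f"tunnel {num}: outside VGW address is not a public address")
    return problems

def render_clish(tunnels, common):
    """Render the Gaia clish command sequence from the article for these values."""
    for num, t in tunnels.items():
        problems = check_tunnel(num, t)
        if problems:
            raise ValueError("; ".join(problems))
    vgw_asn = common["vgw_asn"]
    cmds = [f"set as {common['cgw_asn']}"]
    for num in sorted(tunnels):
        t = tunnels[num]
        cmds.append(f"add vpn tunnel {num} type numbered local {t['inside_cgw']} "
                    f"remote {t['inside_vgw']} peer AWS_VPC_Tun{num}")
        cmds.append(f"set interface vpnt{num} state on")
        cmds.append(f"set interface vpnt{num} mtu {common['mtu']}")
    cmds.append(f"set bgp external remote-as {vgw_asn} on")
    for num in sorted(tunnels):
        base = f"set bgp external remote-as {vgw_asn} peer {tunnels[num]['inside_vgw']}"
        cmds.append(f"{base} on")
        cmds.append(f"{base} holdtime {common['hold_time']}")
        # BGP convention, matching the article's 30/10 values: keepalive = hold time / 3.
        cmds.append(f"{base} keepalive {common['hold_time'] // 3}")
    cmds.append("save config")
    return cmds
```

Run `print("\n".join(render_clish(TUNNELS, COMMON)))` to print the commands ready to paste into clish; a mistyped inside address is reported before anything is rendered.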
Allow import of routes advertised by AWS:
In Gaia Portal, go to Advanced Routing > Inbound Route Filters > click Add > Add BGP Policy (Based on AS):
Below Add BGP Policy, select a value between 512 and 1024 and enter {VIRTUAL-PRIVATE-GATEWAY-ASN} as the AS Number:
To advertise local routes over BGP to AWS, open the Gaia Portal.
Note: You can redistribute routes from different sources such as static routes, routes obtained through dynamic routing protocols, or local interface information. These steps demonstrate how to distribute local interface routes. For more information, see the Gaia Advanced Routing Administration Guide.
In Advanced Routing > Route Redistribution > click Add Redistribution From > select Interface:
Below To Protocol, select {VIRTUAL-PRIVATE-GATEWAY-ASN}.
Below Interface, select one of the internal interfaces. This advertises a route to the subnet connected to that interface.
Click Save.
SmartConsole Configuration
In SmartConsole, create a simple empty group to serve as a VPN domain placeholder:
In SmartConsole, create a new Interoperable Device.
Below Name, enter exactly the peer name used for the first VTI (for example, AWS_VPC_Tun1).
Below IPv4 Address, use {TUN1-OUTSIDE-VIRTUAL-PRIVATE-GATEWAY}:
In the Topology tab, below the VPN domain section, select User defined and select the empty group object you created before:
Repeat these steps for IPsec Tunnel #2.
Go to your on-premises gateway network object. Note - If you have not done so already, enable the IPsec VPN Software Blade on your gateway.
Open your gateway or cluster object > navigate to the Topology tab.
Re-fetch the interface configuration.
In the Topology tab, below VPN Domain section, select "Manually defined", and select the empty simple group you created before.
Note - If you already have a VPN domain configured, you can keep your current configuration. However, make sure that the hosts and networks that use, or are served by, the new VPN connection are not declared in that VPN domain, particularly if the VPN domain is derived automatically ("Based on Topology information").
Navigate to New > More > click VPN Communities, and create a new Star Community.
Add your gateway or cluster to the Center Gateways, and add the Interoperable Devices to Satellite Gateways:
In the Encryption view, below Encryption Method, select IKEv1 for IPv4 and IKEv2 for IPv6.
Below the Encryption Suite section, select Custom > click Custom Encryption.
Below IKE Security Associations (Phase 1) Properties:
Below Perform key exchange encryption with, select AES-128 (this should match the configuration file you downloaded from AWS).
Below Perform data integrity with, select SHA1 (this should match the configuration file you downloaded from AWS).
Set Renegotiate IKE security associations every to 480 minutes (note that the unit is minutes).
Set Renegotiate IPsec security associations every to 3600 seconds.
Create a Firewall Security rule that allows traffic between the on-premises network and the VPC, and define the VPN community under the VPN tab.
OPTIONAL: If you want to limit the scope of such rules to only traffic going over the VPN tunnel between the on-premises network and the VPC, do these steps:
In the File -> Global Properties, go to VPN > Advanced.
Select the checkbox Enable VPN Directional Match in VPN Column.
Note: Globally enabling directional match rules will not affect previously configured and functioning VPN rules.
For every firewall rule related to VPN traffic, add these directional match rules in the VPN column of the rule:
Internal_clear -> AWS VPN community
AWS VPN community -> AWS VPN community
AWS VPN community -> Internal_clear
Install the policy on the Security Gateway.
Enable the Dead Peer Detection
Note - Enabling Dead Peer Detection is optional, but we recommend enabling it.
To enable the DPD (on R77.10 and higher), see sk97746.
Enable TCP MSS Clamping
Note - Enabling TCP MSS Clamping is required in most cases. Depending on your ISP, the MSS value supplied by AWS may work correctly. However, internal testing has shown that you may need to tune the Check Point MSS value as low as 1380 bytes.
To enable TCP MSS Clamping (on R77.20 and higher), see sk101219.
After performing all above steps, save and install the Security policy.
Known Limitations
This solution requires the use of VTIs (Virtual Tunnel Interfaces).
Before R80.10, using VTIs disabled CoreXL. Starting with R80.10, VTIs are supported with CoreXL by default (due to the integrated MultiCore VPN).