The following document describes how to set up a VPN between a Check Point Security Gateway and Amazon VPC using dynamic routes.
These instructions refer to a Check Point Security Gateway running R77.10 or above on Gaia OS.

Table of Contents

• Known Limitations
• Prerequisites
• Method of operation
• Example environment
• Configuration:
  • Amazon Web Services (AWS)
  • Check Point Gaia OS
  • Check Point SmartDashboard
• Related solutions

Known Limitations

• This solution requires the use of VTIs (Virtual Tunnel Interfaces)
• The use of VTIs disabled CoreXL upto R80.10. Supported by default in R80.10 (due to integrated MultiCore VPN). 
• VTIs are not currently supported on:
  
  • Check Point 40000/60000 Security System
  • VSX

Prerequisites

It is assumed that the reader is familiar with general AWS concepts and services such as:

• EC2 (Elastic Compute Cloud)
  
  
• VPC (Virtual Private Cloud)

For additional information on AWS VPC and VPNs, refer to:

• Amazon Virtual Private Cloud Network Administrator Guide
• Amazon Virtual Private Cloud Network Administrator Guide - Your Customer Gateway

Method of operation

The AWS VPN implementation provides redundancy through the set-up of 2 VPN tunnels. In this solution we will be setting up 2 VPN tunnels between your on-premises Check Point gateway and Amazon VPC. We will be using BGP to detect when a tunnel goes down and to route traffic through the second tunnel.

Example environment

To best explain the configuration steps, we will be using the following example environment.

Make sure to replace the IP addresses in the example environment to reflect your environment when you follow the configuration steps below.

Configuration

• Amazon Web Services (AWS) Configuration

   

  1. In the VPC Dashboard, go to Virtual Private Gateways and create a new Virtual Private Gateway:

     

  2. Attach the Virtual Private Gateway to your VPC.
     
     
  3. Go to the VPN connections section and select Create VPN Connection:
     
     

      

     • Select the Virtual Private Gateway you created in the previous step .
       
       
     • Under Customer Gateway, select New.
       
       
     • Under IP Address, enter the Customer Gateway public IP address.
       
       
     • Under BGP ASN, enter an ASN or leave the default value.
       
       
     • Under Routing Option, select Dynamic (requires BGP).
       
       
     • Click Yes, Create.
     
     
     
  4. For each relevant route table in your VPC, go to the Route Propagation tab and select Propagate.
     
     
     
     
  5. Under VPN Connections select the newly created VPN connection and click on Download Configuration:
     
     
     
     
     • Under Vendor, select Generic.
       
       
     • Under Platform, select Generic.
       
       
     • Under Software, select Vendor Agnostic.
       
       
     • Click Yes, Download.
     
     
     
  6. Open the downloaded file and fill the following table.
     We will use these parameters later as we set up the Check Point side.
     

     Tunnel 1

     Name	Example
     TUN1-IKE-SA-PRE-SHARED-KEY	O7X4GgkHgGeeT_.j5CiljBEEF1lXPJ6y
     TUN1-OUTSIDE-VIRTUAL-PRIVATE-GATEWAY	52.21.15.173
     TUN1-INSIDE-CUSTOMER-GATEWAY	169.254.44.170
     TUN1-INSIDE-VIRTUAL-PRIVATE-GATEWAY	169.254.44.169

     
     Tunnel 2:

     Name	Example
     TUN2-IKE-SA-PRE-SHARED-KEY	SDFeVGmEedr7_xjTBcawdutE_tTWmetS
     TUN2-OUTSIDE-VIRTUAL-PRIVATE-GATEWAY	52.21.218.247
     TUN2-INSIDE-CUSTOMER-GATEWAY	169.254.44.182
     TUN2-INSIDE-VIRTUAL-PRIVATE-GATEWAY	169.254.44.181

     Common to both tunnels:

     Name	Example
     CUSTOMER-GATEWAY-IP-ADDRESS	198.51.100.10
     CUSTOMER-GATEWAY-ASN	65000
     VIRTUAL-PRIVATE-GATEWAY-ASN	7224
     NEIGHBOR-HOLD-TIME	30
     IPSEC-DPD-INTERVAL	10
     IPSEC-DPD-RETRIES	3
     TCP-MSS-ADJUSTMENT	1387
     TUNNEL-INTERFACE-MTU	1436

  
  
  

• Check Point Gaia OS Configuration

  Set up of virtual tunnel interface and initial BGP setup:

  • Connect with SSH to your Security Gateway.
    
    
  • If you are using the none default shell, change to clish by running: clish
    
    
  • Run the following commands, replacing variables surrounded by {} with the values you filled in the above table:
    
    set as {CUSTOMER-GATEWAY-ASN}
    
    
  • AWS_VPC_Tun1 and AWS_VPC_Tun2 are the names of the interoperable devices in smart dashboard (make sure they match when you create the VTI or when you create the peer's gateway in smart dashboard)
    
    add vpn tunnel 1 type numbered local {TUN1-INSIDE-CUSTOMER-GATEWAY} remote {TUN1-INSIDE-VIRTUAL-PRIVATE-GATEWAY} peer AWS_VPC_Tun1
    
    add vpn tunnel 2 type numbered local {TUN2-INSIDE-CUSTOMER-GATEWAY} remote {TUN2-INSIDE-VIRTUAL-PRIVATE-GATEWAY} peer AWS_VPC_Tun2
    
    set interface vpnt1 state on
    
    set interface vpnt1 mtu {TUNNEL-INTERFACE-MTU}
    
    set interface vpnt2 state on
    
    set interface vpnt2 mtu {TUNNEL-INTERFACE-MTU}
    
    set bgp external remote-as {VIRTUAL-PRIVATE_GATEWAY-ASN} on
    
    set bgp external remote-as {VIRTUAL-PRIVATE_GATEWAY-ASN} peer {TUN1-INSIDE-VIRTUAL-PRIVATE-GATEWAY} on
    
    set bgp external remote-as {VIRTUAL-PRIVATE_GATEWAY-ASN} peer {TUN1-INSIDE-VIRTUAL-PRIVATE-GATEWAY} holdtime {NEIGHBOR-HOLD-TIME}
    
    set bgp external remote-as {VIRTUAL-PRIVATE_GATEWAY-ASN} peer {TUN1-INSIDE-VIRTUAL-PRIVATE-GATEWAY} keepalive 10
    
    set bgp external remote-as {VIRTUAL-PRIVATE_GATEWAY-ASN} peer {TUN2-INSIDE-VIRTUAL-PRIVATE-GATEWAY} on
    
    set bgp external remote-as {VIRTUAL-PRIVATE_GATEWAY-ASN} peer {TUN2-INSIDE-VIRTUAL-PRIVATE-GATEWAY} holdtime {NEIGHBOR-HOLD-TIME}
    
    set bgp external remote-as {VIRTUAL-PRIVATE_GATEWAY-ASN} peer {TUN2-INSIDE-VIRTUAL-PRIVATE-GATEWAY} keepalive 10
    
    save config
    
    

  Allow import of routes advertised by AWS:

  • In Gaia Portal, go to Advanced Routing -> Inbound Route Filters and click Add -> Add BGP Policy (Based on AS):
    
    
    
    
    
  • Under Add BGP Policy, select a value between 512 and 1024 and enter {VIRTUAL-PRIVATE-GATEWAY-ASN} as the AS Number:
    
    
    
    
  • Click Save.
    Refer to Gaia Advanced Routing Administration Guide for other alternatives such as routemaps.

  
  Advertise local routes to AWS:

  • To advertise local routes over BGP to AWS, Open the Gaia Portal.
    
    Note: You can redistribute routes from different sources such as static routes, routes obtained through dynamic routing protocols or just local interface information. The following steps will demonstrate how to distribute local interface routes. For more information refer to Gaia Advanced Routing Administration Guide.
    
    
  • In Advanced Routing -> Route Redistribution, click Add Redistribution From and select Interface:
    
    
    
    
  • Under To Protocol, select {VIRTUAL-PRIVATE-GATEWAY-ASN}.
    
    Under Interface, select one of the internal interfaces - this will advertise a route to the subnet connected to that interface.
    
    
    
    
  • Click Save.
  
  
  

• SmartDashboard Configuration

  1. In SmartDashboard, create a simple empty group to serve as a VPN domain placeholder:
     
     
     
     
     
     
  2. In SmartDashboard, create a new Interoperable Device:
     
     
     
     
  3. Under Name, provide the exact Peer used for the first VTI (e.g. AWS_VPC_Tun1).
     
     Under IPv4 Address, use {TUN1-OUTSIDE-VIRTUAL-PRIVATE-GATEWAY}:
     
     
     
     
  4. In the Topology tab, under VPN domain section, select Manually defined and select the empty group object you created above:
     
     
     
     
  5. Repeat this step for IPSec Tunnel #2.
     
     
  6. Go to your on-premises gateway network object.
     Note: if you have not done so already, enable the IPsec VPN blade on your gateway.
     
     
  7. Open your gateway or cluster object, and navigate to the Topology tab.
     
     
  8. Re-fetch the interface configuration.
     
     
  9. In the Topology tab, under VPN Domain section, select "Manually defined", and select the empty simple group you created earlier.
     
     Note: if you already had a VPN domain configured, you may keep your current configuration, but make sure that hosts and networks that are to be utilized, or served by, the new VPN connection - will not be declared in the VPN domain, particularly if the VPN domain is automatically derived ("Based on Topology information").
     
     
  10. Navigate to the IPsec VPN tab. Click Communities, and create a new Star Community by clicking New... and then Star Community:
      
      
      
      
  11. Add your gateway or cluster to the Center Gateways, and add the Interoperable Devices to Satellite Gateways:
      
      
      
      
  12. In the Encryption view, under Encryption Method, select IKEv1 for IPv4 and IKEv2 for IPv6.
      
      Under Encryption Suite section, select Custom and click Custom Encryption...:
      
      
      
      
  13. Under IKE Security Associations (Phase 1) Properties:
      
      
      • Under Perform key exchange encryption with, select AES-128 (this should match the configuration file you downloaded from AWS).
        
        
      • Under Perform data integrity with, select SHA1 (this should match the configuration file you downloaded from AWS).
      
      
      Under IPsec Security Associations (Phase 2) Properties:
      
      
      • Under Perform IPsec data encryption with, select AES-128 (this should match the configuration file you downloaded from AWS).
        
        
      • Under Perform data integrity with, select SHA1 (this should match the configuration file you downloaded from AWS).
      
      
      
      
      
  14. Under Tunnel Management, select Set Permanent Tunnels:
      
      
      
      
  15. Go to Advanced Settings -> Shared Secret view and configure the pre-shared secret as found in the configuration file you downloaded from AWS.
      
      
      
      
  16. Under Advanced Settings -> Advanced VPN Properties:
      
      - Set Renegotiate IKE security associations every to 480 minutes .
      - Select the Use Perfect Forward Secrecy checkbox and select Group 2 (1024 bit).
      - Set Renegotiate IPsec security associations every to 3600 seconds.
      
      
      
      
  17. In the firewall security policy, add Firewall rules to allow traffic between the on-premises network and the VPC. If you want to limit the scope of such rules to only traffic going over the VPN tunnel between the on-premises network and the VPC do the following:
      
      
      1. In the Global Properties, go to VPN -> Advanced.
      2. Check the box "Enable VPN Directional Match in VPN Column...":
         
         
      
      Note: Globally enabling directional match rules will not affect previously configured and functioning VPN rules.
      
      For every firewall rule related to VPN traffic, add the following directional match rules in the VPN column of the rule:
      
      
      • Internal_clear -> AWS VPN community
        
        
      • AWS VPN community -> AWS VPN community
        
        
      • AWS VPN community -> Internal_clear
        
        
      
      
      
  18. Install the policy on the Security gateway.
      
      
  19. Enable the Dead Peer Detection
      
      Note: Enabling Dead Peer Detection is optional, but recommended.
      
      For enabling the DPD (on R77.10 and above), refer to sk97746.
      
      
  20. Enable TCP MSS Clamping
      
      Note: Enabling TCP MSS Clamping is required in most instances. Dependent on your ISP type, the MSS value supplied by AWS may work correctly. However, internal testing has shown one may need to tune the Check Point MSS function as low as 1380 bytes.
      
      For enabling TCP MSS Clamping (on R77.20 and above), refer to sk101219.
      
      
  21. After performing all above steps, save and install the Security policy.

Related solutions:

• sk100726 - How to configure IPsec VPN tunnel between Check Point Security Gateway and Amazon Web Services VPC using static routes
• sk119601 - BGP over VTI tunnels are not "established" after upgrade to R80.10