How to set up a VPN between a Check Point Security Gateway and Amazon VPC using dynamic routes
Solution

This article describes how to set up a VPN between a Check Point Security Gateway and Amazon VPC using dynamic routes.
These instructions refer to a Check Point Security Gateway running R77.10 or higher on Gaia OS.


Table of Contents

  • Prerequisites
  • Method of Operation
  • Example Environment
  • Configuration:
    • Amazon Web Services (AWS)
    • Check Point Gaia OS
    • Check Point SmartDashboard
  • Related Solutions
  • Known Limitations

Prerequisites

It is assumed that the reader is familiar with general AWS concepts and services such as:

  • EC2 (Elastic Compute Cloud)

  • VPC (Virtual Private Cloud)

For more information about AWS VPC and VPNs, see:


Method of Operation

The AWS VPN implementation provides redundancy by setting up two VPN tunnels. In this solution, we set up two VPN tunnels between your on-premises Check Point Security Gateway and the Amazon VPC, and we use BGP to detect when a tunnel goes down and to route traffic through the second tunnel.

Example Environment

When you perform the configuration steps, make sure to replace the IP addresses of the example environment with the values from your own environment.

Name                                   Value
-------------------------------------  --------------
Customer Gateway                       198.51.100.10
Addresses behind the customer gateway  192.168.0.0/16
VPC CIDR                               10.0.0.0/16

Configuration

  • Amazon Web Services (AWS) Configuration


    1. In the VPC Dashboard, go to Virtual Private Gateways and create a new Virtual Private Gateway:

    2. Attach the Virtual Private Gateway to your VPC.

    3. Go to the VPN Connections > select Create VPN Connection.

      1. Select the Virtual Private Gateway created in the previous step.

      2. Below Customer Gateway, select New.

      3. Below IP Address, enter the Customer Gateway public IP address.

      4. Below BGP ASN, enter an ASN or leave the default value.

      5. Below Routing Option, select Dynamic (requires BGP).

      6. Click Yes, Create.


    4. For each relevant route table in your VPC, go to the Route Propagation tab > select Propagate.



    5. Below VPN Connections, select the newly created VPN connection > click Download Configuration:



      1. Below Vendor, select Generic.

      2. Below Platform, select Generic.

      3. Below Software, select Vendor Agnostic.

      4. Click Yes, Download.


    6. Open the downloaded file and copy the necessary details into the tables below.
      These parameters are used later in the Check Point setup.

      Tunnel 1

      Name                                  Example
      ------------------------------------  --------------------------------
      TUN1-IKE-SA-PRE-SHARED-KEY            O7X4GgkHgGeeT_.j5CiljBEEF1lXPJ6y
      TUN1-OUTSIDE-VIRTUAL-PRIVATE-GATEWAY  52.21.15.173
      TUN1-INSIDE-CUSTOMER-GATEWAY          169.254.44.170
      TUN1-INSIDE-VIRTUAL-PRIVATE-GATEWAY   169.254.44.169

      Tunnel 2

      Name                                  Example
      ------------------------------------  --------------------------------
      TUN2-IKE-SA-PRE-SHARED-KEY            SDFeVGmEedr7_xjTBcawdutE_tTWmetS
      TUN2-OUTSIDE-VIRTUAL-PRIVATE-GATEWAY  52.21.218.247
      TUN2-INSIDE-CUSTOMER-GATEWAY          169.254.44.182
      TUN2-INSIDE-VIRTUAL-PRIVATE-GATEWAY   169.254.44.181

      Common to both tunnels

      Name                                  Example
      ------------------------------------  --------------------------------
      CUSTOMER-GATEWAY-IP-ADDRESS           198.51.100.10
      CUSTOMER-GATEWAY-ASN                  65000
      VIRTUAL-PRIVATE-GATEWAY-ASN           7224
      NEIGHBOR-HOLD-TIME                    30
      IPSEC-DPD-INTERVAL                    10
      IPSEC-DPD-RETRIES                     3
      TCP-MSS-ADJUSTMENT                    1387
      TUNNEL-INTERFACE-MTU                  1436

  • Check Point Gaia OS Configuration

    Setup of the virtual tunnel interfaces and initial BGP configuration:

    1. Connect with SSH to your Security Gateway.

    2. If your default shell is not clish, change to clish by running: clish

    3. Run these commands, replacing the variables surrounded by {} with the values you filled into the tables above:

      set as {CUSTOMER-GATEWAY-ASN}

      add vpn tunnel 1 type numbered local {TUN1-INSIDE-CUSTOMER-GATEWAY} remote {TUN1-INSIDE-VIRTUAL-PRIVATE-GATEWAY} peer AWS_VPC_Tun1

      add vpn tunnel 2 type numbered local {TUN2-INSIDE-CUSTOMER-GATEWAY} remote {TUN2-INSIDE-VIRTUAL-PRIVATE-GATEWAY} peer AWS_VPC_Tun2

      set interface vpnt1 state on

      set interface vpnt1 mtu {TUNNEL-INTERFACE-MTU}

      set interface vpnt2 state on

      set interface vpnt2 mtu {TUNNEL-INTERFACE-MTU}

      set bgp external remote-as {VIRTUAL-PRIVATE-GATEWAY-ASN} on

      set bgp external remote-as {VIRTUAL-PRIVATE-GATEWAY-ASN} peer {TUN1-INSIDE-VIRTUAL-PRIVATE-GATEWAY} on

      set bgp external remote-as {VIRTUAL-PRIVATE-GATEWAY-ASN} peer {TUN1-INSIDE-VIRTUAL-PRIVATE-GATEWAY} holdtime {NEIGHBOR-HOLD-TIME}

      set bgp external remote-as {VIRTUAL-PRIVATE-GATEWAY-ASN} peer {TUN1-INSIDE-VIRTUAL-PRIVATE-GATEWAY} keepalive 10

      set bgp external remote-as {VIRTUAL-PRIVATE-GATEWAY-ASN} peer {TUN2-INSIDE-VIRTUAL-PRIVATE-GATEWAY} on

      set bgp external remote-as {VIRTUAL-PRIVATE-GATEWAY-ASN} peer {TUN2-INSIDE-VIRTUAL-PRIVATE-GATEWAY} holdtime {NEIGHBOR-HOLD-TIME}

      set bgp external remote-as {VIRTUAL-PRIVATE-GATEWAY-ASN} peer {TUN2-INSIDE-VIRTUAL-PRIVATE-GATEWAY} keepalive 10

      save config

    4. AWS_VPC_Tun1 and AWS_VPC_Tun2 are the peer names given in the add vpn tunnel commands above. They must match exactly the names of the Interoperable Devices you create for the peer gateways in SmartDashboard, so check them both when you create the VTIs and when you create the peer objects.
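As an added helper (not part of this article or of Check Point's tooling), the Python script below holds the parameter values from the tables above, checks them for the mistakes that most often break this setup, and renders the clish commands with the {PLACEHOLDERS} filled in so they can be pasted into clish. The checks that the inside addresses are a link-local /30 pair and that the hold time exceeds the 10-second keepalive are this example's own assumptions about what AWS hands out; the parameter names are the article's.

```python
import ipaddress

# Values from the article's example tables (not a live deployment); replace with your AWS download's values.
PARAMS = {
    "CUSTOMER-GATEWAY-ASN": 65000, "VIRTUAL-PRIVATE-GATEWAY-ASN": 7224,
    "NEIGHBOR-HOLD-TIME": 30, "KEEPALIVE": 10, "TUNNEL-INTERFACE-MTU": 1436,
    "TUN1-INSIDE-CUSTOMER-GATEWAY": "169.254.44.170",
    "TUN1-INSIDE-VIRTUAL-PRIVATE-GATEWAY": "169.254.44.169",
    "TUN2-INSIDE-CUSTOMER-GATEWAY": "169.254.44.182",
    "TUN2-INSIDE-VIRTUAL-PRIVATE-GATEWAY": "169.254.44.181",
}

def inside_pair(p, n):  # (local, remote) inside addresses of tunnel n
    return p[f"TUN{n}-INSIDE-CUSTOMER-GATEWAY"], p[f"TUN{n}-INSIDE-VIRTUAL-PRIVATE-GATEWAY"]

def check_params(p):
    """Return the problems found in the parameter table; an empty list means it is consistent."""
    errors = []
    if p["NEIGHBOR-HOLD-TIME"] <= p["KEEPALIVE"]:
        errors.append("NEIGHBOR-HOLD-TIME must exceed the keepalive interval")
    link_local = ipaddress.ip_network("169.254.0.0/16")
    for n in (1, 2):
        local, remote = (ipaddress.ip_address(a) for a in inside_pair(p, n))
        if local not in link_local or remote not in link_local:
            errors.append(f"tunnel {n}: inside addresses must be in 169.254.0.0/16")
        # Assumption: AWS allocates each tunnel's inside pair from one /30, so both ends share it
        elif local == remote or (ipaddress.ip_interface(f"{local}/30").network
                                 != ipaddress.ip_interface(f"{remote}/30").network):
            errors.append(f"tunnel {n}: inside addresses are not a /30 pair")
    return errors

def render_clish(p):
    """Render the article's Gaia clish commands with the {PLACEHOLDERS} filled in."""
    vgw = p["VIRTUAL-PRIVATE-GATEWAY-ASN"]
    lines = [f"set as {p['CUSTOMER-GATEWAY-ASN']}"]
    for n in (1, 2):
        local, remote = inside_pair(p, n)
        lines += [f"add vpn tunnel {n} type numbered local {local} remote {remote} peer AWS_VPC_Tun{n}",
                  f"set interface vpnt{n} state on",
                  f"set interface vpnt{n} mtu {p['TUNNEL-INTERFACE-MTU']}"]
    lines.append(f"set bgp external remote-as {vgw} on")
    for n in (1, 2):
        peer = f"set bgp external remote-as {vgw} peer {inside_pair(p, n)[1]}"
        lines += [f"{peer} on", f"{peer} holdtime {p['NEIGHBOR-HOLD-TIME']}",
                  f"{peer} keepalive {p['KEEPALIVE']}"]
    return "\n".join(lines + ["save config"])

if __name__ == "__main__":  # print the problems found, or the ready-to-paste clish block
    print("\n".join(check_params(PARAMS)) or render_clish(PARAMS))
```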

    Allow import of routes advertised by AWS:

    1. In Gaia Portal, go to Advanced Routing > Inbound Route Filters > click Add > Add BGP Policy (Based on AS):




    2. Below Add BGP Policy, enter a policy number between 512 and 1024 and enter {VIRTUAL-PRIVATE-GATEWAY-ASN} as the AS Number:



    3. Click Save.
      For alternatives such as route maps, see the Gaia Advanced Routing Administration Guide.

    Advertise local routes over BGP to AWS:

    1. Open the Gaia Portal.

      Note: You can redistribute routes from different sources such as static routes, routes obtained through dynamic routing protocols, or local interface information. These steps demonstrate how to distribute local interface routes. For more information, see the Gaia Advanced Routing Administration Guide.

    2. In Advanced Routing > Route Redistribution > click Add Redistribution From > select Interface:



    3. Below To Protocol, select {VIRTUAL-PRIVATE-GATEWAY-ASN}.

      Below Interface, select one of the internal interfaces. This advertises a route to the subnet connected to that interface.



    4. Click Save.


  • SmartDashboard Configuration

    1. In SmartDashboard, create a simple empty group to serve as a VPN domain placeholder:





    2. In SmartDashboard, create a new Interoperable Device.



    3. Below Name, provide the exact Peer used for the first VTI (e.g. AWS_VPC_Tun1).

      Below IPv4 Address, use {TUN1-OUTSIDE-VIRTUAL-PRIVATE-GATEWAY}:



    4. In the Topology tab, below the VPN domain section, select Manually defined and select the empty group object you created before:



    5. Repeat steps 2 to 4 for IPsec tunnel #2, using the peer name of the second VTI (e.g. AWS_VPC_Tun2) and {TUN2-OUTSIDE-VIRTUAL-PRIVATE-GATEWAY}.

    6. Go to your on-premises gateway network object.
      Note - If you have not done so already, enable the IPsec VPN Software Blade on your gateway.

    7. Open your gateway or cluster object > navigate to the Topology tab.

    8. Re-fetch the interface configuration.

    9. In the Topology tab, below VPN Domain section, select "Manually defined", and select the empty simple group you created before.

      Note - If you already have a VPN domain configured, you can keep your current configuration. But make sure that the hosts and networks that should use the new VPN connection, or be served by it, are not declared in that VPN domain, particularly if the VPN domain is derived automatically ("Based on Topology information").

    10. Navigate to the IPsec VPN tab > click Communities, and create a new Star Community > click New > Star Community.



    11. Add your gateway or cluster to the Center Gateways, and add the Interoperable Devices to Satellite Gateways:



    12. In the Encryption view, below Encryption Method, select IKEv1 for IPv4 and IKEv2 for IPv6.

      Below the Encryption Suite section, select Custom > click Custom Encryption.



    13. Below IKE Security Associations (Phase 1) Properties:

      1. Below Perform key exchange encryption with, select AES-128 (this should match the configuration file you downloaded from AWS).

      2. Below Perform data integrity with, select SHA1 (this should match the configuration file you downloaded from AWS).


      Below IPsec Security Associations (Phase 2) Properties:

      1. Below Perform IPsec data encryption with, select AES-128 (this should match the configuration file you downloaded from AWS).

      2. Below Perform data integrity with, select SHA1 (this should match the configuration file you downloaded from AWS).




    14. Below Tunnel Management, select Set Permanent Tunnels:



    15. Go to Advanced Settings > Shared Secret view and configure the pre-shared secret as found in the configuration file you downloaded from AWS.



    16. Below Advanced Settings > Advanced VPN Properties:

      - Set Renegotiate IKE security associations every to 480 minutes (notice the measurement unit).
      - Select the Use Perfect Forward Secrecy checkbox and select Group 2 (1024 bit).
      - Set Renegotiate IPsec security associations every to 3600 seconds.



    17. In the Firewall Security Policy, add Firewall rules to allow traffic between the on-premises network and the VPC. If you want to limit the scope of such rules to only traffic going over the VPN tunnel between the on-premises network and the VPC, do these steps:

      1. In the Global Properties, go to VPN > Advanced.
      2. Select the checkbox Enable VPN Directional Match in VPN Column.


      Note: Globally enabling directional match rules will not affect previously configured and functioning VPN rules.

      For every firewall rule related to VPN traffic, add these directional match rules in the VPN column of the rule:

      • Internal_clear -> AWS VPN community

      • AWS VPN community -> AWS VPN community

      • AWS VPN community -> Internal_clear



    18. Install the policy on the Security Gateway.

    19. Enable the Dead Peer Detection

      Note - Enabling Dead Peer Detection is optional, but we recommend enabling it.

      To enable the DPD (on R77.10 and higher), see sk97746.

    20. Enable TCP MSS Clamping

      Note - Enabling TCP MSS Clamping is required in most cases. Depending on your ISP type, the MSS value supplied by AWS may work correctly. However, internal testing has shown that you may need to tune the Check Point MSS value as low as 1380 bytes.

      To enable TCP MSS Clamping (on R77.20 and higher), see sk101219.

    21. After performing all above steps, save and install the Security policy.

Known Limitations

  • This solution requires the use of VTIs (Virtual Tunnel Interfaces).
  • In versions before R80.10, using VTIs disabled CoreXL. R80.10 supports VTIs with CoreXL by default (due to the integrated MultiCore VPN).
  • VTIs are not currently supported on:
    • Check Point 40000/60000 Security Systems
    • VSX
