Amazon Web Services (AWS) VPN BGP
Solution

The following document describes how to set up a VPN between a Check Point Security Gateway and Amazon VPC using dynamic routes.
These instructions refer to a Check Point Security Gateway running R77.10 or above on Gaia OS.


Table of Contents

  • Known Limitations
  • Prerequisites
  • Method of operation
  • Example environment
  • Configuration:
    • Amazon Web Services (AWS)
    • Check Point Gaia OS
    • Check Point SmartDashboard
  • Related solutions


Known Limitations

  • This solution requires the use of VTIs (Virtual Tunnel Interfaces)
  • The use of VTIs disables CoreXL in versions before R80.10. VTIs are supported with CoreXL by default in R80.10 (due to integrated MultiCore VPN).
  • VTIs are not currently supported on:
    • Check Point 40000/60000 Security System
    • VSX


Prerequisites

It is assumed that the reader is familiar with general AWS concepts and services such as:

  • EC2 (Elastic Compute Cloud)

  • VPC (Virtual Private Cloud)

For additional information on AWS VPC and VPNs, refer to:


Method of operation

The AWS VPN implementation provides redundancy through the set-up of 2 VPN tunnels. In this solution we will be setting up 2 VPN tunnels between your on-premises Check Point gateway and Amazon VPC. We will be using BGP to detect when a tunnel goes down and to route traffic through the second tunnel.


Example environment

To best explain the configuration steps, we will be using the following example environment.

Make sure to replace the IP addresses in the example environment to reflect your environment when you follow the configuration steps below.

Name                                    Value
Customer Gateway                        198.51.100.10
Addresses behind the customer gateway   192.168.0.0/16
VPC CIDR                                10.0.0.0/16

Configuration

  • Amazon Web Services (AWS) Configuration


    1. In the VPC Dashboard, go to Virtual Private Gateways and create a new Virtual Private Gateway:

    2. Attach the Virtual Private Gateway to your VPC.

    3. Go to the VPN connections section and select Create VPN Connection:


      • Select the Virtual Private Gateway you created in the previous step.

      • Under Customer Gateway, select New.

      • Under IP Address, enter the Customer Gateway public IP address.

      • Under BGP ASN, enter an ASN or leave the default value.

      • Under Routing Option, select Dynamic (requires BGP).

      • Click Yes, Create.


    4. For each relevant route table in your VPC, go to the Route Propagation tab and select Propagate.



    5. Under VPN Connections select the newly created VPN connection and click on Download Configuration:



      • Under Vendor, select Generic.

      • Under Platform, select Generic.

      • Under Software, select Vendor Agnostic.

      • Click Yes, Download.


    6. Open the downloaded file and fill in the following tables.
      We will use these parameters later when we set up the Check Point side.

      Tunnel 1:

      Name                                    Example
      TUN1-IKE-SA-PRE-SHARED-KEY              O7X4GgkHgGeeT_.j5CiljBEEF1lXPJ6y
      TUN1-OUTSIDE-VIRTUAL-PRIVATE-GATEWAY    52.21.15.173
      TUN1-INSIDE-CUSTOMER-GATEWAY            169.254.44.170
      TUN1-INSIDE-VIRTUAL-PRIVATE-GATEWAY     169.254.44.169


      Tunnel 2:

      Name                                    Example
      TUN2-IKE-SA-PRE-SHARED-KEY              SDFeVGmEedr7_xjTBcawdutE_tTWmetS
      TUN2-OUTSIDE-VIRTUAL-PRIVATE-GATEWAY    52.21.218.247
      TUN2-INSIDE-CUSTOMER-GATEWAY            169.254.44.182
      TUN2-INSIDE-VIRTUAL-PRIVATE-GATEWAY     169.254.44.181

      Common to both tunnels:

      Name                                    Example
      CUSTOMER-GATEWAY-IP-ADDRESS             198.51.100.10
      CUSTOMER-GATEWAY-ASN                    65000
      VIRTUAL-PRIVATE-GATEWAY-ASN             7224
      NEIGHBOR-HOLD-TIME                      30
      IPSEC-DPD-INTERVAL                      10
      IPSEC-DPD-RETRIES                       3
      TCP-MSS-ADJUSTMENT                      1387
      TUNNEL-INTERFACE-MTU                    1436


  • Check Point Gaia OS Configuration

    Set up the virtual tunnel interfaces and the initial BGP configuration:

    • Connect with SSH to your Security Gateway.

    • If your login shell is not the default clish, switch to it by running: clish

    • Run the following commands, replacing the variables surrounded by {} with the values you filled in above.
      AWS_VPC_Tun1 and AWS_VPC_Tun2 are the peer names of the two tunnels; they must match exactly the names of the Interoperable Devices you will create later in SmartDashboard:

      set as {CUSTOMER-GATEWAY-ASN}

      add vpn tunnel 1 type numbered local {TUN1-INSIDE-CUSTOMER-GATEWAY} remote {TUN1-INSIDE-VIRTUAL-PRIVATE-GATEWAY} peer AWS_VPC_Tun1

      add vpn tunnel 2 type numbered local {TUN2-INSIDE-CUSTOMER-GATEWAY} remote {TUN2-INSIDE-VIRTUAL-PRIVATE-GATEWAY} peer AWS_VPC_Tun2

      set interface vpnt1 state on

      set interface vpnt1 mtu {TUNNEL-INTERFACE-MTU}

      set interface vpnt2 state on

      set interface vpnt2 mtu {TUNNEL-INTERFACE-MTU}

      set bgp external remote-as {VIRTUAL-PRIVATE-GATEWAY-ASN} on

      set bgp external remote-as {VIRTUAL-PRIVATE-GATEWAY-ASN} peer {TUN1-INSIDE-VIRTUAL-PRIVATE-GATEWAY} on

      set bgp external remote-as {VIRTUAL-PRIVATE-GATEWAY-ASN} peer {TUN1-INSIDE-VIRTUAL-PRIVATE-GATEWAY} holdtime {NEIGHBOR-HOLD-TIME}

      set bgp external remote-as {VIRTUAL-PRIVATE-GATEWAY-ASN} peer {TUN1-INSIDE-VIRTUAL-PRIVATE-GATEWAY} keepalive 10

      set bgp external remote-as {VIRTUAL-PRIVATE-GATEWAY-ASN} peer {TUN2-INSIDE-VIRTUAL-PRIVATE-GATEWAY} on

      set bgp external remote-as {VIRTUAL-PRIVATE-GATEWAY-ASN} peer {TUN2-INSIDE-VIRTUAL-PRIVATE-GATEWAY} holdtime {NEIGHBOR-HOLD-TIME}

      set bgp external remote-as {VIRTUAL-PRIVATE-GATEWAY-ASN} peer {TUN2-INSIDE-VIRTUAL-PRIVATE-GATEWAY} keepalive 10

      save config
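    Because the placeholders in these commands are easy to mistype, and the BGP neighbor must always be the far end of the matching VTI, here is an added Python example (not part of this SecureKnowledge article or of any Check Point tooling) that expands the command sequence above from the values of the example environment and first sanity-checks them: each tunnel's inside addresses form a link-local /30 pair, the hold time covers three keepalives, and the MSS fits into the tunnel MTU. The peer names AWS_VPC_Tun1/AWS_VPC_Tun2 and the fixed 10-second keepalive come from the article; the three checks are this example's own assumptions.

```python
import ipaddress

PARAMS = {  # constructed sample: the values from this article's example environment
    "CUSTOMER-GATEWAY-ASN": 65000,
    "VIRTUAL-PRIVATE-GATEWAY-ASN": 7224,
    "NEIGHBOR-HOLD-TIME": 30,
    "TUNNEL-INTERFACE-MTU": 1436,
    "TCP-MSS-ADJUSTMENT": 1387,
    "TUN1-INSIDE-CUSTOMER-GATEWAY": "169.254.44.170",
    "TUN1-INSIDE-VIRTUAL-PRIVATE-GATEWAY": "169.254.44.169",
    "TUN2-INSIDE-CUSTOMER-GATEWAY": "169.254.44.182",
    "TUN2-INSIDE-VIRTUAL-PRIVATE-GATEWAY": "169.254.44.181",
}
KEEPALIVE = 10  # the article fixes the BGP keepalive at 10 seconds
PEERS = ("AWS_VPC_Tun1", "AWS_VPC_Tun2")  # must equal the Interoperable Device names

def check_params(p):
    """Return a list of inconsistencies; an empty list means the values are usable."""
    problems = []
    for n in (1, 2):
        local = ipaddress.ip_address(p[f"TUN{n}-INSIDE-CUSTOMER-GATEWAY"])
        remote = ipaddress.ip_address(p[f"TUN{n}-INSIDE-VIRTUAL-PRIVATE-GATEWAY"])
        net = ipaddress.ip_network(f"{local}/30", strict=False)  # AWS hands out one /30 per tunnel
        if not (local.is_link_local and remote in net):
            problems.append(f"tunnel {n}: inside addresses are not a link-local /30 pair")
    if p["NEIGHBOR-HOLD-TIME"] < 3 * KEEPALIVE:
        problems.append("hold time is below three keepalive intervals")
    if p["TCP-MSS-ADJUSTMENT"] + 40 > p["TUNNEL-INTERFACE-MTU"]:  # 40 = IPv4 + TCP headers
        problems.append("MSS plus 40 bytes of headers exceeds the tunnel MTU")
    return problems

def render_clish(p):
    """Expand the article's clish command sequence with the collected values."""
    asn, mtu = p["VIRTUAL-PRIVATE-GATEWAY-ASN"], p["TUNNEL-INTERFACE-MTU"]
    cmds = [f"set as {p['CUSTOMER-GATEWAY-ASN']}"]
    for n, peer in enumerate(PEERS, start=1):
        local = p[f"TUN{n}-INSIDE-CUSTOMER-GATEWAY"]
        remote = p[f"TUN{n}-INSIDE-VIRTUAL-PRIVATE-GATEWAY"]
        cmds.append(f"add vpn tunnel {n} type numbered local {local} remote {remote} peer {peer}")
        cmds += [f"set interface vpnt{n} state on", f"set interface vpnt{n} mtu {mtu}"]
    cmds.append(f"set bgp external remote-as {asn} on")
    for n in (1, 2):
        remote = p[f"TUN{n}-INSIDE-VIRTUAL-PRIVATE-GATEWAY"]  # the BGP neighbour is the tunnel's far end
        cmds.append(f"set bgp external remote-as {asn} peer {remote} on")
        cmds.append(f"set bgp external remote-as {asn} peer {remote} holdtime {p['NEIGHBOR-HOLD-TIME']}")
        cmds.append(f"set bgp external remote-as {asn} peer {remote} keepalive {KEEPALIVE}")
    return cmds + ["save config"]

if __name__ == "__main__":
    print("\n".join(check_params(PARAMS) or render_clish(PARAMS)))
```

    Running the script prints either the list of problems found or the fifteen clish commands ready to paste into the gateway's clish session.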

    Allow import of routes advertised by AWS:

    • In Gaia Portal, go to Advanced Routing -> Inbound Route Filters and click Add -> Add BGP Policy (Based on AS):




    • Under Add BGP Policy, choose a policy number between 512 and 1024 and enter {VIRTUAL-PRIVATE-GATEWAY-ASN} as the AS Number:



    • Click Save.
      Refer to the Gaia Advanced Routing Administration Guide for alternatives such as route maps.
    • To advertise local routes over BGP to AWS, open the Gaia Portal.

      Note: You can redistribute routes from different sources such as static routes, routes obtained through dynamic routing protocols or just local interface information. The following steps will demonstrate how to distribute local interface routes. For more information refer to Gaia Advanced Routing Administration Guide.

    • In Advanced Routing -> Route Redistribution, click Add Redistribution From and select Interface:



    • Under To Protocol, select {VIRTUAL-PRIVATE-GATEWAY-ASN}.

      Under Interface, select one of the internal interfaces - this will advertise a route to the subnet connected to that interface.



    • Click Save.


  • SmartDashboard Configuration

    1. In SmartDashboard, create a simple empty group to serve as a VPN domain placeholder:





    2. In SmartDashboard, create a new Interoperable Device:



    3. Under Name, enter the exact peer name used for the first VTI (e.g. AWS_VPC_Tun1).

      Under IPv4 Address, use {TUN1-OUTSIDE-VIRTUAL-PRIVATE-GATEWAY}:



    4. In the Topology tab, under VPN domain section, select Manually defined and select the empty group object you created above:



    5. Repeat steps 2 to 4 for IPsec Tunnel #2, using the peer name of the second VTI (e.g. AWS_VPC_Tun2) and {TUN2-OUTSIDE-VIRTUAL-PRIVATE-GATEWAY} as the IPv4 Address.

    6. Go to your on-premises gateway network object.
      Note: if you have not done so already, enable the IPsec VPN blade on your gateway.

    7. Open your gateway or cluster object, and navigate to the Topology tab.

    8. Re-fetch the interface configuration.

    9. In the Topology tab, under VPN Domain section, select "Manually defined", and select the empty simple group you created earlier.

      Note: if you already have a VPN domain configured, you may keep it, but make sure that the hosts and networks that will use, or be served by, the new VPN connection are not included in that VPN domain, particularly if the VPN domain is derived automatically ("Based on Topology information").

    10. Navigate to the IPsec VPN tab. Click Communities, and create a new Star Community by clicking New... and then Star Community:



    11. Add your gateway or cluster to the Center Gateways, and add the Interoperable Devices to Satellite Gateways:



    12. In the Encryption view, under Encryption Method, select IKEv1 for IPv4 and IKEv2 for IPv6.

      Under Encryption Suite section, select Custom and click Custom Encryption...:



    13. Under IKE Security Associations (Phase 1) Properties:

      • Under Perform key exchange encryption with, select AES-128 (this should match the configuration file you downloaded from AWS).

      • Under Perform data integrity with, select SHA1 (this should match the configuration file you downloaded from AWS).


      Under IPsec Security Associations (Phase 2) Properties:

      • Under Perform IPsec data encryption with, select AES-128 (this should match the configuration file you downloaded from AWS).

      • Under Perform data integrity with, select SHA1 (this should match the configuration file you downloaded from AWS).




    14. Under Tunnel Management, select Set Permanent Tunnels:



    15. Go to Advanced Settings -> Shared Secret view and configure the pre-shared secret as found in the configuration file you downloaded from AWS.



    16. Under Advanced Settings -> Advanced VPN Properties:

      - Set Renegotiate IKE security associations every to 480 minutes.
      - Select the Use Perfect Forward Secrecy checkbox and select Group 2 (1024 bit).
      - Set Renegotiate IPsec security associations every to 3600 seconds.



    17. In the firewall security policy, add rules to allow traffic between the on-premises network and the VPC. If you want to limit the scope of these rules to traffic that actually traverses the VPN tunnel between the on-premises network and the VPC, do the following:

      1. In the Global Properties, go to VPN -> Advanced.
      2. Check the box "Enable VPN Directional Match in VPN Column...":


      Note: Globally enabling directional match rules will not affect previously configured and functioning VPN rules.

      For every firewall rule related to VPN traffic, add the following directional match rules in the VPN column of the rule:

      • Internal_clear -> AWS VPN community

      • AWS VPN community -> AWS VPN community

      • AWS VPN community -> Internal_clear



    18. Install the policy on the Security gateway.

    19. Enable Dead Peer Detection

      Note: Enabling Dead Peer Detection is optional, but recommended.

      To enable DPD (on R77.10 and above), refer to sk97746.

    20. Enable TCP MSS Clamping

      Note: Enabling TCP MSS Clamping is required in most cases. Depending on your ISP, the MSS value supplied by AWS may work as-is. However, internal testing has shown that the Check Point MSS value may need to be tuned as low as 1380 bytes.

      To enable TCP MSS Clamping (on R77.20 and above), refer to sk101219.

    21. After performing all above steps, save and install the Security policy.
