This article describes how to set up a VPN between a Check Point Security Gateway and Amazon VPC using dynamic routes.
These instructions refer to a Check Point Security Gateway running R77.10 or higher on Gaia OS.

 

Table of Contents

• Known Limitations
• Prerequisites
• Method of Operation
• Example Environment
• Configuration:
  • Amazon Web Services (AWS)
  • Check Point Gaia OS
  • Check Point SmartConsole
• Related Solutions
• Known Limitations

Prerequisites

It is assumed that the reader is familiar with general AWS concepts and services such as:

• EC2 (Elastic Compute Cloud)
  
  
• VPC (Virtual Private Cloud)

For more information about AWS VPC and VPNs, see:

• Amazon Virtual Private Cloud Network Administrator Guide
• Amazon Virtual Private Cloud Network Administrator Guide - Your Customer Gateway

Method of Operation

The AWS VPN implementation provides redundancy through the setup of two VPN tunnels. In this solution, we set up two VPN tunnels between your on-premises Check Point Gateway and Amazon VPC. To detect when a tunnel goes down and to route traffic through the second tunnel, we use BGP.

 

Example Environment

When you do the configuration steps, make sure to replace the IP addresses in the example environment to reflect your environment.

Name	Value
Customer Gateway	198.51.100.10
Addresses behind the customer gateway	192.168.0.0/16
VPC CIDR	10.0.0.0/16

Configuration

• Amazon Web Services (AWS) Configuration

   

  1. In the VPC Dashboard, go to Virtual Private Gateways and create a new Virtual Private Gateway:

     

  2. Attach the Virtual Private Gateway to your VPC.
     
     
  3. Go to the VPN Connections > select Create VPN Connection.
     
     

      

     1. Select the Virtual Private Gateway created in the previous step .
        
        
     2. Below Customer Gateway, select New.
        
        
     3. Below IP Address, enter the Customer Gateway public IP address.
        
        
     4. Below BGP ASN, enter an ASN or leave the default value.
        
        
     5. Below Routing Option, select Dynamic (requires BGP).
        
        
     6. Click Yes, Create.
     
     
     
  4. For each relevant route table in your VPC, go to the Route Propagation tab > select Propagate.
     
     
     
     
  5. Below VPN Connections, select the newly created VPN connection > click Download Configuration:
     
     
     
     
     1. Below Vendor, select Generic.
        
        
     2. Below Platform, select Generic.
        
        
     3. Below Software, select Vendor Agnostic.
        
        
     4. Click Yes, Download.
     
     
     
  6. Open the downloaded file and enter the necessary details into the tables.
     These parameters are used later in Check Point setup.
     

     Tunnel 1

     Name	Example
     TUN1-IKE-SA-PRE-SHARED-KEY	O7X4GgkHgGeeT_.j5CiljBEEF1lXPJ6y
     TUN1-OUTSIDE-VIRTUAL-PRIVATE-GATEWAY	52.21.15.173
     TUN1-INSIDE-CUSTOMER-GATEWAY	169.254.44.170
     TUN1-INSIDE-VIRTUAL-PRIVATE-GATEWAY	169.254.44.169

     Tunnel 2:

     Name	Example
     TUN2-IKE-SA-PRE-SHARED-KEY	SDFeVGmEedr7_xjTBcawdutE_tTWmetS
     TUN2-OUTSIDE-VIRTUAL-PRIVATE-GATEWAY	52.21.218.247
     TUN2-INSIDE-CUSTOMER-GATEWAY	169.254.44.182
     TUN2-INSIDE-VIRTUAL-PRIVATE-GATEWAY	169.254.44.181

     Common to both tunnels:

     Name	Example
     CUSTOMER-GATEWAY-IP-ADDRESS	198.51.100.10
     CUSTOMER-GATEWAY-ASN	65000
     VIRTUAL-PRIVATE-GATEWAY-ASN	7224
     NEIGHBOR-HOLD-TIME	30
     IPSEC-DPD-INTERVAL	10
     IPSEC-DPD-RETRIES	3
     TCP-MSS-ADJUSTMENT	1387
     TUNNEL-INTERFACE-MTU	1436

  
  

  Check Point Gaia OS Configuration

  Set up of virtual tunnel interface and initial BGP setup:

  1. Connect with SSH to your Security Gateway.
     
     
  2. If you use the none default shell, change to clish by running: clish
     
     
  3. Run these commands, replace the variables surrounded by {} with the values you filled in the above table:
     
     set as {CUSTOMER-GATEWAY-ASN}
     
     
  4. AWS_VPC_Tun1 and AWS_VPC_Tun2 are the names of the interoperable devices in SmartConsole(make sure they match when you create the VTI or when you create the peer's gateway in SmartConsole)
     
     add vpn tunnel 1 type numbered local {TUN1-INSIDE-CUSTOMER-GATEWAY} remote {TUN1-INSIDE-VIRTUAL-PRIVATE-GATEWAY} peer AWS_VPC_Tun1
     
     add vpn tunnel 2 type numbered local {TUN2-INSIDE-CUSTOMER-GATEWAY} remote {TUN2-INSIDE-VIRTUAL-PRIVATE-GATEWAY} peer AWS_VPC_Tun2
     
     set interface vpnt1 state on
     
     set interface vpnt1 mtu {TUNNEL-INTERFACE-MTU}
     
     set interface vpnt2 state on
     
     set interface vpnt2 mtu {TUNNEL-INTERFACE-MTU}
     set as 65000
     set bgp external remote-as {VIRTUAL-PRIVATE_GATEWAY-ASN} on
     
     set bgp external remote-as {VIRTUAL-PRIVATE_GATEWAY-ASN} peer {TUN1-INSIDE-VIRTUAL-PRIVATE-GATEWAY} on
     
     set bgp external remote-as {VIRTUAL-PRIVATE_GATEWAY-ASN} peer {TUN1-INSIDE-VIRTUAL-PRIVATE-GATEWAY} holdtime {NEIGHBOR-HOLD-TIME}
     
     set bgp external remote-as {VIRTUAL-PRIVATE_GATEWAY-ASN} peer {TUN1-INSIDE-VIRTUAL-PRIVATE-GATEWAY} keepalive 10
     
     set bgp external remote-as {VIRTUAL-PRIVATE_GATEWAY-ASN} peer {TUN2-INSIDE-VIRTUAL-PRIVATE-GATEWAY} on
     
     set bgp external remote-as {VIRTUAL-PRIVATE_GATEWAY-ASN} peer {TUN2-INSIDE-VIRTUAL-PRIVATE-GATEWAY} holdtime {NEIGHBOR-HOLD-TIME}
     
     set bgp external remote-as {VIRTUAL-PRIVATE_GATEWAY-ASN} peer {TUN2-INSIDE-VIRTUAL-PRIVATE-GATEWAY} keepalive 10
     
     save config
     
     

  Allow import of routes advertised by AWS:

  1. In Gaia Portal, go to Advanced Routing > Inbound Route Filters > click  Add > Add BGP Policy (Based on AS):
     
     
     
     
     
  2. Below Add BGP Policy, select a value between 512 and 1024 and enter {VIRTUAL-PRIVATE-GATEWAY-ASN} as the AS Number:
     
     
     
     
  3. Click Save.
     For other alternatives such as routemaps, see the Gaia Advanced Routing Administration Guide.

  
  Advertise local routes to AWS:

  1. To advertise local routes over BGP to AWS, open the Gaia Portal.
     
     Note: You can redistribute routes from different sources such as static routes, routes obtained through dynamic routing protocols, or local interface information. These steps demonstrate how to distribute local interface routes. For more information, see the Gaia Advanced Routing Administration Guide.
     
     
  2. In Advanced Routing > Route Redistribution > click Add Redistribution From > select Interface:
     
     
     
     
  3. Below To Protocol, select {VIRTUAL-PRIVATE-GATEWAY-ASN}.
     
     Below Interface, select one of the internal interfaces. This advertises a route to the subnet connected to that interface.
     
     
     
     
  4. Click Save.
  
  
  

• SmartConsole Configuration

  1. In SmartConsole, create a simple empty group to serve as a VPN domain placeholder:
     
      
     
     
     
     
  2. In SmartConsole, create a new Interoperable Device.
     
     
     
     
  3. Below Name, provide the exact Peer used for the first VTI (e.g. AWS_VPC_Tun1).
     
     Below IPv4 Address, use {TUN1-OUTSIDE-VIRTUAL-PRIVATE-GATEWAY}:
     
     
     
     
  4. In the Topology tab, below the VPN domain section, select User defined and select the empty group object you created before:
     
     
     
     
  5. Repeat this step for IPSec Tunnel #2.
     
     
  6. Go to your on-premises gateway network object.
     Note - If you have not done so already, enable the IPsec VPN Software Blade on your gateway.
     
     
  7. Open your gateway or cluster object > navigate to the Topology tab.
     
     
  8. Re-fetch the interface configuration.
     
     
  9. In the Topology tab, below VPN Domain section, select "Manually defined", and select the empty simple group you created before.
     
     Note - If you already had a VPN domain configured, you can keep your current configuration. But make sure that hosts and networks that you want to use, or served by, the new VPN connection will not be declared in the VPN domain, particularly if the VPN domain is automatically derived ("Based on Topology information").
     
     
  10. Navigate to New > More -> click VPN Communities, and create a new Star Community.
      
      
      
  11. Add your gateway or cluster to the Center Gateways, and add the Interoperable Devices to Satellite Gateways:
      
      
      
      
  12. In the Encryption view, below Encryption Method, select IKEv1 for IPv4 and IKEv2 for IPv6.
      
      Below the Encryption Suite section, select Custom > click Custom Encryption.
      
      
      
      
  13. Below IKE Security Associations (Phase 1) Properties:
      
      
      1. Below Perform key exchange encryption with, select AES-128 (this should match the configuration file you downloaded from AWS).
         
         
      2. Below Perform data integrity with, select SHA1 (this should match the configuration file you downloaded from AWS).
      
      
      Below IPsec Security Associations (Phase 2) Properties:
      
      
      1. Below Perform IPsec data encryption with, select AES-128 (this should match the configuration file you downloaded from AWS).
         
         
      2. Below Perform data integrity with, select SHA1 (this should match the configuration file you downloaded from AWS).
      
      Select the Use Perfect Forward Secrecy checkbox and select Group 2 (1024 bit).
  14. Below Tunnel Management, select Set Permanent Tunnels:
      
      
      
      
  15. Go to Advanced Settings > Shared Secret view and configure the pre-shared secret as found in the configuration file you downloaded from AWS.
      
      
      
      
  16. Below Advanced Settings > Advanced VPN Properties:
      
      - Set Renegotiate IKE security associations every to 480 minutes (notice the measurement unit).
      - Set Renegotiate IPsec security associations every to 3600 seconds.
      
      
      
      
  17. Create a Firewall Security rule that allows traffic between the on-site and VPC and define the VPN community under the VPN tab.

OPTIONAL:  If you want to limit the scope of such rules to only traffic going over the VPN tunnel between the on-premises network and the VPC, do these steps:

1. In the File -> Global Properties, go to VPN > Advanced.
2. Select the checkbox Enable VPN Directional Match in VPN Column.
   
   

Note: Globally enabling directional match rules will not affect previously configured and functioning VPN rules.

For every firewall rule related to VPN traffic, add these directional match rules in the VPN column of the rule:

• Internal_clear -> AWS VPN community
  
  
• AWS VPN community -> AWS VPN community
  
  
• AWS VPN community -> Internal_clear
  

18. Install the policy on the Security Gateway.



Enable the Dead Peer Detection

Note - Enabling Dead Peer Detection is optional, but we recommend to enable it.

To enable the DPD (on R77.10 and higher), see sk97746.

1. 1. Enable TCP MSS Clamping
      
      Note - Enabling TCP MSS Clamping is required in most instances. Dependent on your ISP type, the MSS value supplied by AWS may work correctly. However, internal testing has shown one may need to tune the Check Point MSS function as low as 1380 bytes.
      
      To enable TCP MSS Clamping (on R77.20 and higher), see sk101219.
      
      
   2. After performing all above steps, save and install the Security policy.

Known Limitations

• This solution requires the use of VTIs (Virtual Tunnel Interfaces)
• The use of VTIs disabled CoreXL up to R80.10. Supported by default in R80.10 (due to integrated MultiCore VPN)
• VTIs are not currently supported on:

• • Check Point 40000/60000 Security System
  • VSX version R80.40 and lower

Related solutions:

• sk100726 - How to configure IPsec VPN between on-premises Check Point Security Gateway and Amazon Web Services VPC using static routes and Numbered VTI
• sk113840 - How to configure IPsec VPN between on-premises Check Point Security Gateway (R81 and lower) and Amazon Web Services VPC using static routes without VTI
• sk119601 - BGP over VTI tunnels are not "established" after upgrade to R80.10