How To Setup a Site-to-Site VPN with Cisco Remote Gateway
Solution

VPN Setup

Part 1: Configuring the Cisco Gateway Object

To create the Cisco Gateway Object:

  1. Right-click: Network Objects > Interoperable Device.

  2. In the General Properties dialog box, enter a name for the Security Gateway, IP address and description (optional).

    Note - Use the external routable IP address of the Cisco peer for the IP address.



  3. Click OK.

Part 2: VPN Community Setup

  1. Select the IPSec VPN tab.
  2. Right-click and select New > Star Community.

Part 3: VPN Community Configuration

To configure the VPN:

  1. Name the VPN Community.



  2. Click Center Gateways.
  3. Click Add.
  4. Select the local Check Point Security Gateway object.
  5. Click OK.



  6. Click Satellite Gateways.
  7. Click Add.
  8. Select the Cisco peer gateway object that you named in Part 1.
  9. Click OK.



  10. Click VPN Properties.

    Note - You can change the Phase 1 and Phase 2 properties here. Note the values you select, because the peer will need to match these values.

Part 4: To Configure the VPN Tunnel

You define the tunnel setup in the Tunnel Management option. It is recommended to use one VPN tunnel per subnet pair: this shares the networks on either side of the VPN, simplifies the Phase 2 negotiation, and requires fewer tunnels to be built for the VPN.

You can restrict access on the VPN through your security rulebase (see Part 9).

Note - Permanent tunnels can only be set up between Check Point gateways.

  1. Click Tunnel Management to configure the tunnel.

Part 5: To Configure the Shared Secrets

  1. Click Advanced Settings.
  2. Click Shared Secret.
  3. Select Use only Shared Secret for all External members.
  4. Select your peer gateway in the list.
  5. Click Edit to edit the shared secret.

    Note - Remember this secret because the peer will need it to set up the VPN on the other end.


Part 6: To Modify Phase 1 and Phase 2 Advanced Settings

  1. Click Advanced VPN Properties.

    Keep note of these values to ensure they match on the peer gateway side of the configuration.

    Note - It is recommended to select Disable NAT inside the VPN community so that resources behind the two peer gateways can access each other at their real IP addresses.



  2. Click OK to exit back to the SmartDashboard.

    Note - You may see this message: "At least one of the VPN Community members does not have the VPN domain defined. Are you sure you want to continue?"

  3. Click Yes to view your defined VPN community.
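The notes in Part 3 and Part 6 say the Phase 1 and Phase 2 values must match on the Cisco side. The following added example (not part of the SK article) compares a constructed set of Check Point community values with constructed Cisco peer values, normalising the different spellings and converting the Phase 1 lifetime, which Check Point shows in minutes while Cisco configures it in seconds.

```python
"""Compare IKE Phase 1 / Phase 2 values chosen in the Check Point community
with the values configured on the Cisco peer. Sample values are constructed."""

# Check Point displays the Phase 1 renegotiation interval in minutes and the
# Phase 2 interval in seconds; Cisco expresses both lifetimes in seconds.
PHASE1_LIFETIME_UNIT = {"checkpoint": "minutes", "cisco": "seconds"}


def _norm(value):
    """Make 'AES-256' / 'aes 256' and 'Group 2 (1024 bit)' / '2' comparable."""
    v = str(value).lower().split("(")[0]            # drop '(1024 bit)' style suffixes
    v = v.replace("-", "").replace(" ", "").replace("group", "")
    return "sha1" if v == "sha" else v               # Cisco 'hash sha' means SHA-1


def phase1_lifetime_seconds(vendor, value):
    """Convert a vendor's Phase 1 lifetime to seconds for a like-for-like comparison."""
    return int(value) * 60 if PHASE1_LIFETIME_UNIT[vendor] == "minutes" else int(value)


def compare_proposals(checkpoint, cisco):
    """Return human-readable mismatches; an empty list means both sides agree."""
    mismatches = []
    for phase in ("phase1", "phase2"):
        cp, ci = checkpoint[phase], cisco[phase]
        for key in ("encryption", "integrity", "dh_group"):
            if (key in cp or key in ci) and _norm(cp.get(key, "")) != _norm(ci.get(key, "")):
                mismatches.append(f"{phase} {key}: Check Point={cp.get(key)} Cisco={ci.get(key)}")
        if phase == "phase1":
            cp_life = phase1_lifetime_seconds("checkpoint", cp["lifetime"])
            ci_life = phase1_lifetime_seconds("cisco", ci["lifetime"])
        else:
            cp_life, ci_life = int(cp["lifetime"]), int(ci["lifetime"])
        if cp_life != ci_life:
            mismatches.append(f"{phase} lifetime: Check Point={cp_life}s Cisco={ci_life}s")
    return mismatches


# Constructed sample: Phase 1 matches once units are converted (1440 min == 86400 s);
# Phase 2 uses a different DH group (PFS) on the Cisco side, so the tunnel would fail.
CHECKPOINT = {
    "phase1": {"encryption": "AES-256", "integrity": "SHA1", "dh_group": "Group 2 (1024 bit)", "lifetime": 1440},
    "phase2": {"encryption": "AES-128", "integrity": "SHA1", "dh_group": "Group 2 (1024 bit)", "lifetime": 3600},
}
CISCO = {
    "phase1": {"encryption": "aes 256", "integrity": "sha", "dh_group": "2", "lifetime": 86400},
    "phase2": {"encryption": "aes 128", "integrity": "sha", "dh_group": "5", "lifetime": 3600},
}

if __name__ == "__main__":
    for line in compare_proposals(CHECKPOINT, CISCO) or ["all Phase 1 and Phase 2 values match"]:
        print(line)
```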

Part 7: Defining the VPN Domain

Make sure you have Network Objects to represent the local networks and the Cisco peer networks that are shared with your network.

To Define the VPN Domain:

  1. Right-click Networks.
  2. Select Network.
  3. In the Network Properties window, enter the properties of the Cisco peer internal network.



    Note - When many networks are shared on the two sides of the tunnel, it is recommended to create different groups to represent the domains on each side of the VPN tunnel.

To create a Group:

  1. Right-click Groups.
  2. Select Groups > Simple Group.



    This example shows one shared network, and there is one object in the group. There is no limit to the number of networks that can be shared.

    Important - Adding groups within a group can impact network performance. Make sure the group is "flat".



  3. Add a second group for the Peer Device.

Part 8: VPN Domain Configuration

Setting the VPN domains for each gateway:

  1. Open the Properties for your local Check Point gateway object.
  2. In the VPN Domain area, click Topology.
  3. Select Manually defined.
  4. From the list, select <local VPN domain group object>.



  5. Click OK and open the Properties for the Cisco gateway.
  6. Select the group/network that represents the VPN domain.



  7. Click OK.
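The VPN domains defined in Parts 7 and 8 and the "one VPN tunnel per subnet pair" setting from Part 4 together determine how many Phase 2 negotiations the community will run. This added example (not part of the SK article) models the two domain groups as constructed lists of subnets, rejects nested groups as the Part 7 note advises, checks that the two sides do not overlap (with NAT disabled inside the community, overlapping addresses cannot be routed), and lists the subnet pairs that each become a tunnel.

```python
"""Planner for the local and Cisco-peer VPN domain groups. All objects are constructed."""
import ipaddress
from itertools import product


def flatten(group):
    """Return the networks in a domain group; a group inside the group is rejected (keep groups flat)."""
    networks = []
    for member in group:
        if isinstance(member, list):
            raise ValueError("nested group found: keep VPN domain groups flat")
        networks.append(ipaddress.ip_network(member, strict=True))
    return networks


def overlaps(local, peer):
    """Subnet pairs present on both sides; unroutable when NAT is disabled inside the community."""
    return [(str(a), str(b)) for a, b in product(local, peer) if a.overlaps(b)]


def tunnel_pairs(local, peer):
    """One entry per (local subnet, peer subnet): the tunnels built under 'one VPN tunnel per subnet pair'."""
    return [(str(a), str(b)) for a, b in product(local, peer)]


def plan(local_group, peer_group):
    """Flatten both domains, refuse overlapping domains, and return the subnet pairs to expect."""
    local, peer = flatten(local_group), flatten(peer_group)
    bad = overlaps(local, peer)
    if bad:
        raise ValueError(f"overlapping VPN domains: {bad}")
    return tunnel_pairs(local, peer)


# Constructed sample: two local networks behind the Check Point gateway, one network behind the Cisco peer
LOCAL_DOMAIN = ["10.1.10.0/24", "10.1.20.0/24"]
PEER_DOMAIN = ["192.168.50.0/24"]

if __name__ == "__main__":
    for local_net, peer_net in plan(LOCAL_DOMAIN, PEER_DOMAIN):
        print(f"tunnel: {local_net} <-> {peer_net}")
```

Each pair printed is one Phase 2 SA the Cisco side must also be configured to accept.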

Part 9: Rules for Traffic

After you set up the objects, the VPN, and the community, set up Rules to control the flow of traffic and to allow or restrict access to the VPN.

Setting a Rule

To setup a Rule:

  1. Right-click above the number in the rule column where you want the rule to be set.
  2. Select Add Rule > Below.



    In this example, the Rule allows any service across the tunnel in both directions:

Part 10: Setting VPN Community in the Rule

To set the VPN community in the VPN column of the Rule:

  1. Right-click the Any Traffic icon.
  2. Select Edit Cell.
  3. Select Only connections encrypted in specific VPN Communities.
  4. Click Add.
  5. Select the VPN community.
  6. Click OK.
  7. Click OK again.



    The Rule appears in the VPN column.

Final Step

  1. Install the policy to the local Check Point gateway.
    The VPN tunnel is configured.
  2. After the Cisco remote peer sets up its VPN to match, secure communication with the remote site is established.


Refer to this document:

How To Set Up a Site To Site VPN with a Cisco Remote Gateway
