Configuring a Route-Based VPN using BGP on Check Point 600 / 1100 appliances takes two main phases:
- Establish the Site-to-Site VPN connection through a VTI interface (this can be configured through the appliance's WebGUI).
- Configure the BGP parameters to establish the session with the remote BGP peer and exchange routing tables / information (this can only be done via CLI / SSH commands).
Phase 1 - Set up the VPN and the VTI
A. Create the VTI:
- From the appliance's WebGUI go to Device > Local Network > New > VPN Tunnel (VTI).
- In the "New VTI" pop-up window enter the following:
- Pick an arbitrary VPN Tunnel ID (it must be identical on the remote peer).
- Peer: enter the same name that will be used as the VPN Site's name.
- Enter any local IP address for the tunnel (for example 172.20.20.197).
- Enter any remote IP address for the tunnel (for example 172.20.20.198).
- Click "Apply".
B. Configure the VPN:
- From the appliance's WebGUI go to VPN > Site to Site > VPN Sites > New.
- In the "New VPN Site" pop-up window enter the following:
- Site Name must be the same as the VTI's "Peer" name.
- Enter the remote peer's IP address / host name.
- Set the required authentication.
- Under "Remote Site Encryption Domain", set the Encryption Domain to "Encrypt According to Routing Table" (make sure the other VPN site's settings are set as required).
- Click "Apply".
Phase 2 - Configure BGP
From the Check Point 600 / 1100 appliance SSH / command line:
- Set the local AS:
#set as <local 1100 AS>
- Set the local router ID:
#set router-id <local VTI IP address>
- Define the remote AS and the BGP session. Run:
#set bgp external remote-as <peer's AS number> on
#set bgp external remote-as <peer's AS number> local-address <local VTI address> on
#set bgp external remote-as <peer's AS number> peer <peer's VTI address> on
- Check the peer; this should show that the session is established:
#show bgp peers
(Make sure the sessions are established and that you can ping each side's VTI address.)
- Define the routemap ID:
#set routemap <peer name of your choice, e.g. "Peer123"> id 10 on
#set routemap <peer name of your choice, e.g. "Peer123"> id 10 allow
- Define which route lists to export and import. Run:
#set bgp external remote-as <peer's AS number> export-routemap <local name of your choice, e.g. "cp1100"> preference 10 on
#set bgp external remote-as <peer's AS number> import-routemap <the peer name you chose, e.g. "Peer123"> preference 5 on
- Check that the routemaps are applied; you should see the import and export routemaps with their preferences:
#show bgp routemap
- Define the interface to share over BGP:
#set routemap <local name, e.g. "cp1100"> id 10 on
#set routemap <local name, e.g. "cp1100"> id 10 match interface LAN1
If the internal network is connected to a different LAN port or switch, enter that interface name instead (LAN2, LAN4, and so on).
#set routemap <local name, e.g. "cp1100"> id 10 match protocol direct
- Make sure the routing table is being updated.
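The Phase 2 sequence above is easy to get wrong when the routemap names in the "set routemap" lines and in the import-/export-routemap lines drift apart. As an added example (not part of this article or of Check Point's own tooling), the POSIX shell script below builds the full Phase 2 command list from concrete values, checks that the AS numbers and VTI addresses are well-formed and that the two VTI addresses differ, and prints the commands ready to paste into the appliance CLI (the leading prompt character shown on this page is omitted). It assumes 2-byte AS numbers (1-65535); the sample values are constructed and reuse the VTI addresses from Phase 1.

```shell
# Added example: generates the Phase 2 BGP commands for a 600/1100 appliance
# from checked input values. Runs on any POSIX shell; it does not talk to the box.

# Returns 0 if $1 is a dotted-quad IPv4 address with four octets in 0-255.
valid_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*|*.*.*.*.*) return 1 ;;   # bad chars, empty or extra octets
    *.*.*.*) ;;                                   # exactly three dots
    *) return 1 ;;
  esac
  oldifs=$IFS; IFS=.
  for o in $1; do
    [ "$o" -le 255 ] || { IFS=$oldifs; return 1; }
  done
  IFS=$oldifs
  return 0
}

# Returns 0 if $1 is a 2-byte AS number (1-65535); this range is an assumption.
valid_as() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_bgp_config LOCAL_AS LOCAL_VTI PEER_AS PEER_VTI PEER_NAME LOCAL_NAME IFACE
# Prints the Phase 2 commands with the values filled in, in the article's order.
gen_bgp_config() {
  local_as=$1; local_vti=$2; peer_as=$3; peer_vti=$4
  peer_name=$5; local_name=$6; iface=$7
  valid_as "$local_as" && valid_as "$peer_as" || { echo "bad AS number" >&2; return 1; }
  valid_ipv4 "$local_vti" && valid_ipv4 "$peer_vti" || { echo "bad VTI address" >&2; return 1; }
  [ "$local_vti" != "$peer_vti" ] || { echo "local and peer VTI addresses must differ" >&2; return 1; }
  cat <<EOF
set as $local_as
set router-id $local_vti
set bgp external remote-as $peer_as on
set bgp external remote-as $peer_as local-address $local_vti on
set bgp external remote-as $peer_as peer $peer_vti on
set routemap $peer_name id 10 on
set routemap $peer_name id 10 allow
set bgp external remote-as $peer_as export-routemap $local_name preference 10 on
set bgp external remote-as $peer_as import-routemap $peer_name preference 5 on
set routemap $local_name id 10 on
set routemap $local_name id 10 match interface $iface
set routemap $local_name id 10 match protocol direct
EOF
}
# Constructed sample values: local AS 65001, peer AS 65002, VTIs from Phase 1, LAN1.
gen_bgp_config 65001 172.20.20.197 65002 172.20.20.198 Peer123 cp1100 LAN1
```

After pasting the output, the "show bgp peers" and "show bgp routemap" checks from the article still apply; the script only guards the inputs, not the peer's configuration.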
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
This solution is about products that are no longer supported and it will not be updated.