configuring a site-to-site vpn

Upload: kornidin-nainggolan

Post on 06-Apr-2018


    8/3/2019 Configuring a Site-To-Site VPN

    Configuring Site-to-Site VPNs between Embedded NGX Gateways

    This document describes how to configure Site-to-Site Virtual Private Networks (VPNs) between Check Point Embedded NGX gateways.

    Note: This document is relevant for Embedded NGX 7.0. It is recommended to use the latest Embedded NGX firmware.

    Note: The Embedded NGX screens that appear in this document relate to Safe@Office gateways.

    Overview

    A Site-to-Site VPN consists of two or more Site-to-Site VPN gateways that can communicate with each other in a bi-directional relationship. They are designed to handle secure communications between a company's internal departments and its branch offices.

    How Do Site-to-Site VPNs Work?

    The following figure describes a typical Site-to-Site VPN, when hosts on Sites A and B are installed with Embedded NGX UTM appliances:

    Figure 1: Typical Site-to-Site VPN

    The Site-to-Site VPN works as follows:

    1. The Site A and Site B security administrators each configure their Embedded NGX UTM appliance as a VPN gateway that will communicate with the other VPN gateway's IP address and authenticate using either a pre-shared secret or certificates.

    2. The Site A VPN gateway initiates a connection to the Site B VPN gateway, authenticates, and initiates a download topology request.

    3. The Site B VPN Server acts as a topology server and sends the Site B VPN topology information to the Site A VPN gateway. The topology information consists of the Site B VPN gateway's IP address and the networks behind it. It is possible to view the VPN topology information on the gateway side, by surfing to: http://my.firewall/vpntopo.html.

    4. When the host on Site A generates "interesting" packets, the Site A VPN gateway intercepts the packets, encrypts them, and routes them to the Site B VPN gateway.

    Note: If a "Route All Traffic" topology is selected, then the Site A VPN topology is automatically set to 0.0.0.0 (meaning, all destination networks). As a result, all packets going through the VPN Client will be encrypted and routed over the VPN tunnel to the Site B VPN gateway.

    5. The Site B VPN Server decrypts the packet.

    6. The Site B VPN Server delivers the decrypted packets to the destination host on Site B. The packets appear to have been sent directly from the original host on Site A.

    Site-to-Site VPN Considerations

    Before configuring encryption between branch offices, a security administrator must answer the following questions:

    Which VPN gateways will encrypt data, and what are the VPN topologies?

    A VPN gateway performs encryption on behalf of its VPN topology. That is, the gateway encrypts all data packets originating from within its encryption domain and sent to other networks outside of the encryption domain. (Within the encryption domain, data packets are not encrypted.)

    The security administrator must plan the encryption relationship between network entities. That is, the administrator must decide which gateways should encrypt data to each other, and for which networks. The security administrator must then ensure that each gateway is configured with its own VPN topology, as well as the topology of the other VPN sites.

    Note: The Embedded NGX VPN gateway can automatically download the remote VPN site topology when negotiating with other Check Point Embedded NGX gateways. If desired, advanced users can manually configure which remote networks should be included in the VPN topology, according to their business security policy.
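    The six steps above and the encryption-domain rules in this section can be modelled in a few dozen lines. The following is an added example written for this page, not code from the document or from Check Point: it represents each gateway's topology (its address plus the networks behind it), lets one gateway "download" the other's topology, and then decides per packet whether the traffic is "interesting" (encrypted and routed to a peer), stays in the clear because it is inside the local encryption domain, or is not covered by any tunnel. It also reproduces the "Route All Traffic" case, where the downloaded topology becomes 0.0.0.0/0. All addresses are constructed documentation ranges; the class and method names are this example's own.

```python
import ipaddress

# Constructed example topologies (not taken from the document): each gateway has
# a public address and the networks "behind it", which form its encryption domain.
ROUTE_ALL = ipaddress.ip_network("0.0.0.0/0")


class VpnGateway:
    def __init__(self, name, public_ip, local_networks):
        self.name = name
        self.public_ip = ipaddress.ip_address(public_ip)
        self.local_networks = [ipaddress.ip_network(n) for n in local_networks]
        # peer name -> (peer gateway address, remote networks learned from it)
        self.peers = {}

    def topology(self):
        """Step 3: what this gateway publishes when acting as topology server."""
        return {"gateway": str(self.public_ip),
                "networks": [str(n) for n in self.local_networks]}

    def download_topology(self, peer, route_all=False):
        """Step 2: pull the peer's topology.  With 'Route All Traffic' the
        remote topology is replaced by 0.0.0.0/0, so every destination outside
        the local encryption domain is sent through this tunnel."""
        topo = peer.topology()
        nets = [ROUTE_ALL] if route_all else [ipaddress.ip_network(n) for n in topo["networks"]]
        self.peers[peer.name] = (ipaddress.ip_address(topo["gateway"]), nets)

    def route_packet(self, src, dst):
        """Step 4: decide whether a packet is 'interesting'.
        Returns (action, peer_name); action is 'encrypt' or 'clear'."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Only traffic originating inside our encryption domain is encrypted.
        if not any(src in n for n in self.local_networks):
            return ("clear", None)
        # Traffic that stays inside the encryption domain is never encrypted.
        if any(dst in n for n in self.local_networks):
            return ("clear", None)
        # Longest-prefix match across all peers, so a specific remote network
        # beats a 0.0.0.0/0 'route all' entry learned from another peer.
        best = None
        for peer_name, (_gw, nets) in self.peers.items():
            for n in nets:
                if dst in n and (best is None or n.prefixlen > best[1]):
                    best = (peer_name, n.prefixlen)
        if best is None:
            return ("clear", None)   # no tunnel covers this destination
        return ("encrypt", best[0])


def demo():
    """Site A learns Site B's topology, then routes a few constructed packets."""
    a = VpnGateway("Site A", "203.0.113.1", ["10.1.0.0/16"])
    b = VpnGateway("Site B", "198.51.100.1", ["10.2.0.0/16", "10.3.0.0/24"])
    a.download_topology(b)
    results = {
        "to_site_b": a.route_packet("10.1.0.5", "10.2.0.7"),
        "local": a.route_packet("10.1.0.5", "10.1.0.9"),
        "internet": a.route_packet("10.1.0.5", "192.0.2.9"),
    }
    # Same peer, but configured as a 'Route All Traffic' topology.
    a.download_topology(b, route_all=True)
    results["internet_route_all"] = a.route_packet("10.1.0.5", "192.0.2.9")
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

    Running the script shows the two outcomes the document describes: with a normal downloaded topology only traffic to 10.2.0.0/16 or 10.3.0.0/24 is encrypted and Internet-bound traffic leaves in the clear, while with "Route All Traffic" the same Internet-bound packet is encrypted and sent to Site B. The longest-prefix rule is an assumption of this example; it is what lets a specific tunnel coexist with a route-all tunnel to a different peer.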

    What are the encryption keys?

    A VPN connection is encrypted using IPSec. In order to establish an IPSec VPN tunnel, the VPN peers authenticate to each other and negotiate for encryption keys during IKE key exchange. The IKE parameters must be shared between VPN peers.

    Note: The Embedded NGX VPN gateway can automatically negotiate for the encryption keys. When doing VPN between Embedded NGX-based VPN gateways, the following settings will be used by default:

    AES-256 Encryption

    SHA-1 Integrity

    Diffie-Hellman group 2

    PFS disabled

    Phase-1 lifetime 1440 minutes, Phase-2 lifetime 600 seconds

    Advanced users can also manually modify the IKE settings according to their business security policy. Manual configuration is also the best option when configuring IPSec VPNs to non-Check Point-based products.
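    Because the IKE parameters must agree on both peers, a mismatch is the most common reason a tunnel to a third-party gateway never comes up. The following added example (written for this page; not Check Point code) captures the default settings listed above as a record, compares two peers' settings the way a negotiation would, and runs a small checklist over a settings record to flag parameters that current guidance treats as weak. The checklist, the rule that lifetimes settle on the shorter value, and all names in the code are this example's own assumptions.

```python
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class IkeSettings:
    encryption: str
    integrity: str
    dh_group: int
    pfs: bool
    phase1_lifetime_min: int
    phase2_lifetime_sec: int


# The defaults the document lists for tunnels between Embedded NGX gateways.
NGX_DEFAULTS = IkeSettings("AES-256", "SHA-1", 2, False, 1440, 600)

# Parameters that must be identical on both peers for the negotiation to succeed.
MUST_MATCH = ("encryption", "integrity", "dh_group", "pfs")

# This example's own checklist (not from the document): values that current
# guidance treats as weak and that a manual configuration should replace.
WEAK = {
    "encryption": {"DES", "3DES"},
    "integrity": {"MD5", "SHA-1"},
    "dh_group": {1, 2, 5},   # 768/1024/1536-bit MODP groups
}


def compare_settings(local, remote):
    """Return a list describing every MUST_MATCH parameter on which the peers disagree."""
    l, r = asdict(local), asdict(remote)
    return [f"{k}: local={l[k]} remote={r[k]}" for k in MUST_MATCH if l[k] != r[k]]


def negotiate(local, remote):
    """Simulated negotiation: returns (agreed settings, mismatches).
    Succeeds only when every MUST_MATCH parameter agrees; lifetimes are assumed
    (example assumption) to settle on the shorter of the two values."""
    mismatches = compare_settings(local, remote)
    if mismatches:
        return None, mismatches
    agreed = IkeSettings(local.encryption, local.integrity, local.dh_group, local.pfs,
                         min(local.phase1_lifetime_min, remote.phase1_lifetime_min),
                         min(local.phase2_lifetime_sec, remote.phase2_lifetime_sec))
    return agreed, []


def audit(settings):
    """Return the parameters that hit the WEAK checklist; PFS disabled is also
    reported, since without PFS a compromised Phase-1 key exposes Phase-2 keys."""
    findings = [k for k in WEAK if getattr(settings, k) in WEAK[k]]
    if not settings.pfs:
        findings.append("pfs")
    return findings


if __name__ == "__main__":
    # Constructed third-party peer configured with stronger, mismatching parameters.
    third_party = IkeSettings("AES-256", "SHA-256", 14, True, 480, 3600)
    print("NGX<->NGX:", negotiate(NGX_DEFAULTS, NGX_DEFAULTS))
    print("NGX<->third party:", negotiate(NGX_DEFAULTS, third_party))
    print("audit of defaults:", audit(NGX_DEFAULTS))
```

    Run as-is, the script shows two Embedded NGX gateways agreeing on the defaults, the negotiation with the constructed third-party peer failing on integrity, DH group and PFS, and the audit flagging SHA-1, DH group 2 and disabled PFS on the defaults. When a tunnel to another vendor's device will not establish, comparing the two sides field by field like this is usually faster than reading the IKE log.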


    Which connection will be encrypted and how?

    The Embedded NGX UTM appliance can connect with several other gateways over a secured VPN connection, and each such connection can use different encryption parameters. The security administrator must therefore decide which connections to encrypt and which encryption parameters to use. For example, it is possible to use pre-shared secrets or certificates for authentication, and it is possible to use automatic VPN topology download.

    The Embedded NGX UTM appliance is interoperable with other IKE and IPSec software implementations; however, the automatic VPN topology download can be used between Check Point products only.

    Workflow

    To configure a Site-to-Site VPN

    1. Add a topology download user and give the user's authentication details to the other gateway's administrator.

    See Adding a Topology Download User, page 3.

    Likewise, you will receive user authentication details from the other gateway's administrator.

    2. Add the other Embedded NGX gateway as a Site-to-Site VPN site.

    See Adding a Site-to-Site VPN Site, page 5.

    Likewise, the other gateway's administrator will add your Embedded NGX gateway as a Site-to-Site VPN site.

    3. Test the connection to the other gateway's VPN site.

    See Testing the Configuration, page 9.

    Likewise, the other gateway's administrator will test the connection to your VPN site.

    Adding a Topology Download User

    A topology download user has the same attributes as a remote access VPN user.

    To add a topology download user

    1. Click Users in the main menu, and click the Internal Users tab.

    The Internal Users page appears.

    2. Click New User.

    The Account Wizard opens displaying the Set User Details dialog box.

    3. In the Username field, type a username.

    4. In the Password and Confirm password fields, type a password.

    Use five to 25 characters (letters or numbers) for the new password.

    5. Click Next.

    The Set User Permissions dialog box appears.

    The options that appear on the page are dependent on the software and services you are using.

    6. Select the VPN Remote Access check box.

    7. Click Finish.

    The new user is saved.


    Adding a Site-to-Site VPN Site

    Note: The following procedure explains how to add a Site-to-Site VPN site, where the topology is downloaded automatically, and shared secret authentication is used. For information on additional configurations, refer to the Check Point Safe@Office User Guide.

    To add a Site-to-Site VPN site

    1. Click VPN in the main menu, and click the VPN Sites tab.

    The VPN Sites page appears with a list of VPN sites.

    2. Click New Site.

    The VPN Site Wizard opens, with the Welcome to the VPN Site Wizard dialog box displayed.

    3. Click Site-to-Site VPN.

    4. Click Next.

    The VPN Gateway Address dialog box appears.

    5. In the Gateway Address field, type the IP address of the other Embedded NGX gateway.

    6. Click Next.

    The VPN Network Configuration dialog box appears.

    7. Click Download Configuration.

    This option will automatically configure your VPN settings, by downloading the network topology definition from the remote VPN gateway.

    8. Click Next.

    The Authentication Method dialog box appears.

    9. Click Shared Secret.

    10. Click Next.

    The Authentication dialog box appears.

    11. In the Topology User field, type the username of the topology download user that you added in the previous task.

    12. In the Topology Password field, type the password of the topology download user that you added in the previous task.

    13. In the Use Shared Secret field, type the shared secret used for secure communications with the VPN site.

    14. Click Next.

    The Security Methods dialog box appears.

    15. Complete the fields as desired.

    For information, refer to the User Guide.

    16. Click Next.

    The Connect dialog box appears.

    17. To test the VPN connection, select the Try to Connect to the VPN Gateway check box.

    18. Click Next.

    If you selected the check box, the Connecting screen appears, and then the Contacting VPN Site screen appears.


    The Site Name dialog box appears.

    19. Type a name for the other gateway's VPN site.

    20. Click Next.

    The VPN Site Created screen appears.

    21. Click Finish.

    The VPN Sites page reappears. The new site appears in the VPN Sites list.

    Testing the Configuration

    To test the configuration

    1. Ping the IP address of the computer behind the other VPN site.

    2. Surf to http://my.firewall/vpntopo.html and view the VPN topology information table.

    3. In the Embedded NGX Portal, click Reports in the main menu, and click the VPN Tunnels tab to see the VPN tunnels graphically displayed.

    4. Click the Event Log tab, and locate logs indicating that the VPN tunnel was established.
