The Check Point VPN Solution
In This Section:
- VPN Components
- Understanding the Terminology
- Site to Site VPN
- Remote Access VPN
- IPv6 Support and Limitations
- SmartDashboard Toolbar
The IPsec VPN Software Blade lets the Security Gateway encrypt and decrypt traffic to and from other gateways and clients. Use SmartDashboard to easily configure VPN connections between Security Gateways and remote devices. You can configure Star and Mesh topologies for large-scale VPN networks that include third-party gateways. The VPN tunnel guarantees:
- Authenticity - Uses standard authentication methods
- Privacy - All VPN data is encrypted
- Integrity - Uses industry-standard integrity assurance methods
IKE and IPsec
The Check Point VPN solution uses these secure VPN protocols to manage encryption keys and send encrypted packets. IKE (Internet Key Exchange) is a standard key management protocol that is used to create the VPN tunnels. IPsec is a protocol that supports secure IP communications that are authenticated and encrypted on private or public networks.
VPN Components
A VPN is composed of:
- VPN endpoints, such as Security Gateways, Security Gateway clusters, or remote clients (such as laptop computers or mobile phones) that communicate using a VPN.
- VPN trust entities, such as a Check Point Internal Certificate Authority (ICA). The ICA is part of the Check Point suite used for creating SIC trusted connections between Security Gateways, authenticating administrators and third-party servers. The ICA provides certificates for internal Security Gateways and remote access clients which negotiate the VPN link.
- VPN Management tools, such as Security Management Server and SmartDashboard. SmartDashboard is the SmartConsole used to access the Security Management Server. The VPN Manager is part of SmartDashboard. SmartDashboard enables organizations to define and deploy Intranet and Remote Access VPNs.
Understanding the Terminology
A number of terms are used widely in secure VPN implementation, namely:
- VPN - Virtual Private Network. A secure, encrypted connection between networks and remote clients on a public infrastructure, to give authenticated remote users and sites secured access to an organization's network and resources.
- Virtual Tunnel Interface (VTI) - A virtual interface that is a member of an existing, Route Based, VPN tunnel.
- VPN Peer - A gateway that connects to a different gateway using a Virtual Tunnel Interface.
- VPN Domain - A group of computers and networks connected to a VPN tunnel by one VPN gateway that handles encryption and protects the VPN Domain members.
- VPN Community - A named collection of VPN domains, each protected by a VPN gateway.
- VPN Security Gateway - The gateway that manages encryption and decryption of traffic between members of a VPN Domain, typically located at one (Remote Access VPN) or both (Site to Site VPN) ends of a VPN tunnel.
- Site to Site VPN - An encrypted tunnel between two gateways, typically of different geographical sites.
- Remote Access VPN - An encrypted tunnel between a Security Gateway and remote access clients, such as Endpoint Security VPN, or a Remote Access Community.
- Remote Access Community - A group of computers, appliances, and devices that access, with authentication and encryption, the internal protected network from physically remote sites.
- Star Topology - A "hub and spoke" virtual private network community, with gateways defined as Satellites (spokes) that create tunnels only with the central gateway ("hub").
- Meshed Topology - A VPN community in which the gateway of each VPN Domain creates a tunnel to every other VPN Domain in the community.
- Domain Based VPN - A method to route encrypted traffic according to the VPN Domains defined on the Security Gateways.
- Route Based VPN - A routing method for participants in a VPN community, defined by the Virtual Tunnel Interfaces (VTI).
- IKE (Internet Key Exchange) - An encryption key management protocol that enhances IPsec by providing additional features, flexibility, and ease of configuration.
- IPsec - A set of secure VPN protocols that manage encryption keys and encrypted packet traffic, to create a standard for authentication and encryption services.
Site to Site VPN
The basis of Site to Site VPN is the encrypted VPN tunnel. Two Security Gateways negotiate a link and create a VPN tunnel, and each tunnel can contain more than one VPN connection. One Security Gateway can maintain more than one VPN tunnel at the same time.
Sample Site to Site VPN Deployment
(Figure items: Security Gateway; VPN tunnel; Internal network in VPN domain; Host 1; Host 6.)
In this sample VPN deployment, Host 1 and Host 6 securely send data to each other. The Firewalls do IKE negotiation and create a VPN tunnel. They use the IPsec protocol to encrypt and decrypt data that is sent between Host 1 and Host 6.
VPN Workflow
(Figure, reconstructed as steps:)
1. Host 1 sends a packet to Host 6.
2. Firewalls A and B create the VPN tunnel.
3. Firewall A encrypts the data.
4. The encrypted data is sent through the VPN tunnel.
5. Firewall B decrypts the data.
6. Host 6 receives the unencrypted data.
VPN Communities
A VPN Domain is a collection of internal networks that use Security Gateways to send and receive VPN traffic. Define the resources that are included in the VPN Domain for each Security Gateway. Then join the Security Gateways into a VPN community, a collection of VPN tunnels and their attributes. Network resources of different VPN Domains can securely communicate with each other through VPN tunnels that terminate at the Security Gateways in the VPN communities.
VPN communities are based on Star and Mesh topologies. In a Mesh community, there are VPN tunnels between each pair of Security Gateways. In a Star community, each satellite Security Gateway has a VPN tunnel to the central Security Gateway, but not to other Security Gateways in the community.
Note: Global VPN Communities are not supported in this release.
(Figure: Mesh Topology and Star Topology. Items: Security Gateway, which in the Star topology is the central Security Gateway; in the Star topology, the satellite Security Gateways.)
Sample Combination VPN Community
(Figure items: London Security Gateway; New York Security Gateway; London-New York Mesh community; London company partner (external network); London Star community; New York company partner (external network); New York Star community.)
This deployment is composed of a Mesh community for the London and New York Security Gateways, which share their internal networks. The Security Gateways of the company partners' external networks are not members of the Mesh, so they do not have access to the London and New York internal networks through it. The Star VPN communities let the company partners access the internal networks, each through the central Security Gateway of its own Star community.
Routing VPN Traffic
Configure the Security Gateway to route VPN traffic based on VPN domains or based on the routing settings of the operating system.
Note: For each VPN gateway, you must configure an existing gateway as a default gateway.
Domain Based VPN
The VPN traffic is routed according to the VPN domains that are defined in SmartDashboard. Use domain-based routing to let satellite Security Gateways send VPN traffic to each other. The center Security Gateway creates VPN tunnels to each satellite and the traffic is routed to the correct VPN domain.
Route Based VPN
VPN traffic is routed according to the routing settings (static or dynamic) of the Security Gateway operating system. The Security Gateway uses a VTI (Virtual Tunnel Interface) to send the VPN traffic as if it were a physical interface. The VTIs of Security Gateways in a VPN community connect and can support dynamic routing protocols.
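The following is an added example, not Check Point code or configuration, that models the two preceding sections together: which gateway pairs get tunnels in Mesh and Star communities (the Sample Combination VPN Community above), and how a gateway chooses the encryption peer for a destination under domain-based routing (VPN Domains) versus route-based routing (OS routes whose next hop is a VTI). All gateway names, subnets, routes and the "vti-" interface naming are constructed for illustration; the hub relay for satellite-to-satellite traffic is the behaviour the Domain Based VPN section describes.

```python
"""Added example (not Check Point code): Star/Mesh tunnel enumeration and
domain-based versus route-based peer selection.  Names, subnets, routes and
the 'vti-' interface prefix are constructed for illustration."""
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed VPN Domains: the internal networks each gateway protects.
VPN_DOMAINS = {
    "London":      ["10.1.0.0/16"],
    "NewYork":     ["10.2.0.0/16"],
    "LDN-Partner": ["172.16.10.0/24"],
    "NY-Partner":  ["172.16.20.0/24"],
}

# Constructed communities following the Sample Combination VPN Community figure.
COMMUNITIES = [
    {"name": "London-NewYork Mesh", "type": "mesh", "members": ["London", "NewYork"]},
    {"name": "London Star", "type": "star", "center": "London", "satellites": ["LDN-Partner"]},
    {"name": "NewYork Star", "type": "star", "center": "NewYork", "satellites": ["NY-Partner"]},
]


def community_tunnels(community):
    """Gateway pairs (frozensets) that get a tunnel: every pair in a Mesh,
    only center<->satellite pairs in a Star."""
    if community["type"] == "mesh":
        return {frozenset(pair) for pair in combinations(community["members"], 2)}
    if community["type"] == "star":
        center = community["center"]
        return {frozenset((center, sat)) for sat in community["satellites"]}
    raise ValueError(f"unknown community type {community['type']!r}")


def all_tunnels(communities=COMMUNITIES):
    tunnels = set()
    for community in communities:
        tunnels |= community_tunnels(community)
    return tunnels


def owning_gateway(dst, domains=VPN_DOMAINS):
    """Domain-based lookup: longest-prefix match of dst over all VPN Domains."""
    dst = ip_address(dst)
    best = None
    for gateway, networks in domains.items():
        for net in map(ip_network, networks):
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (gateway, net)
    return best[0] if best else None


def domain_based_path(src_gw, dst, communities=COMMUNITIES, domains=VPN_DOMAINS):
    """Gateway hops from src_gw to the gateway owning dst under domain-based
    routing.  [src_gw] means the destination is local, None means no community
    gives a path.  Satellites of a Star have no tunnel to each other, so
    satellite-to-satellite traffic is relayed through the center gateway."""
    dst_gw = owning_gateway(dst, domains)
    if dst_gw is None:
        return None
    if dst_gw == src_gw:
        return [src_gw]
    if frozenset((src_gw, dst_gw)) in all_tunnels(communities):
        return [src_gw, dst_gw]
    for community in communities:
        if (community["type"] == "star"
                and src_gw in community["satellites"]
                and dst_gw in community["satellites"]):
            return [src_gw, community["center"], dst_gw]
    return None


# Constructed route-based view: the London gateway's OS routes.  A next hop on
# a VTI means "encrypt to that VTI's peer"; anything else leaves in clear text.
LONDON_ROUTES = [
    ("10.2.0.0/16", "vti-NewYork"),
    ("172.16.10.0/24", "vti-LDN-Partner"),
    ("0.0.0.0/0", "eth0"),
]


def route_based_egress(dst, routes=LONDON_ROUTES):
    """Route-based lookup: longest-prefix match over OS routes.
    Returns (interface, encrypted?)."""
    dst = ip_address(dst)
    matches = [(ip_network(net), iface) for net, iface in routes if dst in ip_network(net)]
    if not matches:
        return None, False
    net, iface = max(matches, key=lambda m: m[0].prefixlen)
    return iface, iface.startswith("vti-")


if __name__ == "__main__":
    print(sorted(sorted(t) for t in all_tunnels()))
    print(domain_based_path("London", "10.2.5.9"))       # ['London', 'NewYork']
    print(domain_based_path("LDN-Partner", "10.2.5.9"))  # None: partner is not in the Mesh
    print(route_based_egress("10.2.77.1"))               # ('vti-NewYork', True)
```

The partner gateway reaches London (its Star hub) but gets no path to New York, because Star satellites only hold a tunnel to their center and the partner is not a Mesh member; a second Star with two satellites shows the hub relay that domain-based routing gives satellite-to-satellite traffic.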
Granular Routing Control
The Link Selection feature gives you granular control of the VPN traffic in the network. Use this feature to enable the Security Gateway to:
- Find the best possible route for VPN traffic
- Select the interfaces that are used for VPN traffic to internal and external networks
- Configure the IP addresses that are used for VPN traffic
- Use route probing to select available VPN tunnels
- Use Load Sharing for Link Selection to equally distribute VPN traffic to VPN tunnels
Remote Access VPN
If employees remotely access sensitive information from different locations and devices, system administrators must make sure that this access does not become a security vulnerability. Check Point's Remote Access VPN solutions let you create a VPN tunnel between a remote user and the internal network. The Mobile Access Software Blade extends the functionality of Remote Access solutions to include many clients and deployments.
Client Based vs. Clientless
Check Point remote access solutions use IPsec and SSL encryption protocols to create secure connections. All Check Point clients can work through NAT devices, hotspots, and proxies in situations with complex topologies, such as airports or hotels.
These are the types of installations for remote access solutions:
- Client-based - Client application installed on endpoint computers and devices. Clients are usually installed on a managed device, such as a company-owned computer. The client supplies access to most types of corporate resources according to the access privileges of the user.
- Clientless - Users connect through a web browser and use HTTPS connections. Clientless solutions usually supply access to web-based corporate resources.
- On-demand client - Users connect through a web browser and a client is installed when necessary. The client supplies access to most types of corporate resources according to the access privileges of the user.
Using Remote Access VPN
This section explains how to use a VPN tunnel to connect a client-based remote computer to an internal network. For more about using Mobile Access to connect remote devices to internal resources, see Remote Access to the Network.
Note: For each VPN gateway, you must configure an existing gateway as a default gateway.
VPN Connectivity Modes
The IPsec VPN Software Blade lets the Firewall overcome connectivity challenges for remote clients. Use VPN connectivity modes to make sure that remote users can connect to the VPN tunnels. These are some examples of connectivity challenges:
- The IP addresses of a remote access client might be unknown
- The remote access client can be connected to a hotel LAN with internal IP addresses
- The remote client must use protocols that the network it is connected to does not support
Office Mode
Remote users can be assigned the same or non-routable IP addresses from the local ISP. Office Mode solves these routing problems and encapsulates the IP packets with an available IP address from the internal network. Remote users can send traffic as if they are in the office and do not have VPN routing problems.
Visitor Mode
Remote users can be restricted to use HTTP and HTTPS traffic only. Visitor Mode lets these users tunnel all protocols with a regular TCP connection on port 443.
Sample Remote Access VPN Workflow
Use SmartDashboard to enable and configure the Security Gateway for remote access VPN connections. Then add the remote user information to the Security Management Server: create and configure an LDAP Account Unit or enter the information in the SmartDashboard user database. You can also configure the Firewall to authenticate the remote users. Define the Firewall access control and encryption rules. Create the LDAP group or user group object that is used for the Firewall rules. Then create and configure the encryption settings for the VPN community object. Add the access rules to the Firewall Rule Base to allow VPN traffic to the internal networks.
(Flowchart, reconstructed as steps:)
1. Enable remote access VPN.
2. Manage users? Choose LDAP or the SmartDashboard database:
   - LDAP: Configure LDAP Account Unit; Configure user authentication; Create LDAP user group object.
   - SmartDashboard: Configure users in the SmartDashboard database; Configure user authentication; Create user group object.
3. Create VPN Community.
4. Configure rules for VPN access in the Firewall Rule Base.
5. Install policy.
IPv6 Support and Limitations
This release includes limited IPv6 support for IPsec VPN communities:
- IPv6 is supported for Site to Site VPN only (Main IP to Main IP). The Main IP address for both Security Gateways must be defined as an IPv6 address. You can define other IP addresses that are IPv4 or IPv6.
- IPv6 supports IKEv2 encryption only. IKEv2 is automatically always used for IPv6 traffic. The encryption method configuration applies to IPv4 traffic only.
- VPN tunneling only supports IPv4 inside an IPv4 tunnel, and IPv6 inside an IPv6 tunnel. IPv4 traffic inside an IPv6 tunnel is not supported.
These VPN features are not supported for IPv6:
- VSX
- Remote Access VPN
- CRL fetch for the Internal Certificate Authority
- Multiple Entry Points (MEP)
- Route-based VPN (VTI)
- Wire Mode VPN
- Gateways with a dynamic IP address
- Route Injection Mechanism (RIM)
- Traditional mode Firewall Policies
- IKE Denial of Service protection
- IKE Aggressive Mode
- Traditional Mode VPN
- Migration from Traditional mode to Simplified mode
- Tunnel Management (permanent tunnels)
- Directional VPN Enforcement
- Link Selection
- GRE Tunnels
- Tunnel View in SmartView Monitor
- VPN Overview page
- vpn_route.conf configuration file
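As an added example (not Check Point code), the check below turns the IPv6 limitations above into a pre-deployment lint for a proposed VPN: it derives the IKE version the gateways will actually use from the Main IP address family, rejects mixed inner/outer address families, and flags any requested feature that this page lists as unsupported over IPv6. The feature identifiers and the gateway addresses are constructed for the example; the rules encode only what this page states.

```python
"""Added example (not Check Point code): lint a proposed VPN against the IPv6
limitations listed on this page.  Feature identifiers are constructed names."""
from ipaddress import ip_address

# Constructed identifiers for the features this page lists as unsupported for IPv6.
IPV6_UNSUPPORTED = {
    "vsx", "remote_access", "ica_crl_fetch", "mep", "route_based_vti",
    "wire_mode", "dynamic_ip_gateway", "rim", "traditional_mode_policy",
    "ike_dos_protection", "ike_aggressive_mode", "traditional_mode_vpn",
    "traditional_to_simplified_migration", "permanent_tunnels",
    "directional_vpn", "link_selection", "gre", "tunnel_view",
    "vpn_overview_page", "vpn_route_conf",
}


def ike_version(main_ip_a, main_ip_b, configured="IKEv1"):
    """IPv6 Main IPs always negotiate with IKEv2; the configured encryption
    method (IKEv1 or IKEv2) only applies when both Main IPs are IPv4."""
    families = {ip_address(main_ip_a).version, ip_address(main_ip_b).version}
    if families == {6}:
        return "IKEv2"
    if families == {4}:
        return configured
    raise ValueError("Main IPs of both gateways must be in the same address family")


def check_vpn(kind, main_ip_a, main_ip_b, inner_family, features=()):
    """Return the list of violations for a proposed VPN (empty list means the
    page states no objection).  kind: 'site_to_site' or 'remote_access';
    inner_family: IP version (4 or 6) of the traffic carried inside the tunnel."""
    fam_a = ip_address(main_ip_a).version
    fam_b = ip_address(main_ip_b).version
    if fam_a != fam_b:
        return ["Main IP address families differ (Main IP to Main IP must match)"]
    outer = fam_a
    problems = []
    # Only IPv4-in-IPv4 and IPv6-in-IPv6 are supported.
    if inner_family != outer:
        problems.append(f"IPv{inner_family} inside an IPv{outer} tunnel is not supported")
    if outer == 6:
        # IPv6 is Site to Site only, and the listed features are unavailable.
        if kind != "site_to_site":
            problems.append("only Site to Site VPN is supported over IPv6")
        for feature in sorted(set(features) & IPV6_UNSUPPORTED):
            problems.append(f"{feature} is not supported for IPv6")
    return problems


if __name__ == "__main__":
    print(ike_version("2001:db8::1", "2001:db8::2", configured="IKEv1"))  # IKEv2
    print(check_vpn("site_to_site", "2001:db8::1", "2001:db8::2", 6,
                    features=["route_based_vti", "link_selection"]))
```

Run it against each planned IPv6 community before building it in SmartDashboard: an IPv6 design that relies on VTIs, Link Selection or MEP must be reworked as a domain-based, single-entry-point tunnel, and the configured IKEv1 setting will be ignored for those peers.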
SmartDashboard Toolbar
You can use the SmartDashboard toolbar to do these actions (one toolbar icon per action):
- Open the SmartDashboard menu. When instructed to select menu options, click this button to show the menu. For example, if you are instructed to select Manage > Users and Administrators, click this button to open the Manage menu and then select the Users and Administrators option.
- Save current policy and all system objects.
- Open a policy package, which is a collection of Policies saved together with the same name.
- Refresh policy from the Security Management Server.
- Open the Database Revision Control window.
- Change global properties.
- Verify Rule Base consistency.
- Install the policy on Security Gateways or VSX Gateways.
- Open SmartConsole.
© 2016 Check Point Software Technologies Ltd. All rights reserved.
Source: https://sc1.checkpoint.com/documents/R77/CP_R77_VPN_AdminGuide/13868.htm (printed 07/06/2016)