Checkpoint – Creating a basic Route Based VPN between 2 Check Point Firewalls


Within this example we will build a Route Based VPN between 2 SPLAT R65 NGX Check Point Firewalls. Static Routes will be used to direct the traffic via the VPN Tunnel Interfaces.

In this example both Firewalls are managed by the same manager. The gateways are :

  • Site A – External 192.168.1.1 Inside 10.1.1.1
  • Site B – External 192.168.2.1 Inside 10.1.2.1

In order to build a route based VPN we need to create VPN Tunnel Interfaces. A VPN Tunnel Interface is a virtual interface on a VPN-1 module which is associated with an existing VPN tunnel, and is used by IP routing as a point to point interface directly connected to a VPN peer gateway.

Virtual Tunnel Interfaces (VTI’s)

VTIs can be created only on SPLAT and IPSO (3.9 or above), though you can only create numbered VTIs within SPLAT. A numbered tunnel interface has a unique IP address assigned to it, while an unnumbered tunnel interface does not.
In order to create VTIs you will need to ensure you are running SPLAT Pro and that the Dynamic Routing feature is enabled. You will also need the necessary license for this feature.

Steps

Create Object

  1. Create a Group Object called Empty containing no objects within SmartDashboard

Site A

  1. Create the VTI by running the command on Site A’s CLI :
    vpn shell i a n 22.22.22.1 22.22.22.2 SiteB
  2. Within the Gateway Object under Topology add your Object named Empty as your VPN Domain.
  3. Within the Gateway Object under Topology use the “Get” icon to retrieve your new VPN Tunnel Interface (VTI).

Site B

  1. Create the VTI by running the command on Site B’s CLI :
    vpn shell i a n 22.22.22.2 22.22.22.1 SiteA
  2. Within the Gateway Object under Topology add your Object named Empty as your VPN Domain.
  3. Within the Gateway Object under Topology use the “Get” icon to retrieve your new VPN Tunnel Interface (VTI).

General

  1. Create a new Meshed Site-2-Site Community within the VPN Community Tab.
  2. Under General select Accept All Encrypted Traffic
  3. Under Participating Gateways add both Site A and Site B.
  4. Push the Policy to both gateways.

Add Static Routes

  1. On Site A add the following commands via the CLI :
    route add -net 10.1.1.0 netmask 255.255.255.0 dev vt-SiteB ; route --save
  2. On Site B add the following commands via the CLI :
    route add -net 10.1.2.0 netmask 255.255.255.0 dev vt-SiteA ; route --save
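The CLI steps above are mirror images of each other, and a mismatch between the two ends (a swapped local/remote tunnel IP, a tunnel pair that is not in the same /30, or a route that sends a site's own inside network into the tunnel) is the usual reason a freshly built VTI carries no traffic. The script below is an added example, not part of the original post or any Check Point tool: it holds both site definitions in one place, checks that the two ends agree, and only then prints the `vpn shell` and `route add` commands for each gateway. It assumes each gateway routes the peer's inside network over the VTI named after that peer, and the tunnel and inside addresses are the post's example values. It prints commands for an operator to review; it does not run anything on the firewall.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the per-site VTI and
# static-route commands for a numbered-VTI tunnel and checks both ends agree
# before anything is typed into a gateway.

# Site definitions taken from the post's example topology (constructed here).
A_NAME=SiteA; A_TUNNEL=22.22.22.1; A_INSIDE=10.1.1.0; A_MASK=255.255.255.0
B_NAME=SiteB; B_TUNNEL=22.22.22.2; B_INSIDE=10.1.2.0; B_MASK=255.255.255.0

# Print the two commands one gateway needs: create the numbered VTI toward the
# peer, then route the peer's inside network over the vt-<peer> interface.
# usage: site_commands <local tunnel ip> <remote tunnel ip> <peer name> <peer inside net> <peer mask>
site_commands() {
    printf 'vpn shell i a n %s %s %s\n' "$1" "$2" "$3"
    printf 'route add -net %s netmask %s dev vt-%s ; route --save\n' "$4" "$5" "$3"
}

# Sanity-check one tunnel: the two tunnel IPs must differ, sit in the same /30,
# and the two sites must not claim the same inside network (which would mean
# one side is routing its own subnet into the tunnel). Returns 0 when consistent.
# usage: tunnel_pair_ok <A tunnel ip> <B tunnel ip> <A inside net> <B inside net>
tunnel_pair_ok() {
    a=$1; b=$2
    [ "$a" != "$b" ] || return 1                                   # distinct ends
    [ "${a%.*}" = "${b%.*}" ] || return 1                          # same first three octets
    [ $(( ${a##*.} / 4 )) -eq $(( ${b##*.} / 4 )) ] || return 1    # same /30 block
    [ "$3" != "$4" ] || return 1                                   # distinct inside networks
    return 0
}

# Print both sides of the tunnel, or fail loudly when the definition is inconsistent.
print_both_sites() {
    tunnel_pair_ok "$A_TUNNEL" "$B_TUNNEL" "$A_INSIDE" "$B_INSIDE" || return 1
    echo "# --- run on $A_NAME ---"
    site_commands "$A_TUNNEL" "$B_TUNNEL" "$B_NAME" "$B_INSIDE" "$B_MASK"
    echo "# --- run on $B_NAME ---"
    site_commands "$B_TUNNEL" "$A_TUNNEL" "$A_NAME" "$A_INSIDE" "$A_MASK"
}

if ! print_both_sites; then
    echo "tunnel definition is inconsistent; fix it before touching the gateways" >&2
fi
```

Because each gateway's route points at the peer's inside network, traffic from Site A destined for Site B's LAN is what enters vt-SiteB; change the two site lines at the top and re-run to get a consistent command set for another pair.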

Additional Notes :

Below shows you the syntax used to create the VTIs :

[Expert@fw]# vpn shell i a n
Usage: /interface/add/numbered <LocalIP> <RemoteIP> <PeerName> [IfName]
LocalIP  - The local IP of the tunnel
RemoteIP - The remote IP of the tunnel
PeerName - The peer to attach to this interface
IfName   - The name of the interface to be used

Additional Resources :

For further information on Route Based Check Point VPNs along with how to create a Route Based VPN between a Cisco device and Check Point device please see here

This entry was posted in CheckPoint. Bookmark the permalink.
