Configuring IPSec VPN in Checkpoint

Configuring IPSec VPN in CheckPoint enhances secure communication between networks. This process involves several steps, including enabling IPSec on firewalls and creating VPN community objects.

This article explains the process of IPSec configuration on Check Point with example images to guide users through each step. Mastering these configurations ensures robust security for data transmission across your network.

As a part of our Checkpoint certification training this article is based on learning practical skills by showing the tutorial and steps of IPSec VPN configuration in CheckPoint.

Task

● Overview of site-to-site VPN

● Configure new security gateway with hostname of Branch-firewall and give an IP address of 172.11.5.1 and set an IP address of eth 1 interface is 172.11.6.1 and integration  with SM

● Create vpn tunnel for both firewalls with secret key authentication and use vpn communities as star type and peer IP would be for dc-SG is 172.11.2.1 and for Branch_SG is 172.11.6.1 and interesting traffic would be the same

Explanation

IPsec VPN software blade is used for encrypt and decrypt traffic to and from external networks and clients use smart Dashboard to easily configure VPN connections between security gateways and remote devices the VPN tunnel guarantees

1. Authentication: Uses standard authentication methods like pre-shared and certificate-based

2. Privacy: all VPN data is encrypted

3. Integrity: uses industry-standard integrity assurance methods

Train for Checkpoint CCSA CertificationWe will send the de32best deals and offers to your email.send the best deals and offers to your email.Explore course

IKE and IPsec

Checkpoint VPN solution uses these secure VPN protocols to manage encryption keys and send encrypted packets IKE (Internet Key Exchange) is a standard key management protocol that is used to create the VPN tunnels IPSec  is a protocol that supports secure IP communication that is authenticated and encrypted on private or public networks

Site to Site VPN:

The basis of site to site VPN  is the encrypted  VPN tunnel. Two security gateways negotiate a link and create a VPN tunnel and each tunnel can contain more than one VPN connection One security gateways can maintain more than one VPN tunnel at the same time.

VPN Communities:  A VPNdomain is a collection ofinternal networks that use security Gateways to send and receive Its a collection of VPN tunnels and their attributes  Network resources of different VPN Domains can securely communicate with each other through VPN tunnels that terminate at the security gateways in the VPN communities vpn communities are based on star and mesh topology. in mesh community,  there are VPN tunnels b/w each pair of security gateways

Routing VPN traffic: configure the security gateways to route VPN traffic based on VPN domains or based on the routing settings of the operating system

For each VPN gateway. you must configure an existing gateway as a default gateway

Domain-based VPN: The  VPN traffic is routed according to the VPN domain-based routing to let satellite security gateways send VPN traffic to each other the center security gateway creates VPN tunnels to each satellite and the traffic is routed to the correct VPN domain

Routed-based VPN:  VPN traffic is routed according to the routing setting (static or dynamic) of the security gateway operating system the security gateway uses a VTI (VPN Tunnel Interface) to second the VPN traffic as if it were a physical interface the VTI of Security gateways in a VPN community connect and can support dynamic routing protocols

Configuration

Now we have to take the GUI of SG from the management interface ip-address with username-admin and uninets@123 and open  any browser and type https://172.11.5.1 and put the credential

and click on login

and we have to click on next

and we will choose the first option and click on the next

here if we want to change  IP-address of the interface and we can also provide the default -gateway and click to the next

Here we can change the hostname and give domain-name and primary DNS and secondary DNS all details are optional so we not configuring it now we will configure it according to need here we to configure the time zone and time for a device we have two methods one is manual and another is through NTP but here we don’t have any NTP server so we selected manual method and click on next

Here we are configuring our IOS working we have two options one is to act as a security gateway or security management and one is a multi-domain server its use for managing multiple security management but we have one security management we will choose first and click on next

So here we  are operating devices in distributed mode (As we discussed earlier ) so we will select Security-Gateway and click on the next

Here it's asking for ip-gateway assignment to firewall from DHCP but already gives manual so selected NO

here giving the password for the SIC Process so SM can authenticate SG

click on Finish  IF configured properly then its our final view

Now we to set ip  address on interface eth1 so log into Branch_SG  and enter login credential, username- admin password-uninets@123

BRANCH-SG>

BRANCH-SG> set interface eth1 ipv4-address 172.11.6.1 subnet-mask255.255.255.0

BRANCH-SG> set interface eth1 state on

BRANCH-SG> show interface eth1

state on

mac-addr 50:13:00:04:00:01

type ethernet

link-state link up

mtu 1500

ipv4-address 172.11.6.1/24

here  we can see that we gave ip address to interface eth1 and now we have login into smart dashboard  and add new security gateway like we added before

here we are going to add new security gateway on security manager

no click on click mode

here we need to mention firewall name and their ip address and click on communication tab put sic process password and initialized it  then click on ok  here we can see that Branch- SG has been added on Sm

Now we have to enable VPN blades on both firewalls

So check mark on IPSec VPN blade then click on ok enable on next  firewall

Now we enabled ipsec blade on DC-SG Now we have to define vpn communities to define VPN peers and other VPN attributes then click on vpn communities and select site to site VPN

Click on new site to site and select topology type meshed because we have just two firewalls

give to any name we gave S2S then click on participating gateways tab

click on add

Click on ok here adding both firewall  then click on encryption tab

We choose default but we want use customize configuration then select custom then select methods from there then click on then click on advance setting  tab

Here we don't need to change anything then click on ok

Here we can see that S2S communities has been created Now we have to define rule base for vpn so click on policy tab

We are not mention any source or destination now we have to add communities so click on VPN tab and click on edit cell

Here we select third option and click on add

Here we are choosing our created communities S2S click on ok

click on ok here also

we want track it so click on track and select log click on ok and save the policy then push the policy

we selected both security gateways to push policies so now click on ok

Verification :-

BRANCH-SG> ping 172.11.2.1

PING 172.11.2.1 (172.11.2.1) 56(84) bytes of data.

64 bytes from 172.11.2.1: icmp_seq=5 ttl=64 time=1.06 ms

64 bytes from 172.11.2.1: icmp_seq=6 ttl=64 time=0.924 ms

64 bytes from 172.11.2.1: icmp_seq=7 ttl=64 time=1.00ms

Now we have to verify through  smart view tracker

Here we can check tunnel has been created  here source is Branch-SG and destination is DC-SG and all traffic has been encrypted Now we can verify through  cmd so logon into Branch-SG

BRANCH-SG> expert

Enter expert password:

 Warning! All configuration should be done through clash You are in expert mode now.

[Expert@BRANCH-SG:0]# vpn tu

**********     Select Option     **********

(1)             List all IKE SAs

(2)             List all IPsec SAs

(3)             List all IKE SAs for a given peer (GW) or user (Client)

(4)             List all IPsec SAs for a given peer (GW) or user (Client)

(5)             Delete all IPsec SAs for a given peer (GW)

(6)             Delete all IPsec SAs for a given User (Client)

(7)             Delete all IPsec+IKE SAs for a given peer (GW)

(8)             Delete all IPsec+IKE SAs for a given User (Client)

(9)             Delete all IPsec SAs for ALL peers and users

(0)             Delete all IPsec+IKE SAs for ALL peers and users

(Q)             Quit

1

Peer  172.11.2.1 SAs:

1. IKE SA :

[Expert@BRANCH-SG:0]# vpn tu

**********     Select Option     **********

(1)             List all IKE SAs

(2)             List all IPsec SAs

(3)             List all IKE SAs for a given peer (GW) or user (Client)

(4)             List all IPsec SAs for a given peer (GW) or user (Client)

(5)             Delete all IPsec SAs for a given peer (GW)

(6)             Delete all IPsec SAs for a given User (Client)

(7)             Delete all IPsec+IKE SAs for a given peer (GW)

(8)             Delete all IPsec+IKE SAs for a given User (Client)

(9)             Delete all IPsec SAs for ALL peers and users

(0)             Delete all IPsec+IKE SAs for ALL peers and users

(Q)             Quit

Peer  172.11.2.1 SAs:

1. SPI’s related to IKE SA :

INBOUND:

1. 0x7e02c903

OUTBOUND:

1. 0x167c1afe

Same thing we can check on DC-SG so login into DC-SG and verify all SA for phase-1 and PHASE-2 SA (ipsec-sa)

Enter expert password:

Warning! All configuration should be done through clish

You are in expert mode now.

[Expert@firewall-Gateway:0]# vpn tu

**********     Select Option     **********

(1)             List all IKE SAs

(2)             List all IPsec SAs

(3)             List all IKE SAs for a given peer (GW) or user (Client)

(4)             List all IPsec SAs for a given peer (GW) or user (Client)

(5)             Delete all IPsec SAs for a given peer (GW)

(6)             Delete all IPsec SAs for a given User (Client)

(7)             Delete all IPsec+IKE SAs for a given peer (GW)

(8)             Delete all IPsec+IKE SAs for a given User (Client)

(9)             Delete all IPsec SAs for ALL peers and users

(0)             Delete all IPsec+IKE SAs for ALL peers and users

(Q)             Quit

*******************************************

1

Peer  172.11.5.1 SAs:

1. IKE SA :

Hit key to continue …

**********     Select Option     **********

(1)             List all IKE SAs

(2)             List all IPsec SAs

(3)             List all IKE SAs for a given peer (GW) or user (Client)

(4)             List all IPsec SAs for a given peer (GW) or user (Client)

(5)             Delete all IPsec SAs for a given peer (GW)

(6)             Delete all IPsec SAs for a given User (Client)

(7)             Delete all IPsec+IKE SAs for a given peer (GW)

(8)             Delete all IPsec+IKE SAs for a given User (Client)

(9)             Delete all IPsec SAs for ALL peers and users

(0)             Delete all IPsec+IKE SAs for ALL peers and users

(Q)             Quit

Peer  172.11.5.1 SAs:

1. SPI’s related to IKE SA :

INBOUND  1. 0x167c1afe

OUTBOUND:  1. 0x7e02c903

here we verify that Phase-1 and phase-2 has been created and data is encrypting and decrypting on both sides.

If you are interested in more such network security technologies check out our network security training courses.