
Configuring Site-to-Site VPNs between Embedded NGX Gateways

This document describes how to configure Site-to-Site Virtual Private Networks (VPNs) between Check Point Embedded NGX gateways. Note: This document is relevant for Embedded NGX 7.0. It is recommended to use the latest Embedded NGX firmware.

Note: The Embedded NGX screens that appear in this document relate to Safe@Office gateways.

Overview
A Site-to-Site VPN consists of two or more Site-to-Site VPN gateways that communicate with each other in a bidirectional relationship. Such VPNs are designed to handle secure communications between a company's internal departments and its branch offices.

How Do Site-to-Site VPNs Work?


The following figure describes a typical Site-to-Site VPN, when hosts on Sites A and B are installed with Embedded NGX UTM appliances:

Figure 1: Typical Site-to-Site VPN

The Site-to-Site VPN works as follows:

1. The Site A and Site B security administrators each configure their Embedded NGX UTM appliance as a VPN gateway that will communicate with the other VPN gateway's IP address and authenticate using either a preshared secret or certificates.

2. The Site A VPN gateway initiates a connection to the Site B VPN gateway, authenticates, and sends a topology download request.

3. The Site B VPN gateway acts as a topology server and sends the Site B VPN topology information to the Site A VPN gateway. The topology information consists of the Site B VPN gateway's IP address and the networks behind it. You can view the VPN topology information on the gateway by browsing to http://my.firewall/vpntopo.html.

4. When a host on Site A generates "interesting" packets (packets destined for a network in the Site B topology), the Site A VPN gateway intercepts the packets, encrypts them, and routes them to the Site B VPN gateway.

Note: If the "Route All Traffic" topology is selected, the topology that Site A holds for the Site B VPN site is automatically set to 0.0.0.0 (meaning all destination networks). As a result, all packets leaving Site A through the VPN gateway are encrypted and routed over the VPN tunnel to the Site B VPN gateway.

5. The Site B VPN gateway decrypts the packets.

6. The Site B VPN gateway delivers the decrypted packets to the destination host on Site B. The packets appear to have been sent directly from the original host on Site A.

Site-to-Site VPN Considerations


Before configuring encryption between branch offices, a security administrator must answer the following questions:

Which VPN gateways will encrypt data, and what are the VPN topologies?

A VPN gateway performs encryption on behalf of its VPN topology, also called its encryption domain: it encrypts all data packets originating from within its encryption domain and sent to networks outside of it. Within the encryption domain, data packets are not encrypted. The security administrator must plan the encryption relationship between network entities, that is, decide which gateways should encrypt data to each other and for which networks, and then ensure that each gateway is configured with its own VPN topology as well as the topology of the other VPN sites.

Note: The Embedded NGX VPN gateway can automatically download the remote VPN site topology when negotiating with other Check Point Embedded NGX gateways. If desired, advanced users can manually configure which remote networks should be included in the VPN topology, according to their business security policy.

What are the encryption keys?

A VPN connection is encrypted using IPSec. To establish an IPSec VPN tunnel, the VPN peers authenticate each other and negotiate encryption keys during the IKE key exchange. The IKE parameters must match on both VPN peers.

Note: The Embedded NGX VPN gateway can automatically negotiate the encryption keys. Between Embedded NGX-based VPN gateways, the following settings are used by default:

AES-256 encryption
SHA-1 integrity
Diffie-Hellman group 2
PFS disabled
Phase-1 lifetime 1440 minutes, Phase-2 lifetime 600 seconds

Of these defaults, SHA-1 integrity, Diffie-Hellman group 2 (1024-bit MODP) and disabled PFS are weak by current standards. Without PFS, the Phase-2 keys are derived from the Phase-1 exchange, so an attacker who recovers the Phase-1 secret can recover the keys of every tunnel negotiated under it. Where both peers support it, prefer a stronger Diffie-Hellman group and enable PFS.

Advanced users can also manually modify the IKE settings according to their business security policy. Manual configuration is also the best option when configuring IPSec VPNs to non-Check Point-based products.

Which connections will be encrypted, and how? The Embedded NGX UTM appliance can connect with several other gateways over secured VPN connections, and each such connection can use different encryption parameters. The security administrator must therefore decide which connections to encrypt and which encryption parameters to use. For example, it is possible to use pre-shared secrets or certificates for authentication, and it is possible to use automatic VPN topology download. The Embedded NGX UTM appliance is interoperable with other IKE and IPSec implementations; however, automatic VPN topology download can be used between Check Point products only.
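The gateway-side decision described in How Do Site-to-Site VPNs Work? (steps 3 and 4, including the Route All Traffic case) and in the encryption-domain paragraph above, as an added Python example. This is illustrative code written for this page, not Check Point's implementation; the site names, gateway addresses and networks are constructed, and the longest-prefix selection between overlapping remote topologies is an assumption of the example, not something this document states.

```python
# Added example (not Check Point code): how a Site-to-Site VPN gateway decides
# whether a packet is "interesting" and which peer tunnel should carry it.
# Site names, gateway addresses and networks below are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class VpnSite:
    """A remote VPN site as stored after topology download."""
    name: str
    gateway: IPv4Address             # the peer gateway's public address
    networks: List[IPv4Network]      # networks behind the peer (its encryption domain)


@dataclass
class Gateway:
    """Our own gateway: its encryption domain plus the configured VPN sites."""
    local_domain: List[IPv4Network]
    sites: List[VpnSite]


ROUTE_ALL = ip_network("0.0.0.0/0")   # the "Route All Traffic" topology


def select_tunnel(gw: Gateway, src: str, dst: str) -> Optional[VpnSite]:
    """Return the site whose tunnel must carry src->dst, or None for cleartext.

    None means the gateway does not encrypt: either the packet did not
    originate in our encryption domain, or its destination is also inside it.
    """
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    if not any(src_ip in net for net in gw.local_domain):
        return None                   # not ours to encrypt
    if any(dst_ip in net for net in gw.local_domain):
        return None                   # stays inside the encryption domain: cleartext
    # Longest-prefix match over all remote topologies (an assumption of this
    # example): a specific branch network beats a Route-All (0.0.0.0/0) site.
    best: Optional[VpnSite] = None
    best_len = -1
    for site in gw.sites:
        for net in site.networks:
            if dst_ip in net and net.prefixlen > best_len:
                best, best_len = site, net.prefixlen
    return best


def topology_table(gw: Gateway) -> List[Tuple[str, str, str]]:
    """Flatten the downloaded topologies into (site, gateway, network) rows,
    the same information the vpntopo.html page lists per site."""
    return [(s.name, str(s.gateway), str(n)) for s in gw.sites for n in s.networks]


# Constructed example: Site A (10.1.0.0/16) has a branch-office site B and a
# hub site that was added with "Route All Traffic".
SITE_B = VpnSite("SiteB", ip_address("203.0.113.2"), [ip_network("10.2.0.0/16")])
HUB = VpnSite("Hub", ip_address("198.51.100.1"), [ROUTE_ALL])
GATEWAY_A = Gateway([ip_network("10.1.0.0/16")], [SITE_B, HUB])


if __name__ == "__main__":
    flows = [
        ("10.1.0.5", "10.2.0.9"),      # branch traffic -> SiteB tunnel
        ("10.1.0.5", "192.0.2.80"),    # anything else -> Hub (Route All)
        ("10.1.0.5", "10.1.0.7"),      # intra-site -> cleartext
        ("192.168.9.9", "10.2.0.9"),   # not from our domain -> cleartext
    ]
    for src, dst in flows:
        site = select_tunnel(GATEWAY_A, src, dst)
        print(f"{src} -> {dst}: {'cleartext' if site is None else site.name}")
    for row in topology_table(GATEWAY_A):
        print(row)
```

Running the module prints the decision for each constructed flow and a topology table shaped like the one vpntopo.html shows. The two early returns in select_tunnel are the encryption-domain rule from the paragraph above: traffic that does not originate in the local domain, or that stays inside it, is never encrypted, whatever the remote topologies say.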

Workflow
To configure a Site-to-Site VPN

1. Add a topology download user and give the user's authentication details to the other gateway's administrator. See Adding a Topology Download User. Likewise, you will receive user authentication details from the other gateway's administrator.

2. Add the other Embedded NGX gateway as a Site-to-Site VPN site. See Adding a Site-to-Site VPN Site. Likewise, the other gateway's administrator will add your Embedded NGX gateway as a Site-to-Site VPN site.

3. Test the connection to the other gateway's VPN site. See Testing the Configuration. Likewise, the other gateway's administrator will test the connection to your VPN site.

Adding a Topology Download User


A topology download user has the same attributes as a remote access VPN user. Because it is granted the VPN Remote Access permission (step 6 below), its username and password are a credential for your gateway, not merely a label for the topology exchange: use the full password length the wizard allows, and hand the details to the other gateway's administrator over a trusted channel.
To add a topology download user

1. Click Users in the main menu, and click the Internal Users tab. The Internal Users page appears.

2. Click New User. The Account Wizard opens displaying the Set User Details dialog box.

3. In the Username field, type a username.

4. In the Password and Confirm password fields, type a password. Use five to 25 characters (letters or numbers) for the new password.

5. Click Next. The Set User Permissions dialog box appears. The options that appear on the page depend on the software and services you are using.

6. Select the VPN Remote Access check box.

7. Click Finish. The new user is saved.

Adding a Site-to-Site VPN Site


Note: The following procedure explains how to add a Site-to-Site VPN site, where the topology is downloaded automatically, and shared secret authentication is used. For information on additional configurations, refer to the Check Point Safe@Office User Guide.
To add a Site-to-Site VPN site

1. Click VPN in the main menu, and click the VPN Sites tab. The VPN Sites page appears with a list of VPN sites.

2. Click New Site. The VPN Site Wizard opens, with the Welcome to the VPN Site Wizard dialog box displayed.

3. Click Site-to-Site VPN.

4. Click Next. The VPN Gateway Address dialog box appears.

5. In the Gateway Address field, type the IP address of the other Embedded NGX gateway.

6. Click Next. The VPN Network Configuration dialog box appears.

7. Click Download Configuration. This option automatically configures your VPN settings by downloading the network topology definition from the remote VPN gateway.

8. Click Next. The Authentication Method dialog box appears.

9. Click Shared Secret.

10. Click Next. The Authentication dialog box appears.

11. In the Topology User field, type the username of the topology download user that you added in the previous task.

12. In the Topology Password field, type the password of the topology download user that you added in the previous task.

13. In the Use Shared Secret field, type the shared secret used for secure communications with the VPN site.

14. Click Next. The Security Methods dialog box appears.

15. Complete the fields as desired. For information, refer to the User Guide.

16. Click Next. The Connect dialog box appears.

17. To test the VPN connection, select the Try to Connect to the VPN Gateway check box.

18. Click Next. If you selected the check box, the Connecting screen appears, and then the Contacting VPN Site screen appears. The Site Name dialog box appears.

19. Type a name for the other gateway's VPN site.

20. Click Next. The VPN Site Created screen appears.

21. Click Finish. The VPN Sites page reappears. The new site appears in the VPN Sites list.

Testing the Configuration


To test the configuration

1. Ping the IP address of a computer behind the other VPN site. The computer must be inside one of the networks listed in that site's topology, since only traffic to those networks is sent through the tunnel.

2. Browse to http://my.firewall/vpntopo.html and view the VPN topology information table.

3. In the Embedded NGX Portal, click Reports in the main menu, and click the VPN Tunnels tab to see the VPN tunnels graphically displayed.

4. Click the Event Log tab, and locate logs indicating that the VPN tunnel was established.
