This document describes how to configure Site-to-Site Virtual Private Networks (VPNs) between Check Point Embedded NGX gateways. Note: This document is relevant for Embedded NGX 7.0. It is recommended to use the latest Embedded NGX firmware.
Note: The Embedded NGX screens that appear in this document relate to Safe@Office gateways.
Overview
A Site-to-Site VPN consists of two or more Site-to-Site VPN gateways that can communicate with each other in a bidirectional relationship. They are designed to handle secure communications between a company's internal departments and its branch offices.
Figure 1: Typical Site-to-Site VPN

The Site-to-Site VPN works as follows:

1. The Site A and Site B security administrators each configure their Embedded NGX UTM appliance as a VPN gateway that will communicate with the other VPN gateway's IP address and authenticate using either a pre-shared secret or certificates.
2. The Site A VPN gateway initiates a connection to the Site B VPN gateway, authenticates, and initiates a download topology request.
3. The Site B VPN Server acts as a topology server and sends the Site B VPN topology information to the Site A VPN gateway. The topology information consists of the Site B VPN gateway's IP address and the networks behind it. It is possible to view the VPN topology information on the gateway side by surfing to: http://my.firewall/vpntopo.html.
4. When a host on Site A generates "interesting" packets (packets destined for a network in the downloaded topology), the Site A VPN gateway intercepts the packets, encrypts them, and routes them to the Site B VPN gateway.

Note: If a "Route All Traffic" topology is selected, then the Site A VPN topology is automatically set to 0.0.0.0 (meaning, all destination networks). As a result, all packets going through the VPN Client will be encrypted and routed over the VPN tunnel to the Site B VPN gateway.

5. The Site B VPN Server decrypts the packets.
6. The Site B VPN Server delivers the decrypted packets to the destination host on Site B. The packets appear to have been sent directly from the original host on Site A.
Advanced users can also manually modify the IKE settings according to their business security policy. Manual configuration is also the best option when configuring IPSec VPNs to non-Check Point-based products.
Which connection will be encrypted and how?

The Embedded NGX UTM appliance can connect with several other gateways over a secured VPN connection, and each such connection can use different encryption parameters. The security administrator must therefore decide which connections to encrypt and which encryption parameters to use. For example, it is possible to use pre-shared secrets or certificates for authentication, and it is possible to use automatic VPN topology download. The Embedded NGX UTM appliance is interoperable with other IKE and IPSec software implementations; however, the automatic VPN topology download can be used between Check Point products only.
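The following is an added illustration, not Check Point code: it models the per-packet decision described in steps 4 to 6 above and in the paragraph on per-site encryption parameters. A destination is "interesting" only if it falls inside some VPN site's downloaded topology; when several sites match, the most specific network wins, and a "Route All Traffic" site (topology 0.0.0.0/0) catches everything else. Site names, gateway addresses and networks are constructed sample values.

```python
# Added example (not Check Point code): model of how a Site-to-Site VPN gateway
# decides whether an outbound packet is "interesting" and which site's tunnel
# (hence which authentication/encryption parameters) it should use.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional

@dataclass
class VpnSite:
    name: str                      # site name chosen in the VPN Site Wizard
    gateway: str                   # remote gateway IP (Gateway Address field)
    topology: list = field(default_factory=list)  # networks behind the remote gateway
    auth: str = "shared-secret"    # or "certificate"; parameters may differ per site

    def covers(self, dst) -> Optional[IPv4Network]:
        # Most specific topology network containing dst, or None.
        hits = [n for n in self.topology if dst in n]
        return max(hits, key=lambda n: n.prefixlen) if hits else None

def route_all_traffic_site(name, gateway, **kw):
    # "Route All Traffic": topology is 0.0.0.0/0, so every destination matches.
    return VpnSite(name, gateway, [ip_network("0.0.0.0/0")], **kw)

def select_tunnel(sites, dst_ip):
    """Return (site, network) with the longest matching prefix for dst_ip,
    or None when the packet is not "interesting" and leaves in the clear."""
    dst = ip_address(dst_ip)
    best = None
    for site in sites:
        net = site.covers(dst)
        if net is not None and (best is None or net.prefixlen > best[1].prefixlen):
            best = (site, net)
    return best

def describe(sites, dst_ip):
    choice = select_tunnel(sites, dst_ip)
    if choice is None:
        return f"{dst_ip}: not in any VPN topology, sent in the clear"
    site, net = choice
    return f"{dst_ip}: encrypt ({site.auth}) and route to {site.gateway} for {net}"

# Constructed sample configuration: two peers with downloaded topologies.
SITES = [
    VpnSite("SiteB", "203.0.113.10", [ip_network("10.20.0.0/16")]),
    VpnSite("SiteC", "198.51.100.7", [ip_network("10.30.0.0/24")], auth="certificate"),
]

if __name__ == "__main__":
    for ip in ("10.20.5.9", "10.30.0.4", "192.0.2.1"):
        print(describe(SITES, ip))
    # With a Route All Traffic site added, 192.0.2.1 is tunnelled as well.
    print(describe(SITES + [route_all_traffic_site("HQ", "192.0.2.200")], "192.0.2.1"))
```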
Workflow
To configure a Site-to-Site VPN
1. Add a topology download user and give the user's authentication details to the other gateway's administrator. See Adding a Topology Download User. Likewise, you will receive user authentication details from the other gateway's administrator.
2. Add the other Embedded NGX gateway as a Site-to-Site VPN site. See Adding a Site-to-Site VPN Site. Likewise, the other gateway's administrator will add your Embedded NGX gateway as a Site-to-Site VPN site.
3. Test the connection to the other gateway's VPN site. See Testing the Configuration. Likewise, the other gateway's administrator will test the connection to your VPN site.
Adding a Topology Download User

1. Click Users in the main menu, and click the Internal Users tab. The Internal Users page appears.
2. Click New User. The Account Wizard opens, displaying the Set User Details dialog box.
3. In the Username field, type a username.
4. In the Password and Confirm password fields, type a password. Use five to 25 characters (letters or numbers) for the new password.
5. Click Next. The Set User Permissions dialog box appears. The options that appear on the page are dependent on the software and services you are using.
6. Select the VPN Remote Access check box.
7. Click Finish. The new user is saved.
Adding a Site-to-Site VPN Site

1. Click VPN in the main menu, and click the VPN Sites tab. The VPN Sites page appears with a list of VPN sites.
2. Click New Site. The VPN Site Wizard opens, with the Welcome to the VPN Site Wizard dialog box displayed.
5. In the Gateway Address field, type the IP address of the other Embedded NGX gateway.
6. Click Next. The VPN Network Configuration dialog box appears.
7. Click Download Configuration. This option automatically configures your VPN settings by downloading the network topology definition from the remote VPN gateway.
8. Click Next.
9. Click Shared Secret.
10. Click Next. The Authentication dialog box appears.
11. In the Topology User field, type the username of the topology download user that you added in the previous task.
12. In the Topology Password field, type the password of the topology download user that you added in the previous task.
13. In the Use Shared Secret field, type the shared secret used for secure communications with the VPN site.
15. Complete the fields as desired. For information, refer to the User Guide.
16. Click Next. The Connect dialog box appears.
17. To test the VPN connection, select the Try to Connect to the VPN Gateway check box.
18. Click Next. If you selected the check box, the Connecting screen appears, and then the Contacting VPN Site screen appears.
19. Type a name for the other gateway's VPN site.
20. Click Next. The VPN Site Created screen appears.
21. Click Finish. The VPN Sites page reappears. The new site appears in the VPN Sites list.
Testing the Configuration

1. Ping the IP address of a computer behind the other VPN site.
2. Surf to http://my.firewall/vpntopo.html and view the VPN topology information table.
3. In the Embedded NGX Portal, click Reports in the main menu, and click the VPN Tunnels tab to see the VPN tunnels graphically displayed.
4. Click the Event Log tab, and locate logs indicating that the VPN tunnel was established.