Creating a basic Route Based VPN between 2 Check Point Firewalls

In this example we will build a Route Based VPN between two SPLAT R65 NGX Check Point firewalls. Static routes will be used to direct the traffic via the VPN Tunnel Interfaces.

In this example both firewalls are managed by the same management server. The gateways are :

  • Site A - External 192.168.1.1 Inside 10.1.1.1
  • Site B - External 192.168.2.1 Inside 10.1.2.1

In order to build a route based vpn we need to create VPN Tunnel Interfaces. A VPN Tunnel Interface is a virtual interface on a VPN-1 module, which is associated with an existing VPN tunnel, and is used by IP routing as a point to point interface directly connected to a VPN peer gateway.

Virtual Tunnel Interfaces (VTI's)

VTIs can be created only on SPLAT and IPSO (3.9 or above), and on SPLAT only numbered VTIs can be created. A numbered tunnel interface has a unique IP address assigned to it, while an unnumbered tunnel interface does not.
In order to create VTIs you will need to be running SPLAT Pro with the Dynamic Routing feature enabled. You will also need the necessary license for this feature.

Steps

Create Object

  1. Create a Group Object called Empty containing no objects within SmartDashboard. This will be used as the VPN Domain of both gateways, so that no domain-based encryption rule matches and the routing table alone decides which traffic enters the tunnel.

Site A

  1. Create the VTI by running the command on Site A's CLI :
    vpn shell i a n 22.22.22.1 22.22.22.2 SiteB
  2. Within the Gateway Object under Topology add your Object named Empty as your VPN Domain.
  3. Within the Gateway Object under Topology use the "Get" icon to retrieve your new VPN Tunnel Interface (VTI).

Site B

  1. Create the VTI by running the command on Site B's CLI :
    vpn shell i a n 22.22.22.2 22.22.22.1 SiteA
  2. Within the Gateway Object under Topology add your Object named Empty as your VPN Domain.
  3. Within the Gateway Object under Topology use the "Get" icon to retrieve your new VPN Tunnel Interface (VTI).

General

  1. Create a new Meshed Site-2-Site Community within the VPN Community Tab.
  2. Under General select "Accept All Encrypted Traffic".
  3. Under Participating Gateways add both Site A and Site B.
  4. Push the Policy to both gateways.

Add Static Routes

  1. On Site A add a route for Site B's inside network (10.1.2.0/24) out of the VTI that points at Site B, via the CLI :
    route add -net 10.1.2.0 netmask 255.255.255.0 dev vt-SiteB ; route --save
  2. On Site B add a route for Site A's inside network (10.1.1.0/24) out of the VTI that points at Site A, via the CLI :
    route add -net 10.1.1.0 netmask 255.255.255.0 dev vt-SiteA ; route --save

Each gateway routes the remote network, never its own, into the tunnel. The interface name vt-<PeerName> is the default when IfName is omitted from the vpn shell command, and "route --save" keeps the route across a reboot on SPLAT. Confirm the result with "netstat -rn" before testing traffic.
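The following is an added example and not part of the original article. It derives both gateways' CLI commands from a single description of the tunnel, so the two ends cannot drift apart (Site A's local VTI address must be Site B's remote address and vice versa, and each gateway routes the peer's LAN, not its own, out of the VTI), and it checks a routing table dump for the expected VTI route. The site names and addresses are the article's; the /24 masks and the sample "netstat -rn" output are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article). Builds the mirrored
# "vpn shell" and "route" commands for each side of the tunnel from one
# description of the pair, and checks a "netstat -rn" dump for the
# expected VTI route. /24 masks and the sample table are assumptions.

SITEA=SiteA; SITEA_VTI=22.22.22.1; SITEA_LAN=10.1.1.0
SITEB=SiteB; SITEB_VTI=22.22.22.2; SITEB_LAN=10.1.2.0
LAN_MASK=255.255.255.0     # assumption: both inside networks are /24

# vti_cmd PEER LOCAL_VTI REMOTE_VTI
# Leaving IfName off names the interface vt-<PEER>, which route_cmd relies on.
vti_cmd() {
    printf 'vpn shell i a n %s %s %s\n' "$2" "$3" "$1"
}

# route_cmd PEER REMOTE_LAN MASK
# Static route for the peer's LAN via the VTI named after that peer;
# "route --save" keeps it across a reboot on SecurePlatform.
route_cmd() {
    printf 'route add -net %s netmask %s dev vt-%s ; route --save\n' "$2" "$3" "$1"
}

# gateway_cmds PEER LOCAL_VTI REMOTE_VTI REMOTE_LAN
# Everything typed on one gateway's CLI (the SmartDashboard steps in
# between are still done by hand).
gateway_cmds() {
    vti_cmd "$1" "$2" "$3"
    route_cmd "$1" "$4" "$LAN_MASK"
}

# route_via_vti TABLE NET IFACE
# Succeeds if a "netstat -rn" dump routes NET out of IFACE. Run it after
# "route --save" to confirm the remote LAN leaves via the VTI and the
# local LAN does not.
route_via_vti() {
    printf '%s\n' "$1" | awk -v net="$2" -v ifc="$3" \
        '$1 == net && $NF == ifc { found = 1 } END { exit !found }'
}

# Constructed "netstat -rn" output from Site A after the routes are added.
SITEA_TABLE=$(cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.1.2.0        0.0.0.0         255.255.255.0   U         0 0          0 vt-SiteB
22.22.22.2      0.0.0.0         255.255.255.255 UH        0 0          0 vt-SiteB
10.1.1.0        0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 eth0
EOF
)

echo "# Site A (peer $SITEB, routes $SITEB_LAN via vt-$SITEB)"
gateway_cmds "$SITEB" "$SITEA_VTI" "$SITEB_VTI" "$SITEB_LAN"
echo "# Site B (peer $SITEA, routes $SITEA_LAN via vt-$SITEA)"
gateway_cmds "$SITEA" "$SITEB_VTI" "$SITEA_VTI" "$SITEA_LAN"

if route_via_vti "$SITEA_TABLE" "$SITEB_LAN" "vt-$SITEB"; then
    echo "Site A: $SITEB_LAN is routed via vt-$SITEB"
else
    echo "Site A: missing route for $SITEB_LAN via vt-$SITEB" >&2
fi
```

Run it on any workstation to print the two command sets; on the gateway itself, feed the real "netstat -rn" output to route_via_vti in place of the constructed table.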

Additional Notes :

Below shows you the syntax used to create the VTIs :

[Expert@fw]# vpn shell i a n
Usage: /interface/add/numbered <LocalIP> <RemoteIP> <PeerName> [IfName]
  LocalIP  - The local IP of the tunnel
  RemoteIP - The remote IP of the tunnel
  PeerName - The peer to attach to this interface
  IfName   - The name of the interface to be used

Additional Resources :

For further information on Route Based Check Point VPNs, along with how to create a Route Based VPN between a Cisco device and a Check Point device, please see here
(You will need to log in to the Check Point UserCenter before accessing this link)

Tags: VPN

About the Author

R Donato

Ricky Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Ricky on Twitter @f3lix001