Create a Basic Route Based VPN between 2 Check Point Firewalls

Within this example we will build a Route Based VPN between 2 SPLAT R65 NGX Check Point Firewalls. Static Routes will used to direct the traffic via the VPN Tunnel Interfaces.

In this example both Firewalls are managed by the same manager. The gateways are :

• Site A – External 192.168.1.1 Inside 10.1.1.1
• Site B – External 192.168.2.1 Inside 10.1.2.1

In order to build a route based vpn we need to create VPN Tunnel Interfaces. A VPN Tunnel Interface is a virtual interface on a VPN-1 module, which is associated with an existing VPN tunnel, and is used by IP routing as a point to point interface directly connected to a VPN peer gateway.

Virtual Tunnel Interfaces (VTI’s)

VTIs can be created only on SPLAT and IPSO (3.9 or above). Though you can only create numbered VTIs within SPLAT. A numbered tunnel interface has a unique IP address assigned to it, while an unnumbered tunnel interface does not.
In order to create VTI`s you will need to ensure you are running SPLAT Pro. And that the Dynamic Routing feature is enabled. You will also need the nessecary license for this feature.

Steps

Create Object

1. Create a Group Object called Empty containing no objects within SmartDashboard

Site A

1. Create the VTI by running the command on Site A’s CLI :

   vpn shell i a n 22.22.22.1 22.22.22.2 SiteB

2. Within the Gateway Object under Topology add you Object named Empty as your VPN Domain.
3. Within the Gateway Object under Topology use the “Get” icon to retrive your new VPN Tunnel Interface (VTI).

Site B

1. Create the VTI by running the command on Site B’s CLI :

   vpn shell i a n 22.22.22.2 22.22.22.1 SiteA

2. Within the Gateway Object under Topology add you Object named Empty as your VPN Domain.
3. Within the Gateway Object under Topology use the “Get” icon to retrive your new VPN Tunnel Interface (VTI).

General

1. Create a new Meshed Site-2-Site Community within the VPN Community Tab.
2. Under General select Accept All Encrypted Traffic
3. Under Paricitpating Gateways add both Site A and Site B.
4. Push the Policy to both gateways.

Add Static Routes

1. On Site A add the following commands via the CLI :

   route add -net 10.1.1.0 netmask 255.255.255.0 dev vt-SiteB ; route --save

2. On Site B add the following commands via the CLI :

   route add -net 10.1.2.0 netmask 255.255.255.0 dev vt-SiteA ; route --save

Additional Notes :

Below shows you the syntax used to create the VTIs :

[Expert@fw]# vpn shell i a n
Usage: /interface/add/numbered <LocalIP> <RemoteIP> <PeerName> [IfName]
  LocalIP  - The local IP of the tunnel
  RemoteIP - The remote IP of the tunnel
  PeerName - The peer to attach to this interface
  IfName   - The name of the interface to be used

Additional Resources :

For further information on Route Based Check Point VPNs along with how to create a Route Based VPN between a Cisco device and Check Point device please see here
(You will need to login into the Check Point UserCentre prior to accessing this link)

• Author
• Recent Posts

Rick Donato

Rick Donato is a Network Automation Architect/Evangelist and the founder of Packet Coders.

Latest posts by Rick Donato (see all)

• How to Configure a BIND Server on Ubuntu - March 15, 2018
• What is a BGP Confederation? - March 6, 2018
• Cisco – What is BGP ORF (Outbound Route Filtering)? - March 5, 2018

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial