Site to Site VPN Edge Managed by R60 Smart Center


  • 8/7/2019 Site to Site VPN Edge Managed by R60 Smart Center


    Configuration of Site to Site VPN with VPN-1 Edge

    May 8, 2006

    In This Document

    Introduction
    Static NAT the SmartCenter / Management Server
    Add a VPN-1 Edge Object
    Create the VPN Community
    Basic FireWall-1 Rules
    Connecting to the SmartCenter/Management Server from VPN-1 Edge

    Introduction

    To install NGX R60 VPN-1 Pro and SmartCenter, the SmartCenter Server must be licensed to manage more than one firewall module. If the SmartCenter Server and the NGX R60 gateway are installed on separate machines, it is recommended that you statically NAT the management server.

    For this configuration to work properly, the following are required:

    VPN must be enabled, and the policy package must be in Simplified VPN mode.
    VPN-1/FireWall-1 NGX
    VPN-1 Edge 5.0.x firmware or newer

    Release notes: http://www.checkpoint.com/techsupport/ng_application_intelligence/releasenotes.html

    Configuration of Site to Site VPN with VPN-1 Edge - Last Update May 8, 2006 2

    Static NAT the SmartCenter / Management Server

    1. Open SmartDashboard.

    2. Go to Network Objects > Check Point > Management Server object.

    3. Select the NAT tab and check Add Automatic Address Translation rules.

    The following window appears:

    4. From the Translation method drop-down list select Static.

    5. In the Translation to IP address field, enter the public routable IP address of the Management server. This address must be on the same subnet as the external interface of the firewall module.

    6. From the Install on Gateway drop-down list, select the gateway that this management server is behind.

    7. Select Apply for VPN-1 & FireWall-1 control connections. As a result of selecting this option, VPN-1 Edge will connect to the management server via an implied rule.

    Note - In a clustered environment, do not select Apply for VPN-1 & FireWall-1 control connections. Instead, create an explicit rule in the Rule Base for this connection.


    Add a VPN-1 Edge Object

    1. Open SmartDashboard.

    2. Create a VPN-1 Edge Embedded Object. Go to Network Objects > Check Point > New Check Point > VPN-1 Edge/Embedded Gateway.

    The following window appears:

    3. Configure the VPN-1 Edge gateway object:

    Enter a name in the Name text box.
    Select a hardware type from the Type drop-down list.
    Enter a registration key in the Registration Key text box.

    4. Select VPN-1 Enabled and Connects as Site To Site Gateway.


    5. Select the Topology tab.

    The following window appears:

    6. Define the internal network behind the Edge (DMZ) and configure the VPN Domain (WAN).

    7. Select Manually defined and select a network from the list provided. If you have not previously defined a network, click New and define the network.


    Create the VPN Community

    1. In SmartDashboard select the VPN Manager tab.

    2. Right click inside the screen and select New Community > Star... . The following window appears:

    3. In the General tab enter a name for your Community and select Accept all encrypted traffic.

    4. Select the Center Gateways tab.


    The following window appears:

    5. Click Add to add the NG or NGX gateway.

    6. Select the Satellite Gateways tab.


    The following window appears:

    7. Click Add to add the VPN-1 Edge embedded device.

    8. Select the VPN Properties tab.


    The following window appears:

    9. Configure the Phase 1 and Phase 2 key negotiation properties (encryption and data integrity algorithms, and renegotiation times). The algorithms selected here must be supported by the VPN-1 Edge firmware in use.

    10. Select the Tunnel Management tab.


    The following window appears:

    11. Under VPN Tunnel Sharing select One VPN tunnel per subnet pair.

    12. Select Advanced Settings > VPN Routing.


    The following window appears:

    13. Select To center and other satellites through center.

    14. Select Advanced Settings > Advanced VPN Properties.


    The following window appears:

    15. Select Disable NAT inside the VPN community. Leave the default settings on all other properties; these properties are not enabled by default on the VPN-1 Edge device.

    16. Select the Shared Secret tab. When managed, the VPN-1 Edge device will negotiate via the ICA certificate.


    The following window appears:

    17. Make sure that Use only Shared Secret for all External members is not selected.

    18. Click OK.
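    The steps above impose three constraints that are easy to get wrong in the GUI and only show up later as a failed tunnel: the static NAT address for the management server has to sit on the hub gateway's external subnet (Static NAT step 5), One VPN tunnel per subnet pair (step 11) negotiates a separate IPsec SA pair for every center/satellite subnet combination, and Disable NAT inside the VPN community (step 15) means the two VPN domains must not overlap, because traffic crosses the tunnel with its real addresses. The following Python script is an added example written for this page, not Check Point code or part of the original guide; all addresses in it are constructed, and the subnet-pair tunnel count is the general product rule rather than anything read from a specific SmartDashboard screen.

```python
"""
Sanity checks for the hub-and-spoke topology this guide builds (added
example, not Check Point code). Each function encodes one constraint from
the procedure so it can be verified before the policy is installed. All
addresses used here are constructed for illustration.
"""
import ipaddress
from itertools import product


def nat_address_on_external_subnet(nat_ip: str, gateway_external_if: str) -> bool:
    """Static NAT step 5: the public address translated to the management
    server must be on the same subnet as the hub gateway's external interface,
    and must not be the interface's own address. gateway_external_if is
    written as address/prefix, e.g. '203.0.113.2/29'."""
    iface = ipaddress.IPv4Interface(gateway_external_if)
    addr = ipaddress.IPv4Address(nat_ip)
    return addr in iface.network and addr != iface.ip


def overlapping_vpn_domains(center, satellite):
    """Community step 15 (Disable NAT inside the VPN community): traffic is
    carried with real addresses, so center and satellite VPN domains must be
    disjoint. Returns the (center, satellite) pairs that overlap; an empty
    list means the domains can be used as-is."""
    return [
        (c, s)
        for c, s in product(center, satellite)
        if ipaddress.IPv4Network(c).overlaps(ipaddress.IPv4Network(s))
    ]


def tunnels_per_subnet_pair(center, satellite):
    """Community step 11 (One VPN tunnel per subnet pair): a separate IPsec
    SA pair is negotiated for each (center subnet, satellite subnet)
    combination, so the tunnel count is len(center) * len(satellite).
    Returns those pairs."""
    return [(c, s) for c, s in product(center, satellite)]


def check_topology(nat_ip, gateway_external_if, center, satellite):
    """Run the NAT and overlap checks and return human-readable findings
    (an empty list means the topology passes)."""
    findings = []
    if not nat_address_on_external_subnet(nat_ip, gateway_external_if):
        findings.append(
            f"static NAT address {nat_ip} is not a free address on the "
            f"external subnet of {gateway_external_if}"
        )
    for c, s in overlapping_vpn_domains(center, satellite):
        findings.append(f"VPN domains overlap: center {c} vs satellite {s}")
    return findings


if __name__ == "__main__":
    # Constructed topology: hub gateway external interface 203.0.113.2/29,
    # management server translated to 203.0.113.5, two subnets behind the
    # hub (center) and one subnet behind the VPN-1 Edge (satellite).
    center = ["10.1.0.0/24", "10.2.0.0/24"]
    satellite = ["192.168.10.0/24"]
    for finding in check_topology("203.0.113.5", "203.0.113.2/29", center, satellite):
        print("FINDING:", finding)
    pairs = tunnels_per_subnet_pair(center, satellite)
    print(f"{len(pairs)} tunnel(s) will be negotiated per subnet pair: {pairs}")
```

    Run it with the real values from your SmartDashboard objects before clicking OK on the community; an empty findings list does not prove the tunnel will come up, but a non-empty one explains why it will not.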


    Basic FireWall-1 Rules

    1. In SmartDashboard create a rule (if necessary) that allows SWTP_SMS or SWTP_GATEWAY from the Edge to the Management server. If control connections are enabled, an implied rule allowing this connection already exists.

    2. There should be an implied rule in the Rule Base for the VPN-1 community (at the top). An explicit rule can be created instead by editing the VPN-1 community and deselecting the option Accept all encrypted traffic.

    3. Create a rule whose Source is the Edge internal network and whose Destination is Any. Change the Install On field to the Edge object and the R60 gateway.

    4. Save and install the Security Policy to the hub firewall and to the VPN-1 Edge profile.

    Connecting to the SmartCenter/Management Server from VPN-1 Edge

    1. Log into the VPN-1 Edge device from the LAN at http://my.firewall or from the WAN at https://external_ip:981. The following window appears:


    2. Select the Services tab and click Connect.

    The following window appears:

    3. Enter the Static NAT IP address of the NGX R60 Management server in the Specified IP text box and click Next.

    The following window appears:


    4. Enter the Gateway ID and Registration Key and click Next. The Gateway ID is the name of the VPN-1 Edge/Embedded device as it appears in SmartDashboard. The Registration Key is the password entered for the VPN-1 Edge/Embedded object.

    After the connection is complete, the confirmation screen appears.

    5. Click Next to complete the process.

    6. To confirm that the Edge is connected to the Management server, verify that the word Connected appears in the Service Center in the bottom left-hand corner of the screen.

    7. To confirm that a policy has been installed, select Setup > Tools > Diagnostics. The Policy section should show the name of the VPN-1 Edge profile as it appears in SmartDashboard.


    8. To confirm that the VPN is established, initiate traffic from a host behind the Edge to a host behind the NG or NGX gateway. Go to Reports > VPN Tunnels and verify that the tunnel was established.