26 April 2011

How To Setup a Site-to-Site VPN with Cisco

Remote Gateway

© 2011 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.

Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

http://www.checkpoint.com/copyright.htmlhttp://www.checkpoint.com/3rd_party_copyright.html

Important Information Latest Software

We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation

The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=11892

For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History

Date Description

26 April 2011 First release of this document

Feedback

Check Point is engaged in a continuous effort to improve its documentation.

Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on How To Setup a Site-to-Site VPN with Cisco Remote Gateway ).

http://supportcontent.checkpoint.com/documentation_download?ID=11892http://supportcenter.checkpoint.com/mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback%20on%20How%20To%20Setup%20a%20Site-to-Site%20VPN%20with%20Cisco%20Remote%20Gatewaymailto:cp_techpub_feedback@checkpoint.com?subject=Feedback%20on%20How%20To%20Setup%20a%20Site-to-Site%20VPN%20with%20Cisco%20Remote%20Gateway

Contents

Important Information ............................................................................................. 3 VPN Setup ............................................................................................................... 5

Configuring the Cisco Gateway Object ................................................................ 5 VPN Community Setup ........................................................................................ 6 VPN Community Configuration ............................................................................ 6 Defining the VPN Domain ...................................................................................12 VPN Domain Configuration .................................................................................14

Rules for Traffic .................................................................................................... 16 Setting a Rule .....................................................................................................16 Setting VPN Community in the Rule ...................................................................17

Final Step .............................................................................................................. 18

Configuring the Cisco Gateway Object

VPN Setup Page 5

VPN Setup

Configuring the Cisco Gateway Object To create the Cisco Gateway Object:

1. Right click: Network Objects >New >Others >Interoperable Device

2. In the General Properties dialog box, enter a Name for the Gateway, IP address and description (optional).

Note - Use the external routable IP address of the Cisco peer for the IP.

3. Click OK.

VPN Community Setup

VPN Setup Page 6

VPN Community Setup 1. Select the IPSec VPN tab.

2. Right click in the open area on the top panel. Select New Community-->Star

VPN Community Configuration To configure the VPN:

1. Name the VPN Community.

2. Click Center Gateways.

3. Click Add.

4. Select the local Check PointSecurity Gateway object.

VPN Community Configuration

VPN Setup Page 7

5. Click OK.

6. Click Satellite Gateways.

7. Click Add

8. Select the previously named Cisco peer gateway object.

VPN Community Configuration

VPN Setup Page 8

9. Click OK.

10. Click VPN Properties.

Note - You can change the Phase 1 and Phase 2 properties here. Note the values you select, because the peer will need to match these values.

You can define the Tunnel setup in the Tunnel Management option. One VPN tunnel per subnet pair is the recommended tunnel sharing method. This shares your network on either side of the VPN, makes the phase 2 negotiation easier, and requires fewer tunnels to be built for the VPN.

VPN Community Configuration

VPN Setup Page 9

You can restrict access on the VPN through your security rulebase.

Note - Permanent tunnels can only be done between Check Point gateways.

To Configure VPN Tunnel:

1. Click Tunnel Management to configure the tunnel.

To Configure the Shared Secrets:

1. Click Advanced Settings

2. Click Shared Secret

3. Select Use only Shared Secret for all External members

4. Select your peer gateway in the list

5. Click Edit to edit the shared secret.

Note - Remember this secret because your peer will need it to set up the VPN on the other end.

VPN Community Configuration

VPN Setup Page 10

To Modify Phase 1 and Phase 2 Advanced Settings

1. Click Advanced VPN Properties

Keep note of these values.

Note - It is recommended that you select Disable NAT inside the VPN community to access resources behind your peer gateway using their real IP addresses and vice versa.

VPN Community Configuration

VPN Setup Page 11

2. Click OK to exit back to the SmartDashboard.

Note - You may see the following message: At least one of the VPN Community members does not have the VPN domain defined. Are you sure you want to continue?

3. Click Yes to view your defined VPN community

Defining the VPN Domain

VPN Setup Page 12

Defining the VPN Domain Make sure you have Network Objects to represent the local networks and the Cisco peer networks that will be sharing with you.

To Define the VPN Domain:

1. Right-click Networks

2. Select Network

In the Network Properties window, enter the properties of the Cisco peer internal network.

When many networks are shared on either end of the tunnel, it is recommended to create different groups to represent the domains on either side of the VPN tunnel.

To create a Group:

1. Right click Groups

2. Select Groups>Simple Group

This example shows one shared network, and there is one object in the group. There is no limit to the number of networks that can be shared.

Important - Adding groups within a group can impact network performance. Make sure the group is "flat".

Defining the VPN Domain

VPN Setup Page 13

We recommend that the name of the group is relevant to the network setup, for example: "Local_VPN_Domain".

Add all local networks for the VPN, to create the group that represents the Cisco peer shared network.

3. Click OK

VPN Domain Configuration

VPN Setup Page 14

4. Adding a second group:

VPN Domain Configuration

Setting the VPN domains for each gateway:

1. Open the Properties for your local Check Point gateway object.

2. Click Topology in the VPN Domain area.

3. Select Manually defined

VPN Domain Configuration

VPN Setup Page 15

4. From the list, select .

5. Click OK and open the Properties for the Cisco gateway.

6. Select the group/network that represents the VPN domain.

7. Click OK

Setting a Rule

Rules for Traffic Page 16

Rules for Traffic After you setup the objects, the VPN, and the community, set up Rules to control flow of traffic to allow and restrict access to the VPN.

Setting a Rule To setup a Rule:

1. Right click above the number in the rule column where you want the rule to be set.

2. Select Add Rule>Below

In the example below, the Rule allows any service across the tunnel in both directions.

Setting VPN Community in the Rule

Rules for Traffic Page 17

Setting VPN Community in the Rule

To set the VPN community in the VPN column of the Rule:

1. Right click the Any Traffic icon.

2. Select Edit Cell.

3. Select Only connections encrypted in specific VPN Communities.

4. Click Add.

5. Select the VPN community.

6. Click OK.

7. Click OK again.

The Rule appears in the VPN column.

Setting VPN Community in the Rule

Final Step Page 18

Final Step Install the policy to the local Check Point gateway. The VPN is setup!

After the Cisco remote side sets up their VPN to match, a secure communication with their site is established.

Important InformationVPN SetupConfiguring the Cisco Gateway ObjectVPN Community SetupVPN Community ConfigurationTo Configure VPN Tunnel:To Configure the Shared Secrets:To Modify Phase 1 and Phase 2 Advanced Settings

Defining the VPN DomainTo Define the VPN Domain:To create a Group:

VPN Domain ConfigurationSetting the VPN domains for each gateway:

Rules for TrafficSetting a RuleSetting VPN Community in the RuleTo set the VPN community in the VPN column of the Rule:

Final Step