By Manny Fernandez

November 15, 2019

Site-to-Site VPN with Checkpoint Stand-Alone

A colleague wanted to test VPNs to multiple platforms.  I set up a Checkpoint 1450, PAN 200, and an ASA 5515.  This box is running the following:

2019-11-15_19-32-51.png

Configuring The Internet

2019-11-15_14-51-54.png

To begin, I needed to configure the Internet side of the Checkpoint Firewall.

Troubleshooting Connection

2019-11-15_19-35-10.png

  1. Choose the Logs & Monitoring tab on the top.
  2. Choose Tools on the left column.
  3. Ping / Traceroute to test connectivity.
  4. DNS lookup to test DNS services.
  5. Packet Capture.

Configuring the VPN

2019-11-15_14-53-20.png

By choosing VPN on the top tab, then VPN Sites you can see I have no VPNs defined.  You can click the Add link in the top/middle section of the screen.

2019-11-15_18-17-27.png

Here we can see the Remote Site configuration screen that shows the main section of the VPN connection.

  1. Give the VPN a descriptive name.
  2. Enter the remote peer IP address.
  3. If you are using PSK or Certificate, Choose accordingly.
  4. Enter and Validate the PSK (If using PSK).
  5. Next you will need to configure the Phase II selector for the remote site.
  6. Finally, click Apply

Note:  This is extremely strange when you are used to using other firewalls on the market. Checkpoint is known for its Encryption Domain that is not necessarily configured in this VPN or in the Communities if using the Centralized Management solution.

2019-11-15_18-18-44.png

Next we configure the Phase I and Phase II proposals.  If you want to add multiple Encryptions schemes as an example, you can choose additional ones and they will be added to the top (see below)

Screen Shot 2019-11-15 at 6.28.57 PM.png

  1. We chose AES 128
  2. We chose AES 256
  3. Shows the both selected Encryption Schemes

2019-11-15_15-31-33.png

To set up the Phase II selectors for the Local side, go to VPN then Advanced. You will see the first red square that shows the local encryption domain is defined manually which you will need to select.

2019-11-15_14-59-55.png

Once selected, you can add separate networks or single IP addresses, however it will NOT let you add a group.  This can be problematic depending on the number of networks you have behind the checkpoint.

2019-11-15_15-33-46.png

You will need to create rules (in Checkpoint = Policies in FTNT).

2019-11-15_15-38-27.png

On the top section, you see the Link’d sections in regular English.  By selecting each of those sections on the top, you can modify the Source / Destination / Application / Service.

2019-11-15_19-29-30.png

You will also need to create a no-nat rule under Access Policy then NAT.  You can create a new rule.

Here we can see that when LOCA-LANs (a group containing local-lan1 and local-lan2)

Note: Yes I know I spelled the group name incorrect.  Just lazy to go back and fix it after getting the screenshots. 🙂

Hope this helps

 

 

Recent posts

  • Don't be confused with my other FortiNAC posts where... Full Story

  • This is the third session in a multi-part article... Full Story

  • Today I was configuring key-based authentication on a FortiGate... Full Story

  • Netcat, often called the "Swiss Army knife" of networking,... Full Story

  • At its core, IEEE 802.1X is a network layer... Full Story

  • In case you did not see the previous FortiNAC... Full Story

  • This is our 5th session where we are going... Full Story

  • Now that we have Wireshark installed and somewhat configured,... Full Story

  • The Philosophy of Packet Analysis Troubleshooting isn't about looking... Full Story