R81.10 Site to Site VPN Config between two Gateways hosted in Azure - full documentation

ABosinceanu — Thu, 06 Oct 2022 16:46:37 GMT

I have documented here the Site to Site VPN config between two Check Point R81.10 Gateways hosted in Azure Cloud, managed also by Azure Hosted IaaS Security Management Server. Attached also the Word document.

Firewall deployment & VNET level configs, used for this VPN S2S setup are documented here:

https://community.checkpoint.com/t5/Cloud-Network-Security/R81-10-Single-Gateway-Azure-deployment/m-p/158745#M3359

Configuring Site To Site VPN between 2 Check Point Gateways hosted in Azure

Version 1.0

6 October 2022

Configuration description:

Firewall Management Servers

A single Management server is managing both Gateways

Gateways

westSG protecting VNET1 10.0.0.0/16
northSG protecting VNET2 10.2.0.0/16

Services & VMs that need to communicate via VPN

west-webserver hosted in VNET1 à subnet 10.0.2.0/24
north-webserver hosted in VNET2 à subnet 10.2.2.0/24

Existing environment setup

On both VNET1 and VNET2, the subnets where the webservers are hosted are configured as “Hide behind the Gateway”.
- This setting is the basic config for the Azure hosted assets to have Internet Access via the Check Point Security gateway à config on network object
  - Automatic NAT Rules are enabled

Existing configuration is documented here:

https://community.checkpoint.com/t5/Cloud-Network-Security/R81-10-Single-Gateway-Azure-deployment/m-p/157618#M3308

Site to Site VPN Configuration Steps

Enable IPsec VPN software blade on both Gateways --> General Properies --> Network Security TAB --> Check The IPSec VPN tick box --> Click OK to save the configuration.
Create a VPN Community object --> Objects --> More Objects --> VPN Community --> New Meshed Community
1. Give a name to the VPN Community and add the two gateways and Click OK.
2. The other default settings can remain default for this Check Point to Check Point VPN Configuration.
Configure the VPN Domain for both Security Gateways --> Edit Gateway properies --> Network Management --> VPN Domain --> Select User Defined option --> tick the 3 dots in the right --> Select the subnet you want to use for the VPN. If the object for the subnet is not created, create it.
1. If you do not want to use an entire subnet as VPN Domain, you can create and use Address Range objects.
Set the Scope of the VPN --> Gateway Properties --> IPSec VPN TAB & add the VPN Community you created earlyer
Link selection --> Gateway Properies --> IPSec VPN TAB --> Link Selection under-TAB --> assure that Main Address is selected and Operating System Routing Table also.
Link selection --> Gateway Properies --> IPSec VPN TAB --> Link Selection under-TAB --> Go to Source IP address settings --> Select Manual --> Selected addresses from topology table --> select the private IP of the eth0(external) of the Gateway
Validate that Step 1 was configured on both gateways
Validate that Steps 3, 4, 5 & 6 where configured on both gateways
Azure level routes --> In Azure Portal --> Go to Route Tables
Edit the Route Tables for the subnets used in VPN Domain for both Gateways, in this case there are only two route tables as we have only a single test subnet in each Azure VNET
On the Route Table properies, go to Routes TAB and add a new Route to reddirect traffic torward the other VNET’s subnet via the gateway’s eth1 private IP
1. For the north-asset-routes, all traffic to west-webserver subnet assets will be reddirected via the north-SG eth1 interface IP
2. For the west-asset-routes, all traffic to north-webserver subnet assets will be reddirected via the west-SG eth1 interface IP
Create Access Control Rules
1. In SmartConsole --> Security Policy --> Access Control --> Policy --> I have created a single policy to allow traffic both ways(north-->west & west-->north) marking the previously created VPN Community with any service and marked as Allowed
  1. This policy was installed on both Security Gateways
  2. I used subnet objects both for Source & Destination as this is a test/Demo environment only.
    1. In real life, we will use host objects, host groups, Dynamic Objects and so on…
  3. Create Access Control Rules
    1. In SmartConsole --> Security Policy --> Access Control --> NAT --> I have created two manual NAT rules
      1. This policies are needed because both assets subnet(north & west) have NAT configured --> Hide behind the gateway. Practically, this rules are an exception for the following Automatic NAT Rules(created automatically when configured NAT on subnet objects)
        
        We do not want that traffic from west-subnet-assets to reach the north-subnet-assets with northSG gateway eth0 private IP, but with it’s own subnet allocated IP --> as we need to filter traffic as much as possible.
      2. Do not forget to Publish & Install the policies on both gateways to implement changes & configs.
      3. Testing can be done by ping from a server hosted in west-subnet-assets to a server hosted in the north-subnet-assets and than from north to west.

Re: R81.10 Site to Site VPN Config between two Gateways hosted in Azure - full documentation

Danny — Tue, 14 Feb 2023 17:52:46 GMT

Great write-up. Thanks for sharing! 👍

topic Re: R81.10 Site to Site VPN Config between two Gateways hosted in Azure - full documentation in Cloud Firewall

R81.10 Site to Site VPN Config between two Gateways hosted in Azure - full documentation

Re: R81.10 Site to Site VPN Config between two Gateways hosted in Azure - full documentation