topic Re: Check Point - AWS VPN tunnels question in Firewall and Security Management

Check Point - AWS VPN tunnels question

arcotangente — Wed, 01 Jul 2020 20:20:11 GMT

Hi guys,

I'm trying to configure a few tunnels from a Check Point cluster to Amazon AWS and I'm not able to understand the part of the VTI interfaces IPs and cluster topology IP's. I have read the following two guides:

https://docs.aws.amazon.com/es_es/vpn/latest/s2svpn/cgw-static-routing-examples.html

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk100726

The Check Point one seems to be contradictory to me, it says:

Under "VPN Tunnel Type" select "Numbered"

Under "Local Address": provide the "Inside IP Address" of the "Customer Gateway" as specified in the configuration file. (This relates to a single gateway configuration.)
Under "Remote Address": provide the "Inside IP Address" of the "Virtual Private Gateway" as specified in the configuration file.

But afterwards, it says:

* Note: VTI Local Address (per cluster member) must be different than the addresses provided in the configuration file. These addresses are only locally significant, and are used to establish the point-to-point connection between the logical Check Point and AWS interfaces, on which VPN nexthop routes will be configured for use.

Note: For a cluster with two members, four unique addresses are required - one for each VTI, as outlined above. All other settings can stay the same. In total, six VTI IP addresses would be required - the additional two will be the shared addresses, which will be defined in SmartDashboard later.

In the AWS config file, there are 2 IP's for each tunnel, as follows:

f. IP Address: 169.254.92.222 g. Remote IP: 169.254.92.221

The CP guide also states:

Fetching the VPN Tunnel interfaces:

(Note: If you have not done so already, enable the IPsec VPN blade on your gateway)

Open your gateway or cluster object, and navigate to the Topology tab.
Re-fetch the interface configuration.
Note: For clusters, define the newly added interfaces as Cluster interfaces, using the IP addresses specified in the configuration file for the "Customer Gateway":

I don't see any "Customer gateway IP" information in the AWS config file. So I'm totally lost, don't know what IP to set in the Local and Remote VTI, which one to put in the static routing, and which one to set the cluster interfaces...

May you help to shed some light?

Thanks in advance

Re: Check Point - AWS VPN tunnels question

arcotangente — Fri, 03 Jul 2020 09:22:39 GMT

No one? 😞

Re: Check Point - AWS VPN tunnels question

mk1 — Sat, 04 Jul 2020 05:12:20 GMT

Hello arcotangente,

Here are the steps I usually follow when create new VPN with AWS.

1. Create Interoperable objects with public IPs of AWS VPN peers with SmartConsole. For instance if your AWS VPN peer IP is 52.30.155.2, create object called AWS_GW1 with that IP, and add empty network group for encryption domain in its topology. Do the same for the second AWS VPN peer GW (AWS_GW2).

2. Add the following commands on each cluster member:
HA Member 1
add vpn tunnel 1 type numbered local 169.254.92.1 remote 169.254.92.221 peer AWS_GW1
set interface vpnt1 state on
set interface vpnt1 mtu 1436

HA Member 2
add vpn tunnel 1 type numbered local 169.254.92.2 remote 169.254.92.221 peer AWS_GW1
set interface vpnt1 state on
set interface vpnt1 mtu 1436

After it's a point-to-point interface you can add any IP address from that subnet. Then you will configure 169.254.92.222 on the VIP.

As you can see I have .158 for VIP, and .157 is the IP address of AWS's side of the tunnel. You have to follow the same for the second tunnel to the other AWS VPN GW.

The rest of the instructions for routing and policies are described in the configuration file which you download from AWS Console.

Re: Check Point - AWS VPN tunnels question

arcotangente — Mon, 06 Jul 2020 09:37:40 GMT

Hi MK1.

Thank you for the response! So, let me see if I got this right, we should have the following (example) configuration for a tunnel to AWS:

HA Member 1 (tunnel 1)
add vpn tunnel 1 type numbered local 169.254.92.1 remote 169.254.92.221 peer AWS_GW1
set interface vpnt1 state on
set interface vpnt1 mtu 1436

HA Member 1 (tunnel 2)
add vpn tunnel 2 type numbered local 169.254.92.3 remote 169.254.92.223 peer AWS_GW1
set interface vpnt2 state on
set interface vpnt2 mtu 1436

HA Member 2 (tunnel 1)
add vpn tunnel 1 type numbered local 169.254.92.2 remote 169.254.92.221 peer AWS_GW1
set interface vpnt1 state on
set interface vpnt1 mtu 1436

HA Member 2 (tunnel 2)
add vpn tunnel 2 type numbered local 169.254.92.4 remote 169.254.92.223 peer AWS_GW1
set interface vpnt2 state on
set interface vpnt2 mtu 1436

And then for cluster ip addresses - 169.254.92.222 for vpnt1 and 169.254.92.224 for vpnt2.

Should the cluster ip address be a specific ip address, or just any ip address in the 169.254.92.x subnet?

Also, does it matter what local and remote ip address we use for the tunnel configuration or just any from the 169.254.x.x range ? Should we stick to the config file from AWS in terms of ip addresses for local and remote on the VTI or we can come up with our own?

Thanks!

Re: Check Point - AWS VPN tunnels question

mk1 — Mon, 06 Jul 2020 10:07:47 GMT

No, your configuration is wrong. AWS give you two separate IPsec peer IPs which are public. Let's say they are 1.1.1.1 and 2.2.2.2.
The first thing you have to create with SmartConsole are the Interoperable Devices of remote VPN peers, in our case AWS_GW1 which is 1.1.1.1 and AWS_GW2 which is 2.2.2.2.

AWS give you also two separate IPs part of 169.254.x.x range. Let's say IPs for the first tunnel are 169.254.1.99 (AWS) and 169.254.1.100 (you) and the IPs for the second tunnel are 169.254.2.99 (AWS) and 169.254.2.100 (you).

Then you have the following config in the CLI:

GW1
add vpn tunnel 1 type numbered local 169.254.1.1 remote 169.254.1.99 peer AWS_GW1
set interface vpnt1 state on
set interface vpnt1 mtu 1436

add vpn tunnel 2 type numbered local 169.254.2.1 remote 169.254.2.99 peer AWS_GW2
set interface vpnt2 state on
set interface vpnt2 mtu 1436

GW2
add vpn tunnel 1 type numbered local 169.254.1.2 remote 169.254.1.99 peer AWS_GW1
set interface vpnt1 state on
set interface vpnt1 mtu 1436

add vpn tunnel 2 type numbered local 169.254.2.2 remote 169.254.2.99 peer AWS_GW2
set interface vpnt2 state on
set interface vpnt2 mtu 1436

The main purpose here is to have different IPs on each VPN tunnel interface, and then you will configure the VIP via GUI with the proper IP provided by AWS, in our case 169.254.1.100 will be VIP for vpnt1 and 169.254.2.100 for vpnt2. Then you have to add your static routes pointing to 169.254.1.99 and 169.254.2.99 (if you don't use BGP). One of them should be with priority.

On your questions:
Should the cluster ip address be a specific ip address, or just any ip address in the 169.254.92.x subnet? - Cluster IP address must be the one given by AWS. Member IP addresses could be any IP address.

Also, does it matter what local and remote ip address we use for the tunnel configuration or just any from the 169.254.x.x range? - Yes, it does. You have to use the IPs given by AWS for both sides of the tunnels, and you can use another IPs for each member interfaces different from VIP.

Re: Check Point - AWS VPN tunnels question

arcotangente — Wed, 08 Jul 2020 14:01:53 GMT

It worked!

Thank you very much!

Re: Check Point - AWS VPN tunnels question

kobi_rudy — Thu, 06 Aug 2020 08:18:39 GMT

Does the mtu 1436 important? can it be the cause for vpn resets if the mtu is 1500?

Re: Check Point - AWS VPN tunnels question

Faimuddin_N_A — Wed, 20 Apr 2022 05:51:10 GMT

Hi ,

I need to create ipsec tunnel with cluster checkpoint fw to AWS gateway but AWS shared the 169.254.1.1/30 pool only for vti, but as per my understanding we need at least three ip's for both cluster member, I am stuck please suggest.

Re: Check Point - AWS VPN tunnels question

Tobias_Moritz — Thu, 21 Apr 2022 10:21:03 GMT

Short answer: Use the AWS provided address as cluster address in topology and for the node addresses, just continue counting up. This looks strange, because it brings you out of that /30 mask, but it works. It works, because the VTI is set up using the cluster address anyway, the local node addresses are in fact ignored. But you have to enter something there.

Long answer: Just follow sk100726 (static routing) or sk108958 (dynamic routing). Your question is also answered there.