Author @Julie_Paul 

Introduction

This document is instructions to setup a 1500 Appliance managed by an SMP plan in a Star VPN setup with an externally managed gateway a that is R80.x or higher.

Setup:

• Security Management Server(SMS) at R80.40, latest JHF
• 6500 Appliance managed by SMS, also at R80.40
• Security Management Portal (SMP) configured
• 1500 appliance managed by SMP portal at latest firmware version
• Plan is created and applied to the 1500 Appliance

Assumptions

• NAT is not being utilized or needed in this example, as every network behind each gateway is unique.
• You have access to both the Security Management Portal and the Security Management Server

SMP Portal Steps

1. Export SMP Certificate
   1. Logon to the SMP portal, go to Service Domain – Settings—in the General section select Certificates
   2. Click export X.509 and save to your desktop

2. Import SMS Certificate.  (See step 1 in the SMS section on how to get the Certificate)
   1. Click on the Certificates Tab
      
   2. Click Add
      1. Enter a name, in this example we will call it SMS-CA
      2. Click Import X.509, select the internal_ca.crt file downloaded from the SMS. Click Save

3. Retrieve DN for the gateway on the SMP portal
   1. Select Gateways and click on the gateway to be in the VPN, in this example it is lab02-gw
   2. Click on VPN – Authentication Method
   3. Highlight the Distinguished Name and click copy, save this to a notepad for use in the SMS portal

4. Create a new gateway to represent the externally managed gateway
   1. Select Gateways under the Home Section – click New
   2.  Leave the Type as the default of Small Office Appliance
   3. Enter the name of the External gateway, in this example it is Spock
   4. Uncheck “Managed by SMP”
   5. Enter in the Static IP of the external interface, Click Finish

5. Create a VPN Community
   1. Select Communities under the Home Section, Click New
   2. Enter in a name—we will use SMP-SMS in this example
      1.      Description is optional
   3. Click Ok
   4. Click on VPN Settings—Select VPN type to Star
   5. Set the Center Gateway to the spock object just created in step 4
   6. Change Satellite Routing to the option that works for you, we will use “Route to other satellites through center”
   7. Click Save

6.  Set the VPN Community
   1. Under the Home go to the Plan Section
   2. Open the plan in use in this example we are using the Plan-MSP-1500
   3. Select VPN – Community, use the drop down and select the VPN community you just created in Step 5 SMP-SMS 
   4. Click Finish — then click Save

7. Setup internal Topology for External Gateway in the SMP
   1. Under Home – Gateways edit the External Gateway we created in Step 4 Spock
   2. Click VPN – Internal Network Topology
   3. Under the Manually configured Networks—click New
   4. Enter in a name, in our example use Spock-Internal
   5. Enter in the Internal Network and Network mask
   6. Click Finish --  then click Save

8. Setup Internal Topology for the Internal Gateway lab02-gw
   1. Under Home – Gateways – Edit lab02-gw
   2. Click on VPN – Internal Network Topology
      1.      Click New under the Manually configured networks
      2.      Add the internal network, in this example it is 192.168.12.0/24, click Finish & Save

SMS Portal Steps

1.  Export the Certificate for use in the SMP portal
   1. Open Object Explorer, search for the internal_ca, open the object
   2. Click Local Security Management Server Tab
   3. Click Save As, save to your desktop, close the object

2. Create a new VPN Community called SMP-VPN
   1. Open Object Explorer, Click New VPN Community --> Star Community
   2. Add the name SMP-VPN in this example
      
   3. Click on Advanced, Select “Disable NAT inside the VPN community”

1. Click OK to accept the new object

3. Create a Trusted CA—called SMP-CA
   1. Open Object Explorer, Click Add New Server --> More --> Trusted CA…
      
      
      
   2. Enter the name SMP-CA
   3. Click on OPSEC PKI, click Get, select the SMP cert you extracted in step 1 under the SMP Section.
   4. In the Retrieve CRL From section, uncheck HTTP Servers (s)

4. Enable IPSEC VPN on the Gateway
   1. In this example we are using the Gateway Spock
      NOTE:  In this example, the Main IP for Spock is internal 192.168 x address
      
   2.  Go to the IPSEC vpn option in the Gateway Spock, Click Add select the new VPN community we created in step 2 SMP-VPN, click OK. 
      
      
   3.  Select Center Gateways, as this will be the center of our Star VPN, click Add
      
      
   4. Click on Link Selection,
      1. Under the “Always use this IP address”  section
         NOTE: Default is to use the Main IP address.  In this scenario, the main IP is a 192.168 x address.  We need to use external IP or VIP if a cluster.  This will be the IP address used for VPN communication to the SMP device.
      2.    Select the option “Selected Address from topology table”.
      3. Click the drop down option and select the external IP or VIP if a cluster. 
      4. This will be the IP address that the VPN will use for communication to the SMP device.

         

          

          

   5. Click OK to save the changes made

5. Create the Network Object(s) to represent the IP addresses behind the remote VPN gateway. In this example we have one network 192.168.12.254/24
   1. Note, if you have more than one network, create a group for all the networks

6. Create an object to represent the other end of the tunnel
   1. Click New Network object --> Gateway and Servers --> More --> Externally Managed VPN Gateway
   2. In this example we will call it lab02-gw
      
      
   3. Enter the name of the object and the external IP address & Select IPsec VPN
   4. Click on Topology, Click New, add the Name of External and the Ip information for the external interface  Our example will be 96.93.233.106/28
      
   5. Click on Topology, select External, click OK
      
   6. In the VPN Domain, select “User defined“ select the Network object/group you just created in Step 3 & click OK

7. Re-open the Externally Managed Check Point Gateway object you just created.
   1. Note:  you cannot add to the VPN community until after you click OK in step 4
   2. Click on IPSec VPN, select Add, select the SMP-VPN community and pick Satellite Gateways option
   3. Click Matching Criteria
      1. Click the drop down select and select the SMP-CA Trusted CA object we created in step 3. 
      2. Check the DN box and past in the Distinguished Name information that you copied to the notepad in SMP Step 3. Click OK
         

8. Publish & Install Policy