Introduction
This document describes how to set up a 1500 Appliance managed by an SMP plan in a Star VPN with an externally managed gateway that is running R80.x or higher.
Setup:
- Security Management Server (SMS) at R80.40, latest JHF
- 6500 Appliance managed by SMS, also at R80.40
- Security Management Portal (SMP) configured
- 1500 appliance managed by SMP portal at latest firmware version
- Plan is created and applied to the 1500 Appliance
Assumptions
- NAT is not being used or needed in this example, because every network behind each gateway is unique.
- You have access to both the Security Management Portal and the Security Management Server.
SMP Portal Steps
- Export SMP Certificate
  - Log on to the SMP portal, go to Service Domain – Settings; in the General section select Certificates
  - Click Export X.509 and save to your desktop
  ![_Val__0-1594291725560.png _Val__0-1594291725560.png](https://community.checkpoint.com/t5/image/serverpage/image-id/7170i8CF2F744C284CD31/image-size/medium?v=v2&px=400)
- Import SMS Certificate (see step 1 in the SMS section on how to get the certificate)
  - Click on the Certificates tab
  ![_Val__1-1594291725563.png _Val__1-1594291725563.png](https://community.checkpoint.com/t5/image/serverpage/image-id/7169i43EC902697FA0473/image-size/medium?v=v2&px=400)
  - Click Add
  - Enter a name; in this example we will call it SMS-CA
  - Click Import X.509, select the internal_ca.crt file downloaded from the SMS, and click Save
  ![_Val__2-1594291725567.png _Val__2-1594291725567.png](https://community.checkpoint.com/t5/image/serverpage/image-id/7171iDD63D94EF0C8641A/image-size/medium?v=v2&px=400)
- Retrieve the DN for the gateway on the SMP portal
  - Select Gateways and click on the gateway that will be in the VPN; in this example it is lab02-gw
  - Click on VPN – Authentication Method
  - Highlight the Distinguished Name and click Copy; save this to a notepad for use in the SMS portal
- Create a new gateway to represent the externally managed gateway
  - Select Gateways under the Home section and click New
  - Leave the Type as the default of Small Office Appliance
  - Enter the name of the external gateway; in this example it is Spock
  - Uncheck "Managed by SMP"
  - Enter the static IP of the external interface and click Finish
  ![_Val__3-1594291725570.png _Val__3-1594291725570.png](https://community.checkpoint.com/t5/image/serverpage/image-id/7172iC3EB0AF8D1F29251/image-size/medium?v=v2&px=400)
- Create a VPN Community
  - Select Communities under the Home section and click New
  - Enter a name; we will use SMP-SMS in this example
  - Description is optional
  - Click OK
  - Click on VPN Settings and set the VPN type to Star
  - Set the Center Gateway to the Spock object just created in step 4
  - Change Satellite Routing to the option that works for you; we will use "Route to other satellites through center"
  - Click Save
  ![_Val__4-1594291725573.png _Val__4-1594291725573.png](https://community.checkpoint.com/t5/image/serverpage/image-id/7174i4555FB5C49163BA4/image-size/medium?v=v2&px=400)
- Set the VPN Community in the plan
  - Under Home go to the Plan section
  - Open the plan in use; in this example we are using Plan-MSP-1500
  - Select VPN – Community, use the drop-down and select the VPN community you just created in step 5, SMP-SMS
  - Click Finish, then click Save
  ![_Val__5-1594291725574.png _Val__5-1594291725574.png](https://community.checkpoint.com/t5/image/serverpage/image-id/7173i4F7AC74BCF0E569B/image-size/medium?v=v2&px=400)
- Set up the internal topology for the external gateway in the SMP
  - Under Home – Gateways, edit the external gateway we created in step 4, Spock
  - Click VPN – Internal Network Topology
  - Under Manually configured Networks, click New
  - Enter a name; in our example use Spock-Internal
  - Enter the internal network and network mask
  - Click Finish, then click Save
  ![_Val__6-1594291725576.png _Val__6-1594291725576.png](https://community.checkpoint.com/t5/image/serverpage/image-id/7175iDD86402FD8A8E86D/image-size/medium?v=v2&px=400)
- Set up the internal topology for the internal gateway lab02-gw
  - Under Home – Gateways, edit lab02-gw
  - Click on VPN – Internal Network Topology
  - Click New under Manually configured networks
  - Add the internal network; in this example it is 192.168.12.0/24. Click Finish and Save
  ![_Val__7-1594291725579.png _Val__7-1594291725579.png](https://community.checkpoint.com/t5/image/serverpage/image-id/7177i0A044B298AAEACC7/image-size/medium?v=v2&px=400)
SMS Portal Steps
- Export the Certificate for use in the SMP portal
  - Open Object Explorer, search for internal_ca and open the object
  - Click the Local Security Management Server tab
  - Click Save As, save to your desktop, and close the object
  ![_Val__8-1594291725581.png _Val__8-1594291725581.png](https://community.checkpoint.com/t5/image/serverpage/image-id/7176iC212B05E4F40B760/image-size/medium?v=v2&px=400)
- Create a new VPN Community called SMP-VPN
  - Open Object Explorer, click New VPN Community --> Star Community
  - Add the name, SMP-VPN in this example
  ![_Val__9-1594291725584.png _Val__9-1594291725584.png](https://community.checkpoint.com/t5/image/serverpage/image-id/7178i19B18F082374F5BA/image-size/medium?v=v2&px=400)
  - Click on Advanced and select "Disable NAT inside the VPN community"
  ![_Val__10-1594291725585.png _Val__10-1594291725585.png](https://community.checkpoint.com/t5/image/serverpage/image-id/7181i31061F215AC3AEF1/image-size/medium?v=v2&px=400)
  - Click OK to accept the new object
- Create a Trusted CA called SMP-CA
  - Open Object Explorer, click Add New Server --> More --> Trusted CA...
  ![_Val__11-1594291725588.png _Val__11-1594291725588.png](https://community.checkpoint.com/t5/image/serverpage/image-id/7180iBAB1A87B7F99334A/image-size/medium?v=v2&px=400)
  - Enter the name SMP-CA
  - Click on OPSEC PKI, click Get, and select the SMP certificate you exported in step 1 under the SMP section
  - In the Retrieve CRL From section, uncheck HTTP Server(s)
  ![_Val__12-1594291725590.png _Val__12-1594291725590.png](https://community.checkpoint.com/t5/image/serverpage/image-id/7182iC212A01071EE2EFF/image-size/medium?v=v2&px=400)
- Enable IPsec VPN on the Gateway
  - In this example we are using the gateway Spock
  NOTE: In this example, the Main IP for Spock is an internal 192.168.x address
  ![_Val__13-1594291725593.png _Val__13-1594291725593.png](https://community.checkpoint.com/t5/image/serverpage/image-id/7184i1D290CF7B94C15BB/image-size/medium?v=v2&px=400)
  - Go to the IPsec VPN option in the gateway Spock, click Add, select the new VPN community we created in step 2, SMP-VPN, and click OK
  ![_Val__14-1594291725594.png _Val__14-1594291725594.png](https://community.checkpoint.com/t5/image/serverpage/image-id/7183i8113EBEBE82E48CC/image-size/medium?v=v2&px=400)
  - Select Center Gateways, as this will be the center of our Star VPN, and click Add
  ![_Val__15-1594291725595.png _Val__15-1594291725595.png](https://community.checkpoint.com/t5/image/serverpage/image-id/7185i7BA3E92993177BF2/image-size/medium?v=v2&px=400)
  - Click on Link Selection
  - Under the "Always use this IP address" section:
    NOTE: The default is to use the Main IP address. In this scenario the Main IP is a 192.168.x address, so we need to use the external IP, or the VIP if a cluster. This will be the IP address that the VPN uses for communication to the SMP device.
    - Select the option "Selected address from topology table"
    - Click the drop-down and select the external IP, or the VIP if a cluster
  ![_Val__16-1594291725599.png _Val__16-1594291725599.png](https://community.checkpoint.com/t5/image/serverpage/image-id/7186iD364FFC0AC519AB2/image-size/medium?v=v2&px=400)
  - Click OK to save the changes
- Create the network object(s) to represent the IP addresses behind the remote VPN gateway. In this example we have one network, 192.168.12.254/24
  - Note: if you have more than one network, create a group for all the networks
  ![_Val__17-1594291725601.png _Val__17-1594291725601.png](https://community.checkpoint.com/t5/image/serverpage/image-id/7188iCF9E0C4D98C72E3F/image-size/medium?v=v2&px=400)
- Create an object to represent the other end of the tunnel
  - Click New Network Object --> Gateways and Servers --> More --> Externally Managed VPN Gateway
  - In this example we will call it lab02-gw
  ![_Val__18-1594291725602.png _Val__18-1594291725602.png](https://community.checkpoint.com/t5/image/serverpage/image-id/7189i1F6C81106070785E/image-size/medium?v=v2&px=400)
  - Enter the name of the object and the external IP address, and select IPsec VPN
  - Click on Topology, click New, add the name External and the IP information for the external interface; our example will be 96.93.233.106/28
  ![_Val__19-1594291725604.png _Val__19-1594291725604.png](https://community.checkpoint.com/t5/image/serverpage/image-id/7192i207AF044E1A19934/image-size/medium?v=v2&px=400)
  - Click on Topology, select External, and click OK
  ![_Val__20-1594291725606.png _Val__20-1594291725606.png](https://community.checkpoint.com/t5/image/serverpage/image-id/7190iB92B290C4746D578/image-size/medium?v=v2&px=400)
  - In the VPN Domain section, select "User defined", select the network object/group you just created in step 3, and click OK
  ![_Val__21-1594291725608.png _Val__21-1594291725608.png](https://community.checkpoint.com/t5/image/serverpage/image-id/7193i3E4E3A0BA69DE8C2/image-size/medium?v=v2&px=400)
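Both the internal network topology entered on the SMP side and the user-defined VPN domain entered on the SMS side, together with the introduction's assumption that every network behind each gateway is unique, rely on the two encryption domains not overlapping once NAT is disabled inside the community. The following Python check is an added example, not part of the original write-up: 192.168.12.0/24 and 96.93.233.106/28 are the values from the text, while Spock's internal network and external address are placeholders for the "Spock-Internal" entry and the external IP or cluster VIP, which the write-up does not give.

```python
from ipaddress import ip_interface, ip_network
from itertools import combinations

# Constructed inventory. 192.168.12.0/24 (lab02-gw's internal network) and
# 96.93.233.106/28 (its external interface) are the values used in the write-up;
# Spock's entries are placeholders for the "Spock-Internal" network and its
# external IP / cluster VIP, which the write-up does not give.
GATEWAYS = {
    "lab02-gw": {"external": "96.93.233.106/28", "domains": ["192.168.12.0/24"]},
    "Spock": {"external": "203.0.113.10/24", "domains": ["192.168.20.0/24"]},
}


def check_vpn_domains(gateways):
    """Return a list of findings; an empty list means the VPN domains are
    consistent with the 'unique networks, no NAT' assumption.

    Checks, in order: a domain entered as a host address with a mask
    (e.g. 192.168.12.254/24) is normalised to its network and flagged;
    domains on different gateways must not overlap, otherwise 'Disable NAT
    inside the VPN community' leaves no way to reach the duplicated range;
    a gateway's external address must not sit inside a peer's domain, or
    the peer would try to send the tunnel's own packets through the tunnel.
    """
    findings = []
    nets = []
    for gw, cfg in gateways.items():
        for entry in cfg["domains"]:
            net = ip_network(entry, strict=False)
            if str(net) != entry:
                findings.append(f"{gw}: {entry} has host bits set; use {net}")
            nets.append((gw, net))
    for (gw_a, a), (gw_b, b) in combinations(nets, 2):
        if gw_a != gw_b and a.overlaps(b):
            findings.append(f"{gw_a} {a} overlaps {gw_b} {b}: NAT would be required")
    for gw, cfg in gateways.items():
        ext = ip_interface(cfg["external"]).ip
        for other, net in nets:
            if other != gw and ext in net:
                findings.append(f"{gw} external {ext} lies inside {other} domain {net}")
    return findings


if __name__ == "__main__":
    problems = check_vpn_domains(GATEWAYS)
    print("\n".join(problems) if problems else "VPN domains are consistent")
```

Run it with the real networks from both portals before installing policy; any finding means the "no NAT needed" assumption does not hold for that pair.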
- Re-open the Externally Managed Check Point Gateway object you just created
  - Note: you cannot add it to the VPN community until after you click OK in step 4
  - Click on IPsec VPN, select Add, select the SMP-VPN community and choose the Satellite Gateways option
  ![_Val__22-1594291725609.png _Val__22-1594291725609.png](https://community.checkpoint.com/t5/image/serverpage/image-id/7195i9492A71A4D09969D/image-size/medium?v=v2&px=400)
  - Click Matching Criteria
  - From the drop-down, select the SMP-CA Trusted CA object we created in step 3
  - Check the DN box and paste in the Distinguished Name that you copied to the notepad in SMP step 3. Click OK
  ![_Val__23-1594291725610.png _Val__23-1594291725610.png](https://community.checkpoint.com/t5/image/serverpage/image-id/7194i9C406278D91E5A6F/image-size/medium?v=v2&px=400)
- Publish and Install Policy