Create a Post
ABosinceanu
Contributor

R81.10 Site to Site VPN Config between two Gateways hosted in Azure - full documentation

I have documented here the Site to Site VPN config between two Check Point R81.10 Gateways hosted in Azure Cloud, managed also by Azure Hosted IaaS Security Management Server. Attached also the Word document.

Cloud Network Security 

Firewall deployment & VNET level configs, used for this VPN S2S setup are documented here: 

https://community.checkpoint.com/t5/Cloud-Network-Security/R81-10-Single-Gateway-Azure-deployment/m-...

 

Configuring Site To Site VPN between 2 Check Point Gateways hosted in Azure

Version 1.0

6 October 2022

 

Configuration description:

Firewall Management Servers

  • A single Management server is managing both Gateways

Gateways

  • westSG protecting VNET1 10.0.0.0/16
  • northSG protecting VNET2 10.2.0.0/16

Services & VMs that need to communicate via VPN

  • west-webserver hosted in VNET1 à subnet 10.0.2.0/24
  • north-webserver hosted in VNET2 à subnet 10.2.2.0/24

Existing environment setup

  • On both VNET1 and VNET2, the subnets where the webservers are hosted are configured as “Hide behind the Gateway”.
    • This setting is the basic config for the Azure hosted assets to have Internet Access via the Check Point Security gateway à config on network object
      • Automatic NAT Rules are enabled

 

Existing configuration is documented here:

https://community.checkpoint.com/t5/Cloud-Network-Security/R81-10-Single-Gateway-Azure-deployment/m-...

 

 

Site to Site VPN Configuration Steps

 

  1. Enable IPsec VPN software blade on both Gateways --> General Properies --> Network Security TAB --> Check The IPSec VPN tick box --> Click OK to save the configuration.andreibo_0-1665074035098.png

     

    andreibo_1-1665074035101.png

     

  2. Create a VPN Community object --> Objects --> More Objects --> VPN Community --> New Meshed Communityandreibo_2-1665074035107.png

     

    1. Give a name to the VPN Community and add the two gateways and Click OK.andreibo_3-1665074035108.png

       

    2. The other default settings can remain default for this Check Point to Check Point VPN Configuration.
  3. Configure the VPN Domain for both Security Gateways --> Edit Gateway properies --> Network Management --> VPN Domain --> Select User Defined option --> tick the 3 dots in the right --> Select the subnet you want to use for the VPN. If the object for the subnet is not created, create it.andreibo_4-1665074035110.png

     

    1. If you do not want to use an entire subnet as VPN Domain, you can create and use Address Range objects.andreibo_5-1665074035112.png

       

  4. Set the Scope of the VPN --> Gateway Properties --> IPSec VPN TAB & add the VPN Community you created earlyerandreibo_6-1665074035114.png

     

  5. Link selection --> Gateway Properies --> IPSec VPN TAB --> Link Selection under-TAB --> assure that Main Address is selected and Operating System Routing Table also.andreibo_7-1665074035116.png

     

  6. Link selection --> Gateway Properies --> IPSec VPN TAB --> Link Selection under-TAB --> Go to Source IP address settings --> Select Manual --> Selected addresses from topology table --> select the private IP of the eth0(external) of the Gatewayandreibo_8-1665074035118.png

     

  7. Validate that Step 1 was configured on both gateways
  8. Validate that Steps 3, 4, 5 & 6 where configured on both gateways
  9. Azure level routes --> In Azure Portal --> Go to Route Tablesandreibo_9-1665074035119.png

     

  10. Edit the Route Tables for the subnets used in VPN Domain for both Gateways, in this case there are only two route tables as we have only a single test subnet in each Azure VNETandreibo_10-1665074035119.png

     

  11. On the Route Table properies, go to Routes TAB and add a new Route to reddirect traffic torward the other VNET’s subnet via the gateway’s eth1 private IPandreibo_11-1665074035121.png

     

    1. For the north-asset-routes, all traffic to west-webserver subnet assets will be reddirected via the north-SG eth1 interface IPandreibo_12-1665074035121.png

       

    2. For the west-asset-routes, all traffic to north-webserver subnet assets will be reddirected via the west-SG eth1 interface IPandreibo_13-1665074035122.png

       

  12. Create Access Control Rules
    1. In SmartConsole --> Security Policy --> Access Control --> Policy --> I have created a single policy to allow traffic both ways(north-->west & west-->north) marking the previously created VPN Community with any service and marked as Allowed andreibo_14-1665074035125.png

       

      1.      This policy was installed on both Security Gatewaysandreibo_15-1665074035126.png

         

      2.      I used subnet objects both for Source & Destination as this is a test/Demo environment only.
        1. In real life, we will use host objects, host groups, Dynamic Objects and so on…
      3. Create Access Control Rules
        1. In SmartConsole --> Security Policy --> Access Control --> NAT --> I have created two manual NAT rulesandreibo_16-1665074035129.png

           

          1.      This policies are needed because both assets subnet(north & west) have NAT configured --> Hide behind the gateway. Practically, this rules are an exception for the following Automatic NAT Rules(created automatically when configured NAT on subnet objects)andreibo_17-1665074035130.png

             

             
            1. We do not want that traffic from west-subnet-assets to reach the north-subnet-assets with northSG gateway eth0 private IP, but with it’s own subnet allocated IP --> as we need to filter traffic as much as possible.
          2. Do not forget to Publish & Install the policies on both gateways to implement changes & configs.
          3. Testing can be done by ping from a server hosted in west-subnet-assets to a server hosted in the north-subnet-assets and than from north to west.
Andrei Bosinceanu
https://www.linkedin.com/in/andrei-bosinceanu-34582358/
0 Replies