This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SecdetKrypton
Contributor
‎2025-04-08 10:12 AM
Jump to solution

How to create a site-to-site VPN between two Check Point firewalls

Hello, I want to create a site-to-site VPN between two Check Point firewalls, both with public IPs. If both firewalls are managed by the same management console, is there another method to establish the connection, or can I do it as if they were two independent Check Points? What would be the best method to create a site-to-site VPN in this case?

0 Kudos
3 Solutions

Accepted Solutions
Tal_Paz-Fridman
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-04-08 11:03 AM
Jump to solution

If they are managed by the same Security Management Server it is as simple as adding them them to a VPN Community (and a couple of other steps...)

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SitetoSiteVPN_AdminGuide/Content/T...

View solution in original post

Tal_Paz-Fridman
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-04-08 01:05 PM
In response to SecdetKrypton
Jump to solution

The main difference between a Meshed and a Star VPN Community lies in their topology and the way VPN tunnels are established:

Meshed VPN Community:

  • In a Meshed community, there are VPN tunnels between each pair of Security Gateways. This means that every gateway can directly communicate with every other gateway in the community.
  • This setup is ideal for environments where all sites need to communicate with each other directly, providing a fully interconnected network

Star VPN Community:

  • In a Star community, each satellite Security Gateway has a VPN tunnel to the central Security Gateway, but not to other Security Gateways in the community.
  • This topology is suitable for scenarios where remote sites (satellites) need to communicate with a central site (hub) but not necessarily with each other.

 

Seems like in your case you need a simple Meshed VPN Community. No need for a dedicated shared secret since they are part of the same community (Shared Secret would be needed if the Security Gateways are not managed by the same Security Management Server)

View solution in original post

the_rock
MVP Diamond
MVP Diamond
‎2025-04-09 03:36 AM
In response to SecdetKrypton
Jump to solution

No problem, glad we can help.

Andy

Best,
Andy
"Have a great day and if its not, change it"

View solution in original post

0 Kudos
9 Replies
Tal_Paz-Fridman
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-04-08 11:03 AM
Jump to solution

If they are managed by the same Security Management Server it is as simple as adding them them to a VPN Community (and a couple of other steps...)

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SitetoSiteVPN_AdminGuide/Content/T...

the_rock
MVP Diamond
MVP Diamond
‎2025-04-08 11:21 AM
Jump to solution

Its pretty much what Tal sent.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
SecdetKrypton
Contributor
‎2025-04-08 12:24 PM
In response to the_rock
Jump to solution

When creating the VPN community, it would be set up as a star, and both security gateways would be added as center gateways without a shared secret?

0 Kudos
Tal_Paz-Fridman
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-04-08 01:05 PM
In response to SecdetKrypton
Jump to solution

The main difference between a Meshed and a Star VPN Community lies in their topology and the way VPN tunnels are established:

Meshed VPN Community:

  • In a Meshed community, there are VPN tunnels between each pair of Security Gateways. This means that every gateway can directly communicate with every other gateway in the community.
  • This setup is ideal for environments where all sites need to communicate with each other directly, providing a fully interconnected network

Star VPN Community:

  • In a Star community, each satellite Security Gateway has a VPN tunnel to the central Security Gateway, but not to other Security Gateways in the community.
  • This topology is suitable for scenarios where remote sites (satellites) need to communicate with a central site (hub) but not necessarily with each other.

 

Seems like in your case you need a simple Meshed VPN Community. No need for a dedicated shared secret since they are part of the same community (Shared Secret would be needed if the Security Gateways are not managed by the same Security Management Server)

SecdetKrypton
Contributor
‎2025-04-08 04:25 PM
In response to Tal_Paz-Fridman
Jump to solution

"Thank you for your explanation, it was very clear."

the_rock
MVP Diamond
MVP Diamond
‎2025-04-08 04:50 PM
In response to SecdetKrypton
Jump to solution

To add to an excellent explanation Tal provided, hope below is useful too.

Andy

Meshed VPN (Full Mesh):
  • Connectivity:
    Every site in the VPN has a direct, secure tunnel (VPN tunnel) to every other site. 
     
  • Scalability:
    While it offers high redundancy and fault tolerance, the number of tunnels grows exponentially with each added site, which can become complex to manage. 
     
  • Performance:
    A fully meshed topology allows for the highest performance, lowest transmission delay, and the best fault tolerance possible. 
     
  • Use Cases:
    Ideal for situations where all sites need to communicate directly with each other, such as a company with multiple offices that need to share data and resources freely. 
     
 
Star VPN (Hub and Spoke):
  • Connectivity:
    Satellite sites (spokes) connect only to a central site (hub), and satellite sites cannot directly communicate with each other. 
     
  • Scalability:
    Easier to manage than a mesh VPN, especially for large networks, as the number of tunnels grows linearly with the number of satellite sites. 
     
  • Performance:
    Traffic between satellite sites must go through the central hub, which can introduce some latency. 
     
  • Use Cases:
    Suitable for scenarios where communication between remote sites and a central office is needed, but not necessarily between the remote sites themselves, such as a company with remote offices and a main office. 
     
  • Security:
    If the central hub fails, all communication from hub to spokes and between spokes fails. 
Best,
Andy
"Have a great day and if its not, change it"
SecdetKrypton
Contributor
‎2025-04-08 09:01 PM
In response to the_rock
Jump to solution

Thank you very much for the explanation, it will be helpful.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-04-09 03:36 AM
In response to SecdetKrypton
Jump to solution

No problem, glad we can help.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-04-08 01:16 PM
In response to SecdetKrypton
Jump to solution

If its only 2 firewalls, I never found much difference, but as @Tal_Paz-Fridman indicated, those are main differences. You are correct, only if you indicate satellite gateway, then you need to enter shared secret, so just add both of them (if its 2) as center gateways.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events