This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Oscar_David_Gom
Contributor
Contributor
‎2019-06-20 09:30 AM

VSX VPN with AWS

HI

 

I have a R80.10 VSX cluster, one of my VS is manging our VPNS, today I recevied a request of creating a VPN against AWS, they send us a txt file generated from AWS where indicate the step by step for creating it, the problem started with first step: Creating a Tunnel interface, as we are using VSX, that is not supported, so what we do was:

 

1. Creating a Star community

2. Add as the center my VS and for the satellite the interoperable device configured as usual (Public IP, encryption domain, etc).

3. Setting parameters of encryption, etc. as said by txt configuration file from aws.

 

1. Under Security Policies choose "VPN Communities" and click "New", "Star Community".
 2. Choose "General" and provide a name :  vpn-0a265dfe8bec93511. 
 3. For "Center Gateways", add your gateway or cluster.
 4. For "Satellite Gateways", add the interoperable devices that you created before. 
 5. For "Encryption", choose "IKEv1 only". 
 6. In the "Encryption Suite" section, choose "Custom", "Custom Encryption".
 7. Configure the properties as follows:
  Phase 1 Properties - Internet Key Exchange (IKE)
  a. Perform key exchange encryption with: aes128 
  b. Perform data integrity with: sha1

 Phase 2 Properties -IPSEC
 a. Perform IPsec data encryption with: aes128 
 b. Perform data integrity with: sha1 
 
 8. For "Tunnel Management", choose "Set Permanent Tunnels", "On all tunnels in the community". 
 9. In the "VPN Tunnel Sharing" section, choose "One VPN tunnel per Gateway pair". 
 10. Expand "Advanced Settings". For "Shared Secret":  *************
 11. For "Advanced VPN Properties", configure the properties as follows:
   IKE (Phase 1)
   a. Use Diffie-Hellman group: 2 
   b. IKE SA lifetime: 28800 seconds 
    IPSEC (Phase 2) a. Use Perfect Forward Secrecy: Checked b. IPSEC SA Lifetime: 3600 sec 

 12. Click OK to close the VPN Window

4. Configuring tunnel_keep_alive method for dpd.

5. Creating the rule.

6. Installing policies.

Result: VPN is always Down, so my question is, how to configure a vpn against amazon when i'm using VSX?

 

Thanks.

0 Kudos
4 Replies
_Val_
Admin
Admin
‎2019-06-21 04:33 AM

Take a look here: https://community.checkpoint.com/t5/CloudGuard-IaaS/AWS-deployment-with-VSX-on-prem-gateway/td-p/195...

0 Kudos
am
Participant
‎2019-11-12 06:58 AM

This question keeps popping up and no direct answer has been seen yet. Has anybody been able to create a VPN tunnel between AWS and VSX? And if yes, can you share your setup? Or even between AWS and "nonVTI" VPN with regular CP gateway.

0 Kudos
Hieu_le
Explorer
‎2020-10-26 09:36 PM

Have you done it? @Oscar_David_Gom 

0 Kudos
Oscar_David_Gom
Contributor
Contributor
‎2020-10-27 10:28 AM
In response to Hieu_le

Hi, 

 

Yes, we could stablish the VPN, we configured it as a policy based VPN (mesh, encription domains on fw and interoperable device, permanent tunnel, etc.) and in the guidbedit we changed keep alive method to dpd in both, aws and on prem firewall objects, save changes, install policy and it immediately goes UP. 

 

David.

  

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events