I would like some help with this if possible. I inherited this Check Point setup and don't know how to configure it, so I was looking for some help. We currently have a Verizon M2M portal that we access using a VTI on our 3200 firewalls' HA setup. I have to update our VPN to a new BGP solution because Verizon is doing away with the setup we have currently. They sent me these requirements, but I don't know where to start. Per the tech:
Perform this prior; this is a sample of what needs to be done:
1. Add VTI interface IPs on primary
2. Enable BGP on primary
3. Add new backup VPN circuit
4. Add VTI and BGP on backup circuit
5. Add prepend statement on backup circuit
On First Firewall:
Firewall1
!
interface Tunnel1
 nameif VTI_interface
 ip address 10.1.1.2 255.255.255.252
 tunnel source interface Outside
 tunnel destination 123.xxx.xxx.38
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VERIZON
!
router bgp 65535
 bgp log-neighbor-changes
 bgp bestpath compare-routerid
 address-family ipv4 unicast
  neighbor 10.1.1.1 remote-as 6167
  neighbor 10.1.1.1 activate
  network 0.0.0.0
  no auto-summary
  no synchronization
 exit-address-family
!
route VTI_interface 10.0.0.0 255.252.0.0 10.1.1.1 1
crypto ipsec ikev1 transform-set VTI esp-aes-256 esp-sha-hmac
crypto ipsec profile VERIZON
 set ikev1 transform-set VTI
crypto ikev1 enable Outside
crypto ikev1 policy 40
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 123.xxx.xxx.38 type ipsec-l2l
tunnel-group 123.xxx.xxx.38 ipsec-attributes
 ikev1 pre-shared-key *****
!
Firewall2
!
interface Tunnel2
 nameif VTI_interface
 ip address 10.1.4.2 255.255.255.252
 tunnel source interface Outside1
 tunnel destination 123.xx.xxx.250
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VERIZON
!
router bgp 65535
 bgp log-neighbor-changes
 bgp bestpath compare-routerid
 address-family ipv4 unicast
  neighbor 10.1.4.1 remote-as 6167
  neighbor 10.1.4.1 activate
  neighbor 10.1.4.1 route-map PREPEND out
  network 0.0.0.0
  no auto-summary
  no synchronization
 exit-address-family
!
route-map PREPEND permit 10
 set as-path prepend 65535 65535
!
route-map PREPEND permit 20
!
route VTI_interface 10.0.0.0 255.252.0.0 10.1.4.1 1
crypto ipsec ikev1 transform-set VTI esp-aes-256 esp-sha-hmac
crypto ipsec profile VERIZON
 set ikev1 transform-set VTI
crypto ikev1 enable Outside1
crypto ikev1 policy 40
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 123.xxx.xxx.250 type ipsec-l2l
tunnel-group 123.xxx.xxx.250 ipsec-attributes
 ikev1 pre-shared-key *****
!
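Before translating either sample to the Check Point side, it is worth checking the values for the slips that silently break a VTI/BGP peering. The following is an added Python check, not Verizon's, Cisco's or Check Point's code: it pulls the VTI address, BGP neighbor, static next hop, outbound route-map and synchronization setting out of an ASA-style snippet and flags a neighbor or next hop that is not on the tunnel /30, a backup circuit with no outbound prepend, or synchronization left on. The two inputs are constructed reductions of the sample firewalls, each carrying one such slip.

```python
import ipaddress
import re

def parse_vti_bgp(text):
    """Extract the values the VTI/BGP design depends on from an ASA-style config snippet."""
    cfg = {"vti": None, "neighbors": [], "next_hop": None, "prepend_out": False, "sync": None}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"ip address (\S+) (\S+)$", line):
            cfg["vti"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")  # host/netmask form
        elif m := re.match(r"neighbor (\S+) remote-as (\d+)$", line):
            cfg["neighbors"].append((m[1], int(m[2])))
        elif m := re.match(r"route \S+ \S+ \S+ (\S+) \d+$", line):
            cfg["next_hop"] = m[1]
        elif re.match(r"neighbor \S+ route-map \S+ out$", line):
            cfg["prepend_out"] = True
        elif line in ("synchronization", "no synchronization"):
            cfg["sync"] = not line.startswith("no ")
    return cfg

def check_vti_bgp(text, backup=False):
    """Return human-readable findings; an empty list means the snippet is internally consistent."""
    cfg = parse_vti_bgp(text)
    if cfg["vti"] is None:
        return ["no VTI ip address found"]
    net = cfg["vti"].network
    findings = []
    for ip, _asn in cfg["neighbors"]:
        if ipaddress.ip_address(ip) not in net:
            findings.append(f"neighbor {ip} not on VTI subnet {net}")
    if cfg["next_hop"] and ipaddress.ip_address(cfg["next_hop"]) not in net:
        findings.append(f"static next hop {cfg['next_hop']} not on VTI subnet {net}")
    if backup and not cfg["prepend_out"]:
        findings.append("backup has no outbound prepend route-map")
    if cfg["sync"]:
        findings.append("synchronization enabled (ASA default is 'no synchronization')")
    return findings

# Constructed inputs: reduced copies of the two sample firewalls, each with one slip to catch.
PRIMARY = """interface Tunnel1
 ip address 10.1.1.2 255.255.255.252
router bgp 65535
 address-family ipv4 unicast
  neighbor 10.1.1.1 remote-as 6167
  synchronization
route VTI_interface 10.0.0.0 255.252.0.0 10.1.1.1 1
"""
BACKUP = """interface Tunnel2
 ip address 10.1.4.2 255.255.255.252
router bgp 65535
 address-family ipv4 unicast
  neighbor 10.1.4.1 remote-as 6167
  neighbor 10.1.4.1 route-map PREPEND out
  no synchronization
route VTI_interface 10.0.0.0 255.252.0.0 10.4.1.1 1
"""
```

Run `check_vti_bgp(PRIMARY)` and `check_vti_bgp(BACKUP, backup=True)`; the backup snippet reports its next hop 10.4.1.1 as off the 10.1.4.0/30 tunnel subnet, which is the kind of transposition that leaves the static route pointing nowhere.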