Hi guys,
I'm trying to configure a few tunnels from a Check Point cluster to Amazon AWS, and I'm not able to understand the part about the VTI interface IPs and the cluster topology IPs. I have read the following two guides:
https://docs.aws.amazon.com/es_es/vpn/latest/s2svpn/cgw-static-routing-examples.html
The Check Point one seems to be contradictory to me, it says:
But afterwards, it says:
* Note: VTI Local Address (per cluster member) must be different than the addresses provided in the configuration file. These addresses are only locally significant, and are used to establish the point-to-point connection between the logical Check Point and AWS interfaces, on which VPN nexthop routes will be configured for use.
Note: For a cluster with two members, four unique addresses are required - one for each VTI, as outlined above. All other settings can stay the same. In total, six VTI IP addresses would be required - the additional two will be the shared addresses, which will be defined in SmartDashboard later.
In the AWS config file, there are two IPs for each tunnel, as follows:
f. IP Address: 169.254.92.222
g. Remote IP: 169.254.92.221
The CP guide also states:
Fetching the VPN Tunnel interfaces:
(Note: If you have not done so already, enable the IPsec VPN blade on your gateway)
Open your gateway or cluster object, and navigate to the Topology tab.
Re-fetch the interface configuration.
Note: For clusters, define the newly added interfaces as Cluster interfaces, using the IP addresses specified in the configuration file for the "Customer Gateway":
I don't see any "Customer gateway IP" information in the AWS config file. So I'm totally lost, don't know what IP to set in the Local and Remote VTI, which one to put in the static routing, and which one to set the cluster interfaces...
May you help to shed some light?
Thanks in advance
Hello arcotangente,
Here are the steps I usually follow when creating a new VPN with AWS.
1. Create Interoperable Device objects with the public IPs of the AWS VPN peers in SmartConsole. For instance, if your AWS VPN peer IP is 52.30.155.2, create an object called AWS_GW1 with that IP, and add an empty network group as the encryption domain in its topology. Do the same for the second AWS VPN peer GW (AWS_GW2).
2. Add the following commands on each cluster member:
HA Member 1
add vpn tunnel 1 type numbered local 169.254.92.1 remote 169.254.92.221 peer AWS_GW1
set interface vpnt1 state on
set interface vpnt1 mtu 1436
HA Member 2
add vpn tunnel 1 type numbered local 169.254.92.2 remote 169.254.92.221 peer AWS_GW1
set interface vpnt1 state on
set interface vpnt1 mtu 1436
Since it's a point-to-point interface, you can add any IP address from that subnet. Then you will configure 169.254.92.222 on the VIP.
As you can see I have .158 for VIP, and .157 is the IP address of AWS's side of the tunnel. You have to follow the same for the second tunnel to the other AWS VPN GW.
The rest of the instructions for routing and policies are described in the configuration file which you download from AWS Console.
Hi MK1.
Thank you for the response! So, let me see if I got this right, we should have the following (example) configuration for a tunnel to AWS:
HA Member 1 (tunnel 1)
add vpn tunnel 1 type numbered local 169.254.92.1 remote 169.254.92.221 peer AWS_GW1
set interface vpnt1 state on
set interface vpnt1 mtu 1436
HA Member 1 (tunnel 2)
add vpn tunnel 2 type numbered local 169.254.92.3 remote 169.254.92.223 peer AWS_GW1
set interface vpnt2 state on
set interface vpnt2 mtu 1436
HA Member 2 (tunnel 1)
add vpn tunnel 1 type numbered local 169.254.92.2 remote 169.254.92.221 peer AWS_GW1
set interface vpnt1 state on
set interface vpnt1 mtu 1436
HA Member 2 (tunnel 2)
add vpn tunnel 2 type numbered local 169.254.92.4 remote 169.254.92.223 peer AWS_GW1
set interface vpnt2 state on
set interface vpnt2 mtu 1436
And then for the cluster IP addresses: 169.254.92.222 for vpnt1 and 169.254.92.224 for vpnt2.
Should the cluster IP address be a specific IP address, or just any IP address in the 169.254.92.x subnet?
Also, does it matter what local and remote IP address we use for the tunnel configuration, or just any from the 169.254.x.x range? Should we stick to the config file from AWS in terms of IP addresses for local and remote on the VTI, or can we come up with our own?
Thanks!
No, your configuration is wrong. AWS gives you two separate IPsec peer IPs, which are public. Let's say they are 1.1.1.1 and 2.2.2.2.
The first thing you have to create with SmartConsole are the Interoperable Devices for the remote VPN peers, in our case AWS_GW1 which is 1.1.1.1 and AWS_GW2 which is 2.2.2.2.
AWS also gives you two separate IPs in the 169.254.x.x range. Let's say the IPs for the first tunnel are 169.254.1.99 (AWS) and 169.254.1.100 (you), and the IPs for the second tunnel are 169.254.2.99 (AWS) and 169.254.2.100 (you).
Then you have the following config in the CLI:
GW1
add vpn tunnel 1 type numbered local 169.254.1.1 remote 169.254.1.99 peer AWS_GW1
set interface vpnt1 state on
set interface vpnt1 mtu 1436
add vpn tunnel 2 type numbered local 169.254.2.1 remote 169.254.2.99 peer AWS_GW2
set interface vpnt2 state on
set interface vpnt2 mtu 1436
GW2
add vpn tunnel 1 type numbered local 169.254.1.2 remote 169.254.1.99 peer AWS_GW1
set interface vpnt1 state on
set interface vpnt1 mtu 1436
add vpn tunnel 2 type numbered local 169.254.2.2 remote 169.254.2.99 peer AWS_GW2
set interface vpnt2 state on
set interface vpnt2 mtu 1436
The main purpose here is to have different IPs on each VPN tunnel interface; then you configure the VIP via the GUI with the proper IP provided by AWS, in our case 169.254.1.100 as the VIP for vpnt1 and 169.254.2.100 for vpnt2. Then you have to add your static routes pointing to 169.254.1.99 and 169.254.2.99 (if you don't use BGP). One of them should have priority.
On your questions:
Should the cluster IP address be a specific IP address, or just any IP address in the 169.254.92.x subnet? - The cluster IP address must be the one given by AWS. Member IP addresses can be any IP address.
Also, does it matter what local and remote IP address we use for the tunnel configuration, or just any from the 169.254.x.x range? - Yes, it does. You have to use the IPs given by AWS for both sides of the tunnels, and you can use other IPs, different from the VIP, for each member's interfaces.
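As an added example (not code from the thread or from Check Point/AWS), a small Python planner that turns the inside-tunnel address pairs from the AWS configuration file into the per-member clish commands, the VIP per VTI and the prioritized static routes described above, checking the rules from the thread as it goes; the VPC CIDR and the `set static-route ... priority` clish form are assumptions.

```python
"""VTI address plan for a Check Point cluster peering with an AWS Site-to-Site VPN,
following the answer above: the cluster VIP on each VTI is the address AWS assigned
to your side, each member gets its own unused address, the remote is AWS's side."""
import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # AWS inside-tunnel range


def plan_vti(tunnels, members, peers, vpc_cidr="10.20.0.0/16"):
    """tunnels: (customer_gateway_inside_ip, aws_inside_ip) per tunnel from the AWS file;
    members: cluster member names; peers: Interoperable Device object name per tunnel.
    Returns clish commands per member, the VIP per VTI, and static routes (clish form assumed)."""
    used = set()
    for cgw_ip, aws_ip in tunnels:
        for ip in (cgw_ip, aws_ip):
            if ipaddress.ip_address(ip) not in LINK_LOCAL:
                raise ValueError(f"{ip} is outside {LINK_LOCAL}")
            if ip in used:
                raise ValueError(f"AWS-provided address {ip} appears twice")
            used.add(ip)
    commands = {m: [] for m in members}
    vips, routes = {}, []
    for t, ((cgw_ip, aws_ip), peer) in enumerate(zip(tunnels, peers), start=1):
        vti = f"vpnt{t}"
        vips[vti] = cgw_ip  # shared cluster address: the one AWS gave "you"
        net24 = ipaddress.ip_network(f"{aws_ip}/24", strict=False)
        host = (t - 1) * len(members) + 1  # .1/.2 for tunnel 1, .3/.4 for tunnel 2, ...
        for member in members:
            # member-local address: low host in the tunnel's /24, skipping any taken address
            while str(net24.network_address + host) in used:
                host += 1
            local = str(net24.network_address + host)
            used.add(local)
            host += 1
            commands[member] += [
                f"add vpn tunnel {t} type numbered local {local} remote {aws_ip} peer {peer}",
                f"set interface {vti} state on",
                f"set interface {vti} mtu 1436",
            ]
        # static route to the VPC via AWS's side of the tunnel; lower priority value wins
        routes.append(f"set static-route {vpc_cidr} nexthop gateway address {aws_ip} priority {t} on")
    return {"commands": commands, "vips": vips, "routes": routes}


if __name__ == "__main__":  # constructed input: the 169.254.92.x pairs quoted in the question
    plan = plan_vti([("169.254.92.222", "169.254.92.221"), ("169.254.92.224", "169.254.92.223")],
                    ["GW1", "GW2"], ["AWS_GW1", "AWS_GW2"])
    for member, cmds in plan["commands"].items():
        print(member, *cmds, sep="\n")
    print("VIPs to set in SmartConsole:", plan["vips"], *plan["routes"], sep="\n")
```

For two members and two tunnels the plan yields the six Check Point-side addresses the guide mentions (four member-local plus two shared VIPs), with the two AWS-side addresses as route next hops.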
It worked!
Thank you very much!
Is the MTU of 1436 important? Can it be the cause of VPN resets if the MTU is 1500?