Solved: Check Point - AWS VPN tunnels question - Page 2

arcotangente · ‎2020-07-01

Hi guys,

I'm trying to configure a few tunnels from a Check Point cluster to Amazon AWS and I'm not able to understand the part of the VTI interfaces IPs and cluster topology IP's. I have read the following two guides:

https://docs.aws.amazon.com/es_es/vpn/latest/s2svpn/cgw-static-routing-examples.html

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

The Check Point one seems to be contradictory to me, it says:

Click to Expand

Under "VPN Tunnel Type" select "Numbered"

Under "Local Address": provide the "Inside IP Address" of the "Customer Gateway" as specified in the configuration file. (This relates to a single gateway configuration.)
Under "Remote Address": provide the "Inside IP Address" of the "Virtual Private Gateway" as specified in the configuration file.

Under "VPN Tunnel Type" select "Numbered"Under "Local Address": provide the "Inside IP Address" of the "Customer Gateway" as specified in the configuration file. (This relates to a single gateway configuration.)Under "Remote Address": provide the "Inside IP Address" of the "Virtual Private Gateway" as specified in the configuration file.

But afterwards, it says:

Click to Expand

* Note: VTI Local Address (per cluster member) must be different than the addresses provided in the configuration file. These addresses are only locally significant, and are used to establish the point-to-point connection between the logical Check Point and AWS interfaces, on which VPN nexthop routes will be configured for use.

Note: For a cluster with two members, four unique addresses are required - one for each VTI, as outlined above. All other settings can stay the same. In total, six VTI IP addresses would be required - the additional two will be the shared addresses, which will be defined in SmartDashboard later.

* Note: VTI Local Address (per cluster member) must be different than the addresses provided in the configuration file. These addresses are only locally significant, and are used to establish the point-to-point connection between the logical Check Point and AWS interfaces, on which VPN nexthop routes will be configured for use.Note: For a cluster with two members, four unique addresses are required - one for each VTI, as outlined above. All other settings can stay the same. In total, six VTI IP addresses would be required - the additional two will be the shared addresses, which will be defined in SmartDashboard later.

In the AWS config file, there are 2 IP's for each tunnel, as follows:

f. IP Address: 169.254.92.222
g. Remote IP: 169.254.92.221

The CP guide also states:

Click to Expand

Fetching the VPN Tunnel interfaces:

(Note: If you have not done so already, enable the IPsec VPN blade on your gateway)

Open your gateway or cluster object, and navigate to the Topology tab.
Re-fetch the interface configuration.
Note: For clusters, define the newly added interfaces as Cluster interfaces, using the IP addresses specified in the configuration file for the "Customer Gateway":

Fetching the VPN Tunnel interfaces:(Note: If you have not done so already, enable the IPsec VPN blade on your gateway)Open your gateway or cluster object, and navigate to the Topology tab.Re-fetch the interface configuration.Note: For clusters, define the newly added interfaces as Cluster interfaces, using the IP addresses specified in the configuration file for the "Customer Gateway":

I don't see any "Customer gateway IP" information in the AWS config file. So I'm totally lost, don't know what IP to set in the Local and Remote VTI, which one to put in the static routing, and which one to set the cluster interfaces...

May you help to shed some light?

Thanks in advance

Are you a member of CheckMates?

Check Point - AWS VPN tunnels question