Hi,
what information do we need from the remote site customer when creating site to site VPN?
At a very high level:
It gets a bit more complicated if both ends of the VPN are using the same address space.
See more here: Site to Site VPN R80.10 - Part of Check Point Infinity
You need to exchange information with the remote site customer as he needs to configure the VPN on his side as well and therefore needs to know the external IP address of your VPN gateway, encryption domain, encryption settings and other data.
Best practice is to fill out a VPN Datasheet like this one:
| VPN Site 1 | VPN Site 2 |
|---|---|
| Company A | Company B |
| Requested by: | Requested by: |
| Planning contact: | Planning contact: |
| Responsible for installation: | Responsible for installation: |
| VPN Gateway | |
| Hardware Vendor & Version: Check Point R__.__ | Hardware Vendor & Version: |
| External IP address: | External IP address: |
| Encryption Domain / Crypto Map: | Encryption Domain / Crypto Map: |
| VPN Phase 1 (IKE) | |
| Key Management: | Key Management: |
| DH-Group (Diffie-Hellman): | DH-Group (Diffie-Hellman): |
| Encryption Algorithm: | Encryption Algorithm: |
| Hash / Data Integrity: | Hash: |
| Pseudo Random Function (PRF): | Pseudo Random Function (PRF): |
| Authentication Method: | Authentication Method: |
| SA Lifetime / Renegotiation time: 1440 min. (Default) | SA Lifetime: |
| VPN Phase 2 (IPSec) | |
| Encapsulation: ESP | Encapsulation: ESP |
| Perfect Forward Secrecy (PFS): Yes / No | Perfect Forward Secrecy (PFS): Yes / No |
| DH-Group (Diffie-Hellman): Group 1 (768 bit) / Group 2 (1024 bit) / Group 5 (1536 bit) / Group 14 (2048 bit) / Group 19 (256-bit ECP) / Group 20 (384-bit ECP) | DH-Group (Diffie-Hellman): |
| Encryption Algorithm: | Encryption Algorithm: |
| Hash / Data Integrity: | Hash: |
| Aggressive Mode: Yes / No | Aggressive Mode: Yes / No |
| SA Lifetime: 3600 sec. (Default) | SA Lifetime: |
| VPN Tunnel Sharing | |
| | |
| VPN NAT Options | |
| Disable NAT inside the VPN traffic: Yes / No | |
| VPN Interesting Traffic | |
| Inbound from Site 2: | Inbound from Site 1: |
| Outbound to Site 2: | Outbound to Site 1: |
A great worksheet, just want to emphasize that the Phase 1 SA Lifetime is expressed by Check Point in minutes, while the Phase 2 SA Lifetime is expressed by Check Point in seconds. Most other vendors express both values in seconds.
If these values are mismatched between the two sites, the VPN will still start and appear to work, but in an interoperable VPN situation in particular, Delete SAs don't always work correctly. This will cause seemingly random hangs of the VPN tunnel that can be rectified by killing the tunnel via "vpn tu", at which point the VPN will immediately pop back up and start working...until the hang happens again. Also watch out for early tunnel expirations due to a Data Lifesize limit being reached or a VPN idle timer expiring. Enabling Permanent Tunnels (and enabling DPD with it for interoperable VPNs) is strongly recommended.
--
My book "Max Power: Check Point Firewall Performance Optimization" now available via http://maxpowerfirewalls.com.
For Phase 1 Encryption Algorithm:
Is it CBC or ECB?
Pretty sure it is CBC: sk105119: Best Practices - VPN Performance
--
My Book "Max Power: Check Point Firewall Performance Optimization" Second Edition Coming Soon
That is very helpful 
Danny,
Can you post the .doc version of the VPN worksheet?
I created the above datasheet from scratch within this Jive portal using html tables and standard text formatting. Therefore I don't have a .doc version but you should be able to easily copy it from here into any .doc.
Thanks Danny. I've exported it to a document and copy/pasted it in Word and it looks fine.
I'd like to ask you a question though: for Check Point to Check Point externally managed gateway, one of the pre-requisites is the topology data exchange and it is not included in this document.
Is it still a requirement in R80.10 (I believe it is referencing older documents in the R80.10 Advanced VPN Configuration Guide) and if so, can you add it to your template?
Thank you.
In my experience this is not a pre-requisite. I'm using many of these configurations and never exchanged the entire topology data, just the networks that are part of the interesting traffic.
Can someone from Check Point provide a definitive answer to the topology exchange requirements between externally managed gateways?
According to the Advanced VPN Configuration Guide:
To configure a VPN using pre-shared secrets, with the external Security Gateways as satellites in a star VPN Community, proceed as follows:
I'm pretty sure in an externally managed gateway scenario, you're not exchanging topology automatically.
Basically all it's saying is that your local definition should be the same as it is defined on the remote site (using similar subnet definitions, settings, etc).
That I understand. The issue is that with any other device or peer, the exchange of the topology data is not required.
We are simply specifying Encryption Domain and external IP of the peer (in addition to crypto settings).
What makes Externally managed CP gateway different that it requires (if it still does) the topology data?
I am working now with one of my clients that is trying to peer with someone also running CP, but they are refusing to provide their topology data. So I am trying to get to the bottom of issue here to see if it is really a mandatory pre-requisite.
Is this table still valid? In my opinion, yes.
any suggestion appreciated
thank you
Thank you very much for the table.
A quick question, we face a requirement to use AES-GCM-256 algorithm in phase 1.
I guess this is still not supported, is it?
(gw: R81.10 JHF 78)
Thanks again.
AES-GCM-256 should be supported from R80.30 "out of the box" and will work with R80.10/.20 with the relevant JHF level per: https://support.checkpoint.com/results/sk/sk152832