Connecting to a Check Point Security Gateway peer

Connecting an IBM policy-based VPN to a Check Point Security Gateway peer

Here's an example of how to connect an IBM policy-vased VPN to a Check Point Security Gateway peer:

1. To configure the security gateways that are internally managed, follow these steps:

   • Go to SmartConsole > Gateways & Services and click the name of security gateway to open the Security Gateway configuration page.
   • Go to the Network Management page to define the topology.
   • Go to the Network Management > VPN Domain page to define the VPN domain.

2. To create an interoperable device on the Check Point SmartConsole, follow these steps:

   • Go to Object Explorer and click New > More > Network Object > More > Interoperable Device to open the new interoperable device page.
   • Go to the General Properties page and enter the IBM VPN gateway name and public IP address.
   • Go to the Topology page and add the IBM VPN gateway public IP address and IBM VPC subnets. Add the IBM VPN public IP address as an external network with netmask 255.255.255.255. Add the IBM VPC subnets as an internal network.

3. To add the VPN Community, follow these steps.

   These instructions are based on the Star Community type, but the Meshed Community type is also an option.

   • Go to SmartConsole > Security Policies > Access Tools > VPN Communities, click Star Community to open the new VPN community page.
   • Enter the new community name.
   • Go to the Gateways > Center Gateways page, click the + icon, and add the Check Point Security Gateway.
   • Go to the Gateways > Satellite Gateways page, click the + icon, and add the IBM VPN gateway.
   • Go to the Encryption page and use the default Encryption Method and Encryption Suite.
   • Go to the Tunnel Management page and select One VPN tunnel per subnet pair.
   • Go to the Shared Secret page and set the pre-shared key.
   • Click OK and publish the changes.

4. To add relevant access rules in the Security Policy page, follow these steps:

   • Add the community in the VPN column, the services in the Service & Applications column, the wanted action, and the appropriate track option.
   • Install the access control policy.

Connecting an IBM route-based VPN to a Check Point Security Gateway peer

These example steps are referred to in the CheckPoint Administration Guide

To connect an IBM route-based VPN to a Check Point Security Gateway peer, follow these steps:

1. To enable the IPsec VPN, select SmartConsole > Gateways & Services, then click the name of security gateway to open the Security Gateway configuration page. In the General Properties tabbed view, click IPsec VPN.

   

2. To enable the route-based VPN, follow these steps:

   • Select SmartConsole > Gateways & Services, then click the name of security gateway to open the Security Gateway configuration page.
   • Click Network Management > VPN Domain.
   • Select User defined.
   • Click the [...] button.
   • Click New > Group > Simple Group and enter a name.
   • Click OK (leave the Group object empty).

   

3. To add the IBM VPN gateway as the interoperable device, go to Object Explorer. Then, click New > More > Network Object > More > Interoperable Device to open the new interoperable device page. Enter the small public IP address of the IBM route-based VPN gateway in the IPv4 address field.

   For more information about the small public IP, see this important notice.

   

4. To create the VPN community, select SmartConsole > Security Policies > Access Tools > VPN Communities. Then, click Star Community to open the new VPN community page. Add the CheckPoint gateway and IBM route-based VPN gateway.

   

5. To configure encrypted traffic, click Encrypted Traffic on the VPN community, then select Accept all encrypted traffic.

   

6. To configure IKE and IPsec proposals, click Encryption on the VPN community. Then, select an encryption method, suits, and perfect forward secrecy. These values must match the IBM route-based VPN configuration.

   

7. To configure tunnel management, click Tunnel Management on the VPN community. Then, select On all tunnels in the community and One VPN tunnel per Gateway Pair.

   

8. To configure the pre-shared key, click Shared Secret on the VPN community. Set the same pre-shared key as the IBM VPN route-based gateway.

   

9. To enable directional match, select Menu > Global properties > VPN > Advanced, then click Enable VPN Directional Match in VPN Column.

   

10. To add directional matching VPN rules, select SmartConsole > Security Policies > Access Control > Policy, then add a new VPN rule. The directional rule must contain these directional matching conditions:

    • Your VPN community > Your VPN community
    • Your VPN community > Internal_Clear
    • Internal_Clear > Your VPN community

    

11. To install the policy, select SmartConsole > Security Policies, then click Install Policy.

    

12. To add a Virtual Tunnel Interface (VTI), select Gaia Portal > Network Management > Network Interfaces, then click Add > VPN Tunnel.

    

13. To add the static route, select Gaia Portal > Network Management > IPv4 Static Routes, then click Add. The destination CIDR is the IBM VPC subnet.

    

14. To refresh the network topology, follow these steps:

    • Select SmartConsole > Gateways & Services, then click the name of security gateway to open the Security Gateway configuration page.
    • Select Network Management, then click Get Interfaces > Get Interfaces with Topology.

    

Creating a custom IKE policy for a Check Point Security Gateway

By default, Check Point Security Gateway uses IKEv1; therefore, you must create a custom IKE policy to replace the default policy for the VPN in your VPC. In the following policy example, you must use matched IKE and IPsec policy.

To use a custom IKE policy in VPN for VPC:

1. On the VPN for VPC page in the IBM Cloud console, select the IKE policies tab.
2. Click New IKE policy and specify the following values:
   • For the IKE Version field, select 1.
   • For the Authentication field, select sha256.
   • For the Encryption field, select aes256.
   • For the DH Group field, select 19.
   • For the Key lifetime field, specify 86400.
3. When you create the VPN connection in your VPC, select this custom IKE policy.

Creating a custom IPsec policy for Check Point Security Gateway

To use a custom IPsec policy in VPN for VPC:

1. On the VPN for VPC page in the IBM Cloud console, select the IPsec policies tab.
2. Click New IPsec policy and specify the following values:
   • For the Authentication field, select sha256.
   • For the Encryption field, select aes256.
   • For the Key lifetime field, specify 3600.
3. When you create the VPN connection in your VPC, select this custom IPsec policy.

Ensuring NAT-T is always on

Make sure that the NAT-T feature is enabled on your on-premises VPN device. The following list shows the default behaviors:

• NAT-T is enabled when a NAT device is detected.
• offer_nat_t_initator is set to false (initiator sends NAT-T traffic).
• offer_nat_t_responder_for_known_gw is set to true (responder accepts NAT-T traffic from known gateways).
• force_nat_t is set to false (forces NAT-T, even if there is no NAT-T device).

It is recommended to change these default settings to the following:

• Enable NAT-T.
• Set offer_nat_t_initator to true.
• If you know that there's no NAT device in the environment, set force_nat_t to true.

You can view and change these variables by using the GuiDBedit Tool. Refer to the Check Point documentation for your particular version to confirm these steps.

1. In the upper-left pane, click TABLE > Network Objects > network_objects.
2. In the upper-right pane, select the applicable Security Gateway object.
3. In the lower pane, see the VPN section.
4. To save the changes, click File > Save All.
5. In SmartConsole, install the Access Control Policy on this Security Gateway object.

For more information, see NAT-T Compatibility With Check Point Devices.