Table Of Contents

Important Information
The Check Point VPN Solution
VPN Components
Understanding the Terminology
Site to Site VPN
VPN Communities
IKE Phase I
IKE Phase II (Quick mode or IPSec Phase)
IKEv1 and IKEv2
Methods of Encryption and Integrity
Phase I modes
Renegotiating IKE & IPSec Lifetimes
Perfect Forward Secrecy
IP Compression
Subnets and Security Associations
IKE DoS Protection
Understanding DoS Attacks
IKE DoS Attacks
Defense Against IKE DoS Attacks
SmartDashboard IKE DoS Attack Protection Settings
Advanced IKE Dos Attack Protection Settings
Configuring Advanced IKE Properties
On the VPN Community Network Object
On the Gateway Network Object
Introduction to Site to Site VPN
The Need for Virtual Private Networks
How it Works
Authentication Between Community Members
VPN Topologies
Access Control and VPN Communities
Special Considerations for Planning a VPN Topology
Routing Traffic within a VPN Community
Excluded Services
Special Considerations for Planning a VPN Topology
Configuring Site to Site VPNs
Migrating from Traditional Mode to Simplified Mode
Configuring a Meshed Community Between Internally Managed Gateways
Configuring a Star VPN Community
Confirming a VPN Tunnel Successfully Opens
Configuring a VPN with External Security Gateways Using PKI
Configuring a VPN with External Security Gateways Using a Pre-Shared Secret
How to Authorize Firewall Control Connections in VPN Communities
Why Turning off FireWall Implied Rules Blocks Control Connections
Allowing Firewall Control Connections Inside a VPN
Discovering Which Services are Used for Control Connections
Public Key Infrastructure
Need for Integration with Different PKI Solutions
Supporting a Wide Variety of PKI Solutions
PKI and Remote Access Users
PKI Deployments and VPN
Trusting An External CA
Enrolling a Managed Entity
Validation of a Certificate
Special Considerations for PKI
Using the Internal CA vs. Deploying a Third Party CA
Distributed Key Management and Storage
Configuration of PKI Operations
Trusting a CA – Step-By-Step
Configuring OCSP
Site-to-Site VPN
Domain Based VPN
Overview of Domain-based VPN
VPN Routing and Access Control
Configuring Domain Based VPN
Configuring the 'Accept VPN Traffic Rule'
Configuring Numbered VTIs
VTIs in a Clustered Environment
Configuring VTIs in a Clustered Environment
Enabling Dynamic Routing Protocols on VTIs
Configuring Anti-Spoofing on VTIs
Configuring a Loopback Interface
Configuring Unnumbered VTIs
Routing Multicast Packets Through VPN Tunnels
Tunnel Management
Overview of Tunnel Management
Configuring Tunnel Features
Route Injection Mechanism
Overview of Route Injection
Automatic RIM
Custom Scripts
tnlmon.conf File
Injecting Peer Security Gateway Interfaces
Configuring RIM
Wire Mode
Overview of Wire Mode
Wire Mode Scenarios
Special Considerations for Wire Mode
Configuring Wire Mode
Directional VPN Enforcement
Overview of Directional VPN
Directional Enforcement within a Community
Configurable Objects in a Direction
Directional Enforcement between Communities
Configuring Directional VPN
Link Selection
Link Selection Overview
Configuring IP Selection by Remote Peer
Probing Settings
Configuring Outgoing Route Selection
When Initiating a Tunnel
Configuring Source IP Address Settings
Outgoing Link Tracking
Link Selection Scenarios
Service Based Link Selection
Trusted Links
On Demand Links (ODL)
Link Selection and ISP Redundancy
Link Selection and ISP Redundancy Scenarios
Link Selection with non-Check Point Devices
Multiple Entry Point VPNs
Overview of MEP
Explicit MEP
Implicit MEP
Routing Return Packets
Special Considerations
Configuring MEP
Traditional Mode VPNs
Introduction to Traditional Mode VPNs
VPN Domains and Encryption Rules
Defining VPN Properties
Internally and Externally Managed Security Gateways
Considerations for VPN Creation
Configuring Traditional Mode VPNs
Converting a Traditional Policy to a Community Based Policy
Introduction to Converting to Simplified VPN Mode
How Traditional VPN Mode Differs from a Simplified VPN Mode
How an Encrypt Rule Works in Traditional Mode
Principles of the Conversion to Simplified Mode
Placing the Security Gateways into the Communities
Conversion of Encrypt Rule
Remote Access VPN
Remote Access VPN Overview
Need for Remote Access VPN
The Check Point Solution for Remote Access
VPN for Remote Access Considerations
VPN for Remote Access Configuration
Office Mode
The Need for Remote Clients to be Part of the LAN
Enabling IP Address per User
Office Mode Considerations
Configuring Office Mode
Office Mode through the ipassignment.conf File
Packaging SecureClient
Introduction: The Need to Simplify Remote Client Installations
The Check Point Solution - SecureClient Packaging Tool
Creating a Preconfigured Package
Configuring MSI Packaging
Desktop Security
The Need for Desktop Security
Desktop Security Solution
Desktop Security Considerations
Configuring Desktop Security
Layer Two Tunneling Protocol (L2TP) Clients
The Need for Supporting L2TP Clients
Solution - Working with L2TP Clients
Considerations for Choosing Microsoft IPSec/L2TP Clients
Configuring Remote Access for Microsoft IPSec/L2TP Clients
Secure Configuration Verification
The Need to Verify Remote Client's Security Status
The Secure Configuration Verification Solution
Installing SCV Plugins on the Client
Considerations regarding SCV
Configuring SCV
VPN Routing - Remote Access
The Need for VPN Routing
Check Point Solution for Greater Connectivity and Security
Configuring VPN Routing for Remote Access VPN
Link Selection for Remote Access Clients
Overview
Configuring Link Selection for Remote Access Only
Preventing a Client Inside the Encryption Domain from Encrypting
WINS (Connect Mode Only)
Authentication Timeout and Password Caching
Secure Domain Logon (SDL)
Using Secure Domain Logon
Back Connections (Server to Client)
Auto Topology Update (Connect Mode only)
How to Work with non-Check Point Firewalls
Resolving Internal Names with the SecuRemote DNS Server
Multiple Entry Point for Remote Access VPNs
The Need for Multiple Entry Point Security Gateways
The Check Point Solution for Multiple Entry Points
Disabling MEP
Configuring Preferred Backup Security Gateway
Userc.C and Product.ini Configuration Files
Introduction to Userc.C and Product.ini
Userc.C File Parameters
Product.ini Parameters
SSL Network Extender
Introduction to the SSL Network Extender
How the SSL Network Extender Works
Commonly Used Concepts
Special Considerations for the SSL Network Extender
Configuring the SSL Network Extender
SSL Network Extender User Experience
Troubleshooting SSL Network Extender
Resolving Connectivity Issues
The Need for Connectivity Resolution Features
Check Point Solution for Connectivity Issues
Overcoming NAT Related Issues
Overcoming Restricted Internet Access
Configuring Remote Access Connectivity
VPN Command Line Interface
VPN Commands
SecureClient Commands
Desktop Policy Commands
VPN Shell
Configuring a Virtual Interface Using the VPN Shell
CP R75 VPN Admin Guide

Published by: Yoav Nir on Jun 15, 2011
Copyright: Attribution Non-commercial