Configuring A Site-To-Site VPN
Note: This document is relevant for Embedded NGX 7.0. It is recommended to use the latest
Embedded NGX firmware.
Note: The Embedded NGX screens that appear in this document relate to Safe@Office gateways.
Overview
A Site-to-Site VPN consists of two or more Site-to-Site VPN gateways that can communicate with each other in a bi-directional relationship. They are designed to handle secure communications between a company’s internal departments and its branch offices.
Note: The Embedded NGX VPN gateway can automatically download the remote VPN site
topology when negotiating with other Check Point Embedded NGX gateways. If desired, advanced
users can manually configure which remote networks should be included in the VPN topology,
according to their business security policy.
Note: The Embedded NGX VPN gateway can automatically negotiate for the encryption keys. When
doing VPN between Embedded NGX-based VPN gateways, the following settings will be used by
default:
• AES-256 Encryption
• SHA-1 Integrity
• Diffie-Hellman group 2
• PFS disabled
• Phase-1 lifetime: 1440 minutes; Phase-2 lifetime: 600 seconds
Advanced users can also manually modify the IKE settings according to their business security
policy. Manual configuration is also the best option when configuring IPSec VPNs to non-Check
Point-based products.
Which connection will be encrypted and how?
The Embedded NGX UTM appliance can connect with several other gateways over a secured VPN connection,
and each such connection can use different encryption parameters. The security administrator must therefore
decide which connections to encrypt and which encryption parameters to use. For example, it is possible to use
pre-shared secrets or certificates for authentication, and it is possible to use automatic VPN topology download.
The Embedded NGX UTM appliance is interoperable with other IKE and IPSec software implementations;
however, the automatic VPN topology download can be used between Check Point products only.
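The following is an added example, not part of the original document: it shows how the non-Check Point peer of such a Site-to-Site VPN could be described in a strongSwan ipsec.conf so that it matches the default IKE settings listed above (pre-shared secret, manually configured remote network since topology download is Check Point-only). All addresses, subnets, the connection name and the secret are assumed placeholders.

```ini
# /etc/ipsec.conf on the non-Check Point peer (added example; all values are placeholders)
config setup

conn to-embedded-ngx
    keyexchange=ikev1            # the appliance defaults above are IKE v1 settings
    authby=secret                # pre-shared secret, as entered in the "Use Shared Secret" step
    left=198.51.100.10           # this gateway's public address (placeholder)
    leftsubnet=10.10.0.0/24      # local network offered to the peer (placeholder)
    right=192.0.2.20             # the Embedded NGX gateway address (placeholder)
    rightsubnet=10.20.0.0/24     # remote network, set by hand: no automatic topology download here
    # Phase 1: AES-256 encryption, SHA-1 integrity, Diffie-Hellman group 2 (1024-bit MODP).
    # The trailing "!" makes the proposal strict, so only this exact combination is accepted.
    ike=aes256-sha1-modp1024!
    ikelifetime=1440m            # Phase-1 lifetime: 1440 minutes
    # Phase 2: same cipher and hash; no DH group is listed, which is how PFS stays disabled.
    esp=aes256-sha1!
    lifetime=600s                # Phase-2 lifetime: 600 seconds
    auto=start

# /etc/ipsec.secrets (placeholder secret; it must equal the one typed into the wizard)
198.51.100.10 192.0.2.20 : PSK "replace-with-the-shared-secret"
```

Because the proposals are strict, the tunnel only comes up if the Embedded NGX side still uses the defaults above; if its administrator changed the IKE settings, this file must be changed to match.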
Workflow
To configure a Site-to-Site VPN
1. Add a topology download user and give the user's authentication details to the other gateway's administrator.
See “Adding a Topology Download User,” page 3.
Likewise, you will receive user authentication details from the other gateway's administrator.
2. Add the other Embedded NGX gateway as a Site-to-Site VPN site.
See “Adding a Site-to-Site VPN Site,” page 5.
Likewise, the other gateway's administrator will add your Embedded NGX gateway as a Site-to-Site VPN site.
3. Test the connection to the other gateway's VPN site.
See “Testing the Configuration,” page 9.
Likewise, the other gateway's administrator will test the connection to your VPN site.
Adding a Topology Download User
2. Click New User.
The Account Wizard opens displaying the Set User Details dialog box.
The options that appear on the page are dependent on the software and services you are using.
6. Select the VPN Remote Access check box.
7. Click Finish.
The new user is saved.
Adding a Site-to-Site VPN Site
Note: The following procedure explains how to add a Site-to-Site VPN site, where the topology is
downloaded automatically, and shared secret authentication is used. For information on additional
configurations, refer to the Check Point Safe@Office User Guide.
The VPN Gateway Address dialog box appears.
5. In the Gateway Address field, type the IP address of the other Embedded NGX gateway.
6. Click Next.
The VPN Network Configuration dialog box appears.
The Authentication Method dialog box appears.
11. In the Topology User field, type the username of the topology download user that you added in the previous task.
12. In the Topology Password field, type the password of the topology download user that you added in the previous task.
13. In the Use Shared Secret field, type the shared secret used for secure communications with the VPN site.
14. Click Next.
The Security Methods dialog box appears.
17. To test the VPN connection, select the Try to Connect to the VPN Gateway check box.
18. Click Next.
If you selected the check box, the Connecting screen appears, and then the Contacting VPN Site screen appears.
The Site Name dialog box appears.