
Configuring Site-to-Site VPNs between

Embedded NGX Gateways


This document describes how to configure Site-to-Site Virtual Private Networks (VPNs) between Check Point
Embedded NGX gateways.

Note: This document is relevant for Embedded NGX 7.0. It is recommended to use the latest
Embedded NGX firmware.

Note: The Embedded NGX screens that appear in this document relate to Safe@Office gateways.

Overview
A Site-to-Site VPN consists of two or more Site-to-Site VPN gateways that can communicate with each other in a
bidirectional relationship. They are designed to handle secure communications between a company's internal
departments and its branch offices.

How Do Site-to-Site VPNs Work?


The following figure describes a typical Site-to-Site VPN, in which Sites A and B are each protected by an Embedded
NGX UTM appliance:

Figure 1: Typical Site-to-Site VPN


The Site-to-Site VPN works as follows:
1. The Site A and Site B security administrators each configure their Embedded NGX UTM appliance as a VPN
gateway that will communicate with the other VPN gateway's IP address and authenticate using either a
pre-shared secret or certificates.
2. The Site A VPN gateway initiates a connection to the Site B VPN gateway, authenticates, and initiates a
download topology request.
3. The Site B VPN Server acts as a topology server and sends the Site B VPN topology information to the Site A
VPN gateway. The topology information consists of the Site B VPN gateway's IP address and the networks
behind it. It is possible to view the VPN topology information on the gateway side, by surfing to:
http://my.firewall/vpntopo.html.
4. When the host on Site A generates "interesting" packets (packets destined for a network in the Site B VPN
topology), the Site A VPN gateway intercepts the packets, encrypts them, and routes them to the Site B VPN gateway.
Note: If a "Route All Traffic" topology is selected, then the Site A VPN topology is automatically
set to 0.0.0.0 (meaning, all destination networks). As a result, all packets going through the VPN
Client will be encrypted and routed over the VPN tunnel to the Site B VPN gateway.

5. The Site B VPN Server decrypts the packet.


6. The Site B VPN Server delivers the decrypted packets to the destination host on Site B. The packets appear to
have been sent directly from the original host on Site A.

Site-to-Site VPN Considerations


Before configuring encryption between branch offices, a security administrator must answer the following questions:
• Which VPN gateways will encrypt data, and what are the VPN topologies?
A VPN gateway performs encryption on behalf of its VPN topology. That is, the gateway encrypts all data
packets originating from within its encryption domain and sent to other networks outside of the encryption
domain. (Within the encryption domain, data packets are not encrypted.)
The security administrator must plan the encryption relationship between network entities. That is, the
administrator must decide which gateways should encrypt data to each other, and for which networks. The
security administrator must then ensure that each gateway is configured with its own VPN topology, as well as the
topology of the other VPN sites.

Note: The Embedded NGX VPN gateway can automatically download the remote VPN site
topology when negotiating with other Check Point Embedded NGX gateways. If desired, advanced
users can manually configure which remote networks should be included in the VPN topology,
according to their business security policy.
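The encryption-domain rules described in steps 3 and 4 of "How Do Site-to-Site VPNs Work?" and in the consideration above, as an added example (this is illustrative Python, not Check Point code): a small model of how a gateway decides whether a packet stays in the clear or is encrypted and routed to a VPN site. All addresses and site topologies are constructed; the "Route All Traffic" site is represented by a 0.0.0.0/0 topology, and a longest-prefix match is assumed so that a specific remote network wins over it.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data (not from a real gateway). Site A is the local
# gateway; each VPN site lists the networks learned by topology download.
# A "Route All Traffic" site carries 0.0.0.0/0 as its topology (assumption).
LOCAL_DOMAIN = [ip_network("10.1.0.0/24")]
VPN_SITES = {
    "Site B": {
        "gateway": "203.0.113.10",
        "networks": [ip_network("10.2.0.0/24"), ip_network("10.2.10.0/24")],
    },
    "Site C": {
        "gateway": "198.51.100.5",
        "networks": [ip_network("0.0.0.0/0")],   # Route All Traffic
    },
}


def classify(src, dst, local_domain=LOCAL_DOMAIN, sites=VPN_SITES):
    """Return ("clear", None) when the packet is not encrypted, or
    ("tunnel", site_name) when it is encrypted and routed to that site."""
    s, d = ip_address(src), ip_address(dst)
    # Only packets originating inside the local encryption domain are handled.
    if not any(s in net for net in local_domain):
        return ("clear", None)
    # Traffic that stays inside the encryption domain is never encrypted.
    if any(d in net for net in local_domain):
        return ("clear", None)
    # Longest-prefix match across all sites, so a specific remote network
    # wins over a 0.0.0.0/0 Route All Traffic topology.
    best = None
    for name, site in sites.items():
        for net in site["networks"]:
            if d in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return ("tunnel", best[0]) if best else ("clear", None)


def tunnel_peer(src, dst, sites=VPN_SITES):
    """The remote gateway address the packet is tunnelled to, or None."""
    kind, name = classify(src, dst, sites=sites)
    return sites[name]["gateway"] if kind == "tunnel" else None
```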

• What are the encryption keys?


A VPN connection is encrypted using IPSec. In order to establish an IPSec VPN tunnel, the VPN peers
authenticate to each other and negotiate for encryption keys during IKE key exchange. The IKE parameters must
be shared between VPN peers.

Note: The Embedded NGX VPN gateway can automatically negotiate for the encryption keys. When
doing VPN between Embedded NGX-based VPN gateways, the following settings will be used by
default:
• AES-256 Encryption
• SHA-1 Integrity
• Diffie-Hellman group 2
• PFS disabled
• Phase-1 lifetime: 1440 minutes; Phase-2 lifetime: 600 seconds
Advanced users can also manually modify the IKE settings according to their business security
policy. Manual configuration is also the best option when configuring IPSec VPNs to non-Check
Point-based products.
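To show why "the IKE parameters must be shared between VPN peers", here is an added example (illustrative Python, not Check Point code) of a simplified IKEv1 proposal matcher. EMBEDDED_NGX_DEFAULTS mirrors the defaults listed in the note above and assumes the listed cipher and integrity settings apply to both phases; THIRD_PARTY_PEER is a constructed peer that enables PFS, which is the kind of mismatch manual configuration resolves.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not Check Point code: a simplified IKEv1 proposal matcher.
# EMBEDDED_NGX_DEFAULTS mirrors the defaults listed in the note above
# (assumed to apply to both phases); THIRD_PARTY_PEER is constructed.


@dataclass(frozen=True)
class Phase1:
    encryption: str
    integrity: str
    dh_group: int
    lifetime_min: int           # Phase-1 SA lifetime in minutes


@dataclass(frozen=True)
class Phase2:
    encryption: str
    integrity: str
    pfs_group: Optional[int]    # None means PFS disabled
    lifetime_sec: int           # Phase-2 SA lifetime in seconds


EMBEDDED_NGX_DEFAULTS = (Phase1("AES-256", "SHA-1", 2, 1440),
                         Phase2("AES-256", "SHA-1", None, 600))
THIRD_PARTY_PEER = (Phase1("AES-256", "SHA-1", 2, 480),
                    Phase2("AES-256", "SHA-1", 2, 3600))


def _mismatches(local, remote, keys):
    """Attributes that must be identical on both peers but are not."""
    return [k for k in keys if getattr(local, k) != getattr(remote, k)]


def negotiate(local, remote):
    """Return (True, negotiated lifetimes) or (False, phase and mismatches).
    Simplification: lifetimes are reconciled to the shorter value rather
    than failing the exchange, as IKEv1 responders commonly do."""
    p1_local, p2_local = local
    p1_remote, p2_remote = remote
    diffs = _mismatches(p1_local, p1_remote, ("encryption", "integrity", "dh_group"))
    if diffs:
        return False, {"phase": 1, "mismatch": diffs}
    diffs = _mismatches(p2_local, p2_remote, ("encryption", "integrity", "pfs_group"))
    if diffs:
        return False, {"phase": 2, "mismatch": diffs}
    return True, {
        "phase1_lifetime_min": min(p1_local.lifetime_min, p1_remote.lifetime_min),
        "phase2_lifetime_sec": min(p2_local.lifetime_sec, p2_remote.lifetime_sec),
    }
```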

• Which connection will be encrypted and how?
The Embedded NGX UTM appliance can connect with several other gateways over a secured VPN connection,
and each such connection can use different encryption parameters. The security administrator must therefore
decide which connections to encrypt and which encryption parameters to use. For example, it is possible to use
pre-shared secrets or certificates for authentication, and it is possible to use automatic VPN topology download.
The Embedded NGX UTM appliance is interoperable with other IKE and IPSec software implementations;
however, the automatic VPN topology download can be used between Check Point products only.

Workflow
To configure a Site-to-Site VPN
1. Add a topology download user and give the user's authentication details to the other gateway's administrator.
See “Adding a Topology Download User,” page 3.
Likewise, you will receive user authentication details from the other gateway's administrator.
2. Add the other Embedded NGX gateway as a Site-to-Site VPN site.
See “Adding a Site-to-Site VPN Site,” page 5.
Likewise, the other gateway's administrator will add your Embedded NGX gateway as a Site-to-Site VPN site.
3. Test the connection to the other gateway's VPN site.
See “Testing the Configuration,” page 9.
Likewise, the other gateway's administrator will test the connection to your VPN site.

Adding a Topology Download User


A topology download user has the same attributes as a remote access VPN user.
To add a topology download user
1. Click Users in the main menu, and click the Internal Users tab.
The Internal Users page appears.

2. Click New User.
The Account Wizard opens displaying the Set User Details dialog box.

3. In the Username field, type a username.


4. In the Password and Confirm password fields, type a password.
Use five to 25 characters (letters or numbers) for the new password.
5. Click Next.
The Set User Permissions dialog box appears.

The options that appear on the page are dependent on the software and services you are using.
6. Select the VPN Remote Access check box.
7. Click Finish.
The new user is saved.

Adding a Site-to-Site VPN Site

Note: The following procedure explains how to add a Site-to-Site VPN site, where the topology is
downloaded automatically, and shared secret authentication is used. For information on additional
configurations, refer to the Check Point Safe@Office User Guide.

To add a Site-to-Site VPN site


1. Click VPN in the main menu, and click the VPN Sites tab.
The VPN Sites page appears with a list of VPN sites.

2. Click New Site.


The VPN Site Wizard opens, with the Welcome to the VPN Site Wizard dialog box displayed.

3. Click Site-to-Site VPN.


4. Click Next.

The VPN Gateway Address dialog box appears.

5. In the Gateway Address field, type the IP address of the other Embedded NGX gateway.
6. Click Next.
The VPN Network Configuration dialog box appears.

7. Click Download Configuration.


This option automatically configures your VPN settings by downloading the network topology definition
from the remote VPN gateway.
8. Click Next.

The Authentication Method dialog box appears.

9. Click Shared Secret.


10. Click Next.
The Authentication dialog box appears.

11. In the Topology User field, type the username of the topology download user that you added in the previous task.
12. In the Topology Password field, type the password of the topology download user that you added in the previous
task.
13. In the Use Shared Secret field, type the shared secret used for secure communications with the VPN site.

14. Click Next.
The Security Methods dialog box appears.

15. Complete the fields as desired.


For information, refer to the User Guide.
16. Click Next.
The Connect dialog box appears.

17. To test the VPN connection, select the Try to Connect to the VPN Gateway check box.
18. Click Next.
If you selected the check box, the Connecting screen appears, and then the Contacting VPN Site screen appears.

The Site Name dialog box appears.

19. Type a name for the other gateway's VPN site.


20. Click Next.
The VPN Site Created screen appears.

21. Click Finish.


The VPN Sites page reappears. The new site appears in the VPN Sites list.

Testing the Configuration


To test the configuration
1. Ping the IP address of the computer behind the other VPN site.
2. Surf to http://my.firewall/vpntopo.html and view the VPN topology information table.
3. In the Embedded NGX Portal, click Reports in the main menu, and click the VPN Tunnels tab to see the VPN
tunnels graphically displayed.
4. Click the Event Log tab, and locate logs indicating that the VPN tunnel was established.
