Check Point VPN

2024-11-22

IPsec VPN

The solution lets the Security Gateway encrypt and decrypt traffic to and from other Security Gateways and clients. Use SmartConsole to easily configure VPN connections between Security Gateways and remote devices.

For Site-to-Site Communities, you can configure Star and Mesh topologies for VPN networks, and include third-party gateways.

The VPN tunnel guarantees:

  • Authenticity – Uses standard authentication methods

  • Privacy – All VPN data is encrypted

  • Integrity – Uses industry-standard integrity assurance methods

IKE and IPsec

The Check Point VPN solution uses these secure VPN protocols to manage encryption keys and send encrypted packets. IKE (Internet Key Exchange) is a standard key management protocol that is used to create the VPN tunnels. IPsec is a protocol that supports secure IP communications that are authenticated and encrypted on private or public networks.

VPN Components

A VPN is composed of:

  • VPN endpoints, such as Security Gateways, Security Gateway clusters, or remote clients (such as laptop computers or mobile phones) that communicate over a VPN.

  • VPN trust entities, such as a Check Point Internal Certificate Authority (ICA). The ICA is part of the Check Point suite used for creating trusted connections between Security Gateways, authenticating administrators and third-party servers. The ICA provides certificates for internal Security Gateways and Remote Access clients which negotiate the VPN link.

  • VPN Management tools, such as SmartConsole. SmartConsole lets organizations define and deploy Intranet and Remote Access VPNs.

Understand the Terminology

  • VPN – Virtual Private Network. A secure, encrypted connection between networks and remote clients on a public infrastructure, to give authenticated remote users and sites secured access to an organization’s network and resources.

  • VTI – Virtual Tunnel Interface. A virtual interface that is a member of an existing Route Based VPN tunnel.

  • VPN Peer – A gateway that connects to a different VPN gateway using a Virtual Tunnel Interface.

  • VPN Domain – A group of computers and networks connected to a VPN tunnel by one VPN gateway that handles encryption and protects the VPN domain members.

  • VPN Community – A named collection of VPN domains, each protected by a VPN gateway.

  • VPN Security Gateway – The Security Gateway that manages encryption and decryption of traffic between members of a VPN domain, typically located at one or both ends of a VPN tunnel.

  • Site to Site VPN – An encrypted tunnel between two Security Gateways, typically at different geographical sites.

  • Remote Access VPN – An encrypted tunnel between a Security Gateway and Remote Access clients, such as Endpoint Security VPN, and communities.

  • Remote Access Community – A group of computers, appliances, and devices that access, with authentication and encryption, the internal protected network from physically remote sites.

  • Star Topology – A “hub and spoke” VPN community, with Security Gateways defined as satellites (spokes) that create tunnels only with the central Security Gateway (“hub”).

  • Meshed Topology – A VPN community in which each VPN domain creates a tunnel to the other VPN domains.

  • Domain-based VPN – A method to route encrypted traffic with parameters defined by the Security Gateway.

  • Route-based VPN – A routing method for participants in a VPN community, defined by the Virtual Tunnel Interfaces (VTI).

  • IKE (Internet Key Exchange) – An encryption key management protocol that enhances IPsec by providing additional features, flexibility, and ease of configuration.

  • IPsec – A set of secure VPN protocols that manage encryption keys and encrypted packet traffic, to create a standard for authentication and encryption services.

Site-to-Site VPN

The basis of Site-to-Site VPN is the encrypted VPN tunnel. Two Security Gateways negotiate a link and create a VPN tunnel, and each tunnel can contain more than one VPN connection. One Security Gateway can maintain more than one VPN tunnel at the same time.

Sample Site-to-Site VPN Deployment

Item – Description

A, B – Security Gateways

2 – VPN tunnel

3 – Internal network in the VPN domain

4 – Host 4

5 – Host 5

In this sample VPN deployment, Host 4 and Host 5 securely send data to each other. The Security Gateways perform IKE negotiation and create a VPN tunnel. They use the IPsec protocol to encrypt and decrypt data that is sent between Host 4 and Host 5.

VPN Communities

A VPN domain is a collection of internal networks that use a Security Gateway to send and receive VPN traffic. Define the resources that are included in the VPN domain for each Security Gateway. Then join the Security Gateways into a VPN community – a collection of VPN tunnels and their attributes. Network resources of different VPN domains can securely communicate with each other through VPN tunnels that terminate at the Security Gateways in the VPN communities.

VPN communities are based on Star and Mesh topologies:

  • In a Star community, each satellite Security Gateway has a VPN tunnel to the central Security Gateway, but not to other Security Gateways in the community.

  • In a Mesh community, there are VPN tunnels between each pair of Security Gateways.

Item – Description

1 – Security Gateway

2 – Satellite Security Gateway

3 – Central Security Gateway

Sample Combination VPN Community

Item – Description

1 – London Security Gateway

2 – New York Security Gateway

3 – London – New York Mesh community

4 – London company partner (external network)

5 – London Star community

6 – New York company partner (external network)

7 – New York Star community

This deployment is composed of a Mesh community for the London and New York Security Gateways that share internal networks. The Security Gateways for the external networks of company partners do not have access to the London and New York internal networks through the Mesh. However, the Star VPN communities let the company partners access the internal networks of the sites that they work with.
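To make the topology rules concrete, the following added example (not code from the Check Point documentation) models the London / New York deployment above as three communities and derives which Security Gateway pairs negotiate a tunnel. The community names, gateway names and the dictionary layout are constructed for this example. It also generalizes beyond the sample: a Mesh of n members yields n(n-1)/2 tunnels, a Star with n satellites yields n tunnels, and two satellites of the same Star reach each other only through the central gateway.

```python
from itertools import combinations

# Constructed sample communities modelled on the London / New York deployment
# described above (example data, not a Check Point configuration export).
COMMUNITIES = [
    {"name": "London-NewYork-Mesh", "type": "mesh",
     "members": ["London", "NewYork"]},
    {"name": "London-Star", "type": "star",
     "center": "London", "satellites": ["LondonPartner"]},
    {"name": "NewYork-Star", "type": "star",
     "center": "NewYork", "satellites": ["NewYorkPartner"]},
]


def community_tunnels(community):
    """Return the set of gateway pairs that negotiate a tunnel in one community.

    Mesh: a tunnel between every pair of members (n*(n-1)/2 tunnels).
    Star: each satellite has a tunnel only to the central gateway (n tunnels).
    """
    if community["type"] == "mesh":
        return {frozenset(pair) for pair in combinations(community["members"], 2)}
    if community["type"] == "star":
        center = community["center"]
        return {frozenset((center, sat)) for sat in community["satellites"]}
    raise ValueError(f"unknown community type: {community['type']}")


def all_tunnels(communities):
    """Union of the tunnels of every community (a gateway can be in several)."""
    tunnels = set()
    for community in communities:
        tunnels |= community_tunnels(community)
    return tunnels


def direct_tunnel(communities, gw_a, gw_b):
    """True when the two gateways share a VPN tunnel in any community."""
    return frozenset((gw_a, gw_b)) in all_tunnels(communities)


def vpn_path(communities, gw_a, gw_b):
    """How two gateways can exchange VPN traffic.

    ('direct', None)  - the pair has its own tunnel.
    ('via-hub', hub)  - both are satellites of the same Star community; the
                        central gateway relays between them (domain based
                        routing, see Routing VPN Traffic below).
    None              - no VPN connectivity, e.g. a partner gateway and the
                        other site's gateway in the sample deployment.
    """
    if direct_tunnel(communities, gw_a, gw_b):
        return ("direct", None)
    for community in communities:
        if (community["type"] == "star"
                and gw_a in community["satellites"]
                and gw_b in community["satellites"]):
            return ("via-hub", community["center"])
    return None


def tunnel_report(communities):
    """Map each community name to its number of tunnels (useful for sizing)."""
    return {c["name"]: len(community_tunnels(c)) for c in communities}


if __name__ == "__main__":
    for name, count in tunnel_report(COMMUNITIES).items():
        print(f"{name}: {count} tunnel(s)")
    print("LondonPartner -> London:", vpn_path(COMMUNITIES, "LondonPartner", "London"))
    print("LondonPartner -> NewYork:", vpn_path(COMMUNITIES, "LondonPartner", "NewYork"))
```

The partner gateways end up with exactly one tunnel each, to their own site's hub, and `vpn_path` returns `None` for a partner and the other site, which is the access boundary the deployment description relies on.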

Routing VPN Traffic

Configure the Security Gateway to route VPN traffic based on VPN domains or based on the routing settings of the operating system.

Note – For each VPN Security Gateway, you must configure an existing Security Gateway as a default gateway.

Domain Based VPN

The VPN traffic is routed according to the VPN domains that are defined in SmartConsole. Use domain based routing to let satellite Security Gateways in a star-based topology send VPN traffic to each other. The central Security Gateway creates a VPN tunnel to each satellite Security Gateway and the traffic is routed to the correct VPN domain.

Route Based VPN

VPN traffic is routed according to the routing settings (static or dynamic) of the Security Gateway operating system. The Security Gateway uses a VTI (Virtual Tunnel Interface) to send the VPN traffic as if it were a physical interface. The VTIs of Security Gateways in a VPN community connect and can support dynamic routing protocols.

Granular Routing Control

The Link Selection feature gives you granular control of the VPN traffic in the network. Use this feature to enable the Security Gateway to:

  • Find the best possible route for VPN traffic

  • Select the interfaces that are used for VPN traffic to internal and external networks

  • Configure the IP addresses that are used for VPN traffic

  • Use route probing to select available VPN tunnels

  • Use Load Sharing for Link Selection to equally distribute VPN traffic to VPN tunnels
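The three routing mechanisms in this section (Domain Based VPN, Route Based VPN, and Link Selection with route probing and Load Sharing) differ in which data drives the encrypt-or-not decision. The added example below (not Check Point code; the gateway names, VPN domain prefixes, route table and link names are constructed) shows each decision as a small function: a VPN-domain lookup on source and destination, a longest-prefix match that treats a VTI next hop as "encrypt", and a link chooser that drops links whose probe failed and optionally spreads tunnels across the survivors.

```python
import ipaddress

# Constructed sample data (not a Check Point configuration export).
# Domain based VPN: every gateway protects the networks in its VPN domain.
VPN_DOMAINS = {
    "GW-London": ["10.1.0.0/16"],
    "GW-NewYork": ["10.2.0.0/16", "192.168.50.0/24"],
}
# Route based VPN: the OS route table, where a VTI next hop means "encrypt".
ROUTES = [
    ("10.2.0.0/16", "vti-GW-NewYork"),
    ("192.168.50.0/24", "vti-GW-NewYork"),
    ("0.0.0.0/0", "eth0"),
]


def parse_domains(domains):
    """Turn the prefix strings into ip_network objects once, up front."""
    return {gw: [ipaddress.ip_network(n) for n in nets] for gw, nets in domains.items()}


def gateway_for(domains, ip):
    """Which gateway's VPN domain contains this address (None if no gateway)."""
    addr = ipaddress.ip_address(ip)
    for gw, nets in domains.items():
        if any(addr in net for net in nets):
            return gw
    return None


def domain_based_decision(domains, local_gw, src, dst):
    """Domain based VPN: encrypt when src is in our own VPN domain and dst is in
    a peer gateway's VPN domain; everything else leaves in the clear."""
    src_gw = gateway_for(domains, src)
    dst_gw = gateway_for(domains, dst)
    if src_gw == local_gw and dst_gw not in (None, local_gw):
        return ("encrypt", dst_gw)
    return ("clear", None)


def route_based_decision(routes, dst):
    """Route based VPN: longest-prefix match over the OS route table; traffic
    that leaves through a VTI is encrypted, traffic through a physical
    interface is not."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        return ("drop", None)
    return ("encrypt", best[1]) if best[1].startswith("vti") else ("clear", best[1])


def select_links(links, probe_results, load_sharing=False):
    """Link Selection: route probing removes links that did not answer the
    probe. links is the preference order; without Load Sharing only the first
    available link carries VPN traffic, with it every available link does."""
    available = [link for link in links if probe_results.get(link, False)]
    if not available:
        return []
    return available if load_sharing else available[:1]


def share_tunnels(tunnels, links, probe_results):
    """Load Sharing for Link Selection: spread tunnels round-robin over the
    links that route probing reports as available."""
    available = select_links(links, probe_results, load_sharing=True)
    if not available:
        return {}
    return {t: available[i % len(available)] for i, t in enumerate(tunnels)}


if __name__ == "__main__":
    dom = parse_domains(VPN_DOMAINS)
    print(domain_based_decision(dom, "GW-London", "10.1.5.5", "10.2.9.9"))
    print(route_based_decision(ROUTES, "192.168.50.20"))
    print(share_tunnels(["t1", "t2", "t3"], ["isp1", "isp2"],
                        {"isp1": True, "isp2": True}))
```

The point of keeping the two routing decisions side by side is that in domain based VPN the protected prefixes come from the VPN domain objects, while in route based VPN they come from whatever the routing table (static or dynamic) sends to the VTI; a mismatch between the two is a common reason traffic leaves a gateway unencrypted.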

IPv6 Support and Limitations

This release includes limited IPv6 support for IPsec VPN communities:

  • IPv6 is supported for Site to Site VPN only (Main IP to Main IP).

    The main IP address for both Security Gateways must be defined as an IPv6 address. You can define other IP addresses that are IPv4 or IPv6.

  • IPv6 supports IKEv2 encryption only. IKEv2 is automatically always used for IPv6 traffic.

    You can configure the encryption method only for IPv4 traffic.

  • VPN tunneling only supports IPv4 inside an IPv4 tunnel, and IPv6 inside an IPv6 tunnel.

    IPv4 traffic inside an IPv6 tunnel is not supported.

These VPN features are not supported for IPv6:

  • Remote Access VPN

  • CRL fetch for the Internal Certificate Authority

  • Multiple Entry Points (MEP)

  • Route-based VPN (VTI)

  • Wire Mode VPN

  • Security Gateway with a dynamic IP address (DAIP)

  • Route Injection Mechanism (RIM)

  • Traditional mode Firewall Policies

  • IKE Denial of Service protection

  • IKE Aggressive Mode

  • Traditional Mode VPN

  • Migration from Traditional mode to Simplified mode

  • Tunnel Management (permanent tunnel)

  • Directional VPN Enforcement

  • Link Selection

  • GRE Tunnels

  • Tunnel View in SmartView Monitor

  • VPN Overview page

  • $FWDIR/conf/vpn_route.conf configuration file
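The IPv6 rules above are easy to violate in a mixed IPv4/IPv6 estate, so a pre-deployment check is worth having. The following added example (not Check Point code; the configuration dictionary layout, its key names and the feature keys are constructed for this example) encodes the three limitations and the unsupported-feature list from this section as findings on a Site-to-Site configuration, and derives the effective IKE version the way the page describes it: IKEv2 whenever both main IPs are IPv6, the configured value otherwise.

```python
import ipaddress

# Features this section lists as not supported for IPv6. The keys are
# constructed for this example; the descriptions are the page's own wording.
IPV6_UNSUPPORTED = {
    "remote_access": "Remote Access VPN",
    "ica_crl_fetch": "CRL fetch for the Internal Certificate Authority",
    "mep": "Multiple Entry Points (MEP)",
    "route_based_vti": "Route-based VPN (VTI)",
    "wire_mode": "Wire Mode VPN",
    "daip": "Security Gateway with a dynamic IP address (DAIP)",
    "rim": "Route Injection Mechanism (RIM)",
    "ike_dos_protection": "IKE Denial of Service protection",
    "ike_aggressive_mode": "IKE Aggressive Mode",
    "permanent_tunnel": "Tunnel Management (permanent tunnel)",
    "directional_enforcement": "Directional VPN Enforcement",
    "link_selection": "Link Selection",
    "gre": "GRE Tunnels",
}


def ip_family(ip):
    """4 or 6 for a textual address; raises ValueError on garbage input."""
    return ipaddress.ip_address(ip).version


def effective_ike_version(cfg):
    """IKEv2 is always used for IPv6; the configured value only applies to IPv4."""
    families = {ip_family(ip) for ip in cfg["gateways"].values()}
    return 2 if families == {6} else cfg.get("ike_version", 1)


def check_site_to_site(cfg):
    """Return a list of findings for a constructed Site-to-Site config.

    cfg keys (assumed for this example):
      'gateways'     -> {name: main IP address}
      'ike_version'  -> 1 or 2 (what the administrator configured)
      'inner_family' -> 4 or 6, the address family of the encapsulated traffic
      'features'     -> set of keys from IPV6_UNSUPPORTED that are enabled
    """
    findings = []
    if len(cfg["gateways"]) != 2:
        findings.append("Site to Site needs exactly two gateways (Main IP to Main IP)")
    families = {ip_family(ip) for ip in cfg["gateways"].values()}
    if len(families) != 1:
        findings.append("main IP families differ; both main IPs must be IPv6 for an IPv6 VPN")
        return findings
    if families == {4}:
        return findings  # IPv4 VPN: none of the IPv6 limitations apply
    if cfg.get("ike_version", 1) != 2:
        findings.append("configured IKE version is ignored for IPv6; IKEv2 is always used")
    if cfg.get("inner_family") == 4:
        findings.append("IPv4 traffic inside an IPv6 tunnel is not supported")
    for key in sorted(cfg.get("features", set())):
        if key in IPV6_UNSUPPORTED:
            findings.append(f"not supported for IPv6: {IPV6_UNSUPPORTED[key]}")
    return findings


if __name__ == "__main__":
    # Constructed configuration with documentation addresses (RFC 3849 range).
    sample = {
        "gateways": {"GW-A": "2001:db8::1", "GW-B": "2001:db8:1::1"},
        "ike_version": 1,
        "inner_family": 4,
        "features": {"remote_access", "link_selection"},
    }
    print("effective IKE version:", effective_ike_version(sample))
    for finding in check_site_to_site(sample):
        print("-", finding)
```

Running the check against change requests before they reach SmartConsole catches the two silent cases in particular: an IKEv1 setting that will simply be ignored for IPv6, and a Link Selection or Route-based design that cannot be carried over to an IPv6 community.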