Wednesday, August 19, 2015

Check Point site-to-site VPN with full route



This post will demonstrate, step by step, how to configure a site-to-site VPN between two Check Point security gateways, where all traffic from site B is routed through site A and uses site A's public IP for internet access, in other words a full tunnel from site B to site A.

Each site is managed separately, so there are two security management servers.

This is the network topology diagram:

As the first step we will create the network objects:

Right click on Networks -> Network and add the remote site network




Now create a simple group that will gather all remote site networks, in case we have more than one: right click on Groups -> Groups -> Simple group



In the following group we will add all the remote networks.

Repeat these steps for local networks and group:



Now let's create the remote peer object: right click on Check Point -> Check Point -> More -> Externally Managed VPN Gateway



Type in the machine name and IP address and check the Firewall and IPSec VPN checkboxes:


Next choose Topology in the right pane, and under VPN Domain choose Manually defined and select the remote peer group we made earlier:


Do the same for our local security gateway, and make sure that the local VPN group is set:


This group represents the local networks behind our security gateway.

Next let's create the VPN community: select IPSec VPN in the products pane, click on New and choose Star Community:



Type a name for the community and check the Accept all encrypted traffic check box:

Select Center Gateways in the right pane, click Add and choose the gateway that will be the center, in our case CP-CLUSTER, which is the security gateway of site A:


Then select Satellite Gateways, click Add and choose site B gateway, in our case CP-SG3:


Leave Encryption at its default settings:


Select Tunnel Management and check the Set Permanent Tunnels check box:


Select Advanced Settings -> VPN Routing and click on To Center, or through the center to other satellites, to internet and other VPN targets:


This setting will force the satellites to route all traffic through the center gateway.

Select Excluded Services, click Add and choose IKE:


Select Shared Secret, check Use Only Shared Secret for all External members, then click on the peer name, click Edit and type in the shared secret (Check Point recommends a shared secret of no fewer than 20 characters):


Select Advanced VPN Properties, and under NAT check Disable NAT inside the VPN community:


Click OK and close the Star Community.

As the last step we need to create the Firewall policy that allows traffic between the two sites: select Firewall in the products pane and choose Policy. Add a new rule between the two groups (local and remote VPN groups) in both directions:




To finish click on Install Policy.

Please note that these steps should be configured on both sides, each with its own corresponding objects and settings.

Also, the following steps should be configured only on the center gateway -
Add a Firewall policy rule to allow the site B networks to access the internet:


And add a NAT rule for the remote site network:



Now when a client in network 192.168.20.0/24 accesses the internet, the traffic passes through CP-CLUSTER and leaves with its external IP.
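To check that the settings above actually add up to a full tunnel, here is a small model of the forwarding and NAT decisions the two gateways make for a flow from site B; it is an added example, not Check Point code or part of the original post. Site B's network (192.168.20.0/24) comes from the post; site A's network and the cluster's external IP are assumed placeholder values.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: site B's network is from the post, the rest are assumptions
# (documentation ranges), not values taken from the post.
SITE_A_NET = ip_network("192.168.10.0/24")   # CP-CLUSTER VPN domain (assumed)
SITE_B_NET = ip_network("192.168.20.0/24")   # CP-SG3 VPN domain (from the post)
CENTER_EXT_IP = "203.0.113.1"                # CP-CLUSTER external IP (assumed)

# Star community settings as configured in the post
ROUTE_ALL_TO_CENTER = True           # VPN Routing: "To center ... to internet"
EXCLUDED_SERVICES = {("udp", 500)}   # Excluded Services: IKE (udp/500)
NAT_DISABLED_IN_COMMUNITY = True     # Advanced VPN Properties: Disable NAT inside the VPN community


def satellite_path(src, dst, proto="tcp", dport=443):
    """How CP-SG3 forwards a packet from its LAN: 'tunnel', 'clear' or 'drop'."""
    src, dst = ip_address(src), ip_address(dst)
    if src not in SITE_B_NET:
        return "drop"   # outside the satellite's VPN domain, so nothing encrypts it
    if (proto, dport) in EXCLUDED_SERVICES:
        return "clear"  # IKE must leave in the clear or the tunnel it negotiates never comes up
    if dst in SITE_A_NET or ROUTE_ALL_TO_CENTER:
        return "tunnel"
    return "clear"      # only reached with the default (not full-tunnel) routing


def center_egress(src, dst):
    """(verdict, source address seen by dst) after the packet leaves CP-CLUSTER."""
    src, dst = ip_address(src), ip_address(dst)
    if src not in SITE_B_NET:
        return ("drop", None)
    if dst in SITE_A_NET:
        # site-to-site rule (local <-> remote groups); NAT is disabled inside the community
        return ("accept", str(src) if NAT_DISABLED_IN_COMMUNITY else CENTER_EXT_IP)
    if dst.is_global:
        # center-only rule "site B networks to internet" plus the hide NAT rule for site B
        return ("accept", CENTER_EXT_IP)
    return ("drop", None)  # no rule for it (e.g. some other private range)


def trace(src, dst, proto="tcp", dport=443):
    """End-to-end verdict and egress source address for one flow that starts at site B."""
    hop1 = satellite_path(src, dst, proto, dport)
    if hop1 != "tunnel":
        return (hop1, None)
    return center_egress(src, dst)
```

Flipping NAT_DISABLED_IN_COMMUNITY or removing IKE from EXCLUDED_SERVICES shows why the post sets each of them.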

Products List:
CP-CLUSTER – Check Point R77.20
CP-SG3 – Check Point R77.30

34 comments:

  14. Pls correct the drawing : both sites have same IP address subnet 192.168.10.0/24
