
How to Set Up Site-to-Site VPN in Check Point

Configure site-to-site VPN tunnels between Check Point gateways. Covers IPsec VPN setup, VPN communities, encryption settings, and troubleshooting.

15 min read | Updated January 2025

Site-to-Site VPN connects two or more locations securely over the internet using encrypted tunnels. Check Point's IPsec VPN implementation provides enterprise-grade security with flexible configuration options. This guide walks you through setting up VPN connections between Check Point Security Gateways.

Prerequisites

Before you begin, ensure you have:

  • Two or more Security Gateways with IPsec VPN Software Blade available
  • SmartConsole access with permissions to modify VPN settings
  • Trusted Communication (SIC) established between all gateways and Management Server
  • Network documentation including:
    • Gateway external IP addresses
    • Internal networks (VPN domains) at each site
    • Required encryption and authentication settings
  • Firewall rules allowing IKE (UDP 500, 4500) and ESP (IP protocol 50) traffic

Understanding VPN Components

Component          | Description
VPN Domain         | Networks and IP addresses included in the VPN tunnel
VPN Community      | Defines which gateways participate in VPN connections
Encryption Domain  | Same as VPN Domain - the protected networks behind each gateway
Phase 1 (IKE)      | Initial key exchange to establish a secure channel
Phase 2 (IPsec)    | Negotiates encryption for the actual data traffic

Step 1: Enable the IPsec VPN Software Blade

Enable VPN on each participating gateway:

  1. Open SmartConsole and connect to your Management Server
  2. Navigate to Gateways & Servers in the left panel
  3. Double-click the Security Gateway object to open its properties
  4. In the General Properties tab, locate Network Security
  5. Check the box for IPsec VPN
  6. Click OK to save the gateway configuration
  7. Repeat for all gateways that will participate in VPN
  8. Click Publish to save changes

Note: You must publish and install policy after enabling blades for changes to take effect.

Step 2: Configure VPN Domains

The VPN Domain defines which networks are accessible through the VPN tunnel. Configure this for each gateway:

Automatic VPN Domain

By default, Check Point includes all networks considered "internal" to the gateway:

  1. Double-click the Security Gateway object
  2. Navigate to Network Management > VPN Domain
  3. Select All IP Addresses behind Gateway based on Topology
  4. Click OK

User-Defined VPN Domain

For more control over which networks are included:

  1. Double-click the Security Gateway object
  2. Navigate to Network Management > VPN Domain
  3. Select User defined
  4. Click the ... button to select objects
  5. Add specific Network or Group objects that should be accessible via VPN
  6. Click OK to save

Creating a VPN Domain Group

For complex environments with multiple networks:

  1. Go to Objects menu > New > Group > Simple Group
  2. Name it descriptively (e.g., "Site_A_VPN_Domain")
  3. Add all network objects that should be in the VPN domain
  4. Click OK
  5. Assign this group as the gateway's VPN Domain

Step 3: Create a VPN Community

VPN Communities define which gateways can establish VPN tunnels with each other:

  1. Navigate to Security Policies in the left panel
  2. In the Access Tools section on the right, click VPN Communities
  3. Click New and select your community type:
    • Star Community - Hub-and-spoke topology
    • Mesh Community - All-to-all connectivity

Configuring a Star Community

  1. Enter a Name for the community (e.g., "Corporate_VPN")
  2. On the Gateways page:
    • Center Gateways: Click Add and select your hub/headquarters gateway(s)
    • Check Mesh center gateways if you have multiple center gateways that should communicate directly
    • Satellite Gateways: Click Add and select branch office gateways
  3. Configure other settings as needed (covered in following steps)
  4. Click OK to save

Configuring a Mesh Community

  1. Enter a Name for the community
  2. On the Gateways page:
    • Click Add and select all participating gateways
    • All gateways in a mesh can communicate directly with each other
  3. Configure encryption and other settings
  4. Click OK to save

Step 4: Configure Encryption Settings

From the VPN Community properties, select Encryption in the navigation tree:

Encryption Method

Option           | Description                        | Recommendation
IKEv2 Only       | Modern, more secure protocol       | Recommended for new deployments
IKEv1 for IPv4   | Legacy protocol, widely compatible | Use when required for compatibility
IKEv2 Preferred  | Falls back to IKEv1 if needed      | Good for mixed environments

Encryption Suite

Select a pre-defined suite or configure custom settings:

Suite            | Encryption             | Authentication         | DH Group
Suite-B GCM-256  | AES-256 GCM            | SHA-384                | Group 20 (384-bit ECP)
Suite-B GCM-128  | AES-128 GCM            | SHA-256                | Group 19 (256-bit ECP)
VPN B            | AES-256                | SHA-256                | Group 5 (1536-bit MODP)
VPN A            | AES-128                | SHA-1                  | Group 2 (1024-bit MODP)
Custom           | Configure individually | Configure individually | Configure individually

Security Note: Use Suite-B GCM-256 or Suite-B GCM-128 for new deployments. Avoid SHA-1 and Group 2 for production environments.

Custom Encryption Settings

For Custom encryption, configure Phase 1 and Phase 2 separately:

Phase 1 (IKE SA):

  • Encryption: AES-256
  • Data Integrity: SHA-256 or SHA-384
  • Diffie-Hellman Group: Group 14 (2048-bit) or higher

Phase 2 (IPsec SA):

  • Encryption: AES-256 GCM or AES-256
  • Data Integrity: SHA-256 (not needed with AES-256 GCM, which provides its own integrity)

Step 5: Configure Authentication

From the VPN Community properties, select Shared Secret or Certificate Authentication:

Pre-Shared Secret Authentication

  1. Select the Shared Secret page in the community properties
  2. Choose an authentication method:
    • Use only Shared Secret - Simple but less secure
    • Certificate or Shared Secret - Fallback option
  3. Configure the shared secret:
    • Select the gateway pair
    • Click Edit or double-click the entry
    • Enter a strong Shared Secret (minimum 16 characters, mix of letters, numbers, symbols)
    • Confirm the secret
    • Click OK

Certificate-Based Authentication

For enhanced security, use certificates:

  1. Ensure each gateway has a valid certificate from a trusted CA
  2. In the VPN Community, select Certificate Authentication options
  3. Configure certificate validation settings

Step 6: Configure Tunnel Features

Permanent Tunnels

Keep tunnels active even without traffic:

  1. In VPN Community properties, go to Tunnel Management
  2. Enable Permanent Tunnels
  3. Configure tunnel keep-alive settings

Dead Peer Detection (DPD)

Detect failed tunnels automatically:

  1. Enable Dead Peer Detection (DPD)
  2. Configure detection intervals:
    • Tunnel Idle Time before DPD: How long to wait before checking (default: 30 seconds)
    • DPD Retry Interval: Time between probes (default: 10 seconds)
    • DPD Retry Count: Number of failed probes before declaring tunnel dead (default: 3)

Step 7: Configure Access Control Rules

Create rules to allow traffic through the VPN tunnel:

Accept All Encrypted Traffic (Simple)

  1. In the VPN Community properties, go to Encrypted Traffic
  2. Enable Accept all encrypted traffic
  3. This creates an implicit rule allowing all traffic within the community

For more control, create explicit rules:

  1. Go to Security Policies > Access Control > Policy
  2. Add a new rule:
    • Name: "Allow VPN Traffic - Site A to Site B"
    • Source: [Site A VPN Domain objects]
    • Destination: [Site B VPN Domain objects]
    • VPN: [Your VPN Community]
    • Services: [Specific services or Any]
    • Action: Accept
    • Track: Log
  3. Create a reciprocal rule (Site B to Site A) if connections will also be initiated from the other side

Step 8: Install the Policy

After completing VPN configuration:

  1. Click Publish to save all changes
  2. Click Install Policy
  3. Select the Access Control policy
  4. Select all gateways participating in the VPN
  5. Click Install
  6. Monitor the installation in the Tasks panel

Step 9: Verify VPN Connectivity

Check Logs in SmartConsole

  1. Go to Logs & Monitor in SmartConsole
  2. Look for these log types:
    • Key Install - Indicates successful Phase 1/Phase 2 negotiation
    • Encrypt - Traffic being encrypted and sent through tunnel
    • Decrypt - Traffic being received and decrypted

Monitor VPN Tunnels

  1. In SmartConsole, go to Logs & Monitor
  2. Select the Tunnels or VPN view
  3. Verify tunnels show as Active

Command-Line Verification

SSH to the Security Gateway and run:

# View tunnel status (vpn tu is the short form of vpn tunnelutil)
vpn tunnelutil

# Or use the interactive menu
vpn tu

# List all active tunnels
vpn tu tlist

# Debug a specific tunnel: clear the old debug files, then turn on full VPN/IKE debugging
vpn debug trunc
vpn debug on TDERROR_ALL_ALL=5

# Turn debugging off when done; the output is in $FWDIR/log/vpnd.elg and $FWDIR/log/ike.elg
vpn debug off
vpn debug ikeoff

Test Traffic Flow

From a host behind one gateway, ping a host behind the other gateway:

ping <remote_internal_ip>

Check logs to confirm traffic is being encrypted/decrypted.
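The log check above can be automated per peer. The script below is an added example and not Check Point code: it reads a constructed, simplified key=value export (not the real Check Point log format; only the action names Key Install, Encrypt and Decrypt come from this guide), collects which actions were seen for each expected peer, and maps the result onto the troubleshooting categories further down (no Key Install, Key Install without traffic). The two one-way branches (Encrypt without Decrypt and the reverse) go a step beyond the guide's split. The peer addresses, community name and EXPECTED_PEERS list are placeholders.

```python
"""Triage VPN peers from Check Point log actions (added example, not Check Point code)."""
import re
from collections import defaultdict

# Constructed sample: one record per line, fields as key=value, quoted when they contain spaces.
SAMPLE_LOGS = """\
12:00:01 action="Key Install" peer=203.0.113.2 community=Corporate_VPN
12:00:02 action=Encrypt src=10.1.1.10 dst=10.2.1.10 peer=203.0.113.2 community=Corporate_VPN
12:00:02 action=Decrypt src=10.2.1.10 dst=10.1.1.10 peer=203.0.113.2 community=Corporate_VPN
12:00:05 action="Key Install" peer=198.51.100.7 community=Corporate_VPN
12:05:00 action=Encrypt src=10.1.1.10 dst=10.3.1.10 peer=198.51.100.7 community=Corporate_VPN
12:00:09 action="Key Install" peer=198.51.100.20 community=Corporate_VPN
"""

# Gateways that should have tunnels according to the community definition (constructed).
EXPECTED_PEERS = ["203.0.113.2", "198.51.100.7", "198.51.100.20", "192.0.2.9"]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Split one record into a dict; the first token is the timestamp."""
    fields = {"time": line.split(" ", 1)[0]}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def triage(logs: str, expected_peers) -> dict:
    """Map each expected peer to the troubleshooting category its log actions suggest."""
    seen = defaultdict(set)
    for line in logs.splitlines():
        rec = parse_line(line)
        if "peer" in rec and "action" in rec:
            seen[rec["peer"]].add(rec["action"])

    verdicts = {}
    for peer in expected_peers:
        actions = seen.get(peer, set())
        if "Key Install" not in actions:
            verdicts[peer] = ("tunnel not establishing: no Key Install "
                              "(check IKE/ESP reachability, matching proposals, shared secret)")
        elif not actions & {"Encrypt", "Decrypt"}:
            verdicts[peer] = ("tunnel up but no traffic: no Encrypt/Decrypt "
                              "(check VPN domains, access rules, routing)")
        elif "Decrypt" not in actions:
            verdicts[peer] = ("one-way traffic: Encrypt without Decrypt "
                              "(check the remote side's VPN domain, rules and routing)")
        elif "Encrypt" not in actions:
            verdicts[peer] = ("one-way traffic: Decrypt without Encrypt "
                              "(check the local access rules, VPN domain and routing)")
        else:
            verdicts[peer] = "healthy: Key Install, Encrypt and Decrypt all seen"
    return verdicts


if __name__ == "__main__":
    for peer, verdict in triage(SAMPLE_LOGS, EXPECTED_PEERS).items():
        print(f"{peer:15} {verdict}")
```

Feed it an export from Logs & Monitor filtered to the VPN community and the list of gateways in that community; a peer that never produces a Key Install is the one to start with.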

Troubleshooting Common Issues

Tunnel Not Establishing

Symptoms: No Key Install logs, tunnel shows as down.

Solutions:

  1. Verify IKE ports are open:
    • UDP 500 (IKE)
    • UDP 4500 (NAT-T)
    • IP Protocol 50 (ESP)
  2. Check that encryption settings match on both sides
  3. Verify pre-shared secrets are identical
  4. Confirm gateway external IP addresses are correct
  5. Check for NAT between gateways

Tunnel Establishes but No Traffic Flows

Symptoms: Key Install logs present, but no Encrypt/Decrypt logs.

Solutions:

  1. Verify VPN domains are correctly defined on both sides
  2. Check access control rules allow the traffic
  3. Confirm source/destination are within the VPN domains
  4. Check routing tables on gateways
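Items 1 and 3 above (and the VPN domain definitions from Step 2) can be checked offline before touching the gateways. The script below is an added example, not Check Point code: the site names, networks, community membership and test flows are constructed, and a community is modelled simply as the set of sites whose gateways may build tunnels with each other. It finds networks claimed by two different sites' VPN domains and explains, for a given source and destination, whether the flow would be sent through a community tunnel at all.

```python
"""Check VPN domain definitions for the classic "tunnel up, no traffic" causes
(added example, not Check Point code)."""
from ipaddress import ip_address, ip_network

# Constructed VPN domains (Step 2): the networks each gateway protects.
# Site_C's second network overlaps Site_B's domain, a misconfiguration that
# leaves the gateways disagreeing about which tunnel 10.2.20.0/24 belongs to.
VPN_DOMAINS = {
    "Site_A": [ip_network("10.1.0.0/16")],
    "Site_B": [ip_network("10.2.0.0/16")],
    "Site_C": [ip_network("10.3.0.0/16"), ip_network("10.2.20.0/24")],
}
COMMUNITY = {"Site_A", "Site_B"}   # Site_C has not been added to the community yet


def overlapping_domains(domains: dict) -> list:
    """Pairs of networks claimed by two different sites."""
    found = []
    sites = sorted(domains)
    for i, a in enumerate(sites):
        for b in sites[i + 1:]:
            for net_a in domains[a]:
                for net_b in domains[b]:
                    if net_a.overlaps(net_b):
                        found.append((a, b, net_a, net_b))
    return found


def sites_claiming(addr, domains: dict) -> set:
    """Every site whose VPN domain contains the address (normally at most one)."""
    return {site for site, nets in domains.items() if any(addr in n for n in nets)}


def classify_flow(src: str, dst: str, domains: dict, community: set) -> str:
    """Say whether a src->dst flow would be sent through a community tunnel."""
    ends = {"source": sites_claiming(ip_address(src), domains),
            "destination": sites_claiming(ip_address(dst), domains)}
    for end, claims in ends.items():
        if not claims:
            return f"not encrypted: {end} is outside every VPN domain"
        if len(claims) > 1:
            return (f"ambiguous: {end} is inside the VPN domains of "
                    + ", ".join(sorted(claims)))
    (src_site,), (dst_site,) = ends["source"], ends["destination"]
    if src_site == dst_site:
        return f"not encrypted: both ends are inside {src_site} (local traffic)"
    if not {src_site, dst_site} <= community:
        return f"not encrypted: {src_site} and {dst_site} are not both in the community"
    return f"encrypted: {src_site} -> {dst_site}"


if __name__ == "__main__":
    for a, b, net_a, net_b in overlapping_domains(VPN_DOMAINS):
        print(f"overlap: {a} {net_a} and {b} {net_b}")
    for src, dst in [("10.1.1.10", "10.2.1.10"), ("10.1.1.10", "10.2.20.5"),
                     ("10.1.1.10", "10.3.1.10"), ("10.1.1.10", "10.1.9.9"),
                     ("10.1.1.10", "192.168.1.1")]:
        print(f"{src} -> {dst}: {classify_flow(src, dst, VPN_DOMAINS, COMMUNITY)}")
```

Replace VPN_DOMAINS with the network objects you assigned in Step 2 and COMMUNITY with the gateways in the community; any "ambiguous" or "not both in the community" result points at a definition to fix before looking at routing.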

Intermittent Tunnel Drops

Symptoms: Tunnel works then fails periodically.

Solutions:

  1. Check for DPD failures in logs
  2. Verify network stability between sites
  3. Increase DPD timeout values
  4. Check for conflicting NAT rules
  5. Verify no rekeying issues (check Phase 2 lifetime settings)

Phase 1 Failures

Symptoms: Log shows "IKE Phase 1 failed" errors.

Solutions:

  1. Verify both sides use the same IKE version
  2. Check encryption and DH group settings match
  3. Confirm authentication method matches (PSK vs. certificate)
  4. Verify pre-shared secret is identical on both sides
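Items 2 and 3 above, together with the Custom Encryption Settings from Step 4, amount to comparing two lists of proposals. The script below is an added example, not Check Point code: it models each side's Phase 1 and Phase 2 settings as plain data (the Proposal class, the gateway names and the sample proposals are constructed), reports whether the two sides share at least one proposal, and flags algorithms that fall below this guide's recommendations (SHA-1, DH Group 2, MODP groups below 2048-bit, and a redundant integrity algorithm next to AES-GCM). The set of accepted DH groups is this example's reading of "Group 14 or higher" plus the ECP groups used by the Suite-B suites.

```python
"""Compare the IKE/IPsec proposals configured on two gateways
(added example, not Check Point code)."""
from dataclasses import dataclass
from typing import Optional

# DH groups accepted here: Group 14 (2048-bit MODP) or higher, plus the ECP
# groups of the Suite-B suites. Group numbers are not ordered by strength,
# hence an explicit set. Sizes are the standard IKE group definitions.
RECOMMENDED_DH_GROUPS = {14, 15, 16, 19, 20}
DH_GROUP_SIZES = {2: "1024-bit MODP", 5: "1536-bit MODP", 14: "2048-bit MODP",
                  15: "3072-bit MODP", 16: "4096-bit MODP",
                  19: "256-bit ECP", 20: "384-bit ECP"}
AEAD_CIPHERS = {"AES-128-GCM", "AES-256-GCM"}   # carry their own integrity
WEAK_INTEGRITY = {"SHA-1", "MD5"}


@dataclass(frozen=True)
class Proposal:
    encryption: str            # e.g. "AES-256" or "AES-256-GCM"
    integrity: Optional[str]   # None for AEAD ciphers
    dh_group: Optional[int]    # Phase 1: always set; Phase 2: set only with PFS


def weaknesses(p: Proposal) -> list:
    """Findings for a proposal that falls below the guide's recommendations."""
    findings = []
    if p.encryption in AEAD_CIPHERS and p.integrity is not None:
        findings.append(f"{p.encryption} is AEAD; separate integrity "
                        f"({p.integrity}) is redundant")
    if p.encryption not in AEAD_CIPHERS and p.integrity is None:
        findings.append(f"{p.encryption} needs an integrity algorithm")
    if p.integrity in WEAK_INTEGRITY:
        findings.append(f"{p.integrity} integrity is deprecated")
    if p.dh_group is not None and p.dh_group not in RECOMMENDED_DH_GROUPS:
        size = DH_GROUP_SIZES.get(p.dh_group, "unknown size")
        findings.append(f"DH Group {p.dh_group} ({size}) is below Group 14")
    return findings


def compare_phase(local: list, remote: list) -> dict:
    """Intersect two proposal lists; the first common entry (in local order)
    is what the negotiation would settle on."""
    common = [p for p in local if p in remote]
    return {
        "negotiable": bool(common),
        "selected": common[0] if common else None,
        "local_only": [p for p in local if p not in remote],
        "remote_only": [p for p in remote if p not in local],
        "warnings": {p: weaknesses(p) for p in local + remote if weaknesses(p)},
    }


# Constructed sample: Site A follows the Custom settings from Step 4; Site B
# still offers legacy "VPN A"-style parameters first and uses AES-CBC in Phase 2.
SITE_A_PHASE1 = [Proposal("AES-256", "SHA-256", 14)]
SITE_B_PHASE1 = [Proposal("AES-128", "SHA-1", 2), Proposal("AES-256", "SHA-256", 14)]
SITE_A_PHASE2 = [Proposal("AES-256-GCM", None, None)]
SITE_B_PHASE2 = [Proposal("AES-256", "SHA-256", None)]


def run_report() -> dict:
    """Phase 1 negotiates here (on the second Site B proposal); Phase 2 cannot."""
    return {"phase1": compare_phase(SITE_A_PHASE1, SITE_B_PHASE1),
            "phase2": compare_phase(SITE_A_PHASE2, SITE_B_PHASE2)}


if __name__ == "__main__":
    for phase, result in run_report().items():
        state = "negotiable" if result["negotiable"] else "NO COMMON PROPOSAL"
        print(f"{phase}: {state}, selected={result['selected']}")
        for p, w in result["warnings"].items():
            print(f"  weak proposal {p}: " + "; ".join(w))
```

The sample deliberately shows the case that Key Install logs alone do not reveal: Phase 1 succeeds, so the tunnel appears to come up, while Phase 2 has no common proposal because one side chose AES-256 GCM and the other AES-256 with SHA-256.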

VPN Configuration Reference

Setting                  | Recommended Value
IKE Version              | IKEv2
Encryption Suite         | Suite-B GCM-256
DH Group                 | Group 19 or 20 (ECP)
Authentication           | Certificates
Perfect Forward Secrecy  | Enabled
Dead Peer Detection      | Enabled

Ports and Protocols Required

Protocol | Port        | Direction     | Description
UDP      | 500         | Bidirectional | IKE negotiation
UDP      | 4500        | Bidirectional | IKE NAT traversal
ESP      | Protocol 50 | Bidirectional | Encrypted data

Next Steps

After establishing basic site-to-site VPN:

  1. Add More Sites - Expand your VPN community with additional gateways
  2. Configure Backup Links - Set up redundant VPN paths for high availability
  3. Implement Certificate Authentication - Enhance security with PKI
  4. Monitor VPN Performance - Use SmartView Monitor for tunnel statistics
  5. Configure Remote Access VPN - Enable secure access for mobile users


Frequently Asked Questions


A Star VPN Community uses a hub-and-spoke topology where satellite gateways connect only to central (hub) gateways. A Mesh VPN Community creates tunnels between all gateways, allowing direct communication between any two sites. Star is simpler for branch offices; Mesh is better for sites that need to communicate directly with each other.
