Aviatrix Gateway to Check Point(R88.10)¶
This document describes how to build an IPSec tunnel based site2cloud connection between Aviatrix Gateway and Check Point Firewall. To simulate an on-prem Check Point Firewall, we use a Check Point CloudGuard IaaS firewall VM at AWS VPC.
Network setup is as following:
VPC1 (with Aviatrix Gateway)
VPC1 CIDR: 10.12.0.0/16
VPC1 Public Subnet CIDR: 10.12.0.0/23
VPC1 Private Subnet CIDR: 10.12.2.0/23
VPC2 (with Check Point Security Gateway)
VPC2 CIDR: 10.24.0.0/16
VPC2 Public Subnet CIDR: 10.24.0.0/23
VPC2 Private Subnet CIDR: 10.24.2.0/23
1. Launch Check Point Security Gateway VM¶
launch a CheckPoint VM with at least two network interfaces. One interface serves as a WAN port and is in VPC2’s public subnet. The other interface serves as a LAN port and is in VPC2’s private subnet. Collect the public IP address of the WAN port.
2. Create Site2Cloud Connection at Aviatrix Controller¶
2.1 Go to Gateway->New Gateway to launch an Aviatrix Gateway at VPC1’s public subnet. Collect both public and private IP addresses of the Gateway.
2.2 Go to site2cloud and click Add New to create a site2cloud connection:
Field | Value |
---|---|
VPC ID/VNet Name | Choose VPC ID of VPC1 |
Connection Type | Unmapped |
Connection Name | Arbitrary (e.g. avx-cp-s2c) |
Remote Gateway Type | Generic |
Tunnel Type | UDP |
Algorithms | Uncheck this box |
Encryption over DirectConnect | Uncheck this box |
Enable HA | Uncheck this box |
Primary Cloud Gateway | Select Aviatrix Gateway created above |
Remote Gateway IP Address | Public IP of CheckPoint-VM WAN port |
Pre-shared Key | Optional (auto-generated if not entered) |
Remote Subnet | 10.24.2.0/23 (VPC2 private subnet) |
Local Subnet | 10.12.2.0/23 (VPC1 private subnet) |
2.3 Go to the site2cloud page. From the site2cloud connection table, select the connection created above (e.g. avx-cp-s2c). Select Generic from Vendor drop down list and click the Download Configuration button to download the site2cloud configuration. Save the configuration file for configuring CheckPoint-VM.
3. Download and Install SmartConsole¶
3.1 Using a browser, connect to the Gaia Portal of the CheckPoint-VM at https://CheckPoint-VM_Public-IP: 3.2 click Download Now! as shown below to download SmartConsole.
3.3 Install SmartConsole at your local machine and launch SmartDashboard.
4. Create Network Objects at SmartConsole¶
4.1. At Check Point SmartDashboard window, go to new -> network -> and create two objects.
4.2 Create one network for private subnet of VPC2 (Check Point VPC)
Field | Value |
---|---|
Name | Arbitrary (e.g. CP-Private-Subnet) |
IPv4 Network Address | VPC2 private subnet CIDR |
IPv4 Net mask | VPC2 private subnet mask |
4.3 Create one network for private subnet of VPC1 (Aviatrix Gateway VPC)
Field | Value |
---|---|
Name | Arbitrary (e.g. AVX-Private-Subnet) |
IPv4 Network Address | VPC1 private subnet CIDR |
IPv4 Net mask | VPC1 private subnet mask |
5. Configure Check Point Security Gateway with VPN¶
Field | Value |
---|---|
IPv4 Address | Private IP of CheckPoint VM WAN port |
Network Security | Select ‘IPSec VPN’ |
5.2 go to network management -> vpn domain -> click on manually defined and select network created at 4.2.5.3 Go to network management -> double click “eth0” (Check Point WAN port). Cick on modify Select External (leads out to the Internet).5.4 Go to network management -> double click “eth1” (Check Point LAN port). Cick on modify. Select Override -> this network (internal) -> specific -> select netwrok created in 4.2.
- 5.5 Double click on gateway as shown in step 5.1 -> IPSec VPN -> link selection -> statically natted ip -> public IP of CheckPoint wan port
- Click on source ip settings -> select manual -> in selected address from topology table -> select the private IP of CheckPoint wan port
5.6 Double click on gateway as shown in step 5.1 -> VPN advanced and leave it as it is to use the community settings and leave NAT traversal turned on.
6. Configure an Interoperable Device to Represent Aviatrix Gateway¶
6.1 Go to gateways and services -> New network objects -> interoperable devices -> click on add new and then following the below picture to create a new interoperable device to represent Aviatrix G ateway.
6.2 Double Click on interoporable device -> avx-gw(created in step 6.1) -> general properties -> IPv4 address will be public ip of aviatrix gateway
6.3 Double Click on interoporable device -> avx-gw(created in step 6.1) -> topology -> manually defined -> select the network created in step 4.3
6.4 Double Click on interoporable device -> avx-gw(created in step 6.1) -> IPSec VPN - Link Selection -> select Always use this IP address -> Main Address
6.5 Double Click on interoporable device -> avx-gw(created in step 6.1) -> IPSec VPN – VPN advanced window, select use the community settings.
7. Create a VPN Community¶
7.1 Click on VPN communities on the smart console and then create star community as shown below.
7.2 After creating the VPN commmunity, double click on created VPN community -> gateway tab and then to select gateway created in step 5
7.3 Double click on created VPN community -> encryption -> Encryption window, select the options according to the site2cloud configuration downloaded at Step 2.3.
7.4 Double click on created VPN community -> tunnel management and then select one VPN tunnel per gateway pair.
7.5 Double click on created VPN community -> VPN routing -> select as shown below image.
7.6 Double click on created VPN community -> Shared secret -> Advanced Settings - Shared Secret window, enter Shared Secret by copying the Pre-Shared Key from the site2cloud configuration downloaded at Step 2.3.
7.7 Double click on created VPN community -> advanced -> enter the Phase1 and Phase2 parameters according to the site2cloud configuration downloaded at Step 2.3.
8. Create Firewall Rule for VPN Traffic¶
Go to security and policies and then add a policy and click on install policy.
9. Troubleshooting and Verifying at Check Point Security Gateway¶
9.1 Go to logs and monitor -> add new tab and then click on tunnel and user monitoring.
9.2. After above step click on IPsec VPN to see the tunnel status
10. Troubleshooting and Verifying at Aviatrix Controller¶
10.1 At the Aviatrix Controller, go to the Site2Cloud page. Verify that the status of the site2cloud connection is up.
10.2 At the Site2Cloud - Diagnostics page, run various diagnostics commands.
Field | Value |
---|---|
VPC ID/VNet Name | VPC1 (Aviatrix Gateway VPC) ID |
Connection | Name of site2cloud connection created at Step 2 |
Gateway | Name of Aviatrix Gateway |
Action | One of the supported diagnostics commands |
10.3. Below is the sample output for ping from an instance in Aviatrix private subnet to an instance in CheckPoint private subnet.