Aviatrix Gateway to Check Point(R77.30)

This document describes how to build an IPsec tunnel based Site2Cloud connection between Aviatrix Gateway and Check Point Firewall. To simulate an on-prem Check Point Firewall, we use a Check Point CloudGuard IaaS firewall VM at AWS VPC.

If you do not have access to AWS, you can simulate an on-prem Firewall by deploying the Palo Alto Firewall in any other cloud (such as Microsoft Azure, Google Cloud Platform, or Oracle Cloud Infrastructure).

The network setup is as follows:

VPC1 (with Aviatrix Gateway)

VPC1 CIDR: 10.0.0.0/16

VPC1 Public Subnet CIDR: 10.0.1.0/24

VPC1 Private Subnet CIDR: 10.0.2.0/24

VPC2 (with Check Point Security Gateway)

VPC2 CIDR: 10.10.0.0/16

VPC2 Public Subnet CIDR: 10.10.0.0/24

VPC2 Private Subnet CIDR: 10.10.1.0/24

Launching Check Point Security Gateway VM

Refer to the http:/supportcontent.checkpoint.com/documentation_download?ID=45816[vSEC Gateway for Amazon Web Services Getting Started Guide] to launch a CheckPoint VM with at least two network interfaces. One interface serves as a WAN port and is in VPC2’s public subnet. The other interface serves as a LAN port and is in VPC2’s private subnet. Collect the public IP address of the WAN port.

Creating a Site2Cloud Connection at Aviatrix Controller

  1. Go to Gateway > New Gateway to launch an Aviatrix Gateway at VPC1’s public subnet. Collect both public and private IP addresses of the Gateway.

  2. Go to Site2Cloud and click Add New to create a Site2Cloud connection:

    Field Value

    VPC ID/VNet Name

    Choose VPC ID of VPC1

    Connection Type

    Unmapped

    Connection Name

    Arbitrary (e.g. avx-cp-s2c)

    Remote Gateway Type

    Generic

    Tunnel Type

    UDP

    Algorithms

    Unmark this checkbox

    Encryption over DirectConnect

    Unmark this checkbox

    Enable HA

    Unmark this checkbox

    Primary Cloud Gateway

    Select Aviatrix Gateway created above

    Remote Gateway IP Address

    Public IP of CheckPoint-VM WAN port

    Pre-shared Key

    Optional (auto-generated if not entered)

    Remote Subnet

    10.10.1.0/24 (VPC2 private subnet)

    Local Subnet

    10.0.2.0/24 (VPC1 private subnet)

  1. Go to the Site2Cloud page. From the Site2Cloud connection table, select the connection created above (e.g. avx-cp-s2c). Select Generic from the Vendor dropdown list and click Download Configuration to download the Site2Cloud configuration. Save the configuration file for configuring CheckPoint-VM.

Downloading and Installing SmartConsole

  1. Using a browser, connect to the Gaia Portal of the CheckPoint-VM at https:/CheckPoint-VM_Public-IP:

  1. Click Overview at the left navigation bar, and then click Download Now! to download SmartConsole.

image0
  1. Install SmartConsole at your local machine and launch SmartDashboard.

Creating Network Objects at SmartConsole

  1. At the Check Point SmartDashboard window, select the Desktop tab. Right click the Networks folder at the left navigation bar and select Network.

  2. Create one network for private subnet of VPC2 (Check Point VPC).

    image1
    Field Value

    Name

    Arbitrary (e.g. CP-Private-Subnet)

    IPv4 Network Address

    VPC2 private subnet CIDR

    IPv4 Net mask

    VPC2 private subnet mask

  1. Create one network for private subnet of VPC1 (Aviatrix Gateway VPC).

    image2
    Field Value

    Name

    Arbitrary (e.g. AVX-Private-Subnet)

    IPv4 Network Address

    VPC1 private subnet CIDR

    IPv4 Net mask

    VPC1 private subnet mask

Configuring Check Point Security Gateway with VPN

  1. At the SmartDashboard window, select the Desktop tab and expand the Check Point folder at the left navigation bar. Note that your gateway VM with the name format "gw-xxxxxx" is automatically created.

image3
  1. Right-click the gateway name and select Edit from the menu.

  2. At the Check Point Gateway > General Properties window:

    image4
    Field Value

    IPv4 Address

    Private IP of CheckPoint VM WAN port

    Test SIC Status

    Make sure the status is "communicating"

    Network Security

    Select IPsec VPN

  3. At Check Point Gateway - Topology window, select Manually defined for VPN Domain. Select the network created when you created a network for private subnet of VPC2 (Check Point VPC).

image5
  1. At Check Point Gateway - Topology window, double-click "eth0" (Check Point WAN port). Select External (leads out to the Internet).

image6
  1. At Check Point Gateway - Topology window, double click "eth1" (Check Point LAN port). Select Internal (leads to the local network).

image7
  1. At the Check Point Gateway - IPsec VPN - Link Selection window, configure the parameters as follows:

    image8
    Field Value

    Statically NATed IP

    Public IP of Check Point WAN port

    Selected address from topology table

    Private IP of Check Point WAN port

  1. At the Check Point Gateway - IPsec VPN - VPN Advanced window, configure the parameters as follows:

image9

Configuring an Interoperable Device to Represent Aviatrix Gateway

  1. At Check Point SmartDashboard window, select the Desktop tab. Right-click the Networks folder at the left navigation bar to create a new interoperable device.

  2. At the Interoperable Device - General Properties window:

    image10
    Field Value

    Name

    Arbitrary (e.g. AVX-GW)

    IPv4 Address

    Public IP of Aviatrix Gateway

  3. At the Interopable Device - Topology window, select Manually defined for VPN Domain. Select the network private subnet of VPC1 (Aviatrix Gateway VPC) you created above.

image11
  1. At the Interopable Device - IPsec VPN - Link Selection window, select Always use this IP address > Main Address.

image12
  1. At the Interopable Device - IPsec VPN - VPN Advanced window, select Use the community settings.

image13

Creating a VPN Community

  1. At SmartDashboard IPsec VPN tab, select Overview from left navigation bar. Click New to create a Meshed Community.

image14
  1. At Meshed Community Properties - General window, create one community with a name (e.g. Site2Cloud-avx).

image15
  1. At Meshed Community Properties - Participating Gateways window, add both Check Point Security Gateway (e.g. gw-fe024c) and the interopable device created when you configured an interoperable device to represent the Aviatrix Gateway (e.g. AVX-GW) to this community.

image16
  1. At Meshed Community Properties - Encryption window, select the options according to the Site2Cloud configuration for configuring CheckPoint-VM you saved and downloaded above.

image17
  1. At Meshed Community Properties - Tunnel Management window, select One VPN tunnel per Gateway pair for VPN Tunnel Sharing.

image18
  1. At the Meshed Community Properties - Advanced Settings - Shared Secret window, enter Shared Secret by copying the Pre-Shared Key from the Site2Cloud configuration downloaded above.

image19
  1. At the Meshed Community Properties - Advanced Settings - Advanced VPN Properties window, enter the Phase1 and Phase2 parameters according to the Site2Cloud configuration downloaded above.

image20

Creating Firewall Rule for VPN Traffic

  1. At SmartDashboard window, select the Firewall tab.

  2. Select Policy to add a new rule.

    image21
    Field Value

    VPN

    Select the Meshed VPN Community created above

    Install On Sele

    ct Check Point Security Gateway

  3. Click Install Policy button to push the firewall policy to the Check Point Security Gateway.

image22

Troubleshooting and Verifying at Check Point Security Gateway

  1. At SmartDashboard window, from SmartConsole dropdown list, select SmartView Monitor.

image23
  1. At the SmartView Monitor window, select VPNs from Gateway Status and verify Encrypted Traffic.

image24

Troubleshooting and Verifying at Aviatrix Controller

  1. At the Aviatrix Controller, go to the Site2Cloud page. Verify that the status of the Site2Cloud connection is up.

image25
  1. At the Site2Cloud - Diagnostics page, run various diagnostics commands.

    image26
    Field Value

    VPC ID/VNet Name

    VPC1 (Aviatrix Gateway VPC) ID

    Connection

    Name of Site2Cloud connection created above

    Gateway

    Name of Aviatrix Gateway

    Action

    One of the supported diagnostics commands

    For support, please open a support ticket at Aviatrix Support Portal.