This document describes how to build an IPsec tunnel-based Site2Cloud connection between an Aviatrix Gateway and a Check Point Firewall. To simulate an on-prem Check Point Firewall, we use a Check Point CloudGuard IaaS firewall VM in an AWS VPC.
Note
If you do not have access to AWS, you can simulate an on-prem Firewall by deploying the Palo Alto Firewall in any other cloud (such as Microsoft Azure, Google Cloud Platform, or Oracle Cloud Infrastructure).
The network setup is as follows:
- VPC1 (with Aviatrix Gateway)
  - VPC1 CIDR: 10.12.0.0/16
  - VPC1 Public Subnet CIDR: 10.12.0.0/23
  - VPC1 Private Subnet CIDR: 10.12.2.0/23
- VPC2 (with Check Point Security Gateway)
  - VPC2 CIDR: 10.24.0.0/16
  - VPC2 Public Subnet CIDR: 10.24.0.0/23
  - VPC2 Private Subnet CIDR: 10.24.2.0/23
- Launch a Check Point VM with at least two network interfaces. One interface serves as the WAN port and is in VPC2's public subnet. The other interface serves as the LAN port and is in VPC2's private subnet. Collect the public IP address of the WAN port.
- Go to Gateway > New Gateway to launch an Aviatrix Gateway at VPC1's public subnet. Collect both public and private IP addresses of the Gateway.
- Go to the Site2Cloud and click Add New to create a Site2Cloud connection:
Field | Value |
---|---|
VPC ID/VNet Name | Choose VPC ID of VPC1 |
Connection Type | Unmapped |
Connection Name | Arbitrary (e.g. avx-cp-s2c) |
Remote Gateway Type | Generic |
Tunnel Type | UDP |
Algorithms | Unmark this checkbox |
Encryption over ExpressRoute/DirectConnect | Unmark this checkbox |
Enable HA | Unmark this checkbox |
Primary Cloud Gateway | Select Aviatrix Gateway created above |
Remote Gateway IP Address | Public IP of CheckPoint-VM WAN port |
Pre-shared Key | Optional (auto-generated if not entered) |
Remote Subnet | 10.24.2.0/23 (VPC2 private subnet) |
Local Subnet | 10.12.2.0/23 (VPC1 private subnet) |
- Go to the Site2Cloud page. From the Site2Cloud connection table, select the connection created above (e.g. avx-cp-s2c). Select Generic from the Vendor drop-down list and click Download Configuration to download the Site2Cloud configuration. Save the configuration file; its values (peer addresses, pre-shared key, Phase 1 and Phase 2 parameters) are needed when configuring CheckPoint-VM.
- Using a browser, connect to the Gaia Portal of the CheckPoint-VM at https://CheckPoint-VM_Public-IP:
- Click Download Now! as shown below to download SmartConsole.
- Install SmartConsole on your local machine and launch SmartDashboard.
- In the Check Point SmartDashboard window, go to New > Network and create two network objects.
- Create one network for the private subnet of VPC2 (Check Point VPC).
Field | Value |
---|---|
Name | Arbitrary (e.g. CP-Private-Subnet) |
Network address | VPC2 private subnet CIDR |
Net mask | VPC2 private subnet mask |
- Create one network for the private subnet of VPC1 (Aviatrix Gateway VPC).
Field | Value |
---|---|
Name | Arbitrary (e.g. AVX-Private-Subnet) |
Network address | VPC1 private subnet CIDR |
Net mask | VPC1 private subnet mask |
- In the SmartDashboard window, go to Gateways and services and double-click the gateway.
Field | Value |
---|---|
IPv4 Address | Private IP of CheckPoint VM WAN port |
Network Security | Select IPsec VPN |
- Go to Network management > VPN domain > click Manually defined and select the VPC2 private-subnet network created previously (see the "Creating Network Objects at SmartConsole" section above). This VPN domain is the encryption domain the Check Point gateway offers to the peer, so it must match the Remote Subnet entered on the Aviatrix side.
- Go to Network management > double-click "eth0" (Check Point WAN port). Select External (leads out to the Internet).
- Go to Network management > double-click "eth1" (Check Point LAN port). Click Modify. Select Override > This network (internal) > Specific > select the network created previously (see the "Creating Network Objects at SmartConsole" section above).
- Double-click the gateway as shown in step 1 above > IPsec VPN > Link Selection > Statically NATed IP > enter the public IP of the Check Point WAN port. Click Source IP address settings > select Manual > Selected address from topology table > select the private IP of the Check Point WAN port.
- Double-click the gateway as shown in step 1 above > VPN Advanced. Leave it as it is, so the community settings are used, and leave NAT traversal turned on (the WAN port carries a private address behind a 1:1 NAT, so IKE and ESP must be encapsulated in UDP).
- Go to Gateways and services > New network objects > Interoperable devices > click Add new and then use the image below to create a new interoperable device to represent the Aviatrix Gateway.
- Double-click Interoperable device > avx-gwv (created in step 1 of this section) > General Properties. The IPv4 address is the public IP of the Aviatrix Gateway.
- Double-click Interoperable device > avx-gwv (created in step 1 of this section) > Topology > Manually defined > select the network for the private subnet of VPC1 (Aviatrix Gateway VPC) created above. This is the peer's encryption domain and must match the Local Subnet entered on the Aviatrix side.
- Double-click Interoperable device > avx-gwv (created in step 1 of this section) > IPsec VPN - Link Selection > select Always use this IP address > Main address.
- Double-click Interoperable device > avx-gwv (created in step 1 of this section) > IPsec VPN - VPN Advanced window. Select Use the community settings.
- Click VPN Communities in SmartConsole. Then create a Star Community as shown below.
- After creating the VPN community, double-click the created VPN community > Gateways tab. Then select the gateway created above (see the "Configuring Check Point Security Gateway with VPN" section).
- Double-click the created VPN community > Encryption > Encryption window and select the options according to the Site2Cloud configuration downloaded previously (see the "Create Site2Cloud Connection at Aviatrix Controller" section above).
- Double-click the created VPN community > Tunnel Management and select One VPN tunnel per Gateway pair.
- Double-click the created VPN community > VPN Routing > select as shown in the image below.
- Double-click the created VPN community > Shared Secret > Advanced Settings - Shared Secret window. Enter the shared secret by copying the Pre-Shared Key from the Site2Cloud configuration downloaded previously (see the "Create Site2Cloud Connection at Aviatrix Controller" section above).
- Double-click the created VPN community > Advanced > enter the Phase 1 and Phase 2 parameters according to the Site2Cloud configuration downloaded previously (see the "Create Site2Cloud Connection at Aviatrix Controller" section above). Both ends must agree on these parameters, or IKE negotiation fails before any tunnel is built.
- Go to Security Policies. Add a policy and click Install Policy.
- Go to Logs & Monitor > add a new tab. Then click Open Tunnel & User Monitoring.
- Click IPsec VPN to see the tunnel status.
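Most failures in a setup like this are not the tunnel refusing to come up but the two sides disagreeing about something the monitor does not show: the Check Point VPN domain and the Aviatrix Remote Subnet must be the same prefix, the interoperable device's topology must equal the Aviatrix Local Subnet, the peer addresses must be the public (NATed) ones, and NAT traversal must stay on while the WAN port holds a private address. The following is an added helper (not Aviatrix or Check Point code) that models the values typed into both UIs and lists those mismatches before you install policy. The VPC CIDRs and private subnets are the ones from the network setup above; the public and WAN-port addresses are constructed placeholders, and all class and function names are assumptions for the example.

```python
"""Consistency check for a Site2Cloud <-> Check Point parameter pair.

Hypothetical helper, not part of Aviatrix or Check Point. It compares the
values entered in the Aviatrix Site2Cloud form with those entered in
SmartConsole and reports what would leave the tunnel "up" but passing no
traffic (mirrored encryption domains) or stop IKE altogether (wrong peer
address, NAT traversal disabled behind a statically NATed WAN port).
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# RFC 1918 ranges: the peer-address fields on both sides must not hold these.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_rfc1918(addr):
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


@dataclass
class AviatrixSite2Cloud:
    """Fields from the Aviatrix Site2Cloud form (see the table above)."""
    local_subnet: str          # Local Subnet (VPC1 private subnet)
    remote_subnet: str         # Remote Subnet (VPC2 private subnet)
    remote_gateway_ip: str     # Remote Gateway IP Address (Check Point WAN public IP)
    gateway_public_ip: str     # public IP of the Aviatrix Gateway itself


@dataclass
class CheckPointSide:
    """Fields set in SmartConsole on the gateway and the interoperable device."""
    gateway_vpn_domain: str    # Network management > VPN domain (manually defined)
    gateway_natted_ip: str     # IPsec VPN > Link Selection > Statically NATed IP
    gateway_source_ip: str     # Source IP settings > private IP of the WAN port
    nat_traversal: bool        # VPN Advanced > NAT traversal
    peer_ipv4: str             # Interoperable device > General Properties > IPv4
    peer_topology: str         # Interoperable device > Topology (manually defined)


def check_site2cloud_pair(avx, cp, vpc1_cidr, vpc2_cidr):
    """Return a list of human-readable mismatches; an empty list means consistent."""
    problems = []
    vpc1, vpc2 = ip_network(vpc1_cidr), ip_network(vpc2_cidr)
    local, remote = ip_network(avx.local_subnet), ip_network(avx.remote_subnet)

    # Subnets must sit in the right VPC and must not overlap (Unmapped connection).
    if not local.subnet_of(vpc1):
        problems.append(f"Local Subnet {local} is not inside VPC1 {vpc1}")
    if not remote.subnet_of(vpc2):
        problems.append(f"Remote Subnet {remote} is not inside VPC2 {vpc2}")
    if local.overlaps(remote):
        problems.append("Local and Remote Subnet overlap; an Unmapped connection needs disjoint subnets")

    # Encryption domains must mirror each other, prefix for prefix. A wider VPN
    # domain on the Check Point side still completes IKE but the SA selectors
    # disagree, so the monitor shows the tunnel up while pings never arrive.
    if ip_network(cp.gateway_vpn_domain) != remote:
        problems.append(f"Check Point VPN domain {cp.gateway_vpn_domain} != Aviatrix Remote Subnet {remote}")
    if ip_network(cp.peer_topology) != local:
        problems.append(f"Interoperable device topology {cp.peer_topology} != Aviatrix Local Subnet {local}")

    # Peer addressing: each side must point at the other's public address.
    if avx.remote_gateway_ip != cp.gateway_natted_ip:
        problems.append("Aviatrix Remote Gateway IP does not equal the Check Point statically NATed IP")
    if is_rfc1918(avx.remote_gateway_ip):
        problems.append(f"Aviatrix Remote Gateway IP {avx.remote_gateway_ip} is a private address")
    if cp.peer_ipv4 != avx.gateway_public_ip:
        problems.append("Interoperable device IPv4 does not equal the Aviatrix Gateway public IP")
    if is_rfc1918(cp.peer_ipv4):
        problems.append(f"Interoperable device IPv4 {cp.peer_ipv4} is a private address")

    # The WAN port holds a private address behind 1:1 NAT, so NAT-T must stay on.
    if ip_address(cp.gateway_source_ip) not in vpc2:
        problems.append(f"Check Point source IP {cp.gateway_source_ip} is not inside VPC2 {vpc2}")
    if cp.gateway_source_ip != cp.gateway_natted_ip and not cp.nat_traversal:
        problems.append("WAN port is NATed but NAT traversal is turned off")
    return problems


# Values from the network setup above.
VPC1_CIDR, VPC2_CIDR = "10.12.0.0/16", "10.24.0.0/16"
# Constructed placeholders (documentation ranges) standing in for real public IPs.
AVX_GW_PUBLIC_IP = "198.51.100.20"
CP_WAN_PUBLIC_IP = "203.0.113.10"
CP_WAN_PRIVATE_IP = "10.24.0.10"     # constructed; inside VPC2's public subnet

GOOD_AVX = AviatrixSite2Cloud(local_subnet="10.12.2.0/23", remote_subnet="10.24.2.0/23",
                              remote_gateway_ip=CP_WAN_PUBLIC_IP, gateway_public_ip=AVX_GW_PUBLIC_IP)
GOOD_CP = CheckPointSide(gateway_vpn_domain="10.24.2.0/23", gateway_natted_ip=CP_WAN_PUBLIC_IP,
                         gateway_source_ip=CP_WAN_PRIVATE_IP, nat_traversal=True,
                         peer_ipv4=AVX_GW_PUBLIC_IP, peer_topology="10.12.2.0/23")
# Two common slips: VPN domain set to the whole VPC2 CIDR, and NAT-T switched off.
BAD_CP = replace(GOOD_CP, gateway_vpn_domain="10.24.0.0/16", nat_traversal=False)

if __name__ == "__main__":
    for label, cp in (("good", GOOD_CP), ("bad", BAD_CP)):
        print(label, check_site2cloud_pair(GOOD_AVX, cp, VPC1_CIDR, VPC2_CIDR) or "consistent")
```

Run it after filling in the dataclasses from what you actually typed into both consoles; a non-empty list is worth fixing before looking at Tunnel & User Monitoring, because the monitor only tells you whether IKE succeeded, not whether the selectors agree.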
- At the Aviatrix Controller, go to the Site2Cloud page. Verify that the status of the Site2Cloud connection is Up.
- At the Site2Cloud - Diagnostics page, run the diagnostics commands with the following values:
Field | Value |
---|---|
VPC ID/VNet Name | VPC1 (Aviatrix Gateway VPC) ID |
Connection | Name of the Site2Cloud connection created previously (see the "Create Site2Cloud Connection at Aviatrix Controller" section above) |
Gateway | Name of the Aviatrix Gateway |
Action | One of the supported diagnostics commands |
- Below is sample output for a ping from an instance in the Aviatrix private subnet (10.12.2.0/23) to an instance in the Check Point private subnet (10.24.2.0/23).