AWS IPsec VPN with Check Point

In this lab, we build a site-to-site IPsec VPN between an on-premises firewall (Check Point) and AWS using a Virtual Private Gateway (VGW). The goal is to extend an on-prem network into an AWS VPC securely over the internet. AWS provides a managed IPsec endpoint (the VGW), and we configure our Check Point firewall as the customer-side on-premises peer.

Creating VPC

Here we set up one VPC, “vpn-vpc”, with one subnet that will be reached over the VPN from our on-prem Check Point.

And here’s the 10.50.1.0/24 subnet.

Configuring AWS VPN

Next we’ll create a Virtual Private Gateway, give it a name and leave the rest at the default values.

Once it has been created, attach this VGW to the VPC.

Then, back in the VPC’s route table, add a static route for the on-prem prefix (10.21.0.0/24) with the VGW as the next hop. Without this route, traffic from the VPC has no path back to the on-prem network.

After that we create a Customer Gateway, give it a name and set the on-prem Check Point’s public IP address. The on-prem device doesn’t need to hold that public IP itself and can sit behind NAT; what matters is the public address that AWS will see the IKE traffic coming from.

And finally we create the Site-to-Site VPN Connection using the configured VGW and CGW; here we also enter the on-prem’s local prefix.

When we scroll down, we are presented with two pre-configured tunnels that we can modify to match our needs.

For this lab the default options are already sufficient to establish the VPN, so we go with those.

Here we need to add the on-prem local prefix again.

Our VPN is now configured; the two tunnels show a DOWN status until the other side is configured.

Hit Download Configuration to get the VPN configuration values that we will set up on the on-prem device.

The downloaded config gives us the important details that we use to configure the IPsec VPN on the Check Point side:

TUNNEL 1

VPN Identifiers
VPN Connection ID: vpn-0beb087a0370896e2
Virtual Private Gateway ID: vgw-01d76f57e7ae9fba7
Customer Gateway ID: cgw-073eb0951935fa136

Tunnel Outside IPs
AWS outside IP: 13.211.65.6
Check Point WAN IP (NATed): 173.39.116.5

Tunnel Inside IPs
Check Point (local): 169.254.220.26
AWS (remote): 169.254.220.25

Pre-shared key: Cn3xaTnx8eN9dgbPU9zEfJD.l2GRnZ2X

Network Prefixes
AWS: 10.50.0.0/16
Local: 10.21.0.0/24

Configuring Check Point VPN

On the Check Point side, we first enable the IPSec VPN blade.

Next, under VPN Domain, we select our local prefix.

Next we’ll create an Interoperable Device to represent the AWS peer.

Here we set the AWS outside IP address.

And on Topology, we have to set the VPN domain to a simple group with no members; with a route-based VPN, the static route over the tunnel interface decides what gets encrypted, not the domain.

Next we create a Tunnel Interface (VTI) in Gaia clish using the Tunnel Inside IPs, and add a static route that sends traffic for 10.50.0.0/16 over this interface:

add vpn tunnel 1 type numbered local 169.254.220.26 remote 169.254.220.25 peer AWS_Tunnel1
set interface vpnt1 state on
set interface vpnt1 mtu 1399

set static-route 10.50.0.0/16 nexthop gateway address 169.254.220.25 on
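As an added example (not part of the original post), here is a small Python pre-flight check that reads the inside IPs and prefixes out of a summary like the one above, confirms they are consistent, and renders the same Gaia clish lines. The summary text, its key names and the function names are assumptions; the real AWS download is a longer file.

```python
import ipaddress
import re
# Constructed sample: a summary of the downloaded AWS VPN configuration using
# the addresses shown in this post (not the real AWS download file format).
TUNNEL_CONFIG = """\
Tunnel Inside IPs
Check Point (local): 169.254.220.26
AWS (remote): 169.254.220.25
Network Prefixes
AWS: 10.50.0.0/16
Local: 10.21.0.0/24
"""

def parse_tunnel(text):
    """Collect the 'key: value' lines of a tunnel summary into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?):\s+(\S+)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields

def check_tunnel(fields):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    local = ipaddress.ip_address(fields["Check Point (local)"])
    remote = ipaddress.ip_address(fields["AWS (remote)"])
    aws_net = ipaddress.ip_network(fields["AWS"])
    local_net = ipaddress.ip_network(fields["Local"])
    # AWS assigns the inside addresses as one link-local /30; both ends must be its two usable hosts.
    pair = ipaddress.ip_network(f"{local}/30", strict=False)
    if remote not in pair.hosts():
        problems.append("inside IPs are not in one /30")
    if not pair.subnet_of(ipaddress.ip_network("169.254.0.0/16")):
        problems.append("inside IPs are not link-local (169.254.0.0/16)")
    # Encryption domains must not overlap, or the static route is ambiguous.
    if aws_net.overlaps(local_net):
        problems.append("AWS and local prefixes overlap")
    return problems

def gaia_commands(fields, tunnel_id=1, peer="AWS_Tunnel1", mtu=1399):
    """Render the Gaia clish lines for the numbered VTI and its static route."""
    local, remote = fields["Check Point (local)"], fields["AWS (remote)"]
    return [
        f"add vpn tunnel {tunnel_id} type numbered local {local} remote {remote} peer {peer}",
        f"set interface vpnt{tunnel_id} state on",
        f"set interface vpnt{tunnel_id} mtu {mtu}",
        f"set static-route {fields['AWS']} nexthop gateway address {remote} on",
    ]
```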

After that, we create a new Star VPN Community where we select CP as the Center Gateway and AWS as the Satellite Gateway.

Then on Encryption Settings we match the settings configured on the AWS side.

Next we enable Permanent Tunnels on all tunnels.

And finally we add the Pre-shared Key and hit OK.

After that we will add the policy, but first we need to enable VPN Directional Match so that the directional-match options are available in the VPN column of a policy rule.

Then we create a simple policy that allows traffic in both directions between the two subnets.

Verifying VPN

After pushing the policy on the CP side, Tunnel 1 should come up on AWS.

We can also see the tunnel status on the CP side using SmartView.

To test traffic, here a host at 10.21.0.21 is able to reach the host at 10.50.1.98.

And the same works in the other direction.

On Check Point, we can see the logs for the traffic going back and forth between these two hosts.

This post is licensed under CC BY 4.0 by the author.