GCP HA VPN with Check Point

In this lab, we build a route-based HA VPN between GCP and a Check Point firewall, using a VPN tunnel interface (VTI) and eBGP to exchange routes dynamically. Unlike Classic VPN, a policy-based VPN that uses encryption domains to define the interesting traffic, HA VPN uses dynamic routing: Cloud Router and BGP advertise and learn prefixes automatically.

Configuring VPC

Here we use the VPC named VPN-VPC with the 10.60.0.0/24 subnet.

Configuring Cloud Router

Next we set up a Cloud Router as our virtual router on GCP. We attach it to our VPC, give it BGP AS number 65001, and configure it to advertise all known networks.

Configuring HA VPN

Next we configure the HA VPN.

Here we give it a name and associate it with our VPC.

Here we set up the tunnel to our on-premise Check Point firewall.

The peer Check Point object holds the public IP address of the firewall. Keep in mind that this device sits behind NAT and is not directly reachable at that public IP.

Scrolling down to the routing options, we select the Cloud Router and set the pre-shared key.

For the cipher options, we just keep the default for simplicity.

Next, under BGP sessions, we configure the BGP peer for the on-prem Check Point, which uses AS number 65002.

Finally, on the summary page, we download the configuration to use when configuring the on-prem side.

The VPN wizard automatically creates these three configurations for us.
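The same GCP-side build done with the gcloud CLI instead of the console, as an added example that is not part of the original post. The subnet 10.60.0.0/24 and the AS numbers 65001 (GCP) and 65002 (on-prem) are the post's values; the project, region, resource names, the peer public address 203.0.113.10 and the 169.254.0.0/30 BGP link addresses are assumptions. The pre-shared key is read only from the VPN_PSK environment variable and is redacted in the dry-run output, so it never sits in the script or the shell history:

```shell
#!/bin/sh
# Added example (not from the original post): the GCP half of the HA VPN lab as
# gcloud commands. Subnets and ASNs are the post's; every other value is an
# assumption to adjust for your environment.
PROJECT="${PROJECT:-example-project}"              # assumption
REGION="${REGION:-us-central1}"                    # assumption
VPC="vpn-vpc"; SUBNET="vpn-subnet"; GCP_CIDR="10.60.0.0/24"   # post's GCP subnet
ROUTER="vpn-router"; GCP_ASN="65001"                          # post's Cloud Router ASN
HA_GW="gcp-ha-vpn"; PEER_GW="checkpoint-peer"; TUNNEL="tunnel1"
PEER_PUBLIC_IP="${PEER_PUBLIC_IP:-203.0.113.10}"   # assumption: NAT address in front of the Check Point
PEER_ASN="65002"                                   # post's on-prem ASN
GCP_BGP_IP="169.254.0.1"; CP_BGP_IP="169.254.0.2"  # assumption: link-local /30 (GCP requires 169.254.0.0/16)

# DRY_RUN=1 (default) prints each command with the PSK redacted; DRY_RUN=0 executes it.
DRY_RUN="${DRY_RUN:-1}"
run() {
  if [ "$DRY_RUN" != "1" ]; then "$@"; return; fi
  out=""
  for a in "$@"; do
    case "$a" in --shared-secret=*) a='--shared-secret=<redacted>' ;; esac
    out="$out $a"
  done
  printf '%s\n' "${out# }"
}

create_network() {
  run gcloud compute networks create "$VPC" --project="$PROJECT" --subnet-mode=custom
  run gcloud compute networks subnets create "$SUBNET" --project="$PROJECT" \
    --network="$VPC" --region="$REGION" --range="$GCP_CIDR"
}
# Cloud Router with ASN 65001; DEFAULT advertisement mode = all subnets visible to the router.
create_router() {
  run gcloud compute routers create "$ROUTER" --project="$PROJECT" --region="$REGION" \
    --network="$VPC" --asn="$GCP_ASN" --advertisement-mode=DEFAULT
}
# HA VPN gateway plus the peer object that holds the Check Point's public address.
create_gateways() {
  run gcloud compute vpn-gateways create "$HA_GW" --project="$PROJECT" --region="$REGION" --network="$VPC"
  run gcloud compute external-vpn-gateways create "$PEER_GW" --project="$PROJECT" \
    --interfaces="0=$PEER_PUBLIC_IP"
}
# IKEv2 tunnel on HA VPN interface 0. The PSK comes only from the environment; it is
# still visible in the local process list for the moment gcloud runs.
create_tunnel() {
  : "${VPN_PSK:?set VPN_PSK in the environment, never in the script}"
  run gcloud compute vpn-tunnels create "$TUNNEL" --project="$PROJECT" --region="$REGION" \
    --vpn-gateway="$HA_GW" --interface=0 \
    --peer-external-gateway="$PEER_GW" --peer-external-gateway-interface=0 \
    --ike-version=2 --router="$ROUTER" --shared-secret="$VPN_PSK"
}
# Router interface bound to the tunnel, then the eBGP peer for the Check Point (AS 65002).
add_bgp_session() {
  run gcloud compute routers add-interface "$ROUTER" --project="$PROJECT" --region="$REGION" \
    --interface-name="if-$TUNNEL" --vpn-tunnel="$TUNNEL" --ip-address="$GCP_BGP_IP" --mask-length=30
  run gcloud compute routers add-bgp-peer "$ROUTER" --project="$PROJECT" --region="$REGION" \
    --peer-name="checkpoint-bgp" --interface="if-$TUNNEL" --peer-ip-address="$CP_BGP_IP" --peer-asn="$PEER_ASN"
}
# What the post checks in the console: tunnel status, BGP session state and learned routes.
verify() {
  run gcloud compute vpn-tunnels describe "$TUNNEL" --project="$PROJECT" --region="$REGION" \
    --format='value(status,detailedStatus)'
  run gcloud compute routers get-status "$ROUTER" --project="$PROJECT" --region="$REGION"
}
main() { create_network; create_router; create_gateways; create_tunnel; add_bgp_session; verify; }
case "${1:-}" in
  plan)  DRY_RUN=1; main ;;   # print the commands
  apply) DRY_RUN=0; main ;;   # execute them
esac
```

Run `VPN_PSK='...' sh ha-vpn.sh plan` to review the commands and `apply` to execute them. Two caveats worth knowing before copying this into production: the script builds a single tunnel on interface 0, exactly like the post, and GCP's 99.99% availability SLA for HA VPN only applies when a second tunnel is built on interface 1 to the peer; and because the Check Point sits behind NAT, the external VPN gateway must carry the NAT's public address and the NAT device must pass IKE with NAT-T (UDP 500 and 4500) through to the firewall.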

Configuring Check Point VPN

On the Check Point side, we create a new Interoperable Device named GCP_Tunnel1 with GCP's public IP address.

Under Topology, we make sure to use an empty group as the VPN Domain, so the VPN uses the routing table to decide which traffic is encrypted.

Next we create a Star Community, selecting our Check Point as the Center Gateway and GCP as the Satellite Gateway.

Then we configure the ciphers to match the set supported by GCP.

Next we enable Permanent Tunnels.

And finally we configure the pre-shared key.

We also add a policy rule allowing traffic between the two subnets.

After that, we create a Tunnel Interface whose peer name matches the Interoperable Device name and whose IP addressing follows the configuration downloaded from GCP.

Then we enable BGP to receive and advertise routes between GCP and on-premise.

Lastly we import the interface so it shows up in SmartConsole, which wraps up the configuration.
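The Tunnel Interface and BGP steps above, as an added example of the equivalent Gaia clish configuration. This is not the post's own configuration (the post does these steps in the Gaia portal). The peer name GCP_Tunnel1, the AS numbers and the 10.21.0.0/24 subnet are the post's; the 169.254.0.0/30 link addresses, the LAN interface eth1, the router ID and the BGP timers are assumptions, and the exact clish keywords should be confirmed against the Gaia Advanced Routing guide for your release before use:

```shell
#!/bin/sh
# Added example (not from the original post): Check Point VTI + BGP as a Gaia
# clish script. Peer name, ASNs and 10.21.0.0/24 are the post's; addresses,
# interface name, router ID and timers are assumptions.
PEER_NAME="GCP_Tunnel1"                  # must equal the Interoperable Device object name
LOCAL_ASN="65002"; GCP_ASN="65001"
CP_BGP_IP="169.254.0.2"; GCP_BGP_IP="169.254.0.1"   # assumption: same /30 as on the GCP side
LAN_IF="eth1"                            # assumption: interface that holds 10.21.0.0/24
ROUTER_ID="10.21.0.1"                    # assumption
CLISH_FILE="${CLISH_FILE:-/tmp/gcp-vpn.clish}"

# Emit the clish commands. The VTI is numbered so BGP can peer over it; the inbound
# filter accepts routes only from AS 65001, and only the LAN interface's prefix is
# redistributed, so the firewall never re-advertises what it learns from GCP.
gaia_config() {
  cat <<EOF
add vpn tunnel 1 type numbered local $CP_BGP_IP remote $GCP_BGP_IP peer $PEER_NAME
set as $LOCAL_ASN
set router-id $ROUTER_ID
set bgp external remote-as $GCP_ASN on
set bgp external remote-as $GCP_ASN peer $GCP_BGP_IP on
set bgp external remote-as $GCP_ASN peer $GCP_BGP_IP holdtime 60
set bgp external remote-as $GCP_ASN peer $GCP_BGP_IP keepalive 20
set route-redistribution to bgp-as $GCP_ASN from interface $LAN_IF on
set inbound-route-filter bgp-policy 512 based-on-as as $GCP_ASN on
set inbound-route-filter bgp-policy 512 accept-all-ipv4
save config
EOF
}

# Write the script to a file for review, then load it with clish -f.
apply_gaia() {
  gaia_config > "$CLISH_FILE"
  clish -f "$CLISH_FILE"
}

# The checks the post does in the Gaia portal: peer state and the routes learned from GCP.
verify_gaia() {
  clish -c "show bgp peers"
  clish -c "show route bgp"
}

case "${1:-}" in
  plan)   gaia_config ;;
  apply)  apply_gaia ;;
  verify) verify_gaia ;;
esac
```

After `apply`, the new vt-GCP_Tunnel1 interface still has to be fetched into the gateway object in SmartConsole (the "import the interface" step above) and policy installed before traffic flows. The inbound filter is deliberately the narrowest form this example is sure of; if your release supports prefix-based inbound filters, restricting the accepted route to 10.60.0.0/24 is the stricter choice.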

Verifying VPN

On the GCP side, we can see that both the tunnel and the BGP session are established.

The same holds when we verify on the Check Point side.

On GCP's Cloud Router, we verify that it is advertising 10.60.0.0/24 over BGP.

And that it is also receiving 10.21.0.0/24 over BGP.

Likewise on the Check Point, the BGP session has received 10.60.0.0/24 from GCP and is advertising 10.21.0.0/24 to GCP.

We are also able to connect between the two hosts, one on GCP and one on-prem.

And the logs on the Check Point confirm that the VPN and BGP connections are working.

This post is licensed under CC BY 4.0 by the author.