Setting up site-to-site on Check Point
Note: If your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.
Creating a gateway object at the Check Point Smart Console
Open the Check Point Smart Console
Go to Security Policies
Add NordLayer Private Gateway as an object, as shown in the image below. Make sure you have the IP address of your NordLayer dedicated server at hand
Creating a VPN Star community
- Create a new Star Community
- Fill in the following information:
  - Specify an Object Name of your own choice
  - Add your NordLayer gateway as Center Gateway
  - Add your external Firewall IP as Satellite Gateways
- Go to Shared Secret
- Add a Shared Secret and write it down, as we will also need this value on our end. Please note: Check Point recommends choosing a shared secret that contains at least 20 characters
- Go to Encryption and set IKE Security
- Go to Tunnel Management
- Set VPN Tunnel Sharing to One VPN tunnel per Gateway pair
- Select OK
Additional settings at the Check Point Smart Console
- In the Check Point firewall policy, add an any-to-any rule, inbound and outbound, for 10.6.0.0/20
- Create a Network group containing all local networks that should be trusted over the VPN tunnels
Adding the NordLayer gateway IP and remote subnet
- Open the NordLayer object you created
- Go to Topology
- Select New at the top
- Under the General tab, fill in Name, IP Address, and Net Mask
  - Add the NordLayer remote subnet 10.6.0.0 as IP Address
  - Add "255.255.240.0" as Net Mask
- Open the Topology tab. Select Network defined by the interface IP and Net Mask
- Select OK
- Go to Topology again
- Select New at the top
- Under the General tab, fill in Name, IP Address, and Net Mask
  - Add the IP of your NordLayer gateway xxx.xxx.xxx.xxx as IP Address
  - Add "255.255.255.255" as Net Mask
- Open the Topology tab. Select External (leads out to the internet)
- Select OK
- Publish and Install Policy
Ending note:
In order to finalize the site-to-site setup on our end, please provide these values via the Site-to-site request form in the NordLayer Control Panel:
- Pre-shared key - you can generate it or we can provide it
- Encryption details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (your device must also support IKEv2)
- Remote gateway/router public IP (must be reachable while connected to the dedicated server)
- Remote subnet and mask (the subnet is used in your local network)
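Before submitting the request form, it helps to check that the four values above are consistent with each other and with this guide. The script below is an added example (not NordLayer's or Check Point's code) that performs those checks: the pre-shared key meets Check Point's 20-character recommendation, the proposal matches the recommended AES256/SHA256/DH group 14 with IKEv2, the firewall IP is not an RFC 1918 address, and the remote subnet/mask pair is valid and does not overlap the NordLayer subnet 10.6.0.0/20. The `SiteToSiteRequest` fields and the sample values are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# Values from the guide: NordLayer remote subnet 10.6.0.0 with mask 255.255.240.0 (= /20)
NORDLAYER_SUBNET = ipaddress.ip_network("10.6.0.0/255.255.240.0")
# Recommended proposal from the guide: AES256, SHA256, DH group 14, IKEv2
RECOMMENDED = {"encryption": "AES256", "integrity": "SHA256", "dh_group": 14, "ike_version": 2}
MIN_PSK_LEN = 20  # Check Point's recommended minimum shared-secret length
# Private ranges that cannot be reached from the NordLayer dedicated server
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class SiteToSiteRequest:  # hypothetical container for the values the form asks for
    psk: str
    encryption: str
    integrity: str
    dh_group: int
    ike_version: int
    remote_gateway_ip: str  # your firewall's public IP (the Satellite Gateway)
    remote_subnet: str      # local network behind the firewall
    remote_mask: str


def validate_request(req: SiteToSiteRequest) -> list[str]:
    """Return the problems found; an empty list means the request is consistent."""
    problems = []
    if len(req.psk) < MIN_PSK_LEN:
        problems.append(f"pre-shared key has {len(req.psk)} characters, fewer than {MIN_PSK_LEN}")
    proposal = {"encryption": req.encryption.upper(), "integrity": req.integrity.upper(),
                "dh_group": req.dh_group, "ike_version": req.ike_version}
    for key, want in RECOMMENDED.items():
        if proposal[key] != want:
            problems.append(f"{key} is {proposal[key]}, recommended value is {want}")
    gw = ipaddress.ip_address(req.remote_gateway_ip)
    if gw.is_loopback or any(gw in net for net in RFC1918):
        problems.append(f"remote gateway {gw} is not a public address; NordLayer must reach it")
    try:
        # strict mode rejects a subnet address that has host bits set under the given mask
        local = ipaddress.ip_network(f"{req.remote_subnet}/{req.remote_mask}")
    except ValueError as exc:
        problems.append(f"remote subnet/mask pair is inconsistent: {exc}")
        return problems
    if local.overlaps(NORDLAYER_SUBNET):
        problems.append(f"remote subnet {local} overlaps the NordLayer subnet {NORDLAYER_SUBNET}")
    return problems
```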
Note: If you are experiencing different results, make sure that you have carefully gone through all the steps. If the issue persists, please feel free to contact our 24/7 customer support team.