Setting up site-to-site on Check Point

Note: If you are unsure whether site-to-site is the best solution for you, please take a look at our Remote Access article first. In addition, if your device/service supports SHA256 and DH group 14, we recommend using these settings instead.


Creating a gateway object at the Check Point Smart Console

1. Open the Check Point Smart Console

2. Go to Security Policies

3. Add NordLayer Private Gateway as an object as shown in the image below. Please make sure you have the IP of your NordLayer dedicated server




Creating a VPN Star community

1. Create a new Star Community


2. Fill in the following information:

  • Specify an Object Name of your own choice
  • Add your NordLayer gateway as Center Gateway
  • Add your external Firewall IP as Satellite Gateways

3. Go to Shared Secret

4. Add a Shared Secret and write it down, as we will also need this value on our end. Please note: Check Point recommends choosing a shared secret that contains at least 20 characters


5. Go to Encryption and set IKE Security


6. Go to Tunnel Management

7. Set VPN Tunnel Sharing to One VPN tunnel per Gateway pair


8. Select OK


Additional settings at the Check Point Smart Console

1. Under Check Point firewall policy, add a rule for any to any, in and out to

2. Create a Network group with All local networks to be trusted with the VPN tunnels



Adding the NordLayer gateway IP and remote subnet

1. Open the NordLayer object you created

2. Go to Topology

3. Select New at the top

4. Under the General tab, fill in Name, IP Address, and Net Mask

5. Add NordLayer remote subnet as IP Address

6. Add "" as Net Mask


7. Open the Topology tab. Select Network defined by the interface IP and Net Mask


8. Select OK

9. Go to Topology

10. Select New at the top

11. Under the General tab, fill in Name, IP Address, and Net Mask

12. Add the IP of your NordLayer gateway as IP Address

13. Add "" as Net Mask

14. Open the Topology tab. Select External (leads out to the internet)

15. Select OK

16. Publish and Install Policy


Ending note:

In order to finalize the site-to-site setup on our end, we will need these values:

  • Pre-shared key - you can generate it or we can provide it
  • Encryption details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (the device must also support IKEv2)
  • Remote gateway/router public IP (must be reachable while connected to the dedicated server)
  • Remote subnet and mask (the subnet is used in your local network)

Lastly, it is important to know what device or cloud network is being used (Ubiquiti, Fortigate, AWS, Google Cloud, etc.)
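
A pre-flight check for the values listed above, as an added example that is not part of the original article or of NordLayer's tooling: it generates a pre-shared key of at least 20 characters and flags a non-public gateway address, a subnet whose mask does not match, or a proposal that differs from AES256/SHA256/DH group 14. The function names, dictionary keys and sample values are assumptions made for illustration.

```python
import ipaddress
import secrets
import string

# Letters and digits only, so the key pastes cleanly into any form (an assumption of this example).
PSK_ALPHABET = string.ascii_letters + string.digits
MIN_PSK_LEN = 20  # minimum length from the shared secret step of this guide
# Settings this guide recommends; the key names are hypothetical.
RECOMMENDED = {"encryption": "AES256", "integrity": "SHA256", "dh_group": 14, "ike": 2}


def generate_psk(length=32):
    """Return a random pre-shared key drawn from the operating system CSPRNG."""
    if length < MIN_PSK_LEN:
        raise ValueError(f"shared secret must be at least {MIN_PSK_LEN} characters")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def check_tunnel_values(psk, gateway_ip, subnet, proposal):
    """Return a list of problems found in the values from the ending note."""
    problems = []
    if len(psk) < MIN_PSK_LEN:
        problems.append("pre-shared key is shorter than 20 characters")
    try:
        if not ipaddress.ip_address(gateway_ip).is_global:
            problems.append("gateway IP is not a public address")
    except ValueError:
        problems.append("gateway IP is not a valid address")
    try:
        # strict=True rejects host bits outside the mask, e.g. 10.0.1.5/24
        ipaddress.ip_network(subnet, strict=True)
    except ValueError:
        problems.append("subnet and mask do not describe a network")
    for key, want in RECOMMENDED.items():
        if proposal.get(key) != want:
            problems.append(f"{key} is {proposal.get(key)!r}, recommended {want!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample values containing deliberate mistakes.
    weak = {"encryption": "AES256", "integrity": "SHA1", "dh_group": 2, "ike": 2}
    for problem in check_tunnel_values("changeme", "192.168.1.1", "10.0.1.5/24", weak):
        print("FIX:", problem)
    print("Generated key length:", len(generate_psk()))
```

The subnet argument accepts either prefix or dotted-mask notation, for example 10.0.1.0/24 or 10.0.1.0/255.255.255.0.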

You can provide all of these values to us securely via

In case you are experiencing different results, make sure that you have carefully gone through all the steps. Having said that, in case the issue persists, please feel free to contact our 24/7 customer support team.
