Setting up site-to-site on Check Point


Note: If you are unsure whether site-to-site is the right solution for you, read our Remote Access article first. If your device or service supports SHA256 and DH group 14, use those settings rather than weaker hash or Diffie-Hellman options.

 

Creating a gateway object in Check Point SmartConsole

1. Open Check Point SmartConsole

2. Go to Security Policies

3. Add the NordLayer Private Gateway as a gateway object, as shown in the images below. You will need the public IP of your NordLayer dedicated server for this step

01_Setting_up_site-to-site_on_Check_Point.png

02_Setting_up_site-to-site_on_Check_Point.png

 

Creating a VPN Star community

1. Create a new Star Community

03_Setting_up_site-to-site_on_Check_Point.png

2. Fill in the following information:

  • Specify an Object Name of your own choice
  • Add your NordLayer gateway as Center Gateway
  • Add your Check Point gateway (identified by its external firewall IP) as a Satellite Gateway

3. Go to Shared Secret

4. Add a Shared Secret and record it, as NordLayer needs the same value to configure its side of the tunnel. Check Point recommends a shared secret of at least 20 characters; use a randomly generated string rather than a word or phrase

04_Setting_up_site-to-site_on_Check_Point.png

5. Go to Encryption and set the IKE Security suite for both the IKE (Phase 1) and IPsec (Phase 2) security associations to the values agreed with NordLayer. AES256, SHA256, DH group 14 and IKEv2 are the recommended choices (see the ending note); both ends must use identical settings or the tunnel will not come up

05_Setting_up_site-to-site_on_Check_Point.png

6. Go to Tunnel Management

7. Set VPN Tunnel Sharing to One VPN tunnel per Gateway pair

06_Setting_up_site-to-site_on_Check_Point.png

8. Select OK

 

Additional settings in Check Point SmartConsole

1. In the Check Point Access Control policy, add a rule allowing traffic from Any to Any, in and out, to the NordLayer subnet 10.6.0.0/16. If your policy allows it, scope the rule to the local networks and services that actually need the tunnel instead of leaving it any-to-any. Note that the Topology object created below uses 10.6.0.0 with mask 255.255.240.0, which is 10.6.0.0/20; the rule's destination and the encryption domain should cover the same range, so confirm the exact subnet with NordLayer before installing policy

2. Create a Network Group containing all the local networks that should be reachable through the VPN tunnel. These are the same subnets and masks you will give NordLayer as your remote subnet (see the ending note)

07_Setting_up_site-to-site_on_Check_Point.png

 

Adding the NordLayer gateway IP and remote subnet

1. Open the NordLayer object you created

2. Go to Topology

3. Select New at the top

4. Under the General tab, fill in Name, IP Address, and Net Mask

5. Enter the NordLayer remote subnet 10.6.0.0 as IP Address

6. Enter "255.255.240.0" (a /20) as Net Mask

08_Setting_up_site-to-site_on_Check_Point.png

7. Open the Topology tab. Select Network defined by the interface IP and Net Mask

09_Setting_up_site-to-site_on_Check_Point.png

8. Select OK

9. Go to Topology

10. Select New at the top

11. Under the General tab, fill in Name, IP Address, and Net Mask

12. Enter the public IP of your NordLayer gateway (xxx.xxx.xxx.xxx) as IP Address

13. Enter "255.255.255.255" (a single host, /32) as Net Mask

14. Open the Topology tab. Select External (leads out to the internet)

15. Select OK

16. Publish the session and Install Policy on the gateway

 

Ending note:

To finalize the site-to-site setup on our end, we need these values:

  • Pre-shared key - you can generate it or we can provide it
  • Encryption details (AES cipher, SHA hash and DH group) - AES256, SHA256 and DH group 14 are recommended, and the device must support IKEv2
  • Remote gateway/router public IP (must be reachable from the NordLayer dedicated server)
  • Remote subnet and mask (the subnet is used in your local network)

Lastly, tell us which device or cloud network is used on your side (Ubiquiti, Fortigate, AWS, Google Cloud, etc.)
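Before sending the values above, it is worth checking them for the mistakes that most often keep a tunnel from coming up: a policy rule and a Topology object that describe different ranges (the article writes the NordLayer subnet as 10.6.0.0/16 in one place and 10.6.0.0 with mask 255.255.240.0, i.e. /20, in another), a subnet entered with host bits set, a too-short pre-shared key, and a private rather than public address for the remote gateway. The following Python script is an added example and is not code from the article, NordLayer or Check Point; the subnet and mask values are copied from the steps above, the 8.8.8.8 and 10.6.0.1 addresses used by the checks are constructed test inputs, and all function names are this example's own.

```python
# Added example (not from the article, NordLayer or Check Point): sanity-check
# the values exchanged for the site-to-site tunnel before typing them in.
import ipaddress
import secrets
import string

# Constructed inputs, copied from the article's own steps.
RULE_SUBNET = "10.6.0.0/16"        # destination of the any-to-any policy rule
TOPOLOGY_IP = "10.6.0.0"           # Topology object: IP Address
TOPOLOGY_MASK = "255.255.240.0"    # Topology object: Net Mask


def netmask_to_prefix(mask: str) -> int:
    """Return the prefix length for a dotted netmask.

    ipaddress rejects non-contiguous masks (e.g. 255.0.255.0), which
    SmartConsole would also refuse, so a typo shows up here first.
    """
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def topology_network(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Build the network a Topology object describes.

    strict=True makes host bits an error: 10.6.0.1 with mask 255.255.240.0
    is not a network address, and a gateway may interpret it differently.
    """
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=True)


def compare_rule_and_topology(rule_cidr: str, topo_ip: str, topo_mask: str) -> dict:
    """Check that the policy rule and the Topology object cover the same range."""
    rule = ipaddress.IPv4Network(rule_cidr)
    topo = topology_network(topo_ip, topo_mask)
    return {
        "rule": str(rule),
        "topology": str(topo),
        "identical": rule == topo,
        # Addresses inside the rule but outside the Topology object are
        # permitted by policy yet never enter the tunnel.
        "rule_covers_topology": topo.subnet_of(rule),
        "topology_covers_rule": rule.subnet_of(topo),
    }


def generate_psk(length: int = 32) -> str:
    """Random alphanumeric pre-shared key (Check Point minimum: 20 characters).

    Alphanumeric only, so the same string pastes cleanly into SmartConsole
    and into the other vendor's configuration with no quoting surprises.
    """
    if length < 20:
        raise ValueError("Check Point recommends at least 20 characters")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def psk_is_acceptable(psk: str, minimum: int = 20) -> bool:
    """Length and character check for a key chosen by the other party."""
    return len(psk) >= minimum and psk.isascii() and psk.isprintable()


def is_usable_public_ip(ip: str) -> bool:
    """The remote gateway must be a public, globally routable IPv4 address.

    An RFC 1918 or otherwise reserved address usually means the internal
    interface IP of a device behind NAT was supplied by mistake.
    """
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and addr.is_global


if __name__ == "__main__":
    print(compare_rule_and_topology(RULE_SUBNET, TOPOLOGY_IP, TOPOLOGY_MASK))
    print("netmask", TOPOLOGY_MASK, "is /%d" % netmask_to_prefix(TOPOLOGY_MASK))
    print("example PSK:", generate_psk())
```

Run as-is, the script reports that 10.6.0.0/16 covers 10.6.0.0/20 but the two are not identical, which is the discrepancy to resolve with NordLayer before installing policy. Generate the key on a machine you trust and paste it into SmartConsole and the privnote in one sitting rather than storing it in a ticket or chat history.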

You can provide all of these values to us securely via privnote.com (a self-destructing note); do not send the pre-shared key in plain email or chat.

If you get different results, make sure you have carefully gone through all the steps. If the issue persists, contact our 24/7 customer support team.

