Checkpoint VPN Configuration

In SMP

Select the VPN tab and select the following:

VPN Server From Plan

  • Allow SecuRemote users to connect from the Internet
    • Bypass NAT: Do not perform Network Address Translation (NAT) to the internal network for authenticated remote users.
    • Bypass the Firewall: Bypass the firewall to the internal network for authenticated remote users.
  • Allow SecuRemote users to connect from my internal networks
    • Bypass NAT (should be selected and grayed out): Do not perform Network Address Translation (NAT) to the network for authenticated remote users.
    • Bypass the Firewall: Bypass the firewall for authenticated users.

Site-to-Site (IPSec) Tunnels

  • Click 'Communities' under 'Groups' in the SMP.
  • Specify a name for the community, and checkmark 'Dynamic VPN'.
  • Define the customer's IKE Phase 1 and Phase 2 settings if needed.
  • Save the community.
  • You will then need to add the customer's community to the gateway in the SMP.
  • Select the community created in the first step.
  • Save.

Navigate back to the Gateway (firewall) in the SMP.

  • Under Internal Network Topology, click New and define the remote customer-side network.
  • Click Save.
  • Under the Checkpoint firewall's Configure tab in the SMP, uncheck 'From Plan' and checkmark 'Enable Community'.
  • Select the same community as the remote firewall member, and save.
  • Navigate to the VPN tab, select "Automatically get topology from internal networks", then save.
  • This completes the setup of the site-to-site VPN.

Checking VPN Tunnel Status

You cannot check the status of the tunnel from within the SMP; you must log into the firewall itself.

From the SMP:

  • Click the Status tab in the SMP.
  • Click 'my.firewall' link at the bottom of the status page.
  • Log into the firewall locally.
  • From the local firewall, click Reports.
  • Select the VPN Tunnels tab.

Remote Access (L2TP) Tunnels

WE DO NOT ADVISE CUSTOMERS TO USE THIS PROTOCOL FOR VPN DUE TO CONNECTIVITY ISSUES.

Checkpoint firewalls do not support traditional PPTP VPN connectivity, only the L2TP protocol. If a customer wants a remote-access VPN configured on the firewall, they will need to download the Checkpoint SecuRemote L2Sec VPN client: http://www.checkpoint.com/techsupport/downloads/bin/securemote/r60/SC_NGX_R60_HFA1_598001019.exe

  • Click 'Communities' under 'Groups' in the SMP. Specify a name for the community, checkmark 'User Authentication', and click Save.
  • Click the 'Members' tab, 'Add Gateway' button, then follow the steps to add the customer firewall.
  • Click the 'Users' tab, click 'Add' and follow the steps to 'Create a New User'.

Note that you can specify any placeholder values for the first name, last name, and email address (ex: user,user,usr@local).

  • Click the username in the list to edit it, and select the 'Access' tab.
  • Click the 'Password' button to assign the user's password.
  • Assign the following permissions to the user:
    • May connect using VPN client
    • May override Web filtering
  • Click Save.
  • You're done. That was easy now, wasn't it?

Password Authentication

Simply specifying the user in the Community through the SMP doesn't always work for Checkpoint password-authentication VPNs. You may need to log into the firewall itself, add the user in the Users section, and enable VPN access for that user.