Site-to-Site VPN

In a nutshell

All users on the network are unaware of the VPN connection between the two Gateways.

Check Point Site-to-Site VPN

Two options for VPN topologies

Hub and Spoke:

Full Mesh:

IPSec VPN Solution

The Security Gateway uses the IPsec suite to encrypt and decrypt traffic to and from other Security Gateways. The protocols must match between the SGWs.

Internet Key Exchange (IKE)

IKE and Diffie-Hellman are used for the key exchange (public keys). IKEv1 is the default version, and Check Point Remote VPNs can only use this version.

VPN Phases

  • Phase 1

    • Establish a Control Tunnel between the two SGWs

    • Protocols must match on both ends

    • This is initiated using certificates or a PSK

  • Phase 2

    • Establish the Data Tunnel between the two SGWs

    • Again protocols must match on both ends
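
The matching requirement in both phases, as an added example (not Check Point code and not part of the original notes): a Python check that compares the Phase 1 and Phase 2 proposals of two gateways and reports which phase would fail. The field names, gateway dictionaries and values are constructed, and each gateway is assumed to offer a single proposal per phase.

```python
# Added example: audit two gateways' IKE proposals for mismatches.
# Field names and sample values are constructed for illustration.
PHASE_FIELDS = {
    "phase1": ("ike_version", "encryption", "integrity", "dh_group", "auth_method"),
    "phase2": ("encryption", "integrity", "pfs_group"),
}

def normalise(value):
    """Compare values case-insensitively and treat '_' and '-' alike."""
    return str(value).strip().lower().replace("_", "-")

def find_mismatches(gw_a, gw_b):
    """Return (phase, field, value_a, value_b) for every differing parameter."""
    mismatches = []
    for phase, fields in PHASE_FIELDS.items():
        a, b = gw_a.get(phase, {}), gw_b.get(phase, {})
        for field in fields:
            va, vb = a.get(field), b.get(field)
            # A parameter missing on either side is reported as a mismatch.
            if va is None or vb is None or normalise(va) != normalise(vb):
                mismatches.append((phase, field, va, vb))
    return mismatches

def tunnel_status(gw_a, gw_b):
    """Phase 2 is negotiated inside the Phase 1 tunnel, so report the
    earliest phase that cannot complete."""
    phases = {phase for phase, *_ in find_mismatches(gw_a, gw_b)}
    if "phase1" in phases:
        return "phase1-fails"
    return "phase2-fails" if phases else "ok"

# Constructed sample proposals for two Security Gateways.
HQ_GW = {
    "phase1": {"ike_version": 1, "encryption": "AES-256", "integrity": "SHA-256",
               "dh_group": 14, "auth_method": "psk"},
    "phase2": {"encryption": "AES-128", "integrity": "SHA-256", "pfs_group": 14},
}
BRANCH_GW = {
    "phase1": {"ike_version": 1, "encryption": "aes_256", "integrity": "sha-256",
               "dh_group": 14, "auth_method": "PSK"},
    "phase2": {"encryption": "AES-256", "integrity": "SHA-256", "pfs_group": 14},
}

if __name__ == "__main__":
    for phase, field, va, vb in find_mismatches(HQ_GW, BRANCH_GW):
        print(f"{phase}.{field}: HQ={va!r} BRANCH={vb!r}")
    print(tunnel_status(HQ_GW, BRANCH_GW))
```
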

VPN Communities

VPN Considerations

VPN Creation Workflow

Practice Questions
