Site-to-Site Checkpoint to Cisco
Learning Outcomes:
For this project section we learned many concepts such as:
Understanding VPN technologies: Working with IPSec, encryption and the Checkpoint firewall GUI.
Configuration: We had to figure out how to configure the Cisco router using the correct authentication methods and encryption through the CLI. We also had to set the correct static routes and follow best practices by setting up an ACL. Essentially, we were also using core and fundamental concepts we had learned previously.
Troubleshooting Skills: We had to troubleshoot a few errors that took us some time. We had to use various commands and logs to find the errors and resolve our problems. Overall, this helped reinforce concepts we had learned previously and taught us some new ones for the future.
Diagram:

Table of IP Addresses:
| Device Name | IP Addresses |
| --- | --- |
| PC-1 | 192.168.1.224/24 |
| Checkpoint | 142.232.197.149/24 |
| Cisco Router | G0/0 - 142.232.197.191/24; G1/0 - 192.168.2.1/24 |
| Webterm | 192.168.2.2/24 |
Steps:
R1 Config: G0/0 - we used DHCP; this is the interface connected to the WAN.
R1 Config: G1/0 - we assigned 192.168.2.1 to the interface connecting to the Webterm.
We also added static routes (0.0.0.0 0.0.0.0) for both interfaces so traffic can pass through the WAN connection.

Webterm Config
We assigned the Webterm the IP address 192.168.2.2, with 8.8.8.8 as the DNS server.

PC-A Settings
We used the default IP address for the PC, and the gateway assigned to the Checkpoint was 192.168.1.1.

Checkpoint Site to Site VPN Configuration
These are the settings we used to implement the Site-to-Site VPN.
The IP address is that of the Cisco router. The pre-shared key we used has to be the same on both sides (including on the Cisco router) in order for the Site-to-Site VPN to work.

Remote Site Encryption
We had to add the networks (PC-A, Webterm) below in order for the pings to work across the VPN; otherwise they would be dropped.

Show Run of Cisco Router
The settings that we used for the Cisco router are shown. We created the crypto isakmp policy and used the number 10. We used AES 256 encryption and SHA-256 hashing. We also specified pre-shared key authentication and used group 2. We set the peer address using the Checkpoint IP to find the IPsec tunnel.
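
A crypto configuration consistent with the settings described above, as an added example rather than the team's actual show run output. The policy number, AES 256, SHA-256, pre-shared key authentication, group 2 and the addresses come from this page; the key placeholder, the names S2S-TS and S2S-MAP, ACL number 100 and the Phase 2 (ESP) transform are assumptions.

```cisco
! --- Phase 1 (IKE/ISAKMP): must match the Checkpoint side exactly ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 ! group 2 is 1024-bit MODP Diffie-Hellman, as used in this lab.
 ! A stronger group such as 14 (2048-bit) only works if it is
 ! configured identically on both peers.
 group 2
!
! Pre-shared key bound to the Checkpoint peer address.
! <PRE_SHARED_KEY> is a placeholder; it must equal the key entered
! in the Checkpoint Site-to-Site settings.
crypto isakmp key <PRE_SHARED_KEY> address 142.232.197.149
!
! --- Phase 2 (IPsec): transform set name and algorithms are assumed ---
crypto ipsec transform-set S2S-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL: only Webterm LAN -> PC LAN traffic is sent into the tunnel.
! The Checkpoint "Remote Site Encryption" networks must mirror this pair.
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! Crypto map ties peer, transform set and ACL together (name assumed).
crypto map S2S-MAP 10 ipsec-isakmp
 set peer 142.232.197.149
 set transform-set S2S-TS
 match address 100
!
! Apply the crypto map to the WAN-facing interface (G0/0).
interface GigabitEthernet0/0
 crypto map S2S-MAP
!
! Verification from privileged EXEC mode:
!   show crypto isakmp sa   - Phase 1 SA with the peer
!   show crypto ipsec sa    - Phase 2 SAs and encaps/decaps counters
```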

Tunnel Confirmation
We used the command show crypto isakmp sa to verify that the IPsec tunnel has been created between the destination 142.232.197.191 and the source 142.232.197.149.

Verification
For the final step we pinged the GNS3 Webterm address from our PC-1 to verify connectivity of the Site-to-Site VPN. As seen here we got 2 successful replies.

Team:
Huang, Ming-Hao
Johal, Bishmanjot
Kamdar, Arya
Liu, Wei Chen
Velasco, Victor Vince