====== IPSec ======

===== General =====

{{ipsec-ike1.png|}}

----

{{ipsec-ike2.png|}}

----

{{ipsec-transf.png|}}

===== Configuration =====

==== Center Gateway ====

  * Assign the encryption domain behind the center gateway.
    * These are the IP addresses behind the local center gateway whose traffic will be encrypted.
    * Traffic is only encrypted between the addresses in the encryption domains of the center and satellite gateways.
  * The center gateway is usually the local Check Point firewall cluster.

{{ipsec-conf1.png|}}

==== Satellite Gateway ====

  * The satellite gateway is the other end of the IPSec tunnel connecting with the center gateway.
  * Create a new satellite gateway:
    * If it is not a Check Point device, create a new **interoperable device**.
    * If it is a Check Point device, create a new **Checkpoint > Externally Managed VPN Gateway**.
  * Configure the name and IP.

{{ipsec-conf2.png|}}

  * If the satellite gateway uses a different source IP address than the one configured, add it under the topology.
    * Otherwise the local center gateway will reject the IKE negotiation with the following message:

<code>
IKE: Main Mode local machine configured not to respond to unknown IP addresses (i.e. not exportable for SR, and/or not included in the RemoteAccess community, and/or no DAIP's defined)
IKE: Main Mode Sent Notification to Peer: invalid id information
</code>

    * In R65, the default is to use the Main IP of the center gateway cluster as the source. In R55, the default is to use the IP address of the exiting interface.
  * Assign the encryption domain to the satellite gateway.
    * Traffic is only encrypted between the addresses in the encryption domains of the satellite and center gateways.
{{ipsec-conf3.png|}}

==== VPN Community ====

  * Create a **Star Community** to configure the IPSec parameters.
  * Add the **Center Gateway**, which is usually the local Check Point firewall.

{{ipsec-conf4.png|}}

  * Add the **Satellite Gateway**, which is the remote end of the IPSec termination.

{{ipsec-conf5.png|}}

  * Configure the IKE and IPSec parameters.

{{ipsec-conf6.png|}}

  * Configure the preshared secret.

{{ipsec-conf7.png|}}

  * Configure the Diffie-Hellman parameters.

{{ipsec-conf8.png|}}

==== Policy ====

  * Assign the VPN community as the target for the policy.

{{ipsec-conf9.png|}}

{{ipsec-conf10.png|}}

===== Debug =====

  * To clear all the IKE and IPSec SAs:
    * SSH to the VPN-1 firewall.
    * You need to be in expert mode in R55.
    * Run ''vpn tu'' and choose option 0 (delete all IPsec+IKE SAs for all peers and users):

<code>
[vpn-1-fw]# vpn tu

********** Select Option **********

(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users
(Q) Quit

*******************************************

0
</code>

  * To monitor the status of a VPN tunnel:
    * Use SmartView Monitor and select **Tunnels on Gateway**.
    * Only works from R65 onward.

{{ipsec-conf11.png|}}
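The Center Gateway and Satellite Gateway sections both state that only traffic between the two encryption domains is encrypted. The following added example (not from this page or from Check Point) checks which flows a star community will actually encrypt and flags encryption domains that overlap; the domain CIDRs and flows are constructed sample values.

```python
import ipaddress

# Constructed sample encryption domains (assumed values, not a real deployment).
CENTER_DOMAIN = ["10.1.0.0/16", "10.2.5.0/24"]
SATELLITE_DOMAIN = ["192.168.10.0/24", "192.168.20.0/24"]


def parse_domain(cidrs):
    """Turn the encryption domain (list of CIDR strings) into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_domain(addr, domain):
    """True if the address belongs to any network of the encryption domain."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in domain)


def overlapping_networks(center, satellite):
    """Return (center, satellite) network pairs that overlap.

    Overlapping domains make it ambiguous which side 'owns' an address,
    so this is worth checking before the tunnel is put into service.
    """
    return [(c, s) for c in center for s in satellite if c.overlaps(s)]


def will_encrypt(src, dst, center, satellite):
    """True only for flows between the center and satellite domains
    (in either direction); anything else is not encrypted by this community."""
    c_src, s_src = in_domain(src, center), in_domain(src, satellite)
    c_dst, s_dst = in_domain(dst, center), in_domain(dst, satellite)
    return (c_src and s_dst) or (s_src and c_dst)


def classify_flows(flows, center_cidrs, satellite_cidrs):
    """Map each (src, dst) flow to whether the community encrypts it."""
    center = parse_domain(center_cidrs)
    satellite = parse_domain(satellite_cidrs)
    return {f"{s}->{d}": will_encrypt(s, d, center, satellite) for s, d in flows}


if __name__ == "__main__":
    sample = [("10.1.3.4", "192.168.10.7"), ("10.1.3.4", "8.8.8.8"),
              ("192.168.20.1", "10.2.5.9"), ("10.1.3.4", "10.2.5.9")]
    for flow, enc in classify_flows(sample, CENTER_DOMAIN, SATELLITE_DOMAIN).items():
        print(flow, "encrypted" if enc else "NOT encrypted")
    print("overlaps:", overlapping_networks(parse_domain(["10.0.0.0/8"]),
                                            parse_domain(["10.1.0.0/16"])))
```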