IPSec

• Assign encryption domain behind the center gateway.
  • These are IP addresses behind the local center gateway that will be encrypted
  • Traffic is only encrypted between the addresses in the encryption domain of the center and satellite gateway.
• The center gateway is usually the local checkpoint firewall cluster

• The satellite gateway is the other end of the IPSec tunnels connecting with the Center Gateway
• Create new satellite gateway
  • If not checkpoint, create new interoperable devices
  • If checkpoint, create new Checkpoint > Externally Managed VPN Gateway

• Configure Name and IP

• If the satellite gateway is using a different source IP address than what we have configured, add it under the topology
  • Otherwise the local center gateway will reject the IKE with the following message:

IKE: Main Mode local machine configured not to respond to unknown IP addresses (i.e. not exportable for SR, and/or not included in the RemoteAccess community, and/or no DAIP's defined)
IKE: Main Mode Sent Notification to Peer: invalid id information

<note important>In R65, the default is to use the Main IP of the center gateway cluster as the source. In R55, the default is to used the IP address of the exiting interface</note>

• Assign encryption domain to the Satellite gateway
  • Traffic is only encrypted between the addresses in the encryption domain of the satellite and center gateway.

• Create Star Community to configure IPSec parameters
• Add Center Gateway which is usually the local checkpoint firewall

• Add Satellite Gateway which is remote end of the IPSec termination

• Configure IKE and IPSec parameters

• Configure preshared secret

• Configure the Diffie Hellman parameters

• Assign VPN community as target for policy

• To Clear the All the IKE and IPSec SA
• SSH to the VPN-1 firewall
• Need to be in expert mode in R55

[vpn-1-fw]# vpn tu

**********     Select Option     **********

(1)             List all IKE SAs
(2)             List all IPsec SAs
(3)             List all IKE SAs for a given peer (GW) or user (Client)
(4)             List all IPsec SAs for a given peer (GW) or user (Client)
(5)             Delete all IPsec SAs for a given peer (GW)
(6)             Delete all IPsec SAs for a given User (Client)
(7)             Delete all IPsec+IKE SAs for a given peer (GW)
(8)             Delete all IPsec+IKE SAs for a given User (Client)
(9)             Delete all IPsec SAs for ALL peers and users
(0)             Delete all IPsec+IKE SAs for ALL peers and users

(Q)             Quit

*******************************************

0

• To monitor status of VPN tunnel
• Use SmartView Monitor and select Tunnels on Gateway
  • Only work from R65 onward