
Configuring a Site-to-Site IPSEC VPN with a Check Point Embedded NG Security Appliance and a Fortinet FortiGate Security Appliance

Note: This document assumes the reader is familiar with the basic network installation of a Check
Point Embedded NG appliance and a Fortinet FortiGate security appliance.
Overview
This document explains how to create a Site-to-Site IPSEC VPN connection between a Check Point Embedded NG
security appliance and a Fortinet FortiGate security appliance. In particular, it describes the configuration of the
following sample network:

Figure 1: Site-to-Site VPN with Check Point Embedded NG and Fortinet FortiGate Security Appliances
This sample network uses the parameters shown in the table below; however, you can change any of these parameters
as desired, so long as they are the same on both appliances.
Table 1: Site-to-Site VPN Configuration Parameters
Parameter                        Value
Encryption                       3DES
Integrity                        SHA1
Authentication                   Pre-shared Key (Shared Secret)
Diffie-Hellman (DH) Group        2
Perfect Forward Secrecy (PFS)    Disabled
Phase-1 key lifetime             24 hours (86400 seconds)
Phase-2 key lifetime             1 hour (3600 seconds)


Note: The Embedded NG appliance must be installed with firmware 5.0 or a subsequent version.
Configuring the FortiGate Security Appliance
To configure the FortiGate security appliance for Site-to-Site VPN
1. Configure the encryption domain.
The encryption domain represents the networks to and from which you want to encrypt. These are the networks
behind the VPN gateways.
Do the following:
a. Create an object for the Embedded NG VPN gateway's internal network.
See Creating an Object for the Embedded NG VPN Gateway's Internal Network, page 3.
b. Create an object for the FortiGate VPN gateway's internal network.
See Creating an Object for the FortiGate VPN Gateway's Internal Network, page 4.
2. Configure the IPSEC parameters, by doing the following:
a. Configure a Phase-1 profile.
See Configuring a Phase-1 Profile, page 5.
b. Configure a Phase-2 profile.
See Configuring a Phase-2 Profile, page 6.
3. Configure VPN rules, by doing the following:
a. Configure an Encrypt rule from the FortiGate VPN gateway network to the Embedded NG VPN gateway
network.
See Configuring an Encrypt Rule from the FortiGate VPN Gateway Network to the Embedded NG VPN
Gateway Network, page 8.
b. Configure an Encrypt rule from the Embedded NG VPN gateway network to the FortiGate VPN gateway
network.
See Configuring an Encrypt Rule from the Embedded NG VPN Gateway Network to the FortiGate VPN
Gateway Network, page 9.
Configuring the Encryption Domain
Creating an Object for the Embedded NG VPN Gateway's Internal Network
To create an object for the Embedded NG VPN gateway's internal network
1. In the main menu, click Firewall.
The Firewall submenu opens.
2. In the Firewall submenu, click Address.
The Address page appears.
3. Click Create New.
The New Address page appears.

4. In the Address Name field, type a name for the Embedded NG VPN gateway internal network object.
For example: CP_Internal.
5. In the IP Range/Subnet field, type the IP address and subnet mask of the Embedded NG VPN gateway's internal
network.
For example: 192.168.100.0/24.
6. Click OK.
Creating an Object for the FortiGate VPN Gateway's Internal Network
To create an object for the FortiGate VPN gateway's internal network
1. In the main menu, click Firewall.
The Firewall submenu opens.
2. In the Firewall submenu, click Address.
The Address page appears.
3. Click Create New.
The New Address page appears.

4. In the Address Name field, type a name for the FortiGate VPN gateway internal network object.
For example: FG_Internal.
5. In the IP Range/Subnet field, type the IP address and subnet mask of the FortiGate VPN gateway's internal
network.
For example: 192.168.1.0/255.255.255.0.
6. Click OK.
Configuring IPSEC Parameters
Configuring a Phase-1 Profile
To configure a Phase-1 profile
1. In the main menu, click VPN.
The VPN submenu opens.
2. In the VPN submenu, click IPSEC.
The Phase 1 page appears.
3. Click Create New.
The New VPN Gateway page appears.
4. Click Advanced.
Additional fields appear.

5. Fill in the fields as described in the table below.
Do not change the default settings of fields that are not listed in the table.
6. Click OK.
Table 2: Phase-1 Profile Fields
In this field          Do this                                                    In the sample network
Gateway Name           Type a name for the gateway.                               Site2Site
Remote Gateway         Type the remote gateway's static IP address.
IP address             Type the Embedded NG VPN gateway's IP address.             212.150.8.85
Authentication Method  Select the authentication method to use.                   Preshared Key
Pre-shared Key         Type the pre-shared key. Use the same pre-shared key as    For example: Secret123
                       configured on the Embedded NG VPN gateway.
Encryption             Select the type of encryption to use to secure the VPN     3DES
                       connection.
Authentication         Select the authentication algorithm to use.                SHA1
DH Group               Select the Diffie-Hellman group to use.                    2
Keylife                Type the Phase-1 key lifetime in seconds. This parameter   86400
                       must match the Phase-1 keylife on the Embedded NG
                       appliance VPN gateway.
Configuring a Phase-2 Profile
To configure a Phase-2 profile
1. In the main menu, click VPN.
The VPN submenu opens.
2. In the VPN submenu, click IPSEC.
The Phase 1 page appears.
3. Click on the Phase 2 tab.
The Phase 2 page appears.
4. Click Create New.
The New VPN Tunnel page appears.
5. Click Advanced.
Additional fields appear.

6. Fill in the fields as described in the table below.
Do not change the default settings of fields that are not listed in the table.
7. Click OK.
Table 3: IPSEC Phase-2 Profile Fields
In this field                         Do this                                                     In the sample network
Tunnel Name                           Enter a name for the tunnel.                                Check Point
Remote Gateway                        Select the Phase-1 profile you created for this tunnel.     Site2Site
1-Encryption                          Select the type of encryption to use to secure the VPN      3DES
                                      connection.
Authentication                        Select the authentication algorithm to use.                 SHA1
Enable perfect forward secrecy (PFS)  Specify whether to use PFS.                                 Clear this option.
Keylife                               Use the fields provided to specify the Phase-2 keylife in   3600
                                      seconds. This parameter must match the Phase-2 keylife on
                                      the Embedded NG appliance VPN gateway.
Configuring VPN Rules
Configuring an Encrypt Rule from the FortiGate VPN Gateway Network to the
Embedded NG VPN Gateway Network
To configure an Encrypt rule from the FortiGate VPN gateway network to the Embedded NG VPN gateway
network
1. In the main menu, click Firewall.
The Firewall submenu opens.
2. In the Firewall submenu, click Policy.
The Policy page appears.
3. Click Create New.
The New Policy page appears.

4. Fill in the fields as described in the table below.
Do not change the default settings of fields that are not listed in the table.
5. Click OK.
Table 4: Encrypt Rule from the FortiGate Network to the Embedded NG Network Fields
In this field   Do this                                                        In the sample network
Interface/Zone  In the Source drop-down list, select Internal.
                In the Destination drop-down list, select External.
Address Name    In the Source drop-down list, select the internal FortiGate    Source: FG_Internal
                VPN gateway address object from which you want traffic to be
                encrypted.
                In the Destination drop-down list, select the internal         Destination: CP_External
                Embedded NG VPN gateway address object to which you want
                traffic to be encrypted.
Action          Select ENCRYPT.
VPN Tunnel      Select the Phase-2 profile you created.                        CheckPoint
Configuring an Encrypt Rule from the Embedded NG VPN Gateway Network to the
FortiGate VPN Gateway Network
To configure an Encrypt rule from the Embedded NG VPN gateway network to the FortiGate VPN gateway
network
1. In the main menu, click Firewall.
The Firewall submenu opens.
2. In the Firewall submenu, click Policy.
The Policy page appears.
3. Click Create New.
The New Policy page appears.

4. Fill in the fields as described in the table below.
Do not change the default settings of fields that are not listed in the table.
5. Click OK.
Table 5: Encrypt Rule from the Embedded NG Network to the FortiGate Network Fields
In this field   Do this                                                        In the sample network
Interface/Zone  In the Source drop-down list, select Internal.
                In the Destination drop-down list, select External.
Address Name    In the Source drop-down list, select the Embedded NG VPN       Source: CP_Internal
                gateway address object from which you want traffic to be
                encrypted.
                In the Destination drop-down list, select the internal         Destination: FG_External
                FortiGate VPN gateway address object to which you want
                traffic to be encrypted.
Action          Select ENCRYPT.
VPN Tunnel      Select the Phase-2 profile you created.                        CheckPoint
Configuring the Embedded NG Security Appliance
To configure the Embedded NG security appliance for Site-to-Site VPN
1. Add the FortiGate security appliance as a Site-to-Site gateway.
See Adding the FortiGate Security Appliance as a Site-to-Site VPN Gateway, page 11.
2. Configure IPSEC parameters to match those you configured on the FortiGate appliance.
Do the following:
a. Modify IKE Phase-1 encryption parameters.
See Modifying IKE Phase-1 Encryption Parameters, page 16.
b. Modify IKE Phase-2 encryption parameters.
See Modifying IKE Phase-2 Encryption Parameters, page 17.
c. Modify the IKE Phase-1 key lifetime.
See Modifying the IKE Phase-1 Key Lifetime, page 17.
d. Modify the IKE Phase-2 key lifetime.
See Modifying the IKE Phase-2 Key Lifetime, page 18.
Adding the FortiGate Security Appliance as a Site-to-Site VPN Gateway
To add the FortiGate appliance as a Site-to-Site VPN gateway
1. Click VPN in the main menu, and click the VPN Sites tab.
The VPN Sites page appears.

2. Click New Site.
The VPN Site Wizard opens, with the Welcome to the VPN Site Wizard dialog box displayed.

3. Select Site-to-Site VPN.
4. Click Next.
The VPN Gateway Address dialog box appears.

5. In the VPN Gateway field, type the IP address of the FortiGate VPN gateway.
6. Select Bypass NAT.
This setting enables the FortiGate VPN gateway to bypass NAT when connecting to the Embedded NG VPN
gateway internal network.
7. Select Bypass the firewall.
This setting enables the FortiGate VPN gateway to bypass the firewall and access the Embedded NG VPN
gateway's internal network without restriction, over the VPN tunnel only.
8. Click Next.
The VPN Network Configuration dialog box appears.

9. Select Specify Configuration.
10. Click Next.
A second VPN Network Configuration dialog box appears.

11. In the Destination network fields, type up to three destination network addresses at the FortiGate VPN gateway.
12. In the Subnet mask fields, select the subnet masks for the destination network addresses.
13. Click Next.
The Authentication Method dialog box appears.

14. Select Shared Secret.
15. Click Next.

The Authentication dialog box appears.

16. In the Use Shared Secret field, type the shared secret to use for secure communications with the FortiGate VPN
gateway.
This should be the pre-shared key you configured on the FortiGate VPN gateway in Configuring a Phase-1
Profile, page 5.
17. Click Next.
The Connect dialog box appears.

18. If you configured the FortiGate appliance as described in Configuring the FortiGate Security Appliance, page 2,
select the Try to Connect to the VPN Gateway check box to try to connect to it.
This allows you to test the VPN connection.


Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will
be terminated.
19. Click Next.
If you selected Try to Connect to the VPN Gateway, the Connecting screen appears, and then the
Contacting VPN Site screen appears.
The Site Name dialog box appears.

20. Type a name for the VPN site.
You may choose any name. For example: FortiGate.

Note: Do not select Keep this site alive.
21. Click Next.
The VPN Site Created screen appears.

22. Click Finish.
The VPN Sites page reappears. The new site appears in the VPN Sites list.
Configuring IPSEC Parameters
Configuring the IPSEC parameters on the Embedded NG security appliance is done through the appliance's command
line interface (CLI). For information on accessing the CLI, refer to the User Guide. For information on CLI syntax,
refer to the Check Point Embedded NG CLI Reference Guide.
Modifying IKE Phase-1 Encryption Parameters
To modify IKE Phase-1 encryption parameters
Use the following command syntax:
set vpn sites number phase1ikealgs [automatic | des/md5 | des/sha1 | 3des/md5 | 3des/sha1 | aes128/md5 |
aes128/sha1 | aes256/md5 | aes256/sha1]
where number is the number of the FortiGate VPN gateway's row in the VPN Sites table in the Embedded NG
Portal.
For example, if the FortiGate VPN gateway appears in row 2 in the VPN Sites table, and you want to set the
Embedded NG appliance to use 3DES/SHA1 encryption for Phase-1 IKE negotiations with this gateway, then run
the command:
set vpn sites 2 phase1ikealgs 3des/sha1
Modifying IKE Phase-2 Encryption Parameters
To modify IKE Phase-2 encryption parameters
Use the following command syntax:
set vpn sites number phase2ikealgs [automatic | des/md5 | des/sha1 | 3des/md5 | 3des/sha1 | aes128/md5 |
aes128/sha1 | aes256/md5 | aes256/sha1]
where number is the number of the FortiGate VPN gateway's row in the VPN Sites table in the Embedded NG
Portal.
For example, if the FortiGate VPN gateway appears in row 2 in the VPN Sites table, and you want to set the
Embedded NG appliance to use 3DES/SHA1 encryption for Phase-2 IKE negotiations with this gateway, then run
the command:
set vpn sites 2 phase2ikealgs 3des/sha1
Modifying the IKE Phase-1 Key Lifetime
To modify the IKE Phase-1 key lifetime
Use the following command syntax:
set vpn sites number phase1exptime seconds
where:
number is the number of the FortiGate VPN gateway's row in the VPN Sites table in the Embedded NG Portal.
seconds is the length of the IKE Phase-1 key lifetime in seconds.
For example, if the FortiGate VPN gateway appears in row 2 in the VPN Sites table, and you want to set the
Embedded NG appliance to use a Phase-1 key lifetime of 24 hours (86400 seconds) with this gateway, then run
the command:
set vpn sites 2 phase1exptime 86400
Modifying the IKE Phase-2 Key Lifetime
To modify the IKE Phase-2 key lifetime
Use the following command syntax:
set vpn sites number phase2exptime seconds
where:
number is the number of the FortiGate VPN gateway's row in the VPN Sites table in the Embedded NG Portal.
seconds is the length of the IKE Phase-2 key lifetime in seconds.
For example, if the FortiGate VPN gateway appears in row 2 in the VPN Sites table, and you want to set the
Embedded NG appliance to use a Phase-2 key lifetime of 1 hour (3600 seconds) with this gateway, then run the
command:
set vpn sites 2 phase2exptime 3600
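The parameters in Table 1 must match on both appliances, and the four CLI commands above are what bring the Embedded NG side into line. The following Python script is an added example, not code from this guide or from either vendor: it models one gateway's settings, reports which parameters differ between the two gateways, generates the Embedded NG commands in the syntax shown above, and flags settings that are below current recommendations. The names IpsecSide, mismatches, embedded_ng_commands and legacy_choices, the constructed "before" state with a differing Phase-2 lifetime, and the legacy criterion are this example's own assumptions.

```python
from dataclasses import dataclass, fields

# Algorithm pairs the guide lists as valid values for phase1ikealgs / phase2ikealgs.
EMBEDDED_NG_ALGS = {"automatic", "des/md5", "des/sha1", "3des/md5", "3des/sha1",
                    "aes128/md5", "aes128/sha1", "aes256/md5", "aes256/sha1"}

@dataclass(frozen=True)
class IpsecSide:
    """The Table 1 parameters that both gateways must agree on (example's own model)."""
    phase1_algs: str       # IKE Phase-1 encryption/integrity, e.g. "3des/sha1"
    phase2_algs: str       # IKE Phase-2 encryption/integrity
    dh_group: int          # Diffie-Hellman group
    pfs: bool              # Perfect Forward Secrecy enabled?
    phase1_lifetime: int   # Phase-1 key lifetime in seconds
    phase2_lifetime: int   # Phase-2 key lifetime in seconds

def mismatches(a: IpsecSide, b: IpsecSide) -> list:
    """Names of the parameters on which the two sides disagree (empty list: they match)."""
    return [f.name for f in fields(IpsecSide) if getattr(a, f.name) != getattr(b, f.name)]

def embedded_ng_commands(site_row: int, target: IpsecSide) -> list:
    """Embedded NG CLI commands (syntax as given in the guide) for the site in row
    `site_row` of the VPN Sites table. DH group and PFS have no CLI command on the page."""
    for algs in (target.phase1_algs, target.phase2_algs):
        if algs not in EMBEDDED_NG_ALGS:
            raise ValueError(f"{algs!r} is not a value the Embedded NG CLI accepts")
    return [f"set vpn sites {site_row} phase1ikealgs {target.phase1_algs}",
            f"set vpn sites {site_row} phase2ikealgs {target.phase2_algs}",
            f"set vpn sites {site_row} phase1exptime {target.phase1_lifetime}",
            f"set vpn sites {site_row} phase2exptime {target.phase2_lifetime}"]

def legacy_choices(side: IpsecSide) -> list:
    """Settings below current recommendations. This criterion is the example's own, not
    the guide's: DES/3DES or MD5 in either phase, DH group below 14, or PFS disabled."""
    found = []
    for phase, algs in (("phase1", side.phase1_algs), ("phase2", side.phase2_algs)):
        enc, _, integ = algs.partition("/")
        if enc in ("des", "3des") or integ == "md5":
            found.append(f"{phase}: {algs}")
    if side.dh_group < 14:
        found.append(f"dh_group: {side.dh_group}")
    if not side.pfs:
        found.append("pfs: disabled")
    return found

# Table 1 values as configured on the FortiGate side.
FORTIGATE = IpsecSide("3des/sha1", "3des/sha1", 2, False, 86400, 3600)
# Constructed "before" state: an Embedded NG site whose Phase-2 lifetime still differs.
EMBEDDED_NG_BEFORE = IpsecSide("3des/sha1", "3des/sha1", 2, False, 86400, 28800)
```

Calling mismatches(FORTIGATE, EMBEDDED_NG_BEFORE) names only phase2_lifetime, and embedded_ng_commands(2, FORTIGATE) yields the four commands shown in the sections above for a site in row 2.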
