Check Point CloudGuard Connect with Aviatrix Site2Cloud (S2C) Gateway

Design Notes

  • Check Point CloudGuard Connect only supports Policy-Based IPSec
  • Aviatrix does not support FQDN based IPSec destinations today

There are two design patterns possible with Aviatrix:

  1. Aviatrix standalone S2C Gateway interconnecting with CloudGuard Connect
  2. Aviatrix Transit Gateway interconnecting with CloudGuard Connect

Deployment Details with Single Aviatrix S2C GW

In this document we will be using design pattern #1, where we interconnect Check Point CloudGuard Connect to an Aviatrix standalone S2C gateway using L3 IPsec connectivity.

CloudGuard Connect Configuration

  • Log in to the CloudGuard Infinity portal and create a new site for the Aviatrix GW.
  • This Aviatrix S2C standalone gateway is running in GCP, but that does not matter; it could equally be running in Azure, OCI or AWS.



Then provide the connection details.

  • The Device Type is Generic Router.
  • The Tunnel is type: IPSec - Pre-Shared Key
  • DPD enabled
  • External IP address: the Aviatrix S2C GW IP address


Then the final step is to provide the sub-network. In our case it is the subnet we have in GCP, where the Aviatrix S2C GW is deployed.


Ignore the warnings: for production, CloudGuard Connect recommends deploying two gateways, and we are running only one right now, so it warns about that.


Now check the configuration of the site that we need to apply to the Aviatrix S2C GW.



Check Point CloudGuard Connect Complete configuration

Connect your device to Check Point by creating 2 IPsec tunnels.
General IPsec properties for both tunnels:
MSS: 1360
MTU: 1400
Pre-Shared Key: Aviatrix123
Encryption Method: IKEv1 or IKEv2. IKEv2 is preferred for security reasons. IKEv1 Aggressive Mode is not supported.

Phase 1 Properties:
Encryption algorithm: aes-256
Data integrity: sha1
DH Group (Diffie-Hellman Group): Group 2 (1024 bit)
Re-negotiate every: 24 hours

Phase 2 Properties:
Encryption algorithm: aes-256
Data integrity: sha1
Re-negotiate every: 1 hour
Make sure DPD is on

Create the first IPsec tunnel:
Destination: g-085978b8182117b97ca8776264d81662.checkpoint.cloud
Test the tunnel:
Add a route to destination IP
Test the tunnel by running: ping

Create the second IPsec tunnel:
Destination: g-391e8a5f3d04730e8a5e875b226f62dc.checkpoint.cloud
Test the tunnel:
Add a route to destination IP
Test the tunnel by running: ping


Aviatrix S2C Gateway Configuration

First we will deploy a standalone Aviatrix S2C Gateway.



Create S2C Connection





S2C Connection Details

You can also take a look at the connection details:

IKE Version: 2
Connection Type: unmapped
DPD config: enable
BGP status: disabled
Insane mode: disabled
Load balancing: undefined
Local Subnet:
Remote Subnet:
Phase 1 Authentication: SHA-1
Phase 2 Authentication: HMAC-SHA-1
Phase 1 DH Groups: 2
Phase 2 DH Groups: 2
Phase 1 Encryption: AES-256-CBC
Phase 2 Encryption: AES-256-CBC
Tunnel Type: Site2Cloud_Policy


Aviatrix S2C Complete Configuration

Aviatrix Site2Cloud configuration.

This connection has a single IPsec tunnel between customer gateway and Aviatrix gateway in the cloud.
Tunnel #1
#1: Internet Key Exchange Configuration

Configure the IKE SA as follows
  - Version                  : 2
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : Aviatrix123
  - Encryption Algorithm     : AES-256-CBC
  - Authentication Algorithm : SHA-1
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
  - DPD threshold            : 10 seconds
  - DPD retry interval       : 3 seconds
  - DPD retry count          : 3

#2: IPSec Configuration
Configure the IPSec SA as follows:
  - Protocol                 : esp
  - Encryption Algorithm     : AES-256-CBC
  - Authentication Algorithm : HMAC-SHA-1
  - Lifetime                 : 3600
  - Mode                     : tunnel
  - Type                     : policy
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

IPSec ESP (Encapsulating Security Payload) inserts additional
headers to transmit packets. These headers require additional space,
which reduces the amount of space available to transmit application data.
To limit the impact of this behavior, we recommend the following
configuration on your Customer Gateway:
  - TCP MSS Adjustment       : 1387 bytes
  - Clear Don't Fragment Bit : enabled
  - Fragmentation            : Before encryption
#3: Tunnel Interface Configuration
Your Customer Gateway must be configured with a tunnel interface that is
associated with the IPSec tunnel. Traffic that should go through the tunnel
should be specified by following your gateway's configuration guide, using the
information below.
Gateway IP addresses:
  - Customer Gateway                :
  - Aviatrix Gateway Public IP        :
  - Aviatrix Gateway Private IP     :

  - Customer Network(s)             :
  - Cloud Networks(s)               :
Tunnel Inside IP addresses:
  - Customer Gateway                :
  - Aviatrix Gateway                :
Configure your tunnel to fragment at the optimal size:
  - Tunnel interface MTU     : 1436 bytes
#4. Border Gateway Protocol (BGP) Configuration:
The Border Gateway Protocol (BGPv4) is used to exchange routes from the VPC to on-prem
network. Each BGP router has an Autonomous System Number (ASN).
BGP Configuration:
  - BGP Mode                        : false
  - Customer Gateway ASN            : 0
  - Aviatrix Gateway ASN            : 0
Configure BGP to receive routes from on-prem network. Aviatrix Transit gateway will announce
prefixes to your on-prem  gateway based upon the spokes you have attached

For vendor specific instructions, please go to the following URL:


After deployment is done, you will notice that tunnel is UP


Aviatrix S2C Diagnostics and Troubleshooting

The Aviatrix S2C Diagnostics area provides the tools and options needed to troubleshoot IPsec connectivity issues.


show log

2020-06-17T21:21:20.594746+00:00 avx-s2c-gw-gc-sin charon: 16[IKE] <gw-54_188_208_203|1856> sending DPD request
2020-06-17T21:21:10.760885+00:00 avx-s2c-gw-gc-sin charon: 05[ENC] <gw-54_188_208_203|1856> parsed INFORMATIONAL response 2 [ ]
2020-06-17T21:21:10.594645+00:00 avx-s2c-gw-gc-sin charon: 13[ENC] <gw-54_188_208_203|1856> generating INFORMATIONAL request 2 [ ]
2020-06-17T21:21:10.594572+00:00 avx-s2c-gw-gc-sin charon: 13[IKE] <gw-54_188_208_203|1856> sending DPD request
2020-06-17T21:20:54.595195+00:00 avx-s2c-gw-gc-sin charon: 07[IKE] <gw-54_188_208_203|1856> CHILD_SA net-10_30_102_0_24-100_126_0_0_24{2} established with SPIs c484793d_i e7d24cb7_o and TS ===
2020-06-17T21:20:54.594234+00:00 avx-s2c-gw-gc-sin charon: 07[IKE] <gw-54_188_208_203|1856> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
2020-06-17T21:20:54.594165+00:00 avx-s2c-gw-gc-sin charon: 07[IKE] <gw-54_188_208_203|1856> maximum IKE_SA lifetime 30072s
2020-06-17T21:20:54.594096+00:00 avx-s2c-gw-gc-sin charon: 07[IKE] <gw-54_188_208_203|1856> scheduling rekeying in 27192s
2020-06-17T21:20:54.594023+00:00 avx-s2c-gw-gc-sin charon: 07[IKE] <gw-54_188_208_203|1856> IKE_SA gw-54_188_208_203[1856] established between[]...[]
2020-06-17T21:20:54.593959+00:00 avx-s2c-gw-gc-sin charon: 07[IKE] <gw-54_188_208_203|1856> authentication of '' with pre-shared key successful
2020-06-17T21:20:54.593846+00:00 avx-s2c-gw-gc-sin charon: 07[ENC] <gw-54_188_208_203|1856> parsed IKE_AUTH response 1 [ IDr AUTH N(CRASH_DET) SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
2020-06-17T21:20:54.425797+00:00 avx-s2c-gw-gc-sin charon: 09[ENC] <gw-54_188_208_203|1856> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
2020-06-17T21:20:54.425727+00:00 avx-s2c-gw-gc-sin charon: 09[IKE] <gw-54_188_208_203|1856> establishing CHILD_SA net-10_30_102_0_24-100_126_0_0_24{2} reqid 1
2020-06-17T21:20:54.425669+00:00 avx-s2c-gw-gc-sin charon: 09[IKE] <gw-54_188_208_203|1856> authentication of '' (myself) with pre-shared key
2020-06-17T21:20:54.425602+00:00 avx-s2c-gw-gc-sin charon: 09[IKE] <gw-54_188_208_203|1856> remote host is behind NAT
2020-06-17T21:20:54.425536+00:00 avx-s2c-gw-gc-sin charon: 09[IKE] <gw-54_188_208_203|1856> local host is behind NAT, sending keep alives
2020-06-17T21:20:54.425465+00:00 avx-s2c-gw-gc-sin charon: 09[ENC] <gw-54_188_208_203|1856> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(CHDLESS_SUP) ]
2020-06-17T21:20:54.167739+00:00 avx-s2c-gw-gc-sin charon: 11[ENC] <gw-54_188_208_203|1845> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2020-06-17T21:20:54.167675+00:00 avx-s2c-gw-gc-sin charon: 11[IKE] <gw-54_188_208_203|1845> initiating IKE_SA gw-54_188_208_203[1856] to
2020-06-17T21:20:54.167584+00:00 avx-s2c-gw-gc-sin charon: 11[IKE] <gw-54_188_208_203|1845> restarting CHILD_SA net-10_30_102_0_24-100_126_0_0_24
2020-06-17T21:20:54.167516+00:00 avx-s2c-gw-gc-sin charon: 11[IKE] <gw-54_188_208_203|1845> giving up after 3 retransmits
2020-06-17T21:20:51.335566+00:00 avx-s2c-gw-gc-sin charon: 06[NET] received unencrypted informational: from[500] to[500]
2020-06-17T21:20:51.166529+00:00 avx-s2c-gw-gc-sin charon: 13[IKE] <gw-54_188_208_203|1845> retransmit 3 of request with message ID 2
2020-06-17T21:20:50.870942+00:00 avx-s2c-gw-gc-sin charon: 07[CFG] <1854> looking for peer configs matching[%any]...[]
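The "show log" output above is strongSwan's charon daemon, printed newest-first, so the story reads backwards: an earlier IKE_SA (1845) exhausted its retransmits, the gateway gave up and re-initiated, NAT was detected on both ends, the new IKE_SA (1856) authenticated with the pre-shared key, the CHILD_SA came up with its SPIs, and DPD requests then tick every 10 seconds (matching the 10 second DPD threshold and dpd_delay 10s in the configuration). The Python below is an added example, not Aviatrix tooling: it parses lines of this format, puts them in chronological order, classifies the events a troubleshooter cares about, and summarises whether the tunnel reached CHILD_SA. The sample lines are copied from the output above (peer addresses and identities were already missing there); the event names are this example's own.

```python
import re
from datetime import datetime

# Lines copied from the 'show log' output above, in the newest-first order the gateway prints.
SAMPLE_LOG = """\
2020-06-17T21:21:20.594746+00:00 avx-s2c-gw-gc-sin charon: 16[IKE] <gw-54_188_208_203|1856> sending DPD request
2020-06-17T21:21:10.594572+00:00 avx-s2c-gw-gc-sin charon: 13[IKE] <gw-54_188_208_203|1856> sending DPD request
2020-06-17T21:20:54.595195+00:00 avx-s2c-gw-gc-sin charon: 07[IKE] <gw-54_188_208_203|1856> CHILD_SA net-10_30_102_0_24-100_126_0_0_24{2} established with SPIs c484793d_i e7d24cb7_o and TS ===
2020-06-17T21:20:54.594023+00:00 avx-s2c-gw-gc-sin charon: 07[IKE] <gw-54_188_208_203|1856> IKE_SA gw-54_188_208_203[1856] established between[]...[]
2020-06-17T21:20:54.593959+00:00 avx-s2c-gw-gc-sin charon: 07[IKE] <gw-54_188_208_203|1856> authentication of '' with pre-shared key successful
2020-06-17T21:20:54.425602+00:00 avx-s2c-gw-gc-sin charon: 09[IKE] <gw-54_188_208_203|1856> remote host is behind NAT
2020-06-17T21:20:54.167675+00:00 avx-s2c-gw-gc-sin charon: 11[IKE] <gw-54_188_208_203|1845> initiating IKE_SA gw-54_188_208_203[1856] to
2020-06-17T21:20:54.167516+00:00 avx-s2c-gw-gc-sin charon: 11[IKE] <gw-54_188_208_203|1845> giving up after 3 retransmits
2020-06-17T21:20:51.335566+00:00 avx-s2c-gw-gc-sin charon: 06[NET] received unencrypted informational: from[500] to[500]
2020-06-17T21:20:51.166529+00:00 avx-s2c-gw-gc-sin charon: 13[IKE] <gw-54_188_208_203|1845> retransmit 3 of request with message ID 2
2020-06-17T21:20:50.870942+00:00 avx-s2c-gw-gc-sin charon: 07[CFG] <1854> looking for peer configs matching[%any]...[]
"""

# <timestamp> <host> charon: <thread>[<subsystem>] [<conn|ike_sa_id>] <message>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+charon:\s+\d+\[(?P<sub>[A-Z]+)\]\s+"
    r"(?:<(?P<conn>[^|>]+)\|(?P<sa>\d+)>\s+)?(?P<msg>.*)$"
)

# First matching pattern wins; event names are this example's own labels.
EVENTS = [
    (r"retransmit \d+ of request", "RETRANSMIT"),
    (r"giving up after \d+ retransmits", "PEER_UNREACHABLE"),
    (r"initiating IKE_SA", "IKE_INIT"),
    (r"host is behind NAT", "NAT_T"),
    (r"pre-shared key successful", "AUTH_OK"),
    (r"IKE_SA \S+ established between", "IKE_UP"),
    (r"CHILD_SA \S+ established with SPIs (\w+)_i (\w+)_o", "CHILD_UP"),
    (r"sending DPD request", "DPD_SENT"),
    (r"received unencrypted informational", "UNENCRYPTED_INFORMATIONAL"),
]


def parse_line(line):
    """Return a dict for a charon line, with 'event' set when the message is one we track."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.fromisoformat(rec["ts"])
    rec["event"], rec["detail"] = None, ()
    for pattern, name in EVENTS:
        hit = re.search(pattern, rec["msg"])
        if hit:
            rec["event"], rec["detail"] = name, hit.groups()
            break
    return rec


def timeline(lines):
    """Tracked events oldest-first as (HH:MM:SS, ike_sa_id, event); untracked lines are dropped."""
    recs = [r for r in map(parse_line, lines) if r and r["event"]]
    recs.sort(key=lambda r: r["time"])
    return [(r["time"].strftime("%H:%M:%S"), r["sa"], r["event"]) for r in recs]


def tunnel_summary(lines):
    """Condense a log excerpt into the questions asked first when a tunnel is down."""
    recs = [r for r in map(parse_line, lines) if r and r["event"]]
    recs.sort(key=lambda r: r["time"])
    child = [r for r in recs if r["event"] == "CHILD_UP"]
    return {
        "retransmits": sum(r["event"] == "RETRANSMIT" for r in recs),
        "gave_up": any(r["event"] == "PEER_UNREACHABLE" for r in recs),
        "nat_traversal": any(r["event"] == "NAT_T" for r in recs),
        "ike_up": any(r["event"] == "IKE_UP" for r in recs),
        "child_spis": child[-1]["detail"] if child else None,  # (inbound, outbound) of latest CHILD_SA
        "dpd_requests": sum(r["event"] == "DPD_SENT" for r in recs),
    }


if __name__ == "__main__":
    for when, sa, event in timeline(SAMPLE_LOG.splitlines()):
        print(when, sa, event)
    print(tunnel_summary(SAMPLE_LOG.splitlines()))
```

Reading the summary: "gave_up" with "ike_up" afterwards is a recovered outage, as in this excerpt; "gave_up" with no IKE_UP means the peer is not answering on UDP 500/4500 and the next thing to check is reachability and the peer's firewall, not the crypto proposals.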


show security association details[4500][4500]
    esp-udp mode=tunnel spi=402365618(0x17fb9cb2) reqid=4(0x00000004)
    E: aes-cbc  205b1fef 59a1cc1b 79140a17 b47cb22c 3e192add bef8a88e be8d41aa 99f87b1a
    A: hmac-sha1  4ec01980 5302f1cc de57ab9a 1e8d0cd9 39b5c30a
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Jun 17 21:24:03 2020    current: Jun 17 22:02:37 2020
    diff: 2314(s)    hard: 3960(s)    soft: 3391(s)
    last: Jun 17 21:25:03 2020    hard: 0(s)    soft: 0(s)
    current: 190512(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 2268    hard: 0    soft: 0
    sadb_seq=1 pid=16020 refcnt=0[4500][4500]
    esp-udp mode=tunnel spi=3272557011(0xc30f41d3) reqid=4(0x00000004)
    E: aes-cbc  113b387a 4d503598 e06929c6 e311085c c968ab43 34267e64 50c18017 1179620c
    A: hmac-sha1  a4a56a21 ec85d5e5 7e6ba0a5 e50c6105 694b24ad
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: Jun 17 21:24:03 2020    current: Jun 17 22:02:37 2020
    diff: 2314(s)    hard: 3960(s)    soft: 3258(s)
    last: Jun 17 21:25:03 2020    hard: 0(s)    soft: 0(s)
    current: 189168(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 2252    hard: 0    soft: 0
    sadb_seq=0 pid=16020 refcnt


show configuration


    "connections": {
        "gw-54_188_208_203": {
            "dpd_delay": "10s",
            "children": {
                "net-10_30_102_0_24-100_126_0_0_24": {
                    "local_ts": [
                    "esp_proposals": [
                    "remote_ts": [
                    "start_action": "start",
                    "dpd_action": "start",
                    "rekey_time": 3600
            "rekey_time": 28800,
            "remote": {
                "id": "",
                "auth": "psk"
            "dpd_timeout": "30s",
            "proposals": [
            "keyingtries": 0,
            "version": 2,
            "mobike": "no",
            "remote_addrs": [
            "local": {
                "id": "",
                "auth": "psk"
    "secrets": {
        "data": "Aviatrix123",
        "owners": [
        "type": "IKE",
        "id": "ike-"


show security policy details[any][any] 255
    in prio high + 1073366401 ipsec
    created: Jun 17 21:24:03 2020  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=448 seq=3 pid=16164
    refcnt=1[any][any] 255
    out prio high + 1073366401 ipsec
    created: Jun 17 21:24:03 2020  lastused: Jun 17 22:04:44 2020
    lifetime: 0(s) validtime: 0(s)
    spid=465 seq=1 pid=16164



Deployment Details with Aviatrix S2C GW in HA Mode

Here we have deployed two S2C GWs to provide HA. This is the production deployment setup, because both Aviatrix and Check Point recommend multiple tunnels for HA.

Deploy Second Aviatrix S2C Gateway

From the Aviatrix Controller Gateway page, enable the HA option. This will automatically deploy the second S2C gateway.


[15:35:09] Starting to create GW avx-s2c-gw-gc-sin-hagw.
[15:35:10] Connected to GCE.
[15:35:13] Project check complete.
[15:35:14] License check is complete.
[15:35:23] Updating IGW for new gateway...
[15:35:24] Launching compute instance in GCE....
[15:36:28] GCE compute instance created successfully.
[15:36:28] Updating DB.
[15:36:28] Added GW info to Database.
[15:36:29] avx-s2c-gw-gc-sin-hagw AVX SQS Queue created.
[15:36:29] Creating Keys.
[15:37:03] Initializing GW.....
[15:37:04] Copy configuration to GW avx-s2c-gw-gc-sin-hagw done.
[15:37:06] Copy new software to GW avx-s2c-gw-gc-sin-hagw done.
[15:37:08] Copy misc new software to GW avx-s2c-gw-gc-sin-hagw done.
[15:37:09] Copy scripts to GW avx-s2c-gw-gc-sin-hagw done.
[15:37:09] Copy sdk to GW avx-s2c-gw-gc-sin-hagw done.
[15:37:25] Copy libraries to GW avx-s2c-gw-gc-sin-hagw done.
[15:37:25] Installing software ....
[15:37:27] Issuing certificates ...
[15:37:38] Issue certificates done
[15:37:49] GW software started.
[15:38:15] Software Installation done.
[15:38:18] Run self diagnostics done.


Create New S2C Connection

From Aviatrix Controller --> Site2Cloud --> Setup --> Create New Connection

This time all the other information remains the same; just enable the HA option as shown in the diagram below.


Click on the following diagram to see the details

If you click on Edit, you can see more details about this connection


Security Association






IKE Version: 2
Connection Type: unmapped
DPD config: enable
BGP status: disabled
Insane mode: disabled on primary tunnel, disabled on backup tunnel
Load balancing: undefined
Local Subnet:
Remote Subnet:
Phase 1 Authentication: SHA-1
Phase 2 Authentication: HMAC-SHA-1
Phase 1 DH Groups: 2
Phase 2 DH Groups: 2
Phase 1 Encryption: AES-256-CBC
Phase 2 Encryption: AES-256-CBC
Tunnel Type: Site2Cloud_Policy


CloudGuard Connect still shows the warning. Not sure why. You can ignore it for now.


Verification Testing

A ping test to CloudGuard shows both tunnels are up.

The following traceroutes show that packets take two different tunnels depending on the tunnel interfaces.

[shahzad_aviatrix_com@spk1-vm1-gc-sin ~]$ traceroute
traceroute to (, 30 hops max, 60 byte packets

1 avx-s2c-gw-gc-sin.c.shahzad-aviatrix.internal ( 1.555 ms avx-s2c-gw-gc-sin-hagw.c.shahzad-aviatrix.internal ( 1.351 ms avx-s2c-gw-gc-sin.c.shahzad-aviatrix.internal ( 1.409 ms
2 ( 171.648 ms 171.653 ms ( 170.247 ms

[shahzad_aviatrix_com@spk1-vm1-gc-sin ~]$
[shahzad_aviatrix_com@spk1-vm1-gc-sin ~]$


[shahzad_aviatrix_com@spk1-vm1-gc-sin ~]$ traceroute

traceroute to (, 30 hops max, 60 byte packets

1 avx-s2c-gw-gc-sin-hagw.c.shahzad-aviatrix.internal ( 1.426 ms avx-s2c-gw-gc-sin.c.shahzad-aviatrix.internal ( 1.287 ms avx-s2c-gw-gc-sin-hagw.c.shahzad-aviatrix.internal ( 1.388 ms
2 ( 171.372 ms ( 171.838 ms ( 171.381 ms

[shahzad_aviatrix_com@spk1-vm1-gc-sin ~]$



Disclaimer: Planned roadmap

  • We will be working on providing a drop down so that customers can easily connect
  • Check Point team is also looking into providing a drop down for Aviatrix gateway from their side
  • Aviatrix to support FQDN based IPSec destinations