
Check Point CloudGuard Connect with Aviatrix Site2Cloud (S2C) Gateway

Design Notes

  • Check Point CloudGuard Connect only supports policy-based IPsec
  • Aviatrix does not support FQDN-based IPsec destinations today

There are two design patterns possible with Aviatrix:

  1. Aviatrix standalone S2C Gateway interconnecting with CloudGuard Connect
  2. Aviatrix Transit Gateway interconnecting with CloudGuard Connect

Deployment Details with Single Aviatrix S2C GW

In this document we use design pattern #1: Check Point CloudGuard Connect is interconnected with a standalone Aviatrix S2C gateway over L3 IPsec connectivity.

CloudGuard Connect Configuration

  • Log in to the CloudGuard Infinity portal and create a new site for the Aviatrix GW.
  • This standalone Aviatrix S2C gateway runs in GCP, but that does not matter; it could equally run in Azure, OCI or AWS.

Then provide the connection details.

  • Device Type: Generic Router
  • Tunnel type: IPSec - Pre-Shared Key
  • DPD: enabled
  • External IP address: 35.198.209.242, the public IP address of the Aviatrix S2C GW

The final step is to provide the sub-network. In our case 10.30.102.0/24 is our subnet in GCP, where the Aviatrix S2C GW is deployed.

Ignore the warnings: for production, CloudGuard Connect recommends deploying two gateways, and we are running only one right now, so it warns about that.

Now check the site configuration that we need to apply on the Aviatrix S2C GW.

Check Point CloudGuard Connect Complete configuration

Connect your device to Check Point by creating 2 IPsec tunnels.
General IPsec properties for both tunnels:
MSS: 1360
MTU: 1400
Pre-Shared Key: Aviatrix123
Encryption Method: IKEv1 or IKEv2. IKEv2 is preferred for security reasons. IKEv1 Aggressive Mode is not supported.

Phase 1 Properties:
Encryption algorithm: aes-256
Data integrity: sha1
DH Group (Diffie-Hellman Group): Group 2 (1024 bit)
Re-negotiate every: 24 hours

Phase 2 Properties:
Encryption algorithm: aes-256
Data integrity: sha1
Re-negotiate every: 1 hour
Make sure DPD is on

Create the first IPsec tunnel:
Destination: g-085978b8182117b97ca8776264d81662.checkpoint.cloud
Test the tunnel:
Add a route to destination IP 100.126.0.4
Test the tunnel by running: ping 100.126.0.4

Create the second IPsec tunnel:
Destination: g-391e8a5f3d04730e8a5e875b226f62dc.checkpoint.cloud
Test the tunnel:
Add a route to destination IP 100.126.0.5
Test the tunnel by running: ping 100.126.0.5


Aviatrix S2C Gateway Configuration

First we deploy a standalone Aviatrix S2C Gateway.

Create S2C Connection

S2C Connection Details

You can also take a look at the connection details:

IKE Version: 2
Connection Type: unmapped
DPD config: enable
BGP status: disabled
Insane mode: disabled
Load balancing: undefined
Local Subnet: 10.30.102.0/24
Remote Subnet: 100.126.0.0/24
Phase 1 Authentication: SHA-1
Phase 2 Authentication: HMAC-SHA-1
Phase 1 DH Groups: 2
Phase 2 DH Groups: 2
Phase 1 Encryption: AES-256-CBC
Phase 2 Encryption: AES-256-CBC
Tunnel Type: Site2Cloud_Policy

Aviatrix S2C Complete Configuration

Aviatrix Site2Cloud configuration.

This connection has a single IPsec tunnel between customer gateway and Aviatrix gateway in the cloud.
Tunnel #1
================================================================================
#1: Internet Key Exchange Configuration

Configure the IKE SA as follows
  - Version                  : 2
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : Aviatrix123
  - Encryption Algorithm     : AES-256-CBC
  - Authentication Algorithm : SHA-1
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
  - DPD threshold            : 10 seconds
  - DPD retry interval       : 3 seconds
  - DPD retry count          : 3

#2: IPSec Configuration
Configure the IPSec SA as follows:
  - Protocol                 : esp
  - Encryption Algorithm     : AES-256-CBC
  - Authentication Algorithm : HMAC-SHA-1
  - Lifetime                 : 3600
  - Mode                     : tunnel
  - Type                     : policy
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

IPSec ESP (Encapsulating Security Payload) inserts additional
headers to transmit packets. These headers require additional space,
which reduces the amount of space available to transmit application data.
To limit the impact of this behavior, we recommend the following
configuration on your Customer Gateway:
  - TCP MSS Adjustment       : 1387 bytes
  - Clear Don't Fragment Bit : enabled
  - Fragmentation            : Before encryption
#3: Tunnel Interface Configuration
Your Customer Gateway must be configured with a tunnel interface that is
associated with the IPSec tunnel. Traffic that should go through the tunnel
should be specified by following your gateway's configuration guide, using the
information below.
Gateway IP addresses:
  - Customer Gateway                : 54.188.208.203
  - Aviatrix Gateway Public IP        : 35.198.209.242
  - Aviatrix Gateway Private IP     : 10.30.102.4

Subnets:
  - Customer Network(s)             : 100.126.0.0/24
  - Cloud Networks(s)               : 10.30.102.0/24
Tunnel Inside IP addresses:
  - Customer Gateway                :
  - Aviatrix Gateway                :
Configure your tunnel to fragment at the optimal size:
  - Tunnel interface MTU     : 1436 bytes
#4. Border Gateway Protocol (BGP) Configuration:
The Border Gateway Protocol (BGPv4) is used to exchange routes from the VPC to on-prem
network. Each BGP router has an Autonomous System Number (ASN).
BGP Configuration:
  - BGP Mode                        : false
  - Customer Gateway ASN            : 0
  - Aviatrix Gateway ASN            : 0
Configure BGP to receive routes from on-prem network. Aviatrix Transit gateway will announce
prefixes to your on-prem  gateway based upon the spokes you have attached

For vendor specific instructions, please go to the following URL:
http://docs.aviatrix.com/#site2cloud

After deployment is done, you will notice that the tunnel is UP.

Aviatrix S2C Diagnostics and Troubleshooting

The Aviatrix S2C Diagnostics area provides the tools and options needed to troubleshoot IPsec connectivity issues.

show log

2020-06-17T21:21:20.594746+00:00 avx-s2c-gw-gc-sin charon: 16[IKE] <gw-54_188_208_203|1856> sending DPD request
2020-06-17T21:21:10.760885+00:00 avx-s2c-gw-gc-sin charon: 05[ENC] <gw-54_188_208_203|1856> parsed INFORMATIONAL response 2 [ ]
2020-06-17T21:21:10.594645+00:00 avx-s2c-gw-gc-sin charon: 13[ENC] <gw-54_188_208_203|1856> generating INFORMATIONAL request 2 [ ]
2020-06-17T21:21:10.594572+00:00 avx-s2c-gw-gc-sin charon: 13[IKE] <gw-54_188_208_203|1856> sending DPD request
2020-06-17T21:20:54.595195+00:00 avx-s2c-gw-gc-sin charon: 07[IKE] <gw-54_188_208_203|1856> CHILD_SA net-10_30_102_0_24-100_126_0_0_24{2} established with SPIs c484793d_i e7d24cb7_o and TS 10.30.102.0/24 === 100.126.0.0/24
2020-06-17T21:20:54.594234+00:00 avx-s2c-gw-gc-sin charon: 07[IKE] <gw-54_188_208_203|1856> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
2020-06-17T21:20:54.594165+00:00 avx-s2c-gw-gc-sin charon: 07[IKE] <gw-54_188_208_203|1856> maximum IKE_SA lifetime 30072s
2020-06-17T21:20:54.594096+00:00 avx-s2c-gw-gc-sin charon: 07[IKE] <gw-54_188_208_203|1856> scheduling rekeying in 27192s
2020-06-17T21:20:54.594023+00:00 avx-s2c-gw-gc-sin charon: 07[IKE] <gw-54_188_208_203|1856> IKE_SA gw-54_188_208_203[1856] established between 10.30.102.4[35.198.209.242]...54.188.208.203[54.188.208.203]
2020-06-17T21:20:54.593959+00:00 avx-s2c-gw-gc-sin charon: 07[IKE] <gw-54_188_208_203|1856> authentication of '54.188.208.203' with pre-shared key successful
2020-06-17T21:20:54.593846+00:00 avx-s2c-gw-gc-sin charon: 07[ENC] <gw-54_188_208_203|1856> parsed IKE_AUTH response 1 [ IDr AUTH N(CRASH_DET) SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
2020-06-17T21:20:54.425797+00:00 avx-s2c-gw-gc-sin charon: 09[ENC] <gw-54_188_208_203|1856> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
2020-06-17T21:20:54.425727+00:00 avx-s2c-gw-gc-sin charon: 09[IKE] <gw-54_188_208_203|1856> establishing CHILD_SA net-10_30_102_0_24-100_126_0_0_24{2} reqid 1
2020-06-17T21:20:54.425669+00:00 avx-s2c-gw-gc-sin charon: 09[IKE] <gw-54_188_208_203|1856> authentication of '35.198.209.242' (myself) with pre-shared key
2020-06-17T21:20:54.425602+00:00 avx-s2c-gw-gc-sin charon: 09[IKE] <gw-54_188_208_203|1856> remote host is behind NAT
2020-06-17T21:20:54.425536+00:00 avx-s2c-gw-gc-sin charon: 09[IKE] <gw-54_188_208_203|1856> local host is behind NAT, sending keep alives
2020-06-17T21:20:54.425465+00:00 avx-s2c-gw-gc-sin charon: 09[ENC] <gw-54_188_208_203|1856> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(CHDLESS_SUP) ]
2020-06-17T21:20:54.167739+00:00 avx-s2c-gw-gc-sin charon: 11[ENC] <gw-54_188_208_203|1845> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2020-06-17T21:20:54.167675+00:00 avx-s2c-gw-gc-sin charon: 11[IKE] <gw-54_188_208_203|1845> initiating IKE_SA gw-54_188_208_203[1856] to 54.188.208.203
2020-06-17T21:20:54.167584+00:00 avx-s2c-gw-gc-sin charon: 11[IKE] <gw-54_188_208_203|1845> restarting CHILD_SA net-10_30_102_0_24-100_126_0_0_24
2020-06-17T21:20:54.167516+00:00 avx-s2c-gw-gc-sin charon: 11[IKE] <gw-54_188_208_203|1845> giving up after 3 retransmits
2020-06-17T21:20:51.335566+00:00 avx-s2c-gw-gc-sin charon: 06[NET] received unencrypted informational: from 54.188.208.203[500] to 10.30.102.4[500]
2020-06-17T21:20:51.166529+00:00 avx-s2c-gw-gc-sin charon: 13[IKE] <gw-54_188_208_203|1845> retransmit 3 of request with message ID 2
2020-06-17T21:20:50.870942+00:00 avx-s2c-gw-gc-sin charon: 07[CFG] <1854> looking for peer configs matching 10.30.102.4[%any]...54.188.208.203[100.66.135.21]
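The charon log above is printed newest-first and mixes a failed IKE_SA (1845, which gave up after three retransmits) with its replacement (1856). As an added example, not part of the original post, the following script parses lines in that strongSwan charon format into chronological per-connection events and reports the tunnel state, the current IKE_SA id, the ESP SPIs and how many times the gateway gave up, which is the first thing to check when a Site2Cloud tunnel flaps. The sample lines are copied from the output above; the field layout is assumed to be the one shown there.

```python
import re
from datetime import datetime

# Constructed sample: seven lines taken from the charon log above (newest first, as the page shows them)
SAMPLE_LOG = """\
2020-06-17T21:21:20.594746+00:00 avx-s2c-gw-gc-sin charon: 16[IKE] <gw-54_188_208_203|1856> sending DPD request
2020-06-17T21:20:54.595195+00:00 avx-s2c-gw-gc-sin charon: 07[IKE] <gw-54_188_208_203|1856> CHILD_SA net-10_30_102_0_24-100_126_0_0_24{2} established with SPIs c484793d_i e7d24cb7_o and TS 10.30.102.0/24 === 100.126.0.0/24
2020-06-17T21:20:54.594023+00:00 avx-s2c-gw-gc-sin charon: 07[IKE] <gw-54_188_208_203|1856> IKE_SA gw-54_188_208_203[1856] established between 10.30.102.4[35.198.209.242]...54.188.208.203[54.188.208.203]
2020-06-17T21:20:54.593959+00:00 avx-s2c-gw-gc-sin charon: 07[IKE] <gw-54_188_208_203|1856> authentication of '54.188.208.203' with pre-shared key successful
2020-06-17T21:20:54.167516+00:00 avx-s2c-gw-gc-sin charon: 11[IKE] <gw-54_188_208_203|1845> giving up after 3 retransmits
2020-06-17T21:20:51.335566+00:00 avx-s2c-gw-gc-sin charon: 06[NET] received unencrypted informational: from 54.188.208.203[500] to 10.30.102.4[500]
2020-06-17T21:20:51.166529+00:00 avx-s2c-gw-gc-sin charon: 13[IKE] <gw-54_188_208_203|1845> retransmit 3 of request with message ID 2
"""

# timestamp, host, "charon:", thread[subsystem], optional <connection|ike_sa_id> tag, message
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ charon: \d+\[[A-Z]+\] (?:<(?P<conn>[^|>]+)\|(?P<sa>\d+)> )?(?P<msg>.*)$")
CHILD_UP = re.compile(r"CHILD_SA \S+ established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o")
GAVE_UP = re.compile(r"giving up after (\d+) retransmits")
RETRANSMIT = re.compile(r"retransmit (\d+) of request")

def parse_events(log_text):
    """Return (timestamp, connection, ike_sa_id, message) tuples in chronological order.
    Lines without a <conn|id> tag (e.g. the [NET] line) carry no connection and are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("conn"):
            events.append((datetime.fromisoformat(m.group("ts")), m.group("conn"),
                           m.group("sa"), m.group("msg")))
    return sorted(events)

def tunnel_status(log_text):
    """Fold the events into per-connection state: UP/DOWN, IKE_SA id, ESP SPIs, failure counters."""
    status = {}
    for ts, conn, sa, msg in parse_events(log_text):
        st = status.setdefault(conn, {"state": "UNKNOWN", "ike_sa": None, "spi_in": None,
                                      "spi_out": None, "retransmits": 0, "failures": 0, "last": None})
        st["last"] = ts
        if RETRANSMIT.search(msg):
            st["retransmits"] += 1
        elif GAVE_UP.search(msg):                 # the old IKE_SA was abandoned
            st["state"], st["failures"] = "DOWN", st["failures"] + 1
        else:
            m = CHILD_UP.search(msg)              # a CHILD_SA is what actually carries traffic
            if m:
                st["state"], st["ike_sa"] = "UP", sa
                st["spi_in"], st["spi_out"] = m.group(1), m.group(2)
    return status

if __name__ == "__main__":
    for conn, st in tunnel_status(SAMPLE_LOG).items():
        print(conn, st["state"], "IKE_SA", st["ike_sa"], "SPIs", st["spi_in"], st["spi_out"],
              "failures", st["failures"], "retransmits", st["retransmits"], "last", st["last"])
```

Run it against the full `show log` output to see the same connection reported as UP on IKE_SA 1856 with one earlier failure on 1845.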

show security association details

10.30.102.4[4500] 54.188.208.203[4500]
    esp-udp mode=tunnel spi=402365618(0x17fb9cb2) reqid=4(0x00000004)
    E: aes-cbc  205b1fef 59a1cc1b 79140a17 b47cb22c 3e192add bef8a88e be8d41aa 99f87b1a
    A: hmac-sha1  4ec01980 5302f1cc de57ab9a 1e8d0cd9 39b5c30a
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Jun 17 21:24:03 2020    current: Jun 17 22:02:37 2020
    diff: 2314(s)    hard: 3960(s)    soft: 3391(s)
    last: Jun 17 21:25:03 2020    hard: 0(s)    soft: 0(s)
    current: 190512(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 2268    hard: 0    soft: 0
    sadb_seq=1 pid=16020 refcnt=0
54.188.208.203[4500] 10.30.102.4[4500]
    esp-udp mode=tunnel spi=3272557011(0xc30f41d3) reqid=4(0x00000004)
    E: aes-cbc  113b387a 4d503598 e06929c6 e311085c c968ab43 34267e64 50c18017 1179620c
    A: hmac-sha1  a4a56a21 ec85d5e5 7e6ba0a5 e50c6105 694b24ad
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: Jun 17 21:24:03 2020    current: Jun 17 22:02:37 2020
    diff: 2314(s)    hard: 3960(s)    soft: 3258(s)
    last: Jun 17 21:25:03 2020    hard: 0(s)    soft: 0(s)
    current: 189168(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 2252    hard: 0    soft: 0
    sadb_seq=0 pid=16020 refcnt

show configuration

{
    "connections": {
        "gw-54_188_208_203": {
            "dpd_delay": "10s",
            "children": {
                "net-10_30_102_0_24-100_126_0_0_24": {
                    "local_ts": [
                        "10.30.102.0/24"
                    ],
                    "esp_proposals": [
                        "aes256-sha1-modp1024"
                    ],
                    "remote_ts": [
                        "100.126.0.0/24"
                    ],
                    "start_action": "start",
                    "dpd_action": "start",
                    "rekey_time": 3600
                }
            },
            "rekey_time": 28800,
            "remote": {
                "id": "54.188.208.203",
                "auth": "psk"
            },
            "dpd_timeout": "30s",
            "proposals": [
                "aes256-sha1-modp1024"
            ],
            "keyingtries": 0,
            "version": 2,
            "mobike": "no",
            "remote_addrs": [
                "54.188.208.203"
            ],
            "local": {
                "id": "35.198.209.242",
                "auth": "psk"
            }
        }
    },
    "secrets": {
        "data": "Aviatrix123",
        "owners": [
            "35.198.209.242",
            "54.188.208.203"
        ],
        "type": "IKE",
        "id": "ike-54.188.208.203"
    }
}
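The output above is the strongSwan-style connection the Aviatrix gateway actually runs. As an added example (not Aviatrix or Check Point code), the following script compares such a configuration with the Phase 1/2 properties the CloudGuard site page listed earlier (IKEv2, AES-256, SHA-1, DH group 2, renegotiation every 24 h / 1 h, DPD on) and checks that the remote traffic selector covers the 100.126.0.4 and 100.126.0.5 test addresses. The configuration dict is retyped from the page with the pre-shared key omitted; the rule that our rekey time should not exceed the peer's is this script's own policy, since IKEv2 does not negotiate lifetimes.

```python
import ipaddress

# Constructed: the "show configuration" output above, retyped as a dict with the PSK left out
SHOW_CONFIG = {"connections": {"gw-54_188_208_203": {
    "version": 2, "dpd_delay": "10s", "dpd_timeout": "30s", "rekey_time": 28800,
    "proposals": ["aes256-sha1-modp1024"], "remote_addrs": ["54.188.208.203"],
    "local": {"id": "35.198.209.242", "auth": "psk"},
    "remote": {"id": "54.188.208.203", "auth": "psk"},
    "children": {"net-10_30_102_0_24-100_126_0_0_24": {
        "local_ts": ["10.30.102.0/24"], "remote_ts": ["100.126.0.0/24"],
        "esp_proposals": ["aes256-sha1-modp1024"], "rekey_time": 3600,
        "start_action": "start", "dpd_action": "start"}}}}}

# What the CloudGuard Connect site page requires (Phase 1/2 properties quoted earlier):
# IKEv2, AES-256, SHA-1, DH group 2 (modp1024), IKE rekey 24 h, IPsec rekey 1 h, DPD on.
CLOUDGUARD = {"ike_version": 2, "enc": "aes256", "integ": "sha1", "dh": "modp1024",
              "ike_rekey_max": 24 * 3600, "esp_rekey_max": 3600,
              "test_ips": ["100.126.0.4", "100.126.0.5"]}  # ping targets from the site page

def parse_proposal(proposal):
    """'aes256-sha1-modp1024' -> ('aes256', 'sha1', 'modp1024'); the DH part may be absent."""
    parts = proposal.split("-")
    return parts[0], parts[1], (parts[2] if len(parts) > 2 else None)

def check_connection(cfg, req=CLOUDGUARD):
    """Compare a strongSwan-style connection dict against the peer's stated requirements.
    Returns a list of findings; an empty list means the two sides line up."""
    findings = []
    for name, conn in cfg.get("connections", {}).items():
        if conn.get("version") != req["ike_version"]:
            findings.append(f"{name}: IKE version {conn.get('version')}, peer expects IKEv{req['ike_version']}")
        if "dpd_delay" not in conn:
            findings.append(f"{name}: DPD not enabled (no dpd_delay)")
        # IKEv2 lifetimes are not negotiated; keeping ours <= the peer's means we rekey first
        if conn.get("rekey_time", 0) > req["ike_rekey_max"]:
            findings.append(f"{name}: IKE rekey_time {conn['rekey_time']}s exceeds peer's {req['ike_rekey_max']}s")
        for p in conn.get("proposals", []):
            if parse_proposal(p) != (req["enc"], req["integ"], req["dh"]):
                findings.append(f"{name}: IKE proposal {p} does not match {req['enc']}-{req['integ']}-{req['dh']}")
        for cname, child in conn.get("children", {}).items():
            if child.get("rekey_time", 0) > req["esp_rekey_max"]:
                findings.append(f"{cname}: IPsec rekey_time {child['rekey_time']}s exceeds peer's {req['esp_rekey_max']}s")
            for p in child.get("esp_proposals", []):
                enc, integ, dh = parse_proposal(p)
                if (enc, integ) != (req["enc"], req["integ"]) or (dh and dh != req["dh"]):
                    findings.append(f"{cname}: ESP proposal {p} does not match the peer's phase 2 settings")
            # Policy-based tunnel: the remote traffic selector must cover the peer's test addresses
            remote_nets = [ipaddress.ip_network(n) for n in child.get("remote_ts", [])]
            for ip in req["test_ips"]:
                if not any(ipaddress.ip_address(ip) in n for n in remote_nets):
                    findings.append(f"{cname}: test address {ip} is outside remote_ts {child.get('remote_ts')}")
    return findings

if __name__ == "__main__":
    print(check_connection(SHOW_CONFIG) or "configuration matches the CloudGuard site settings")
```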

show security policy details

100.126.0.0/24[any] 10.30.102.0/24[any] 255
    in prio high + 1073366401 ipsec
    esp/tunnel/54.188.208.203-10.30.102.4/unique:4
    created: Jun 17 21:24:03 2020  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=448 seq=3 pid=16164
    refcnt=1
10.30.102.0/24[any] 100.126.0.0/24[any] 255
    out prio high + 1073366401 ipsec
    esp/tunnel/10.30.102.4-54.188.208.203/unique:4
    created: Jun 17 21:24:03 2020  lastused: Jun 17 22:04:44 2020
    lifetime: 0(s) validtime: 0(s)
    spid=465 seq=1 pid=16164
    refcnt=1


Deployment Details with Aviatrix S2C GW in HA Mode

Here we have deployed two S2C GWs to provide HA. This is the production deployment setup, because both Aviatrix and Check Point recommend multiple tunnels for HA.

Deploy Second Aviatrix S2C Gateway

From the Aviatrix Controller Gateway page, enable the HA option. This automatically deploys the second S2C gateway.

[15:35:09] Starting to create GW avx-s2c-gw-gc-sin-hagw.
[15:35:10] Connected to GCE.
[15:35:13] Project check complete.
[15:35:14] License check is complete.
[15:35:23] Updating IGW for new gateway...
[15:35:24] Launching compute instance in GCE....
[15:36:28] GCE compute instance created successfully.
[15:36:28] Updating DB.
[15:36:28] Added GW info to Database.
[15:36:29] avx-s2c-gw-gc-sin-hagw AVX SQS Queue created.
[15:36:29] Creating Keys.
[15:37:03] Initializing GW.....
[15:37:04] Copy configuration to GW avx-s2c-gw-gc-sin-hagw done.
[15:37:06] Copy new software to GW avx-s2c-gw-gc-sin-hagw done.
[15:37:08] Copy misc new software to GW avx-s2c-gw-gc-sin-hagw done.
[15:37:09] Copy scripts to GW avx-s2c-gw-gc-sin-hagw done.
[15:37:09] Copy sdk to GW avx-s2c-gw-gc-sin-hagw done.
[15:37:25] Copy libraries to GW avx-s2c-gw-gc-sin-hagw done.
[15:37:25] Installing software ....
[15:37:27] Issuing certificates ...
[15:37:38] Issue certificates done
[15:37:49] GW software started.
[15:38:15] Software Installation done.
[15:38:18] Run self diagnostics done.

Create New S2C Connection

From Aviatrix Controller --> Site2Cloud --> Setup --> Create New Connection

This time all the other information remains the same; just enable the HA option as shown in the diagram below.

Click on the following diagram to see the details.

If you click on Edit, you can see more details about this connection.

Security Association

Tunnel #1

Tunnel #2

IKE Version: 2
Connection Type: unmapped
DPD config: enable
BGP status: disabled
Insane mode: disabled on primary tunnel, disabled on backup tunnel
Load balancing: undefined
Local Subnet: 10.30.102.0/24
Remote Subnet: 100.126.0.0/24
Phase 1 Authentication: SHA-1
Phase 2 Authentication: HMAC-SHA-1
Phase 1 DH Groups: 2
Phase 2 DH Groups: 2
Phase 1 Encryption: AES-256-CBC
Phase 2 Encryption: AES-256-CBC
Tunnel Type: Site2Cloud_Policy

CloudGuard Connect still shows the warning; not sure why. You can ignore it for now.

Verification Testing

The ping test to CloudGuard shows both tunnels are up.

The following traceroute shows that packets take two different tunnels depending on the tunnel interface.

[shahzad_aviatrix_com@spk1-vm1-gc-sin ~]$ traceroute 100.126.0.4
traceroute to 100.126.0.4 (100.126.0.4), 30 hops max, 60 byte packets

1 avx-s2c-gw-gc-sin.c.shahzad-aviatrix.internal (10.30.102.4) 1.555 ms avx-s2c-gw-gc-sin-hagw.c.shahzad-aviatrix.internal (10.30.102.5) 1.351 ms avx-s2c-gw-gc-sin.c.shahzad-aviatrix.internal (10.30.102.4) 1.409 ms
2 100.66.135.21 (100.66.135.21) 171.648 ms 171.653 ms 100.66.148.118 (100.66.148.118) 170.247 ms

[shahzad_aviatrix_com@spk1-vm1-gc-sin ~]$
[shahzad_aviatrix_com@spk1-vm1-gc-sin ~]$ traceroute 100.126.0.5

traceroute to 100.126.0.5 (100.126.0.5), 30 hops max, 60 byte packets

1 avx-s2c-gw-gc-sin-hagw.c.shahzad-aviatrix.internal (10.30.102.5) 1.426 ms avx-s2c-gw-gc-sin.c.shahzad-aviatrix.internal (10.30.102.4) 1.287 ms avx-s2c-gw-gc-sin-hagw.c.shahzad-aviatrix.internal (10.30.102.5) 1.388 ms
2 100.66.148.118 (100.66.148.118) 171.372 ms 100.66.135.21 (100.66.135.21) 171.838 ms 100.66.148.118 (100.66.148.118) 171.381 ms

[shahzad_aviatrix_com@spk1-vm1-gc-sin ~]$

Improvements

Disclaimer: Planned roadmap

  • We will work on providing a drop-down so that customers can connect easily
  • The Check Point team is also looking into providing a drop-down for the Aviatrix gateway on their side
  • Aviatrix to support FQDN-based IPsec destinations