Configuring Check Point Redundant IPsec Tunnel (2025)

  • Updated on 23 May 2025

    Introduction

    This topic explains how to establish a redundant pair of Site-to-Site IPsec VPN tunnels between your Harmony SASE network and a Check Point Quantum gateway cluster: one tunnel from each Harmony SASE gateway to each Quantum gateway, with BGP running over VPN tunnel interfaces (VTIs) so that traffic moves to the surviving tunnel when one goes down. Part 1 covers SmartConsole and the Gaia Portal; Part 2 covers the Harmony SASE Administrator Portal.

    Pre-requisites

    • Harmony SASE Administrator Portal account.
    • Device with the Harmony SASE Agent installed (used to verify the setup).
    • Administrator access to the Check Point firewall, the router, and the cloud management portal.
    • A cluster of two Quantum gateways, each with a public IP address.
    • Two Harmony SASE gateways in the network, one per tunnel.
    • ISP Redundancy on the Quantum gateways is not supported with this configuration (Check Point issue PMTR-68991).

    Part 1 - Configuration in SmartConsole

    Step 1: Creating Interoperable Device Object in the Check Point SmartConsole

    1. Log in to the Check Point SmartConsole.
    2. Click Security Policies.
    3. In the Objects pane, click New and select More > Network Object > More > Interoperable Device.
      The Interoperable Device window appears.
    4. In the Name field, enter a name for the Harmony SASE gateway, for example, Harmony_SASE_Gateway.
    5. In the IPv4 Address field, enter the Harmony SASE gateway public IP address.
      To find the Harmony SASE gateway public IP address:
      1. Access the Harmony SASE Administrator Portal and click Networks.
      2. Select the network.
      3. Go to the Gateways section; the public IP address of each gateway is listed there. Note the public IP of both gateways, because each one gets its own tunnel and its own Interoperable Device object.
    6. Click OK.
    7. Click the menu icon in the top left corner of the page.
    8. Select Global properties.
    9. Go to VPN > Advanced.
    10. Select the Enable VPN Directional Match in VPN Column checkbox.
    11. Click OK.
    12. Select the cluster from the table.
    13. Click General Properties.
    14. Select the IPSec VPN checkbox.
    15. Click Network Management.
    16. Click Get Interfaces.
    17. Select Get Interfaces With Topology.
      A confirmation window appears.
    18. Click Yes.
    19. Double-click Cluster Member 1.
    20. In the IPv4 Address field, enter the Harmony SASE gateway public IP address.
    21. To find the Harmony SASE gateway public IP address, see step 5.
    22. Click Modify.
    23. In the Anti-Spoofing section, clear the Perform Anti-Spoofing based on interface topology checkbox.

      Note:

      Clearing this checkbox removes a control from that interface. If your policy allows, keep anti-spoofing enabled and add an exception for the Harmony SASE subnet instead (see sk151774, referenced in Step 2).

    24. Click OK.
    25. Click OK.
    26. Repeat steps 19 through 25 for Cluster Member 2.
    27. Go to IPSec VPN > Link Selection.
    28. Select the Statically NATed IP checkbox and enter the public IP address of this cluster, that is, the address the Harmony SASE gateways send IKE and IPsec traffic to (the same value you enter later as Remote Public IP in the Harmony SASE Administrator Portal).
    29. Click Source IP address settings.
      The Link Selection - Source IP Address Settings window appears.
    30. Select Manual and then select the Selected address from topology table option.
    31. From the list, select the cluster's private IP address (the address that is statically NATed to the public one).
    32. Click OK.
    33. Click OK.
    34. Publish and install the policy.

    Step 2: Adding Harmony SASE Gateway IP Address and Remote Subnet To The Interoperable Device Object

    1. Log in to the Harmony SASE Administrator Portal.
    2. Click Networks.
    3. Verify the assigned network:
      1. Select the network, scroll to the end of the row, and click the menu icon.
      2. Select Edit Network.
      3. In the Edit Network section, check the Subnet field to verify the assigned network. The default value is 10.255.0.0/16; if yours differs, use your own subnet in the steps below.
    4. Open the Interoperable Device object that you created.
    5. Click Topology > New.
    6. In the General tab, enter these:
      1. Name – Name of the topology interface, for example, Harmony SASE Network.
      2. IP Address – 10.255.0.0 (the network address of the subnet verified in step 3)
      3. Net Mask – 255.255.0.0
    7. In the Topology tab, select Internal (leads to the local network) and then select Network defined by the interface IP and Net Mask.

      Note:

      If the gateway is configured with an interface topology that includes a network range or a group overlapping with the encryption domain of the remote VPN peer, incoming decrypted traffic may be seen as coming from the wrong interface. This could trigger anti-spoofing measures, causing traffic to be dropped. To create an anti-spoofing exception, see sk151774.


    8. Click OK.
    9. In the VPN Domain section, select User defined and click the add icon.
    10. Click New and go to Group > Simple Group.
      The New Network Group window appears.
    11. In the Enter Object Name field, enter a name, for example, HSASE_VTI, and click OK.
    12. Repeat Step 1 (steps 1 to 6) and Step 2 for the second Harmony SASE gateway, creating a second Interoperable Device object with that gateway's public IP address.
    13. Publish and install the policy.

    Step 3: Creating VPN Star community

    1. Log in to the Check Point SmartConsole.
    2. Click Security Policies.
    3. Go to Access Tools > VPN Communities.
    4. Click New and go to More > VPN Community > Star Community.
      The New Star Community window appears.
    5. In the Enter Object Name field, enter an object name for the VPN Star Community, for example, Harmony_SASE_VPN.
    6. In the Center Gateways section, click the add icon and add the Check Point cluster.
      The cluster is added to the table.
      1. Double-click the cluster in the table.
      2. In the VPN Domain section, select the Override checkbox and from the list, select the allow-all VPN group.
      3. In the Interfaces section, select the Override checkbox and click the add icon.
        The Interface Settings window appears.
      4. Specify these:
        1. External Interface - The cluster's external interface.
        2. Static NAT IP Address - The public IP address of the cluster (the address entered as Statically NATed IP in Link Selection, Step 1).
      5. Click OK.
      6. Click OK.
    7. In the Satellite Gateways section, click the add icon and add the Interoperable Device object created for the first Harmony SASE gateway. See Step 1.
      1. From the table, double-click that Interoperable Device object.
      2. In the VPN Domain section, select the Override checkbox and from the list, select the allow-all VPN group.
      3. In the Interfaces section, select the Override checkbox and click the add icon.
        The Interface Settings window appears.
      4. Specify these:
        1. External Interface
        2. Static NAT IP Address - The public IP address of that Harmony SASE gateway.
      5. Click OK.
      6. Click OK.
      7. The Interoperable Device object of the second Harmony SASE gateway goes into the second Star community (step 19 below), not into this one.
    8. Go to Shared Secret and click the edit icon to edit the shared key.
    9. In the Enter secret field, enter an appropriate key.

      Notes:

      • Check Point recommends that the shared secret is at least 20 characters long; use a randomly generated value rather than a word or phrase.
      • Copy the key; you need it for Tunnel 1 when configuring the IPsec tunnel in the Harmony SASE Administrator Portal. The second Star community gets its own secret.
    10. Click OK.
    11. From the left navigation pane, click Encryption and do these:
      1. In the Encryption Settings section, from the Encryption Method list, select IKEv2 only.
      2. In the Encryption Suite section, select Custom encryption suite.
      3. In the IKE Security Association (Phase 1) section:
        1. From the Encryption Algorithm list, select AES-256.
        2. From the Data Integrity list, select SHA256.
        3. From the Diffie Hellman group list, select Group 14 (2048 bit).
      4. In the IPsec Security Association (Phase 2) section:
        1. From the Encryption Algorithm list, select AES-256.
        2. From the Data Integrity list, select SHA256.
        3. Select Use Perfect Forward Secrecy.
        4. From the Diffie Hellman group list, select Group 14 (2048 bit).
    12. Go to Tunnel Management.
    13. In the VPN Tunnel Sharing section, select One VPN tunnel per Gateway pair.

      Note:

      The subnets reachable through this community must be the same ones you enter as routes in the Harmony SASE Administrator Portal (Part 2, Step 1). A mismatch can disconnect the tunnel.

    14. Go to Advanced.
    15. In the IKE (Phase 1) section, set the Renegotiate IKE security associations every (minutes) field to 480 (8 hours, matching the IKE Lifetime set later in the Harmony SASE portal).
    16. In the IPsec (Phase 2) section, set the Renegotiate IPsec security associations every (seconds) field to 3600 (1 hour, matching the Tunnel Lifetime set later in the portal).
    17. Click OK.
    18. In the Properties section, select the Disable NAT inside the VPN community checkbox and from the list, select Both center and satellite gateways.
    19. Repeat Step 3 to create the second Star community for the second tunnel: the same cluster as center gateway, the Interoperable Device object of the second Harmony SASE gateway as satellite, the same encryption and lifetime settings, and its own shared secret.
    20. Publish and install the policy.
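
    The settings in Step 3 have to agree with the Advanced Settings entered later in the Harmony SASE portal (Part 2, Step 1), but the two user interfaces express them differently: minutes versus hours, "AES-256" versus "aes256", "Group 14 (2048 bit)" versus "14". The script below is an added example (not part of this article and not Check Point tooling) that normalizes both descriptions and reports every field that differs. The two dictionaries are constructed from the article's values; a copy with a 1440-minute IKE lifetime is compared as well to show what a mismatch report looks like.

```python
"""Normalize the IKE/IPsec settings as SmartConsole and the Harmony SASE
portal label them and report every field that differs.
Added example, not part of the article or of Check Point's tooling."""

import copy
import re

# What Step 3 sets on the Star community (constructed from the article's values).
SMARTCONSOLE = {
    "encryption_method": "IKEv2 only",
    "phase1": {"encryption": "AES-256", "integrity": "SHA256", "dh_group": "Group 14 (2048 bit)"},
    "phase2": {"encryption": "AES-256", "integrity": "SHA256", "pfs": True,
               "dh_group": "Group 14 (2048 bit)"},
    "ike_lifetime_minutes": 480,
    "ipsec_lifetime_seconds": 3600,
}

# What Part 2, Step 1 sets under Advanced Settings (constructed from the article's values).
HARMONY_SASE = {
    "ike_version": "V2", "ike_lifetime": "8h", "tunnel_lifetime": "1h",
    "encryption_phase1": "aes256", "encryption_phase2": "aes256",
    "integrity_phase1": "sha256", "integrity_phase2": "sha256",
    "dh_phase1": "14", "dh_phase2": "14",
}

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def duration_seconds(value):
    """'8h', '90m', '3600s' or a bare number of seconds -> seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", str(value))
    if not m:
        raise ValueError(f"unparseable lifetime: {value!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2) or "s"]


def canon_algorithm(name):
    """'AES-256' and 'aes256' -> 'aes256'; 'SHA256' and 'sha-256' -> 'sha256'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def canon_dh_group(name):
    """'Group 14 (2048 bit)' and '14' -> 14 (the first number is the group id)."""
    m = re.search(r"\d+", str(name))
    if not m:
        raise ValueError(f"no DH group number in {name!r}")
    return int(m.group())


def smartconsole_view(cfg):
    """SmartConsole labels reduced to one comparable form."""
    p1, p2 = cfg["phase1"], cfg["phase2"]
    return {
        "ike_version": "2" if "ikev2" in canon_algorithm(cfg["encryption_method"]) else "1",
        "ike_lifetime_s": cfg["ike_lifetime_minutes"] * 60,   # this UI takes minutes
        "ipsec_lifetime_s": cfg["ipsec_lifetime_seconds"],     # this UI takes seconds
        "p1_enc": canon_algorithm(p1["encryption"]),
        "p1_int": canon_algorithm(p1["integrity"]),
        "p1_dh": canon_dh_group(p1["dh_group"]),
        "p2_enc": canon_algorithm(p2["encryption"]),
        "p2_int": canon_algorithm(p2["integrity"]),
        # Without Perfect Forward Secrecy no Phase 2 DH group is used at all.
        "p2_dh": canon_dh_group(p2["dh_group"]) if p2.get("pfs") else None,
    }


def harmony_view(cfg):
    """Harmony SASE portal labels reduced to the same comparable form."""
    return {
        "ike_version": re.sub(r"\D", "", cfg["ike_version"]),   # 'V2' -> '2'
        "ike_lifetime_s": duration_seconds(cfg["ike_lifetime"]),
        "ipsec_lifetime_s": duration_seconds(cfg["tunnel_lifetime"]),
        "p1_enc": canon_algorithm(cfg["encryption_phase1"]),
        "p1_int": canon_algorithm(cfg["integrity_phase1"]),
        "p1_dh": canon_dh_group(cfg["dh_phase1"]),
        "p2_enc": canon_algorithm(cfg["encryption_phase2"]),
        "p2_int": canon_algorithm(cfg["integrity_phase2"]),
        "p2_dh": canon_dh_group(cfg["dh_phase2"]),
    }


def compare_proposals(smartconsole, harmony):
    """List of (field, smartconsole_value, harmony_value) that differ; empty means consistent."""
    a, b = smartconsole_view(smartconsole), harmony_view(harmony)
    return [(k, a[k], b[k]) for k in a if a[k] != b[k]]


def with_ike_lifetime(cfg, minutes):
    """Copy of a SmartConsole config with another IKE lifetime, used to show a mismatch."""
    out = copy.deepcopy(cfg)
    out["ike_lifetime_minutes"] = minutes
    return out


if __name__ == "__main__":
    print("article values:", compare_proposals(SMARTCONSOLE, HARMONY_SASE))
    print("24h IKE lifetime:", compare_proposals(with_ike_lifetime(SMARTCONSOLE, 1440), HARMONY_SASE))
```

    In IKEv2 the lifetimes are not negotiated, so a lifetime mismatch does not stop the tunnel from coming up; each side simply rekeys on its own timer, which is why the article pairs 480 minutes with 8h and 3600 seconds with 1h. Algorithm and DH group mismatches, by contrast, fail the negotiation outright.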

    Step 4: Additional settings in Check Point SmartConsole

    1. To set up a Check Point firewall policy, add a rule for VPN traffic for the specific VPN Domain in the Check Point SmartConsole.

      In the example policy, traffic is allowed from the Harmony SASE network 10.255.0.0/16 to specific destinations and services. Use your own subnet if you changed the default during Harmony SASE network creation. For testing, start with a rule that allows any/any, or at least ping, from the Harmony SASE network, and make the policy more restrictive once the tunnel is verified. Because both sides of the tunnel use allow-all VPN domains, this rulebase is what actually limits what Harmony SASE users can reach, so do not leave the test rule in place.
    2. Publish and install the policy.
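
    Step 4 describes a broad rule for bring-up that is later narrowed. The script below, an added example that is not the article's or Check Point's code, expresses that as two rule sets pushed through the Check Point Management API; login, add-access-rule, publish, install-policy and logout are the standard API commands, while the object name Harmony_SASE_Network, the layer name Network, the predefined icmp-proto service, the policy package standard and the install target Harmony_Cluster are assumptions to replace with your own. Without MGMT_HOST, MGMT_USER and MGMT_PASS in the environment it only builds the request bodies.

```python
"""Push the Step 4 access rules through the Check Point Management API.
Added example, not the article's or Check Point's code. Object, layer,
package and target names are assumptions to replace with your own."""

import json
import os
import ssl
import urllib.request

SASE_NETWORK = "Harmony_SASE_Network"   # assumed name of the 10.255.0.0/16 object


def access_rule(name, source, destination, service,
                layer="Network", position="top", action="Accept"):
    """Body for the add-access-rule command; logging every match keeps the
    bring-up phase observable and the production rules auditable."""
    return {
        "layer": layer, "position": position, "name": name,
        "source": source, "destination": destination, "service": service,
        "action": action, "track": {"type": "Log"},
    }


def test_phase_rule(sase_network=SASE_NETWORK):
    """Broad rule for bring-up: ping from the SASE subnet to anything."""
    return access_rule("SASE bring-up - ping", [sase_network], ["Any"], ["icmp-proto"])


def production_rules(targets, sase_network=SASE_NETWORK):
    """Narrow rules that replace the bring-up rule: one per (destination, service)."""
    return [access_rule(f"SASE to {dst} ({svc})", [sase_network], [dst], [svc])
            for dst, svc in targets]


class MgmtApi:
    """Minimal Management API client. The CA that signed the management
    server's certificate must be trusted by Python; do not turn verification off."""

    def __init__(self, host):
        self.base = f"https://{host}/web_api/"
        self.sid = None

    def call(self, command, body):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        req = urllib.request.Request(self.base + command, data=json.dumps(body).encode(),
                                     headers=headers)
        with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
            return json.loads(resp.read())

    def login(self, user, password):
        self.sid = self.call("login", {"user": user, "password": password})["sid"]

    def logout(self):
        self.call("logout", {})


def apply_rules(api, rules, package="standard", targets=("Harmony_Cluster",)):
    """Add each rule, publish the session, then install the access policy."""
    for rule in rules:
        api.call("add-access-rule", rule)
    api.call("publish", {})
    return api.call("install-policy",
                    {"policy-package": package, "targets": list(targets), "access": True})


if __name__ == "__main__":
    rules = [test_phase_rule()]   # swap for production_rules([...]) once the tunnel works
    host = os.environ.get("MGMT_HOST")
    if host:
        api = MgmtApi(host)
        api.login(os.environ["MGMT_USER"], os.environ["MGMT_PASS"])
        try:
            print(json.dumps(apply_rules(api, rules), indent=2))
        finally:
            api.logout()
    else:
        print(json.dumps(rules, indent=2))
```

    When you switch to production_rules, delete the bring-up rule in the same session before publishing, so the policy package never goes through a state with both.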

    Step 5: Configuring VPN Tunnel Interface and BGP Configuration

    1. Log in to the Check Point Gaia Portal of the first Check Point Gateway.
    2. Click Network Interfaces.
    3. From the Add list, select VPN Tunnel.
      The Add VPN Tunnel page appears.
    4. Enter these:
      1. VPN Tunnel ID - Select a unique ID.
      2. Peer - Name of the Interoperable Device object created for the first Harmony SASE gateway.
      3. VPN Tunnel Type - Numbered
      4. Local Address - The Quantum gateway's end of the tunnel: one of the two host addresses of a 169.254.x.x/30 range.
      5. Remote Address - The Harmony SASE gateway's end of the tunnel: the other host address of the same /30.
    5. Click OK.
    6. Click Network Interfaces, Add > Loopback.
    7. Select Use the following IPv4 address.
    8. In the IPv4 field, enter the Local Address from step 4 and click OK.
    9. Go to Advanced Routing and select BGP. Note the Local AS Number and Router ID configured for this gateway; you enter them later in the Harmony SASE portal as Remote Gateways ASN and Remote ID.
    10. In the Peer Groups section, click Add.
    11. Enter these:
      1. Peer AS Number - The AS number of the Harmony SASE network (65000 unless you set a different value in the Harmony SASE portal under Shared Settings, Part 2 Step 1).
      2. Peer Group Type - External
      3. Local Address - The Local Address entered in the VTI configuration, step 4.
    12. Click Add Peers.
    13. Enter these:
      1. In the Peer field, enter the Remote Address set under the VTI configuration in step 4 and click Show Advanced Settings.
      2. Select the Graceful Restart checkbox.
      3. Select the eBGP Multihop checkbox and click Save.

        Note:

        Without Multihop enabled, the BGP session cannot be established.

    14. From the View mode list, select Advanced Routing and click Inbound Route Filter.
    15. From the Add list, select Add BGP Policy Filter (Based on AS).
      The Add BGP Policy Filter based on AS window appears.
    16. Specify these:
      1. Add BGP Policy - Set a number from the available range
      2. AS Number - The AS number of the Harmony SASE network
      3. Action - Accept
    17. Click Save.
    18. From the View mode list, select Advanced Routing and click Route Redistribution.
    19. From the list, select Add Redistribution From.
    20. Select Static, so that the gateway's static routes to your internal networks are advertised to the Harmony SASE gateway over BGP.

      Note:

      For BGP, no routes are accepted from a peer by default. You must configure an explicit Inbound BGP Route Filter to accept a BGP route from a peer.

    21. Repeat steps 1 through 20 on the second Check Point gateway for the second Harmony SASE gateway. Use a different 169.254.x.x/30 range for the local and remote addresses of the second VTI.

    Part 2 - Configuration in Harmony SASE Administrator Portal

    Step 1 : Configuring Tunnel and Routes Table

    1. Access the Harmony SASE Administrator Portal and click Networks.
    2. Select the network.
    3. Click the menu icon.
    4. Select Add Tunnel for the gateway from which you want to add the IPSec Site-2-Site VPN tunnel.
      1. Click IPSec Site-2-Site Tunnel and click Continue.
      2. Click Redundant Tunnels and click Continue.
      3. In the Tunnel name field, enter a logical name.
      4. Expand Tunnel 1 and specify these:
        • Shared Secret – The value set on the first Star community.
        • Harmony SASE Gateway Internal IP - The Remote Address entered in the first Quantum gateway's VTI settings (the Harmony SASE end of that /30).
        • Remote Public IP - The public IP of the first Quantum gateway.
        • Remote Gateway Internal IP - The Local Address entered in the first Quantum gateway's VTI settings.
        • Remote Gateways ASN - The Local AS number of the first Quantum gateway.
        • Remote ID - The Router ID of the first Quantum gateway, from its BGP settings.
      5. Expand Tunnel 2 and specify these:
        • Gateway - Select the second Harmony SASE gateway for the tunnel.
        • Shared Secret - The value set on the second Star community.
        • Harmony SASE Gateway Internal IP - The Remote Address entered in the second Quantum gateway's VTI settings.
        • Remote Public IP - The public IP of the second Quantum gateway.
        • Remote Gateway Internal IP - The Local Address entered in the second Quantum gateway's VTI settings.
        • Remote Gateways ASN - The Local AS number of the second Quantum gateway.
        • Remote ID - The Router ID of the second Quantum gateway, from its BGP settings.
      6. Expand Shared Settings and specify these:
        • Harmony SASE Gateway Proposal Subnets - Leave Any (0.0.0.0/0) selected.
        • Remote Gateway Proposal Subnets - Leave Any (0.0.0.0/0) selected.
        • Autonomous System Number (ASN) - The default is 65000; if you use another value, it must be the same AS number you configured as Peer AS Number on the Quantum gateways.
      7. In the Advanced Settings section, specify these (they must match the Star community settings from Part 1, Step 3):
        • IKE Version: V2
        • IKE Lifetime: 8h (480 minutes in SmartConsole)
        • Tunnel Lifetime: 1h (3600 seconds in SmartConsole)
        • Dead Peer Detection Delay: 10s
        • Dead Peer Detection Timeout: 30s
        • Encryption (Phase 1): aes256
        • Encryption (Phase 2): aes256
        • Integrity (Phase 1): sha256
        • Integrity (Phase 2): sha256
        • Diffie-Hellman Groups (Phase 1): 14
        • Diffie-Hellman Groups (Phase 2): 14
      8. Click Add Tunnel.
    5. Select Routes Table:
      1. Click Add Route.
        The Add Route window appears.
      2. Enter all the subnets on the remote side of the tunnel (the networks behind the Quantum cluster that Harmony SASE users must reach) and then click Add Route.

        Note:

        Make sure that in the Tunnel list, you have selected the tunnel name entered above, so that the routes use the redundant pair.
    6. Click Apply Configuration.
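
    Step 5 of Part 1 and the tunnel form above refer to the same four 169.254.x.x addresses from opposite sides, which is where redundant setups usually go wrong: the Quantum gateway's VTI Local Address becomes the portal's Remote Gateway Internal IP, and its Remote Address becomes the Harmony SASE Gateway Internal IP. The script below is an added example, not part of the article or of Check Point's tooling. It derives both ends of each /30, assembles the values to enter in Gaia and in the portal, and rejects plans that reuse a /30 for both tunnels, use a prefix that is not a /30 inside 169.254.0.0/16, use a shared secret shorter than the 20 characters Check Point recommends, or give the Quantum gateway the same AS number as the Harmony SASE network (an External peer group needs them to differ). The public IPs, AS numbers, router IDs, object names and secrets are constructed placeholders.

```python
"""Address plan for the two redundant VTIs and the matching Harmony SASE
tunnel fields. Added example, not from the article or Check Point; every
public IP, AS number, router ID, name and secret below is a constructed placeholder."""

import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
SASE_ASN = 65000            # Harmony SASE default ASN (Part 2, Shared Settings)
MIN_SECRET_LEN = 20         # Check Point's recommended minimum (Part 1, Step 3)

SAMPLE_TUNNELS = [          # constructed placeholders, not real addresses
    {"vti_cidr": "169.254.10.0/30", "peer_object": "Harmony_SASE_Gateway_1",
     "sase_gateway": "sase-gw-1", "quantum_public_ip": "203.0.113.10",
     "quantum_asn": 65010, "quantum_router_id": "203.0.113.10",
     "shared_secret": "placeholder-secret-1-change-me-please"},
    {"vti_cidr": "169.254.20.0/30", "peer_object": "Harmony_SASE_Gateway_2",
     "sase_gateway": "sase-gw-2", "quantum_public_ip": "203.0.113.11",
     "quantum_asn": 65010, "quantum_router_id": "203.0.113.11",
     "shared_secret": "placeholder-secret-2-change-me-please"},
]


def vti_pair(cidr):
    """Both ends of one VTI link. A /30 has exactly two host addresses; the
    Quantum gateway takes the first, the Harmony SASE gateway the second."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen != 30 or not net.subnet_of(LINK_LOCAL):
        raise ValueError(f"{cidr}: need a /30 inside {LINK_LOCAL}")
    quantum_local, sase_remote = net.hosts()
    return str(quantum_local), str(sase_remote)


def plan_problems(tunnels, sase_asn=SASE_ASN):
    """Checks the article states or implies; an empty list means the plan is usable."""
    problems = []
    if len(tunnels) != 2:
        problems.append("a redundant setup needs exactly two tunnels")
    cidrs = [t["vti_cidr"] for t in tunnels]
    if len(set(cidrs)) != len(cidrs):
        problems.append("each tunnel needs its own 169.254.x.x/30 (Part 1, Step 5, step 21)")
    for t in tunnels:
        try:
            vti_pair(t["vti_cidr"])
        except ValueError as e:
            problems.append(str(e))
        if len(t["shared_secret"]) < MIN_SECRET_LEN:
            problems.append(f"{t['peer_object']}: shared secret shorter than {MIN_SECRET_LEN} characters")
        if t["quantum_asn"] == sase_asn:
            problems.append(f"{t['peer_object']}: Quantum AS equals the Harmony SASE AS; "
                            "an External peer group needs different AS numbers")
    return problems


def plan_redundant_tunnels(tunnels, sase_asn=SASE_ASN):
    """Per tunnel: what to enter in Gaia (VTI and BGP peer) and in the portal."""
    problems = plan_problems(tunnels, sase_asn)
    if problems:
        raise ValueError("; ".join(problems))
    plan = []
    for n, t in enumerate(tunnels, 1):
        quantum_local, sase_remote = vti_pair(t["vti_cidr"])
        plan.append({
            "tunnel": n,
            "gaia_vti": {"peer": t["peer_object"], "type": "Numbered",
                         "local_address": quantum_local, "remote_address": sase_remote},
            "gaia_bgp_peer": {"peer_as": sase_asn, "peer_group_type": "External",
                              "local_address": quantum_local, "peer": sase_remote,
                              "ebgp_multihop": True},
            # The portal fields are the VTI addresses seen from the other side.
            "harmony_sase_tunnel": {
                "Gateway": t["sase_gateway"],
                "Shared Secret": t["shared_secret"],
                "Harmony SASE Gateway Internal IP": sase_remote,
                "Remote Public IP": t["quantum_public_ip"],
                "Remote Gateway Internal IP": quantum_local,
                "Remote Gateways ASN": t["quantum_asn"],
                "Remote ID": t["quantum_router_id"],
            },
        })
    return plan


if __name__ == "__main__":
    for entry in plan_redundant_tunnels(SAMPLE_TUNNELS):
        print(entry)
```

    Print the plan once and enter the values from it on both sides rather than deriving them by hand a second time; the portal's Remote ID must be the router ID the Quantum gateway actually uses, so copy it from the Gaia BGP page instead of assuming it equals the public IP as the placeholders do.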

    Step 2: Verifying the Setup

    Once you complete the above steps, your tunnel should be active.

    1. Verify the setup in the Harmony SASE Administrator Portal:
      1. Click Networks.
      2. Locate the tunnel you created, and check the tunnel status.
        It should indicate that the tunnel is Up, signifying a successful connection.
    2. Verify the setup in the Harmony SASE Agent:
      1. Connect to your network using the Harmony SASE Agent.
      2. Access one of the resources in your environment.

    Troubleshooting

    If the tunnel does not come up or the BGP session does not establish, check the items that must agree across the two configurations, tunnel by tunnel: the shared secret (each Star community has its own), the public IP addresses on both sides, the 169.254.x.x/30 addresses (the Quantum gateway's VTI Local Address is the portal's Remote Gateway Internal IP, and its Remote Address is the Harmony SASE Gateway Internal IP), the AS numbers and router IDs, the IKE and IPsec lifetimes (480 minutes and 3600 seconds in SmartConsole, 8h and 1h in the portal), the encryption, integrity and Diffie-Hellman settings, eBGP Multihop and the inbound route filter on the Gaia side, the access rule from Part 1, Step 4, and anti-spoofing drops caused by the cluster interface topology. Also confirm that the routes in the portal's Routes Table are bound to the redundant tunnel and that the policy was published and installed after every change. If issues persist, please consult our dedicated support.

    If you have any difficulties or questions, contact Harmony SASE's support team. We offer 24/7 chat support on our website at Perimeter81.com, or you can email us at sase-support@checkpoint.com.

    Author: Terrell Hackett
