Setting Up A VPN On Checkpoint Router


Description:

If you ever want to connect to your work network over a VPN (Virtual Private Network) so you can work from home, follow this guide. The other setups covered are network-to-network VPNs and mesh VPNs for multiple networks. Note: You will need a static IP address for this to work long term. This usually costs extra and must be purchased from your ISP.

Client VPN: Individual Users To A Network

Rules:

  • Some configuration will need to be done on the remote computer
  • Static public IP address
  • No duplicate LAN schemes

  1. For Checkpoint routers, the first thing you do is log in to the router at your work network. Do this by opening a web browser and going to the default gateway IP address or entering “my.firewall” in the website address field.

  2. Go to the “VPN” section => Check the “Allow L2TP Clients to connect”, check the “bypass firewall” option, and type a password into the Preshared key field.

  3. Go to the “Users” section => Create New User => create a username and password.

  4. Assign the user whichever rights you need and check the “VPN Remote Access” => Done.

On the remote computer:

  1. Go to “Setup a New Connection” using network connections in the control panel.

  2. Enter the “public IP address” of the network you want to connect to.

  3. Name the connection.

  4. Check the “Don’t connect now” box.

  5. Type in the same username and password for the user that you created on the router at the other end of the connection. The connection is created.

  6. Run ncpa.cpl => right click on the connection => Security tab => Advanced.
    • For Windows 7 click Security => Layer 2 Tunneling Protocol => Advanced.
    • For XP click Security => IPSec settings.
  7. Select the “Use preshared key authentication” and type in the password you created.

  8. After it’s connected, ping the router’s IP address at the remote location. Try pinging the server at the location as well. You have successfully created the VPN.

Site To Site VPN: Network To Network Connection

Rules:

  • Modem must be bridged
  • 3 total sites is the max if using Checkpoint routers
  • Static public IP
  • No duplicate LAN schemes

  1. For Checkpoint routers, the first thing you do is log in to the router at your work network. Do this by opening a web browser and going to the default gateway IP address or entering “my.firewall” in the website address field.

  2. Go to the “VPN” section => new site => site-to-site => next => Enter the destination IP of the site you want to connect to (see below) => turn on “Bypass firewall policy” => next => specify configuration => next => specify the destination IP scheme (Make sure to place a 0 in the last octet to specify the whole network. Ex: 192.168.1.0) => Skip the backup gateway => Select “Shared Secret” as the authentication method => Type your password (You only get one chance at this, so don’t get it wrong.) => Select “3DES/MD5” for both options => Uncheck the “Try to connect” option => Name the site something that makes sense (for example, the name of the network) => check the “keep this site alive” box.

    • The destination IP is the IP of the Gateway accepting the tunnel. If the modem is truly bridged these numbers will match. If the modem is semi bridged and still active on the network they will be different. For example, by default, Comcast techs do not bridge their modems on install, they put it into a “pseudo-bridged” mode with a firewall and interface still active. So you would use the “IP Address of the WAN connection” on the router => not the Public IP Address.

    • An easy way to test whether a modem is bridged is to create a rule on the router that forwards port 3389 to a computer on the network. Make sure that computer has RDP enabled (sysdm.cpl => Remote => Allow RDP Connections (less secure)). After creating the rule, try to RDP to the computer: if it works => the modem is bridged; if it doesn’t => the modem is not bridged.

[Screenshots: setting-up-a-vpn-1, setting-up-a-vpn-2]

  3. Do this at each site. Ping the remote Checkpoint router and server. Done.
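As an added example that is not part of the original guide, the following Python script checks a site-to-site plan against the rules above before anything is typed into the VPN section: it normalizes each LAN scheme to its network address (the “place a 0 in the last octet” rule, generalized here to any prefix length), flags duplicate or overlapping LAN schemes, flags a site whose public IP and router WAN IP differ (the pseudo-bridged modem case), enforces the three-site limit, and lists the destination IP and scheme each site must be given. The site names and addresses are constructed sample data.

```python
import ipaddress
from itertools import combinations

# Site-to-site limit the guide gives for Checkpoint routers.
MAX_SITES = 3


def lan_network(scheme, prefix=24):
    """Normalize a LAN scheme to its network address.

    The guide says to put a 0 in the last octet (e.g. 192.168.1.0); strict=False
    generalizes that by zeroing the host bits for any prefix length.
    """
    return ipaddress.IPv4Network(f"{scheme}/{prefix}", strict=False)


def check_plan(sites):
    """Return a list of problems with a site-to-site plan (empty list = OK).

    sites: {name: {"public": IP seen from outside, "wan": router WAN IP,
                   "lan": LAN scheme}}
    """
    problems = []
    if len(sites) > MAX_SITES:
        problems.append(f"{len(sites)} sites exceed the {MAX_SITES}-site limit; use a mesh VPN")
    nets = {name: lan_network(s["lan"]) for name, s in sites.items()}
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"duplicate LAN scheme: {a} {na} overlaps {b} {nb}")
    for name, s in sites.items():
        # A truly bridged modem leaves both addresses identical; if they differ,
        # the modem is only pseudo-bridged and the WAN IP is the one to use.
        if s["public"] != s["wan"]:
            problems.append(f"{name}: modem not fully bridged (public {s['public']} "
                            f"!= WAN {s['wan']}); use the WAN IP as the destination")
    return problems


def tunnels(sites):
    """(local site, destination IP, destination scheme) for every tunnel to enter."""
    return sorted((a, sites[b]["wan"], str(lan_network(sites[b]["lan"])))
                  for a in sites for b in sites if a != b)


# Constructed sample data: "branch" reuses main's LAN scheme and "remote"
# sits behind a pseudo-bridged modem.
EXAMPLE_SITES = {
    "main":   {"public": "198.51.100.10", "wan": "198.51.100.10", "lan": "192.168.1.1"},
    "branch": {"public": "203.0.113.20",  "wan": "203.0.113.20",  "lan": "192.168.1.50"},
    "remote": {"public": "192.0.2.30",    "wan": "10.1.10.2",     "lan": "192.168.3.0"},
}

if __name__ == "__main__":
    for p in check_plan(EXAMPLE_SITES):
        print("PROBLEM:", p)
    for local, dest, scheme in tunnels(EXAMPLE_SITES):
        print(f"{local}: new site => destination {dest}, scheme {scheme}")
```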

Mesh VPN: Handled At the Cloud Level and Configured By Remote Support

Rules:

  • More than 3 sites can be connected.
  • Each site has to be connected to the service center.
  • Will work with DHCP public IP addresses.
  • No duplicate LAN schemes.
