Nokia IP45 Security Platform User's Guide v4.0, Chapter 15: Working with VPNs (page 296)
Setting Up Nokia IP45 Satellite X
Configure a VPN tunnel between an IP45 Satellite X and Check Point FP3 server.
To set up Nokia IP45 Satellite X
1. On the IP45 GUI main page, click VPN. The VPN Server page opens.
2. Click Certificate > Install Certificate, browse for the certificate, and click Upload.
3. Enter the certificate pass phrase that you used when you created the certificate.
4. Click OK.
When you create the VPN connection between IP45 Satellite X and Check Point FP3, select Use Certificate instead of Use Shared Secret.
Nokia IP45 Satellite X to Check Point SmartCenter FP3/NG AI
You can use Nokia IP45 Satellite X as a VPN server to establish VPN connectivity with a SmartCenter FP3/NG AI server. The IP45 is represented either as a VPN-1 Edge/Embedded gateway object or, when you use Smart LSM, as a VPN-1 Edge/Embedded ROBO gateway (VPN Star Community).
Setting Up Check Point SmartCenter FP3/NG AI
Configure the Check Point SmartCenter FP3 for a VPN connection with Nokia IP45 Satellite X.
To set up Check Point SmartCenter FP3/NG AI
1. Define a VPN-1 Edge/Embedded Gateway object.
2. Create a new Star Community.
3. Configure the FP3 firewall object as the VPN central gateway.
4. Add the VPN-1 Edge/Embedded gateway (the IP45 Satellite X) as a satellite gateway.
5. Define access rules with the following parameters:
   Source: any
   Destination: any
   If Via: Remote access
   Action: accept
   Install On: FP3 firewall object
Setting Up Nokia IP45 Satellite X for VPN Connection with SmartCenter FP3
The following sections describe how to set up Nokia IP45 Satellite X for a VPN connection with SmartCenter FP3.
To configure IP45 Satellite X for VPN connection with SmartCenter FP3
1. Specify the IP address of Nokia IP45 Satellite X on the VPN-1 server.
2. Enter the shared secret (a password that is known to both the IP45 Satellite X and the VPN-1 server). The shared secret is the only thing that authenticates the two ends of the tunnel, so use a long, random value rather than a memorable word.
Setting Up Check Point SmartCenter NG AI by Using Certificates with Smart LSM
Configure the Check Point SmartCenter NG AI for a VPN connection with Nokia IP45 Satellite X using certificates with Smart LSM.
To set up Check Point Smart LSM
1. Define a VPN-1 Edge/Embedded ROBO gateway with a dynamic IP address on the Smart LSM.
2. Create a Check Point Smart LSM object on the Check Point Smart Dashboard.
3. Create a new Star Community.
4. Configure the NG AI firewall object as the VPN central gateway.
5. Add the VPN-1 Edge/Embedded gateway (the IP45 Satellite X) as a satellite gateway.
6. Define access rules with the following parameters:
   Source: Any
   Destination: Any
   If Via: Star Community
   Action: Accept
   Install On: NG AI firewall object
   An Any/Any accept rule is convenient for bringing the tunnel up; once it works, narrow Source and Destination to the networks that actually need to cross it.
To configure IP45 Satellite X for VPN connection with SmartCenter NG AI using certificates
1. Choose Services from the IP45 main menu, and choose Connect. The Subscription Services wizard appears.
2. Enter the IP address of the Check Point NG AI management station.
3. Enter the Gateway ID and Registration Key that were used when the IP45 dynamic object was created on the LSM.
4. The Connecting window opens. After the connection is complete, the Services downloaded page opens.
5. Click Finish.
6. Choose VPN from the main menu and click the VPN Certificate tab.
7. Click the VPN Sites tab and click New Site.
8. Specify the IP address of the Check Point NG AI management station and check Unrestricted.
9. Click Next.
10. Select Specify Configuration.
11. Enter the destination network and the subnet mask.
12. Click Next.
13. Click Use Certificate.
14. Click Next.
15. Click Finish.
Note
To download the certificate from Check Point NG AI and create a VPN site manually on
Nokia IP45, use the VPN-1 Edge/Embedded gateway on the Smart Dashboard and create a
Star VPN community.
Site-to-Site VPN with Windows 2000
You can configure VPN connectivity between Nokia IP45 Satellite X and Microsoft Windows 2000/XP IPSec for site-to-site VPN.
Authentication supported: preshared secret
The following scenarios are supported:
- Windows gateway to Nokia IP45 Satellite X in bypass NAT mode: NAT is not performed to the internal network for authenticated remote users.
- Windows gateway to Nokia IP45 Satellite X in bypass firewall mode: firewall rules are not applied to the internal network for authenticated remote users.
- Windows host to Nokia IP45 Satellite X in bypass NAT mode: NAT is not performed to the internal network for authenticated remote users.
- Windows host to Nokia IP45 Satellite X in bypass firewall mode: firewall rules are not applied to the internal network for authenticated remote users.
For more information about how to configure the Windows 2000 server, see SofaWare's Configuring Windows 2000/XP IPSec to Site-to-Site VPN.
Site-to-Site VPN with Nokia CryptoCluster
You can configure VPN connectivity between Nokia IP45 Satellite X and a Nokia VPN Gateway (CryptoCluster) for site-to-site VPN.
Authentication supported: preshared secret
Perfect Forward Secrecy: supported
The following scenario is supported:
- Nokia VPN gateway to Nokia IP45 Satellite X in bypass NAT and bypass firewall mode: NAT is not performed to the internal network for authenticated remote users.
For more information about how to configure CryptoCluster, see Configuring Nokia CryptoCluster to Nokia IP45 Site-to-Site VPN.
Site-to-Site VPN with Cisco PIX
You can configure VPN connectivity between Nokia IP45 Satellite X and the Cisco Secure PIX firewall (using PDM 2.0 and above) for site-to-site VPN.
Authentication supported: preshared secret
The following scenario is supported:
- Cisco PIX gateway to Nokia IP45 Satellite X in bypass NAT mode: NAT is not performed to the internal network for authenticated remote users.
For more information about how to configure Cisco PIX, see SofaWare's Configuring Site-to-Site VPN with Cisco PIX.
VPN Routing Between two Nokia IP45 Security Platforms
VPN routing lets gateways encrypt to each other indirectly, through a central VPN-1 module that acts as a VPN router: it decrypts the traffic coming from one gateway and re-encrypts it to forward it to another gateway. This feature is useful in scenarios such as:
- DAIP (VPN-1 module with a dynamic IP address) to DAIP encryption. Since the DAIP modules are not aware of each other's dynamically assigned IP address, one solution is to forward traffic through a central VPN-1 router to which both DAIP modules connect.
- Using the IPSec VPN to mimic the architecture of Frame Relay networks, for an easier migration from traditional networks to IP-based networks.
- Enabling simple configuration for branch offices by hiding the entire network from them while allowing them full connectivity.
Because the central module sees every routed flow in cleartext, it is also the point where that traffic can be inspected and where a compromise exposes all spoke-to-spoke traffic.
IPSec NAT Traversal
Nokia IP45 v4.0 can establish site-to-site VPN tunnels, as well as remote-to-site VPNs, that pass through NAT devices. VPN peers automatically negotiate NAT traversal mode when needed.
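The "automatic negotiation" mentioned above is the IKE NAT-Discovery exchange (RFC 3947): each peer hashes its own address and port into a NAT-D payload, and the other side recomputes the hash over what it actually saw on the wire. The following is an added illustration of that check, not code from the IP45 guide or from Nokia or Check Point; it assumes IPv4, SHA-1 as the negotiated IKE hash, and the constructed cookies and addresses used in the demo.

```python
"""
IKEv1 NAT-Discovery (NAT-D) as used for IPsec NAT traversal (RFC 3947).

During IKE Phase 1 each peer sends two NAT-D payloads: a hash of the peer's
address and port as it sees them, then a hash of its own address and port,
each computed as

    HASH(CKY-I | CKY-R | IP-address | port)

with the negotiated IKE hash algorithm. The receiver recomputes the hash over
the source address and port it actually observed on the packet. A mismatch
means a NAT rewrote the IP header on the path, so the peers float IKE to
UDP/4500 and send ESP UDP-encapsulated instead of as raw IP protocol 50.

Added illustration, not code from the IP45 guide. Assumptions: IPv4, SHA-1
as the negotiated hash, and the constructed cookies/addresses in demo().
"""
import hashlib
import ipaddress
import struct

ISAKMP_PORT = 500   # initial IKE port
NAT_T_PORT = 4500   # IKE and UDP-encapsulated ESP once NAT is detected


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IPv4 address | port)."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 octets each")
    addr = ipaddress.IPv4Address(ip).packed          # 4 octets, network order
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def peer_behind_nat(cky_i, cky_r, peer_nat_d, observed_ip, observed_port) -> bool:
    """
    Compare the peer's self NAT-D against the source address/port we saw on
    the wire. True means a NAT sits between us and the peer.
    """
    return peer_nat_d != nat_d_hash(cky_i, cky_r, observed_ip, observed_port)


def negotiate_nat_t(cky_i, cky_r, initiator, responder):
    """
    initiator/responder: dicts with 'local' = (ip, port) the host believes it
    uses, and 'seen_by_peer' = (ip, port) the other side observes.
    Returns which side is behind NAT and the UDP port the SA will use.
    """
    # Each side hashes its own local address; that is the NAT-D it sends.
    init_self_nat_d = nat_d_hash(cky_i, cky_r, *initiator["local"])
    resp_self_nat_d = nat_d_hash(cky_i, cky_r, *responder["local"])

    # Responder checks the initiator's NAT-D against the packet it received;
    # the initiator checks the responder's NAT-D the same way.
    init_natted = peer_behind_nat(cky_i, cky_r, init_self_nat_d, *initiator["seen_by_peer"])
    resp_natted = peer_behind_nat(cky_i, cky_r, resp_self_nat_d, *responder["seen_by_peer"])

    nat_t = init_natted or resp_natted
    return {
        "initiator_behind_nat": init_natted,
        "responder_behind_nat": resp_natted,
        "nat_traversal": nat_t,
        "port": NAT_T_PORT if nat_t else ISAKMP_PORT,
    }


def demo():
    # Constructed values: an IP45 on a private address behind a NAT router,
    # talking to a Check Point gateway on a public address.
    cky_i = bytes.fromhex("0011223344556677")
    cky_r = bytes.fromhex("8899aabbccddeeff")
    ip45 = {"local": ("192.168.1.10", ISAKMP_PORT),
            "seen_by_peer": ("203.0.113.5", 1024)}       # NAT rewrote IP and port
    checkpoint = {"local": ("198.51.100.1", ISAKMP_PORT),
                  "seen_by_peer": ("198.51.100.1", ISAKMP_PORT)}
    return negotiate_nat_t(cky_i, cky_r, ip45, checkpoint)


if __name__ == "__main__":
    print(demo())
```

Because the hash is bound to both ISAKMP cookies, a NAT-D payload from one exchange cannot be replayed into another; and because the IP45 only learns that it is behind NAT from the peer's view of its address, both peers must support NAT-T for the detection to work, which is why firewalls between the sites must pass UDP/500 and UDP/4500.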
Mesh VPN Support
This section describes mesh VPN support between different Nokia IP45 security platforms using Check Point R55 with HotFix 4 and above. Nokia IP45 v4.0 also supports mesh VPN between different Nokia IP45 security platforms using SofaWare Management Portal v4.11 and later.
The Nokia IP45 security platform supports a mesh VPN topology using Check Point, where different IP45 security platforms are configured as site-to-site VPNs within a mesh topology. The limitation in this scenario is that each IP45 configured on Check Point must have a static WAN IP address.
Enhanced MEP Support
Nokia IP45 v4.0 supports all multiple entry point (MEP) and interface resolving options available in SmartCenter NG AI R55, including:
- MEP load distribution
- Partially overlapping encryption domains
- Fully overlapping encryption domains
- Interface resolving (automatically determining the closest reachable interface for VPN connections to gateways with multiple interfaces)
The following three basic configurations are tested:
Primary backup: multiple backup gateways provide high availability for a primary gateway. The remote VPN peer is configured to work with the primary gateway, and switches to the backup gateway if the primary gateway stops functioning.
You might use this configuration if you have two Check Point gateways in a MEP environment. Configure the higher-performance gateway as the primary gateway and the other as the secondary gateway.
Figure 17: Partially Overlapping Encryption Domain (figure not reproduced)