how to create vti

Upload: esteban-gracia

Post on 05-Apr-2018


7/31/2019 How to Create VTI

How to create VTI (VPN Tunnel Interface) based VPNs

Solution ID: sk38521

Product: Security Gateway
Version: R70, NGX R65, R71

Date Created: 14-Apr-2009
Last Modified: 30-Nov-2010


Solution

A VPN Tunnel Interface (VTI) is a virtual interface on a VPN-1 component which is associated with an existing VPN tunnel, and is used by IP routing as a point-to-point interface directly connected to a VPN peer gateway. Each VTI is associated with a single tunnel to a VPN peer gateway. The tunnel behaves just like a point-to-point link between two gateways. The tunnel and its properties are defined by a VPN Community linking the two gateways. The peer gateways should also be configured with a VTI. The native IP routing mechanism on each gateway can then direct traffic into the tunnel, just as the mechanism would do for any other type of interface. Numbered VTIs have a unique IP address assigned to them, while unnumbered VTIs do not. The IPSO operating system currently only supports unnumbered VTIs.

The following steps are needed to configure a VTI based VPN on the IP Security Platforms.

Please note that it is assumed that you have a fully functional firewall/VPN module install that is able to properly pass all other traffic and communicate correctly with the Security Management (SmartCenter) Server, and that you are familiar with the creation and definition of the various types of objects within SmartDashboard and with the IPSO command line and Voyager interface.

Step 1: Configure Local Encryption Domain

1. Go to SmartDashboard and edit the local Security Gateway object.
2. Navigate to the topology section, and select 'Manually Defined' under the VPN Domain section.
3. Click "New" and create a 'Simple Group'.
4. Leave the group blank. The encryption domain of VTI based end points is left blank, as all traffic will be routed based on static routes added pointing to the VTIs. However, if you plan to create VPNs to non-NGX modules, managed by this same Security Management (SmartCenter), you need to define a proper encryption domain.

Step 2: Create & Configure Remote Security Gateway Object & Encryption Domain

1. Create the remote end point Security Gateway.
2. Under the topology section, again select 'Manually Defined' under the VPN Domain section.
3. Click "New" and create a 'Simple Group'.
4. Leave the group blank.

Step 3: Configure VPN Community

1. Create a new Star/Meshed VPN Community and add the VPN peers to it, making sure to verify the VPN Phase 1 and Phase 2 properties, and preshared secrets and other VPN properties, as necessary.

Step 4: Configure Appropriate Access Rules

1. Create appropriate VPN access rules in the Security rulebase.
2. Do not include the newly created VPN community under the VPN section of the security rule.
3. Install the security policy.

Step 5: Configure the VPN Tunnel Interface (VTI)

Note: The VTI may be added via Voyager OR via the command line using the vpn shell.

To add the VTI via Voyager:

1. Login to Voyager and navigate to 'Config > Checkpoint Firewall-1 > FWVPN Configuration'.
2. Enter the name of the remote peer Security Gateway object, configured in SmartDashboard, and select the interface which will proxy the connection, and then click "Apply".
3. If you have done the above steps in order, you should now have a VTI created and showing a status of 'OK'.
4. Click "Save" to save your configuration.
5. Take a note of the interface name. You will need this in the next step.

To add the VTI via the command line:

1. Login to the IPSO unit and run the command vpn shell to enter the vpn shell.
2. Next, run the following command to create a VTI:

    interface/add/unnumbered [name of peer object] [logical name of proxy interface]

    Note: The 'proxy interface' should be the interface of the Security Gateway facing the remote peer.

3. This will create the appropriate VTI. You may run the following command to view the VTI created:

    show/interface/summary all


Step 6: Configure Static Routes

Note: You may configure this static route via Voyager or via command line using clish.

To configure the route via Voyager:

1. Navigate to the 'Static Routes' page in Voyager and add a new static route, selecting 'Logical Address' as the 'Gateway Type'.
2. Click "Apply" and choose the VTI name from the drop-down list as the nexthop gateway.
3. Click "Apply" and "Save".

To configure the route via clish:

1. Login to the IPSO unit via the command line and run clish to enter the command line shell.
2. Next run the following commands to create the static routes for the VTI:

    Nokia> set static-route [network/mask_length] nexthop gateway logical [VTI Interface] on

3. Next, run the following commands to save the configuration:

    Nokia> save config
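Because the encryption domain is left blank in Step 1, the static routes from Step 6 alone decide which traffic enters the tunnel, so a mistyped prefix or a route that shadows a local network is a routing and security error rather than a policy one. The following added example (not part of the Check Point solution; the peer name, interface names and networks are constructed sample values) builds the vpn shell and clish commands from Steps 5 and 6 for a list of remote networks, and refuses to emit a route whose prefix has host bits set or that overlaps a local network:

```python
"""Plan the VTI creation and clish static routes for a VTI-based VPN on IPSO.

Added example; the command syntax mirrors the two commands quoted in
Steps 5 and 6 of the solution. Peer object name, interface names and
networks used below are constructed sample values, not taken from a
real deployment.
"""
import ipaddress
from typing import List


def vti_add_command(peer_object: str, proxy_interface: str) -> str:
    """vpn shell command that creates the unnumbered VTI (Step 5)."""
    return f"interface/add/unnumbered {peer_object} {proxy_interface}"


def plan_static_routes(vti_name: str, remote_networks: List[str],
                       local_networks: List[str]) -> List[str]:
    """Return one clish static-route command per remote network (Step 6).

    strict=True makes ipaddress reject '10.1.2.3/24' style entries where
    host bits are set, so the mask length is what the operator intended.
    A remote prefix that overlaps a local network is rejected too: with a
    blank encryption domain such a route would send local traffic into
    the tunnel instead of keeping it on the LAN.
    """
    locals_ = [ipaddress.ip_network(n, strict=True) for n in local_networks]
    commands: List[str] = []
    seen = set()
    for net_str in remote_networks:
        net = ipaddress.ip_network(net_str, strict=True)
        for local in locals_:
            if net.overlaps(local):
                raise ValueError(
                    f"{net} overlaps local network {local}; "
                    "routing it via the VTI would divert local traffic to the peer")
        if net in seen:          # duplicate entries produce one route
            continue
        seen.add(net)
        commands.append(
            f"set static-route {net.network_address}/{net.prefixlen} "
            f"nexthop gateway logical {vti_name} on")
    return commands


if __name__ == "__main__":
    # Constructed sample values: peer object, proxy interface, VTI name, networks.
    print(vti_add_command("remote-gw", "eth2c0"))
    for cmd in plan_static_routes("vti-remote-gw",
                                  ["192.168.10.0/24", "192.168.20.0/24"],
                                  ["10.0.0.0/8", "172.16.0.0/16"]):
        print(cmd)
    print("save config")
```

Run the script, review the printed commands against the networks agreed with the peer, then paste them into the vpn shell and clish sessions described above and finish with save config as in Step 6.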

Step 7: Test Newly Created VPN

Note: For more detailed information regarding the new VTI based VPNs, refer to VPN R71 Administration Guide.

http://downloads.checkpoint.com/dc/download.htm?ID=10320