Checkpoint VPN to ZyWALL Tunneling

  1. Setup ZyWALL VPN
  2. Setup Checkpoint VPN

This page explains how to set up a VPN connection between Checkpoint VPN and a ZyWALL router.

As shown in the figure below, the IPSec tunnel between ZyWALL and Checkpoint secures the packets that flow between them, because packets that go through the tunnel are encrypted. The settings required on the software and on ZyWALL to set up this VPN tunnel are explained below.

  The IP addresses used in this example are shown below.

  LAN 1            Checkpoint      ZyWALL           LAN 2
  172.16.16.0/24   62.2.237.177    217.20.195.73    192.168.99.0/24


1. Setup ZyWALL VPN  

  1. Using a web browser, log in to ZyWALL by entering the LAN IP address of ZyWALL in the URL field. The default LAN IP is 192.168.1.1, and the default password for the web configurator is 1234.
  2. Go to SECURITY->VPN and press the Add button.
  3. Check the Active check box and give this policy a name.
  4. Set IPSec Keying Mode to IKE and Negotiation Mode to Main, matching the configuration on ZyWALL's peer side.
  5. In the Local section, select Subnet Address as the Address Type and enter the Network IP and Subnet Mask of ZyWALL's LAN.
  6. In the Remote section, select Single as the Address Type and enter the IP address of ZyWALL's peer.
  7. My IP Addr is the WAN IP of ZyWALL.
  8. Secure Gateway IP Addr is the IP of ZyWALL's peer side, that is, PC 2 in this example.
  9. Set Encapsulation Mode to Tunnel.
  10. Check the ESP check box. (AH cannot be used in the SUA/NAT case.)
  11. Set Encryption Algorithm to 3DES and Authentication Algorithm to MD5, matching the configuration on ZyWALL's peer side.
  12. Enter the key string 12345678 in the Preshared Key text box, and click Apply.
  13. Press the Advanced button to set the IKE phase 1 and phase 2 parameters.

See the VPN rule screen shot

Set IKE Phase 1 and Phase 2 parameters.


2. Setup Checkpoint VPN  

Creating Network objects.

Click on New/Network and define the LAN segment of ZyWALL. Select Location as External.

(Note: Internal and External refer to whether or not the network is protected behind the Checkpoint.)

Define the LAN segment of Checkpoint. Select Location as Internal.

If more than one network should use the VPN tunnel, you can merge the networks into one group.

Creating VPN Objects  

Define ZyWALL box as a tunnel end point. (Name: SOHO_TEST)

Select the VPN tab to define the protected domain of ZyWALL and the encryption schemes used by the tunnel.

Define the Checkpoint box as a tunnel endpoint.

Select the VPN tab to define the protected domain of Checkpoint and the encryption schemes used by the tunnel.

Choose IKE and press Edit... to edit the Phase 1 parameters and pre-shared key.

To edit the pre-shared key, select Pre-Shared Secret under Authentication Method, then press Edit Secrets...

Select SOHO_TEST as peer, and input the pre-shared key.

Define VPN policy.

Create a new rule at or near the top of the policy. This rule should include both encryption domains as both source and destination, and the action should be Encrypt, as shown below.

Double-click the "encrypt" action to edit the encryption properties. Select IKE as the form of encryption, then click Edit and select the Phase 2 parameters.
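
Both gateways must carry the same IKE and IPSec parameters and must point at each other's WAN address. The Python check below is an added example, not part of the original guide or of either vendor's tooling; it compares two peer definitions and flags the algorithms that RFC 8221 deprecates. The dictionary layout, the name checkpoint, the mirrored Checkpoint values and MIN_PSK_LEN are assumptions; the ZyWALL values are the ones used in section 1.

```python
import ipaddress

# Fields that must be identical on both gateways for the tunnel to come up.
MUST_MATCH = ("keying", "negotiation", "encapsulation", "protocol",
              "encryption", "authentication", "psk")
# RFC 8221 rates 3DES "SHOULD NOT" and DES / HMAC-MD5 "MUST NOT" for ESP.
WEAK = {"encryption": {"DES", "3DES"}, "authentication": {"MD5"}}
MIN_PSK_LEN = 20  # assumed local policy threshold, not a value from this page

def audit_pair(a, b):
    """Return sorted findings for two site-to-site peer definitions."""
    findings = []
    for field in MUST_MATCH:
        if a[field] != b[field]:
            # Never echo key material into a report.
            shown = "values differ" if field == "psk" else f"{a[field]} vs {b[field]}"
            findings.append(f"MISMATCH {field}: {shown}")
    # Each side's Secure Gateway address must be the other side's own WAN IP.
    for me, peer in ((a, b), (b, a)):
        if ipaddress.ip_address(me["peer_gw"]) != ipaddress.ip_address(peer["my_ip"]):
            findings.append(f"MISMATCH gateway: {me['name']} points at "
                            f"{me['peer_gw']}, {peer['name']} is {peer['my_ip']}")
    for side in (a, b):
        for field, weak in WEAK.items():
            if side[field].upper() in weak:
                findings.append(f"WEAK {side['name']} {field}: {side[field]}")
        if len(side["psk"]) < MIN_PSK_LEN or side["psk"].isdigit():
            findings.append(f"WEAK {side['name']} psk: short or digits only")
    return sorted(findings)

# ZyWALL rule as configured in section 1 (SOHO_TEST is its Checkpoint object name).
ZYWALL = dict(name="SOHO_TEST", keying="IKE", negotiation="Main",
              encapsulation="Tunnel", protocol="ESP", encryption="3DES",
              authentication="MD5", psk="12345678",
              my_ip="217.20.195.73", peer_gw="62.2.237.177")
# Constructed mirror of the Checkpoint side; the page gives no values for it in text.
CHECKPOINT = dict(ZYWALL, name="checkpoint",
                  my_ip="62.2.237.177", peer_gw="217.20.195.73")
# Constructed drift: wrong hash and a mistyped peer address.
DRIFTED = dict(CHECKPOINT, authentication="SHA1", peer_gw="217.20.195.74")

if __name__ == "__main__":
    for line in audit_pair(ZYWALL, DRIFTED):
        print(line)
```

The matched pair reports only WEAK findings, because the tunnel would negotiate but with 3DES, MD5 and an eight-digit key; the drifted pair also reports the two mismatches that would stop negotiation.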