Checkpoint Firewall: How to configure VPN Site to Site between Sophos Firewall XG230 and Checkpoint Firewall 1590.


With VPN Site to Site you can activate the appliance’s ability to create VPN tunnels with remote sites. Site to Site VPN can connect two networks separated by the Internet through a secure encrypted VPN tunnel. This allows for seamless secure interaction between the two networks within the same organization even though they are physically distant from each other.

2. Network Diagram

This article will guide you how to configure site to site VPN on the Checkpoint Firewall site connected to the Sophos XG230 site.

3. Instructions

Step 1: Configure VPN site to site on Checkpoint

On the administrative interface of Checkpoint Firewall > VPN > Site to site > Blade Control. Click On Site to Site VPN.

Scroll down to VPN Sites > New.

In the New VPN Site section. Fill in the following parameters:

Site name: Enter the name of the VPN connection you want.

Connection Type: select hostname or IP address.

IP address: Enter the IP WAN of SOPHOS XG site

Authentication: select Pre-Shared secret.

Password + Confirm: Enter and re-enter the pre-share key (You will generate this key yourself, the key will be reused to configure connection creation on Sophos site).

In Remote Site Encryption Domain > New.

Select Type is Network

Network address: Enter the remote network of Sophos Site

Object name: Name the remote network. Click Apply.

You can add multiple LAN Networks by click New to create.

Switch to the Encryption tab. You enter the IKE (Phase 1) and IPsec (Phase 2) parameters agreed between the two sites as shown below.

Switch to the Advanced tab. Select Encryption Method is IKEv2. Finally click Apply.

Finished configuring the VPN on Site Checkpoint.

Step 2: Configure VPN site to site on Sophos XG.

2.1. Configure IPsec Profiles.

On the Sophos XG admin interface > Configure > Site to Site VPN > IPsec Profiles.

To create IPsec Profile click Add.

In the IPsec Profile, enter the following parameters:

Name: Enter a name for the profile

Key Exchange: choose IKEv2

Authentication Mode: select Main Mode.

Fill in the Phase 1 and 2 parameters as agreed between the 2 sites. Click Save.

2.2. Create Local Network and Remote Network.

Next, create Local Networks for Sophos Site (LAN_SOPHOS) and Remote Network (LAN_CHECKPOINT) for Checkpoint Sites.

2.3 Configure IPsec VPN site to site connection.

On the Sophos XG admin interface > Configure > Site to Site VPN > IPsec > Add.

In the General Setting, enter the following parameters:

Name: Enter a name for the VPN connection you want

Connection type: select Site-to-site

Gateway type: Respond only.

Click Active on save and Create firewall rule.

Scroll down to the Encryption section:

Profile: select the IPsec Profile created in step 2.1

Authentication type: select Preshared key.

Enter and confirm the pre-shared key as configured on the Checkpoint site.

Scroll down to the Gateway settings section:

Listening interface: select IP port WAN of Sophos site

Gateway address: Enter the IP WAN on the Checkpoint site

Local Subnet: Select LAN_SOPHOS created in step 2.2

Remote Subnet: Select LAN_CHECKPOINT created in step 2.2

Click Save.

2.4 Active VPN site to site connection

Under the Status section of the Active section, click the red dot icon and click OK.

Connected to VPN Site to Site successfully when the Status of the Active and Connection sections both show green dots.

Check the Checkpoint Site. Go to the VPN Tunnels section and check the Status is Active, the VPN connection is successful.

To test the connection between 2 sites. You use 1 machine on Checkpoint Site ping to 1 machine on Sophos Site.

Successful ping results.

Be the first to comment

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.