The Check Point IPSec VPN Software Blade provides secure connectivity to corporate networks for remote and mobile users, branch offices and business partners. The Software Blade integrates access control, authentication and encryption to guarantee the security of network connections over the public Internet.

Benefits

Secure VPN connectivity for remote and mobile users, branch offices
  • Simple, centralized management of remote access and site-to-site VPNs
  • Enhanced IPSec VPN security against Denial of Service (DoS) attacks
  • Security policy may be applied in varying degrees based on encryption level
Flexibility to build the VPN solution that meets your specific needs
  • Multiple remote access VPN connectivity modes to support road warriors
  • Comprehensive set of remote access VPN client choices
  • Multiple VPN creation methods, including route-based and domain-based VPNs
Integrated into Check Point Software Blade Architecture
  • Simple activation of IPSec VPN on any Check Point security gateway
  • Centralized logging and reporting via a single console

Features

The IPSec VPN Software Blade simplifies the creation and management of complex VPNs. SmartDashboard enables administrators to define participating gateways—including third-party gateways—in large-scale VPNs. VPN gateways can be configured in minutes for both star and mesh topologies with an integrated certificate authority to manage keys.

The IPSec VPN Software Blade supports the creation of VPNs via multiple methods, including:

  • Route-based VPNs:  Administrators set VPN rules to define which traffic should be encrypted, enabling the creation of complex large-scale site-to-site VPNs in dynamic environments. Route-based VPNs also support the extension of dynamic routing and multicast communities across VPNs.
  • Domain-based VPNs:  Administrators identify the resources behind the gateway  for which VPN traffic should be encrypted.

VPN connectivity should always be matched with a high level of security. The IPSec VPN Software Blade enables remote users, sites and partners to connect securely. Security policies may be applied to all encrypted traffic or a subset of traffic.

In addition, the IPSec VPN Software Blade provides strong security for the VPN against Denial of Service (DoS) attacks such as those directed against the Internet Key Exchange (IKE) mechanism. The IPSec VPN Software Blade implements a unique solution for IKE DoS, requiring that unknown gateways solve a computationally-intensive problem before allowing them to connect.

Every enterprise has unique requirements for remote access. The IPSec VPN Software Blade offers a comprehensive set of remote access VPN client choices that allow you to design a solution that meets your specific needs. These choices include:

  • Check Point Endpoint Security:  a complete endpoint security solution
    • IPSec VPN client
    • desktop firewall
    • Network Access Control (NAC)
    • program control
    • antivirus and anti-spyware
    • full disk encryption
    • port protection and other data security features
    • managed by Endpoint Policy Management Blade
  • Endpoint Security VPN R75
    • Windows IPSec VPN client
    • desktop firewall
    • compliance checks
    • remote connection enhancements
    • managed by Network Policy Management Blade
  • SecuRemote
    • free Windows IPSec VPN Client
  • SecureClient Mobile
    • SSL VPN client for Windows Mobile phones
  • L2TP Support
    • for clients with Layer 2 Tunneling Protocol (L2TP) VPN support

The IPSec VPN Software Blade provides various modes to address a variety of connectivity and routing issues faced by remote users, including:

  • Office mode:  Addresses routing issues between the client and the gateway by encapsulating IP packets with the remote user’s original IP address, thereby enabling users to appear as if they were “in the office” while connecting remotely. Office mode also provides enhanced anti-spoofing by ensuring that the IP address encountered by the gateway is authenticated and assigned to the user.
  • Visitor mode: Enables employees to access resources while they are working at a remote location such as a hotel or a customer office, where Internet connectivity may be limited to Web browsing using the standard HTTP and HTTPS ports.
  • Hub mode: Enables rigorous, centralized inspection of all client traffic.  This eliminates the need to deploy security functions to multiple offices and gives employees secure client-to-client communications such as Voice over IP (VoIP) or Internet conferencing using applications like Microsoft NetMeeting.

The IPSec VPN Software Blade is integrated into the Software Blade Architecture. It can be easily and rapidly activated on existing Check Point Security Gateways saving time and reducing costs by leveraging existing security infrastructure.

Specifications

 Feature
Detail
Authentification MethodsPassword, RADIUS, TACACS, X.509, SecurID, LDAP
Certification AuthorityIntegrated X.509 certificate authority
VPN CommunitiesAutomatically sets up site-to-site connections as objects are created
Topology SupportStar and mesh
Route-based VPNUtilizes virtual tunnel interfaces, numbered/un-numbered interfaces
VPN ResiliencyMultiple Entry Point (MEP), wire mode
VPN Route InjectionRoute Injection Mechanism (RIM)
Site-to-site VPN ModesDomain-based, Route-based
Directional VPNEnforcement between or within community
IKE (Phase 1) Key ExchangeAES-128, AES-256, 3DES, DES, CAST
IKE (Phase 1) Data IntegrityMD5, SHA1, SHA2-256, SHA2-384, AES-XCBC
IKE (Phase 2) Data Encryption3DES, AES-128, AES-256, DES, CAST, DES-40CP, CAST-40, NULL
IKE (Phase 2) Data IntegrityMD5, SHA1, SHA2-256, SHA2-384, AES-XCBC
IKE (Phase 1) & IPSec (Phase 2) Diffie-Hellman GroupsGroup 1 (768 bit), Group 2 (1024 bit), Group 5 (1536 bit), Group 14 (2048 bit), Group 19 (256-bit), Group 20 (384-bit)
IKE (Phase 1) OptionsMain, Hybrid, Aggressive mode
IPSec (Phase 2) OptionsPerfect forward secrecy, IP compression
Mobile Device SupportL2TP support for iPhone, SecureClient Mobile for Windows Mobile
Multiple IPSec VPN ClientsCheck Point Endpoint Security, Endpoint Security VPN R75, SecuRemote