---
title: "Check Point"
slug: "configuring-perimeter-site-to-site-with-check-point-firewall-using-the-check-point-smart-console"
updated: 2026-04-07T08:59:10Z
published: 2026-04-07T08:59:10Z
canonical: "support.perimeter81.com/configuring-perimeter-site-to-site-with-check-point-firewall-using-the-check-point-smart-console"
stale: true
---

# Check Point

## Introduction

This guide helps you establish a single Site-to-Site VPN tunnel between your Check Point SASE Network and Check Point Firewall.

## Pre-requisites

- Check Point SASE Administrator Portal account.
- Make sure that you have installed the Check Point SASE Agent on your device.
- Administrator account with Firewall/Router/Cloud Management Portal.

## Configuration Steps

## Creating Interoperable Device Object in the Check Point SmartConsole

1. Log in to the Check Point SmartConsole.
2. Click **Security Policies**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719204743016.png)
3. On the top right, click **New** and select **More** > **Network Object** > **More** > **Interoperable Device**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719204770593.png)  
The **Interoperable Device** window appears.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719204889451.png)
4. In the **Name** field, enter a name for the Check Point SASE gateway, for example, *Harmony_SASE_Gateway*.
5. In the **IPv4 Address** field, enter the Check Point SASE gateway public IP address.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719205033828.png)  
To find the SASE Gateway public IP address:
  1. Access the Check Point SASE Administrator Portal and click **Networks**.
  2. Select the network.
  3. Go to the **Gateways** section to find the Public IP address for setting up the single IPsec tunnel.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719205046690.png)
6. Click **OK**.

## Adding Check Point SASE Gateway IP Address and Remote Subnet To The Interoperable Device Object

1. Log in to the Check Point SASE Administrator Portal.
2. Click **Networks**.
3. Verify the assigned network. The default value is 10.255.0.0/16.  
To verify:
  1. Select a network, scroll to the end of the row and click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719207416268.png).
  2. Select **Edit Network**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719205365415.png)
  3. In the **Edit Network** section, check the **Subnet** field to verify the assigned network. The default value is 10.255.0.0/16.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719205400837.png)
4. Open the Interoperable Device object that you created.
5. Click **Topology** > **New**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719205506418.png)
6. In the **General** tab, enter these:
  1. **Name** – Name of the topology, for example, *Check Point SASE Network*.
  2. **IP Address** – 10.255.0.0
  3. **Net Mask** – 255.255.0.0

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719205577578.png)
7. In the **Topology** tab, select **Internal (leads to the local network)** and then select **Network defined by the interface IP and Net Mask**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719205654391.png)  
Note: If the gateway is configured with an interface topology that includes a network range or a group overlapping with the encryption domain of the remote VPN peer, incoming decrypted traffic may be seen as coming from the wrong interface. This could trigger anti-spoofing measures, causing traffic to be dropped. To create an anti-spoofing exception, see [sk151774](https://support.checkpoint.com/results/sk/sk157074).
8. Click **Topology** > **New**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719205767248.png)
9. In the **General** tab, enter these:
  1. **Name** – Name for the topology, for example, *Harmony_SASE_Gateway*
  2. **IP Address** – Public IP address of the Check Point SASE gateway
  3. **Net Mask** – 255.255.255.255  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Image3.png)
10. Click the **Topology** tab.
11. Select **External (leads out to the internet)**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719205897195.png)
12. Click **OK**.
13. Click **OK**.
14. Publish and install the policy.
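
The overlap described in the anti-spoofing note above can be checked before the policy is installed. The following is an added example, not part of the original guide or of any Check Point tool; the interface names and local gateway networks are constructed sample values, and `topology_net` and `overlapping_interfaces` are hypothetical helper names.

```python
import ipaddress


def topology_net(ip, mask):
    """Build a network from an IP Address / Net Mask pair as typed in the Topology dialog.

    strict=True raises ValueError when host bits are set, which catches a mistyped address.
    """
    return ipaddress.ip_network(f"{ip}/{mask}", strict=True)


# Encryption domain of the remote peer: the SASE network from this guide (default value).
PEER_DOMAIN = [topology_net("10.255.0.0", "255.255.0.0")]

# Constructed sample: interface topology of the local gateway (hypothetical values).
LOCAL_INTERFACES = {
    "eth0": [topology_net("203.0.113.0", "255.255.255.0")],
    "eth1": [topology_net("10.0.0.0", "255.0.0.0")],  # broad range containing 10.255.0.0/16
    "eth2": [topology_net("192.168.10.0", "255.255.255.0")],
}


def overlapping_interfaces(interfaces, peer_domain):
    """Return {interface: [(local_net, peer_net), ...]} for every overlapping pair."""
    hits = {}
    for name, nets in interfaces.items():
        clash = [(str(n), str(p)) for n in nets for p in peer_domain if n.overlaps(p)]
        if clash:
            hits[name] = clash
    return hits


if __name__ == "__main__":
    for name, pairs in overlapping_interfaces(LOCAL_INTERFACES, PEER_DOMAIN).items():
        for local_net, peer_net in pairs:
            print(f"{name}: topology {local_net} overlaps peer domain {peer_net}")
```

Any interface it reports is one where decrypted traffic from the SASE network could be dropped by anti-spoofing unless an exception is configured.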

## Creating VPN Star community

1. Log in to the Check Point SmartConsole.
2. Click **Security Policies**.
3. Go to **Access Tools** > **VPN Communities**.
4. Select an object, click **New** and go to **More** > **VPN Community** > **Star Community**.  
The **New Star Community** window appears.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Link-Selection(1).png)
5. In the **Enter Object Name** field, enter an object name for the VPN Star Community, for example, *Harmony_SASE_VPN*.
6. In the **Link Selection Mode** section, select one of these:
  - **Enhanced (Recommended)** - Uses dynamic, intelligent, probe-based logic to choose the optimal VPN link. It evaluates:
    - Interface status
    - Multiple external IP addresses
    - Multiple ISP circuits
    - Reachability through Next-Hop Probing
    - SLA-like behavior for tunnel selection
  - **Legacy** - Uses static or basic logic to select the VPN interface or IP address. Selection is based on:
    - Main IP (default)
    - Selected interface
    - Selected IP
    - IP address determined by topology
7. In the **Centre Gateways** section, click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719206404291.png) and add the Check Point Gateway.
8. In the **Satellite Gateways** section, click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719206404291.png) and add the previously created Interoperable Device Object for the Check Point SASE gateway. See step 3 in ***Creating An Interoperable Device Object in the Check Point SmartConsole***.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/StarCommunity2.png)
9. Go to **Shared Secret**.
10. To edit the shared key, click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719206470575.png).  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Image5(1).png)
11. In the **Enter secret** field, enter an appropriate key. Make a note of it as it is used while configuring the IPsec Tunnel in the Check Point SASE Administrator Portal.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719207148308.png)  
Note: Check Point recommends that the shared secret key is at least 20 characters in length.
12. Click **OK**.
13. Go to **Encryption** and specify these:
  1. In the **Encryption Settings** section, from the **Encryption Method** list, select **IKEv2 only**.
  2. In the **Encryption Suite** section, select **Custom encryption suite**.
  3. In the **IKE Security Association (Phase 1)** section:
    1. From the **Encryption Algorithm** list, select **AES-256**.
    2. From the **Data Integrity** list, select **SHA256**.
    3. From the **Diffie Hellman group** list, select **Group 14 (2048 bit)**.
  4. In the **IKE Security Association (Phase 2)** section:
    1. From the **Encryption Algorithm** list, select **AES-256**.
    2. From the **Data Integrity** list, select **SHA256**.
    3. Select **Use Perfect Forward Secrecy**.
    4. From the **Diffie Hellman group** list, select **Group 14 (2048 bit)**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Image6.png)
14. Go to **Tunnel Management**.
15. In the **Permanent Tunnels** section, select the **Set Permanent Tunnels** checkbox and then select **On all tunnels in the community**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/PermanentTunnels.png)
16. In the **VPN Tunnel Sharing** section, select **One VPN tunnel per Gateway pair**.  
Note: Make sure that you enter the remote subnets specified here in the Check Point SASE Administrator Portal. A mismatch can disconnect the tunnel.
17. Go to **Advanced**.
  1. In the **IKE (Phase 1)** section, set the **Renegotiate IKE security associations every (minutes)** field to **480**.
  2. In the **IPsec (Phase 2)** section, set the **Renegotiate IPsec security associations every (seconds)** field to **3600**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719207064571.png)
18. Click **OK**.

## Additional settings in Check Point SmartConsole

1. To set up a Check Point firewall policy, add a rule for VPN traffic for the specific VPN Domain in the Check Point SmartConsole.

In the example below, we have created a policy to allow traffic from the Check Point SASE Network 10.255.0.0/16 to specific destinations and services. Note that the network configuration may differ if you have not changed the default settings during Check Point SASE network creation. For testing purposes, you should initially allow any/any before making the firewall policy more restrictive.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719207316980.png)
2. Publish and install the policy.

## Configuring Tunnel and Routes Table

1. Access the Check Point SASE Administrator Portal and click **Networks**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen%20Shot%202021-02-17%20at%2019.31.14(2).png)
2. Select the network.
3. Click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719207416268.png).
4. Select **Add Tunnel** for the gateway from which you want to add the IPSec Site-2-Site VPN tunnel.
  1. Click **IPSec Site-2-Site Tunnel** and click **Continue**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen%20Shot%202022-06-02%20at%205.56.11%20PM.png)
  2. Click **Single Tunnel** and click **Continue**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen%20Shot%202022-06-02%20at%205.57.33%20PM.png)
  3. In the **General Settings** section, enter these:  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719207508998.png)
    1. **Name** - Name for the tunnel.
    2. **Shared Secret** - Secure pre-shared key or click Generate to generate it.
    3. **Public IP** - Public or Egress IP address of Check Point Firewall.
    4. **Remote ID** - Public or Egress IP address of Check Point Firewall.
    5. **Check Point SASE Gateway Proposal Subnets** - Leave **Any (0.0.0.0/0)** selected.
    6. **Remote Gateway Proposal Subnets** - Leave **Any (0.0.0.0/0)** selected.
  4. In the **Advanced Settings** section, specify these:  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/KeyExchangeMethod.PNG)
    - **IKE Version:** V2
    - **IKE Lifetime:** 8h
    - **Tunnel Lifetime:** 1h
    - **Dead Peer Detection Delay:** 10s
    - **Dead Peer Detection Timeout:** 30s
    - **Phase 1**:
      - **Encryption (Phase 1):** aes256
      - **Integrity (Phase 1):** sha256
      - **Key Exchange Method:** modp2048
    - **Phase 2**:
      - **Encryption (Phase 2):** aes256
      - **Integrity (Phase 2):** sha256
      - **Key Exchange Method:** modp2048
  5. Click **Add Tunnel**.
5. Select **Routes Table**:  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Pasted_Image_6_6_22__4_18_PM.png)
  1. Click **Add Route**.  
The **Add Route** window appears.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719207709320.png)
  2. Enter all the subnets on the remote side of the tunnel and then click **Add Route**.  
Note: Make sure that in the Tunnel list, you have selected the previously entered Tunnel name.
6. Click **Apply Configuration**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen_Shot_2022-06-06_at_4_20_58_PM.png)
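
Both ends must agree on the same proposal even though SmartConsole and the SASE Administrator Portal express it differently (480 minutes vs. 8h, Group 14 vs. modp2048). The following added example, which is not part of the original guide or of any Check Point tool, normalizes the values this guide enters on each side and lists any that disagree; the dictionary keys and function names are hypothetical.

```python
import re

# Values this guide enters in SmartConsole (Star Community: Encryption, Advanced).
SMARTCONSOLE = {
    "ike_version": "IKEv2 only",
    "p1_encryption": "AES-256", "p1_integrity": "SHA256", "p1_dh": "Group 14 (2048 bit)",
    "p2_encryption": "AES-256", "p2_integrity": "SHA256", "p2_dh": "Group 14 (2048 bit)",
    "ike_lifetime": "480 minutes", "ipsec_lifetime": "3600 seconds",
}
# Values this guide enters in the SASE Administrator Portal (Advanced Settings).
SASE_PORTAL = {
    "ike_version": "V2",
    "p1_encryption": "aes256", "p1_integrity": "sha256", "p1_dh": "modp2048",
    "p2_encryption": "aes256", "p2_integrity": "sha256", "p2_dh": "modp2048",
    "ike_lifetime": "8h", "ipsec_lifetime": "1h",
}
DH_GROUPS = {"14": "modp2048"}  # only the group used in this guide


def to_seconds(text):
    """Convert '480 minutes', '3600 seconds', '8h' or '1h' to seconds."""
    m = re.fullmatch(r"(\d+)\s*(s|seconds?|m|minutes?|h|hours?)", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised lifetime: {text!r}")
    return int(m.group(1)) * {"s": 1, "m": 60, "h": 3600}[m.group(2)[0]]


def normalize(key, value):
    """Map either side's spelling of a setting to one comparable form."""
    v = value.strip().lower()
    if key.endswith("lifetime"):
        return to_seconds(v)
    if key == "ike_version":
        versions = set(re.findall(r"v(\d)", v))
        return versions.pop() if len(versions) == 1 else v
    if key.endswith("_dh"):
        m = re.match(r"group\s*(\d+)", v)
        return DH_GROUPS.get(m.group(1), v) if m else v
    return v.replace("-", "")  # AES-256 -> aes256


def mismatches(a, b):
    """Return the sorted setting names whose normalized values differ or are missing."""
    return sorted(k for k in a.keys() | b.keys()
                  if k not in a or k not in b or normalize(k, a[k]) != normalize(k, b[k]))


if __name__ == "__main__":
    print(mismatches(SMARTCONSOLE, SASE_PORTAL) or "both sides agree")
```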

## Verifying the Setup

Once you complete the above steps, your tunnel should be active. To verify, go to your Check Point SASE dashboard, locate the tunnel you created, and check the tunnel status. It should indicate that the tunnel is Up, signifying a successful connection. Next, connect to your network using the Check Point SASE agent and attempt to access one of the resources in your environment.

## Troubleshooting

If you encounter issues during or after the setup, review your settings to ensure everything matches the instructions. Check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.

## Support Contacts

If you have any difficulties or questions, contact Check Point SASE's support team. We offer 24/7 chat support on our website at [sase.checkpoint.com](https://www.sase.checkpoint.com/), or you can email us at sase-support@checkpoint.com.
