https://community.checkpoint.com/t5/Cloud-Firewall/Announce-networks-behind-remote-peer-VPN-to-Virtual-Network/m-p/66400#M2585 <P>Are you aiming to have a IPSEC tunnel across Express Route?</P><P>Or are you trying to stand up a tunnel across the internet to your CloudGuard gateways for backup?</P><P>Or are you trying to stand up tunnels to your CloudGuard gateways from external internet peers and you need internal resources to go across ER to your CloudGuard gateway and then out to the internet?</P> Fri, 01 Nov 2019 13:34:55 GMT Tommy_Forrest 2019-11-01T13:34:55Z https://community.checkpoint.com/t5/Cloud-Firewall/Announce-networks-behind-remote-peer-VPN-to-Virtual-Network/m-p/66381#M2584 <P>Hello Everybody</P><P>I have the following request,</P><P>We have an environment on Azure (R80.20 Cluster) and access to On-premises networks through ExpressRoute. We' configuring a tunnel VPN using VTIs with 3rd Party (Cisco). So,&nbsp;&nbsp;I would like to know if possible to announce the networks behind remote peer VPN, for example (10.236.150.128/27) on my virtual network gateway in order to announce it on the BGP to on-premises networks.&nbsp;&nbsp;</P><P>Thank you so much for your attention and comments</P><P>Best regards</P><P>Everest</P><P>&nbsp;</P> Thu, 31 Oct 2019 19:06:02 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Announce-networks-behind-remote-peer-VPN-to-Virtual-Network/m-p/66381#M2584 Everest_Aponte 2019-10-31T19:06:02Z https://community.checkpoint.com/t5/Cloud-Firewall/Announce-networks-behind-remote-peer-VPN-to-Virtual-Network/m-p/66400#M2585 <P>Are you aiming to have a IPSEC tunnel across Express Route?</P><P>Or are you trying to stand up a tunnel across the internet to your CloudGuard gateways for backup?</P><P>Or are you trying to stand up tunnels to your CloudGuard gateways from external internet peers and you need internal resources to go across ER to your CloudGuard gateway and then out to the internet?</P> Fri, 01 Nov 2019 13:34:55 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Announce-networks-behind-remote-peer-VPN-to-Virtual-Network/m-p/66400#M2585 Tommy_Forrest 2019-11-01T13:34:55Z https://community.checkpoint.com/t5/Cloud-Firewall/Announce-networks-behind-remote-peer-VPN-to-Virtual-Network/m-p/66404#M2586 <P>Hello Tommy</P><P>Thanks for your contact</P><P>Basically, We're configuring a Site to Site VPN with a Customer.&nbsp;</P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Site to Site VPN based VTIs</P><P>Peer Remote (Customer) ------------INTERNET --------------- Peer CheckPoint on AZURE&nbsp;</P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Enviroment Azure</P><P>Peer CheckPoint on AZURE --------------ER-------------- ON-Premises&nbsp;</P><P>&nbsp;</P><P>Network Remote Peer: 10.236.150.128/29&nbsp;</P><P>Network Peer CheckPoint on Azure: 10.236.1.0/24</P><P>Network ON Premises: 10.0.0.0/8&nbsp;</P><P>The flow of Traffic: Bidirectional between 10.236.150.128/29 (remote peer network) and 10.0.0.0/8 (OnPremises network)&nbsp;</P><P>&nbsp;</P><P>Yes, This traffic has to go across the Express Route, We need to announce these VPNs networks so that Virtual Gateway.&nbsp;&nbsp;</P><P>Thank you so much</P><P>&nbsp;</P><P>Everest</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 01 Nov 2019 18:36:54 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Announce-networks-behind-remote-peer-VPN-to-Virtual-Network/m-p/66404#M2586 Everest_Aponte 2019-11-01T18:36:54Z https://community.checkpoint.com/t5/Cloud-Firewall/Announce-networks-behind-remote-peer-VPN-to-Virtual-Network/m-p/66468#M2587 <P>Hi <SPAN>Everest,</SPAN></P><P><SPAN>I am not sure if this is working and I can not test it in my Azure environment as I do not have a ER running, but may be it´s worth trying:</SPAN></P><P>You could add the&nbsp;<SPAN>remote peer network as additional Address space on the VNET, where your Checkpoint GW is&nbsp; deployed:</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Unbenannt.png" style="width: 482px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/2941iBB18A8FBE9C711AC/image-dimensions/482x300?v=v2" width="482" height="300" role="button" title="Unbenannt.png" alt="Unbenannt.png" /></span></P><P><SPAN>This should cause BGP to propagate that network to OnPrem.</SPAN></P><P><SPAN>In addition you may have to modify your UDRs, so that the&nbsp;remote peer network is actually routed to the Checkpoint GW (you should already have such UDRs I guess)</SPAN></P><P>&nbsp;</P><P><SPAN>Matthias</SPAN></P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> Mon, 04 Nov 2019 07:26:10 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Announce-networks-behind-remote-peer-VPN-to-Virtual-Network/m-p/66468#M2587 Matthias_Haas 2019-11-04T07:26:10Z