https://community.checkpoint.com/t5/Cloud-Firewall/Azure-S2S-vpn/m-p/178000#M329 <P>Hi,</P> <P>we don't use the LB for VPN at all , the LBs don't pass ESP traffic so it will never work.</P> <P>you need to configure it with the Cluster's VIP which attached to the ACTIVE member , like we do with any other regular deployments.</P> <P>check the Azure HA admin guide:</P> <P><A href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_IaaS_HighAvailability_for_Azure/Content/Topics-Azure-HA/Workflow-for-Setting-Up-a-High-Availability-Cluster-in-Azure.htm#Step_10__Configure_VPN" target="_blank">https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_IaaS_HighAvailability_for_Azure/Content/Topics-Azure-HA/Workflow-for-Setting-Up-a-High-Availability-Cluster-in-Azure.htm#Step_10__Configure_VPN</A></P> <P>&nbsp;</P> Thu, 13 Apr 2023 05:51:45 GMT Nir_Shamir 2023-04-13T05:51:45Z https://community.checkpoint.com/t5/Cloud-Firewall/Azure-S2S-vpn/m-p/177966#M326 <P>Hello Team,<BR /><BR />Have a question and apologies in advance if its not very precise.</P><P>Have deployed a cluster in Azure, classic cloudguard Iaas HA topology.</P><P>&nbsp;</P><P>everything seems to work fine when i dont nat anything behind the external VIP (private).</P><P>&nbsp;</P><P>Now the question is regarding VPN, do you usually need extra config on the load balancers or anywhere in azure to permit 500/4500/ESP towards the gateway from the load-balnacers public IP?<BR /><BR />As i dont seem to get anything except if there is a rule in the lB in azure for it.<BR /><BR />Hope its more or less clear.<BR /><BR /><BR />Thanks</P><P>Juan</P> Wed, 12 Apr 2023 16:22:46 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Azure-S2S-vpn/m-p/177966#M326 Machine_Head 2023-04-12T16:22:46Z https://community.checkpoint.com/t5/Cloud-Firewall/Azure-S2S-vpn/m-p/177975#M327 <P>I dont recall one of our customers having to do any extra config on load balancer end for this couple of years ago. We have pay as you go Azure subscription, so I can fire up a lab in it this week and verify for you. I know Azure is super limited when it comes to doing any sort of troubleshooting (certainly nothing like any major vendor's firewall).</P> Wed, 12 Apr 2023 17:19:25 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Azure-S2S-vpn/m-p/177975#M327 the_rock 2023-04-12T17:19:25Z https://community.checkpoint.com/t5/Cloud-Firewall/Azure-S2S-vpn/m-p/177977#M328 <P>I don't believe you can use Load Balancers with VPN (either Site-to-Site or Remote Access).<BR />That's suggested by:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk109360" target="_blank">https://support.checkpoint.com/results/sk/sk109360</A>&nbsp;<BR />You would need to set up an active/passive cluster pair for VPN.</P> Wed, 12 Apr 2023 17:27:48 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Azure-S2S-vpn/m-p/177977#M328 PhoneBoy 2023-04-12T17:27:48Z https://community.checkpoint.com/t5/Cloud-Firewall/Azure-S2S-vpn/m-p/178000#M329 <P>Hi,</P> <P>we don't use the LB for VPN at all , the LBs don't pass ESP traffic so it will never work.</P> <P>you need to configure it with the Cluster's VIP which attached to the ACTIVE member , like we do with any other regular deployments.</P> <P>check the Azure HA admin guide:</P> <P><A href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_IaaS_HighAvailability_for_Azure/Content/Topics-Azure-HA/Workflow-for-Setting-Up-a-High-Availability-Cluster-in-Azure.htm#Step_10__Configure_VPN" target="_blank">https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_IaaS_HighAvailability_for_Azure/Content/Topics-Azure-HA/Workflow-for-Setting-Up-a-High-Availability-Cluster-in-Azure.htm#Step_10__Configure_VPN</A></P> <P>&nbsp;</P> Thu, 13 Apr 2023 05:51:45 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Azure-S2S-vpn/m-p/178000#M329 Nir_Shamir 2023-04-13T05:51:45Z