https://community.checkpoint.com/t5/Cloud-Firewall/on-prem-to-cloudguard-Azure-site-to-site-vpn/m-p/238014#M5183 <P>Extra SK's to check but I suspect it is not the issue but worth to check</P> <P><A href="https://support.checkpoint.com/results/sk/sk138012" target="_blank">https://support.checkpoint.com/results/sk/sk138012</A></P> <P><A href="https://support.checkpoint.com/results/sk/sk129112" target="_blank">https://support.checkpoint.com/results/sk/sk129112</A></P> <P><A href="https://support.checkpoint.com/results/sk/sk108975" target="_blank">https://support.checkpoint.com/results/sk/sk108975</A></P> <P>&nbsp;</P> Wed, 08 Jan 2025 19:04:53 GMT Lesley 2025-01-08T19:04:53Z https://community.checkpoint.com/t5/Cloud-Firewall/on-prem-to-cloudguard-Azure-site-to-site-vpn/m-p/238007#M5181 <P>Hello All,</P><P>&nbsp;</P><P>I am trying to establish a test site-to-site vpn from my on premise checkpoint appliance (R81.20 3000 appliance) to my test cloudguard instance in azure (R81.20). I've tried it as a star and a mesh, neither work.</P><P>Following all the help I got yesterday on getting access to the objects behind the gateway, the vpn is still not playing ball.</P><P>I've got it configured as per my other s2s vpns, except I've set the link selection to a static nat address using the azure public ip, but whatever I try, it logs</P><P>&nbsp;</P><P>[iked0 14027 4066955712]@cloudguardtestfw[8 Jan 17:24:26] GetEntryIsakmpObjectsHash: received ipaddr: xx.xx.xx.xx as key, found fwobj: GATEWAYNAME<BR />[iked0 14027 4066955712]@cloudguardtestfw[8 Jan 17:24:26] fwipsechost_from_ipxaddr: calling GetEntryXIsakmpObjectsHash for xx.xx.xx.xx returned obj: 0x8d96f7c<BR />[iked0 14027 4066955712]@cloudguardtestfw[8 Jan 17:24:26] GetEntryCommunityHashX: called before hash initialization, could be because this entity is not in a community<BR />[iked0 14027 4066955712]@cloudguardtestfw[8 Jan 17:24:26] FindCommonCommunity: Did not find common community for GATEWAYNAME<BR />[iked0 14027 4066955712]@cloudguardtestfw[8 Jan 17:24:26][ikev2] getConfiguredIkeVersion: could not find community for GATEWAYNAME.</P><P>&nbsp;</P><P>which is odd - it's taking the policy ok, and resolves the gateway object names etc correctly so it's odd. A look at the checkpoint kb hasn't turned anything up for this version.</P><P>&nbsp;</P><P>Any ideas gratefully received.</P><P>&nbsp;</P><P>Thank you</P><P>Ian</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 08 Jan 2025 17:40:54 GMT https://community.checkpoint.com/t5/Cloud-Firewall/on-prem-to-cloudguard-Azure-site-to-site-vpn/m-p/238007#M5181 ibrown 2025-01-08T17:40:54Z https://community.checkpoint.com/t5/Cloud-Firewall/on-prem-to-cloudguard-Azure-site-to-site-vpn/m-p/238013#M5182 <P>Are you useing the link selection option on the gateway object itself or in the vpn community (last one will not work).</P> <P>Also are both systems managed by the same mgmt?&nbsp;</P> Wed, 08 Jan 2025 18:58:44 GMT https://community.checkpoint.com/t5/Cloud-Firewall/on-prem-to-cloudguard-Azure-site-to-site-vpn/m-p/238013#M5182 Lesley 2025-01-08T18:58:44Z https://community.checkpoint.com/t5/Cloud-Firewall/on-prem-to-cloudguard-Azure-site-to-site-vpn/m-p/238014#M5183 <P>Extra SK's to check but I suspect it is not the issue but worth to check</P> <P><A href="https://support.checkpoint.com/results/sk/sk138012" target="_blank">https://support.checkpoint.com/results/sk/sk138012</A></P> <P><A href="https://support.checkpoint.com/results/sk/sk129112" target="_blank">https://support.checkpoint.com/results/sk/sk129112</A></P> <P><A href="https://support.checkpoint.com/results/sk/sk108975" target="_blank">https://support.checkpoint.com/results/sk/sk108975</A></P> <P>&nbsp;</P> Wed, 08 Jan 2025 19:04:53 GMT https://community.checkpoint.com/t5/Cloud-Firewall/on-prem-to-cloudguard-Azure-site-to-site-vpn/m-p/238014#M5183 Lesley 2025-01-08T19:04:53Z https://community.checkpoint.com/t5/Cloud-Firewall/on-prem-to-cloudguard-Azure-site-to-site-vpn/m-p/238015#M5184 <P>is it failing on phase 1 or 2? I cant tell 100% based on those logs. If you run vpn tu and option 3 for ike SAs, it would tell us if even phase 1 is completing.</P> <P>See if below post I made helps you, as I pretty much listed all the steps needed to make this work using VTIs.</P> <P>Andy</P> <P><A href="https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emcs_t/S2h8ZW1haWx8dG9waWNfc3Vic2NyaXB0aW9ufExTTjlYV1FXMUlGQVNMfDIwNjE3OXxTVUJTQ1JJUFRJT05TfGhL#M38950" target="_blank">https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emcs_t/S2h8ZW1haWx8dG9waWNfc3Vic2NyaXB0aW9ufExTTjlYV1FXMUlGQVNMfDIwNjE3OXxTVUJTQ1JJUFRJT05TfGhL#M38950</A></P> <P>Mind you, this type of tunnel can also be domain based.</P> Wed, 08 Jan 2025 19:18:16 GMT https://community.checkpoint.com/t5/Cloud-Firewall/on-prem-to-cloudguard-Azure-site-to-site-vpn/m-p/238015#M5184 the_rock 2025-01-08T19:18:16Z https://community.checkpoint.com/t5/Cloud-Firewall/on-prem-to-cloudguard-Azure-site-to-site-vpn/m-p/238074#M5186 <P>Hello,</P><P>Unfortunately I don't even get phase 1.</P><P>Your post is brilliant, but I am trying to do what I thought would be simple. CP and management on prem to CP cloudguard in azure, both managed by the on prem management, so it's all configured from there. That's partly why I am surprised it doesn't work and&nbsp; thinks there isn't a community given it's all pushed from management. The on premise gateway I am using is a quantum 3000 appliance which is already participating in some VPNs and has been for some time.</P><P>&nbsp;</P><P>However, whilst writing this, I've spotted the problem.. and I feel bad now. The policy deployed to the Azure Cloudguard has 'traditional mode vpn' selected. No wonder nothing worked.</P><P>&nbsp;</P><P>Apologies for wasting people's time.</P><P>Thanks</P><P>Ian</P> Thu, 09 Jan 2025 10:47:32 GMT https://community.checkpoint.com/t5/Cloud-Firewall/on-prem-to-cloudguard-Azure-site-to-site-vpn/m-p/238074#M5186 ibrown 2025-01-09T10:47:32Z https://community.checkpoint.com/t5/Cloud-Firewall/on-prem-to-cloudguard-Azure-site-to-site-vpn/m-p/238077#M5187 <P>Dont look at it like that Ian. We are always here to help, no matter what. Glad its working, great job!</P> <P>Andy</P> Thu, 09 Jan 2025 12:08:50 GMT https://community.checkpoint.com/t5/Cloud-Firewall/on-prem-to-cloudguard-Azure-site-to-site-vpn/m-p/238077#M5187 the_rock 2025-01-09T12:08:50Z https://community.checkpoint.com/t5/Cloud-Firewall/on-prem-to-cloudguard-Azure-site-to-site-vpn/m-p/238082#M5188 <P>Though this is always now by default, if you ever have this issue again, just make sure below is ticked.</P> <P>Andy</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_1.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/29138i8DA3C158DAC88242/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot_1.png" alt="Screenshot_1.png" /></span></P> Thu, 09 Jan 2025 12:59:01 GMT https://community.checkpoint.com/t5/Cloud-Firewall/on-prem-to-cloudguard-Azure-site-to-site-vpn/m-p/238082#M5188 the_rock 2025-01-09T12:59:01Z https://community.checkpoint.com/t5/Cloud-Firewall/on-prem-to-cloudguard-Azure-site-to-site-vpn/m-p/238092#M5189 <P>Thank you, i suspect it is because the mgmt was built R65 or earlier and has been upgraded and upgraded and upgraded to R81.20 !</P> Thu, 09 Jan 2025 14:51:52 GMT https://community.checkpoint.com/t5/Cloud-Firewall/on-prem-to-cloudguard-Azure-site-to-site-vpn/m-p/238092#M5189 ibrown 2025-01-09T14:51:52Z