topic Re: Azure Site-to-Site VPn fail in Firewall and Security Management

Azure Site-to-Site VPn fail

Sagar_Manandhar — Mon, 04 Dec 2017 04:58:42 GMT

Hi,

I have been trying to establish the IP sec vpn with Azure site. I have followed the sk101275 for the same but was not able to establish the VPN. Does anybody successfully done it and it would be great if the configuration can be shared.

Regards,

Sagar Manandhar

Re: Azure Site-to-Site VPn fail

PhoneBoy — Tue, 05 Dec 2017 05:55:03 GMT

I'd start with basic troubleshooting, as described here: VPN Site-to-Site with 3rd party

Note that most of this is generic to "third parties" (i.e. not a Check Point gateway you control) and should also apply to Azure.

Re: Azure Site-to-Site VPn fail

Sagar_Manandhar — Tue, 23 Jan 2018 04:14:08 GMT

hi,

we have finally configure the VPN. we got to know that the parameter given in the checkpoint doc for Azure VPN is outdated and we have replace it with the new parameter given by the azure team and now its working fine

Re: Azure Site-to-Site VPn fail

PhoneBoy — Tue, 23 Jan 2018 06:04:10 GMT

So that we can update our docs, can you share what the incorrect parameters are and what we should replace them with?

Re: Azure Site-to-Site VPn fail

Sagar_Manandhar — Tue, 23 Jan 2018 06:50:16 GMT

Change MTU of interface: 1350 (1500 default)
Encryption Method: IKEv2 only
Custom Encryption suite:
IKE Security Association (Phase 1)
-Encryption Algorithm: AES-256
-Data Integrity: SHA1
-Diffie-Hellman group : Group 2 (1024bit)

IKE Security Association (Phase 2)
-Encryption Algorithm: AES-256
-Data Integrity: SHA1

VPN Tunnel Sharing
-Select One VPN Tunnel per Gateway Pair

IKE(phase1)
-Renegotiate IKE security associations every (min): 480
IPsec(phase2)
-Renegotiate IPsec security associations every(sec):27000

Re: Azure Site-to-Site VPn fail

Igor_Roytman — Mon, 06 Aug 2018 08:09:36 GMT

Sagar Manandhar‌ can you please elaborate what was incorrect in the SK that caused VPN not work, so we will update the SK? I see different SA lifetimes, it should not cause issue to establish the tunnel.. Of course still SK should be updated, but I wonder if there are some other parameters to be fixed..
Thank you in advance!

Re: Azure Site-to-Site VPn fail

Amir_Rehman — Wed, 03 Apr 2019 19:15:18 GMT

Did you anyone figure out what parameters are outdated ?

Re: Azure Site-to-Site VPn fail

Gaurav_Pandya — Thu, 04 Apr 2019 10:44:33 GMT

We have also established tunnel checkpoint gateway to AWS successfully but it sometimes disconnect the connection and we have to reset the tunnel every time to establish flow again.

Re: Azure Site-to-Site VPn fail

Henrique_Sauer_ — Sun, 13 Oct 2019 14:41:46 GMT

It worked for me!

Thanks dude

Re: Azure Site-to-Site VPn fail

John_Richards — Mon, 09 May 2022 14:45:03 GMT

Can someone please post what the settings should be or a link to the documentation for a Check Point site-to-site VPN between a on-prem cluster to a single to Azure GW? I have have a TAC case open and even they are having trouble. We use Smart-1 to manage both GW's and I suspect that may be causing the issue.

Re: Azure Site-to-Site VPn fail

fllangari — Fri, 23 Sep 2022 00:34:09 GMT

Hi John

Do you were successful in being able to create the vpn between the 2 checkpoint fw, managed by the same management.?

In one case, with TAC apply the sk21156, where disable the CRL.

Best regards

Re: Azure Site-to-Site VPn fail

John_Richards — Fri, 23 Sep 2022 15:32:48 GMT

I believe it came down to the settings in the topology for the MAAS tunnel on the GW. Once we corrected the topo the tunnel worked.