topic Re: Route-based VPN with Azure - BGP problem in Firewall and Security Management

Route-based VPN with Azure - BGP problem

abihsot__ — Thu, 29 Sep 2022 07:13:23 GMT

Hello,

Gateway R80.40

I am setting up route based (VTI) site to site VPN tunnel between on-premise and Azure. VPN tunnel is up, however bgp traffic from Azure does not seem to pass VPN blade correctly. The opposite direction works fine

VPN tunnel as per instructions, empty group in topology.

Now I am not too sure about VPN column in the policy. I might "borrowed" directional match configuration from aws, but I can't find any document to confirm what should I put in VPN column for Azure.

Internal_clear > AWS VPN community
AWS VPN community > AWS VPN community
AWS VPN community > Internal_clear

Re: Route-based VPN with Azure - BGP problem

G_W_Albrecht — Thu, 29 Sep 2022 10:42:28 GMT

Ask CP TAC how to resolve that !

Re: Route-based VPN with Azure - BGP problem

abihsot__ — Thu, 29 Sep 2022 11:55:13 GMT

Thanks for your time!

What is the purpose of this forum then if all questions should be directed to TAC?

Re: Route-based VPN with Azure - BGP problem

G_W_Albrecht — Thu, 29 Sep 2022 13:01:34 GMT

To discuss issues and versions as well as answering questions is the purpose of this forum - but you seem not to have an academical question but a big issue in production that should be resolved quickly, therefore i have suggested to contact TAC instead of waiting for a miracle from CheckMates (as you give no details of the VTI config that would be important here...)...

CheckMates is not an alternative for TAC but a low-level discussion group also containing technical suggestions.

Re: Route-based VPN with Azure - BGP problem

abihsot__ — Thu, 29 Sep 2022 14:57:07 GMT

Not sure where you get the idea of "big issue in production"?

I started my post with "I am setting up ...", which would indicate a completely new configuration. I was not able to find complete instruction in Checkpoint documentation which led to interpretation of some settings and I ran out of options to test, hence this post. I could also go to TAC, but I thought this is also the right place to discuss.

What exactly you would like to know about VTI config? My understanding is that VPN tunnel is up, VTI config is fine too, because I can receive and send traffic based on the log, however one direction is not processed by correct firewall rule and therefore dropped.

Re: Route-based VPN with Azure - BGP problem

abihsot__ — Thu, 29 Sep 2022 15:07:38 GMT

As a side note, in my opinion Checkmates is in some sense an alternative to TAC. It is I believe funded by Checkpoint, there are representatives from the company too, and it is just another channel for Checkpoint to help out customers. If you think I am non-paying customer you are very wrong. If I can resolve a problem with the help of community this is saved money/time for TAC so everyone is happy.

Re: Route-based VPN with Azure - BGP problem

_Val_ — Thu, 29 Sep 2022 15:44:42 GMT

Just to clarify, CheckMates is owned and run by Check Point. We are quite happy to hear you want to ask the community before going to the official support channels. I agree it helps everyone if we all share the issue resolution here.

That said, @abihsot__ If you have to open a ticket with TAC for this, do not forget to share the actual resolution with us.

@G_W_Albrecht both academic questions and huge production issue questions are welcome in the community. We are all friends and colleagues here, please do not forget that.

Re: Route-based VPN with Azure - BGP problem

nickdegroot — Fri, 30 Sep 2022 11:54:35 GMT

I had this issue in AWS exactly the same.

In AWS the "encryption domain" was setup with a specific subnet ( lets say: 10.10.10.0/24 ) instead of 0.0.0.0/0 , so the BGP peers (169.254.1.1) traffic is not correctly encrypted from the AWS site.

This looks like the same issue on your config , because traffic to azure gets encrypted correctly

Re: Route-based VPN with Azure - BGP problem

the_rock — Fri, 30 Sep 2022 12:46:28 GMT

@abihsot__ ...do you see any drops on the CP firewall if filtering for BGP? For example -> fw ctl zdebug + drop | grep ":179"...if you run that command, it should give you something if its dropped.

Andy

Re: Route-based VPN with Azure - BGP problem

Colin_Campbell1 — Sat, 01 Oct 2022 00:47:54 GMT

Hi,

The Gaia Admin Guide contains a section on setting up VTIs for route based VPNs and states (paraphrased):

Directional matching is necessary for Route Based VPN when a VPN community is included in the VPN
column in the rule. This is because without bi-directional matching, the rule only applies to
connections between a community and an encryption domain (Domain Based Routing).

The directional rule must contain these directional matching conditions:

Community > Community
Community > Internal_Clear
Internal_Clear > Community

Notes:

Internal_Clear refers to all traffic from IP addresses to and from the specified VPN community.
It is not necessary to define bidirectional matching rules if the VPN column contains the value Any.

So, to answer your question, the VPN column needs to have the three matching conditions specified above replacing "Community" with the name of your community.

Colin