https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-and-routebased-VPN-Azure/m-p/181902#M33292 <P>The first problem was solved by changing the alias of the vpnt interfaces. The alias of the interface needs to be exactly the same as the name of the interopable device object where this interface will be used for.&nbsp;</P><P>The second problem is solved by using NAT with the correct vpnt interfaces.</P> Wed, 24 May 2023 12:04:04 GMT Wesley_van_der_ 2023-05-24T12:04:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-and-routebased-VPN-Azure/m-p/180636#M33017 <P>Hi,</P><P>&nbsp;</P><P>A nice new feature in VSX R81 is that we can create vpnt interfaces on a virtual firewall, using vsx_provisioning_tool on the SMS/MDS. We have a VSX setup with SMS, running both on R81.10 with JHF take 87.&nbsp;</P><P>We want to setup a new S2S VPN (routebased) with Azure. I managed to do that using&nbsp;sk176249.&nbsp;</P><P>Now the tunnel is up (phase 1 and 2) and BGP traffic from azure arives at our firewall. We will use BGP over the tunnel and now I am facing 2 different issues causing the BGP peer in active state instead of&nbsp;established.</P><P><STRONG>1) BGP traffic from azure arives at our firewall, but is dropped with the reason "According to the policy the packet should not have been decrypted"</STRONG></P><P>Normally with a policy based VPN, the VPN domains is the first thing I look at. But now we do use routed based and I have configured empty VPN domains as mentoined in the sk.&nbsp;</P><P>There is a route for the BGP peer in Azure (connected to vpnt interface).&nbsp;</P><P><STRONG>2) BGP traffic initiated from our firewall, uses a funny ip as its source ip.</STRONG></P><P>This traffic was first dropped ofcourse on our firewall since the rule I created uses the expected source ip. I tried to accept the traffic and use source NAT for this specifc traffic. Now the traffic is accepted, but not encrypted and routed over the tunnel.&nbsp;</P><P>&nbsp;</P><P>Any tips to troubleshoot any further are welcome.&nbsp;</P> Thu, 11 May 2023 14:28:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-and-routebased-VPN-Azure/m-p/180636#M33017 Wesley_van_der_ 2023-05-11T14:28:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-and-routebased-VPN-Azure/m-p/180666#M33025 <P>Are you using a configuration similar to:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk176249" target="_blank">https://support.checkpoint.com/results/sk/sk176249</A>&nbsp;?</P> Thu, 11 May 2023 19:31:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-and-routebased-VPN-Azure/m-p/180666#M33025 PhoneBoy 2023-05-11T19:31:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-and-routebased-VPN-Azure/m-p/180862#M33066 <P>Yes. I used the sk to configure the VPN.</P> Mon, 15 May 2023 06:39:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-and-routebased-VPN-Azure/m-p/180862#M33066 Wesley_van_der_ 2023-05-15T06:39:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-and-routebased-VPN-Azure/m-p/180991#M33109 <P>Recommend a TAC case here to investigate: <A href="https://help.checkpoint.com" target="_blank">https://help.checkpoint.com</A></P> Mon, 15 May 2023 21:34:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-and-routebased-VPN-Azure/m-p/180991#M33109 PhoneBoy 2023-05-15T21:34:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-and-routebased-VPN-Azure/m-p/181902#M33292 <P>The first problem was solved by changing the alias of the vpnt interfaces. The alias of the interface needs to be exactly the same as the name of the interopable device object where this interface will be used for.&nbsp;</P><P>The second problem is solved by using NAT with the correct vpnt interfaces.</P> Wed, 24 May 2023 12:04:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-and-routebased-VPN-Azure/m-p/181902#M33292 Wesley_van_der_ 2023-05-24T12:04:04Z