Route based VPN tunnel to Azure

the_rock — Thu, 15 Feb 2024 13:49:40 GMT

Hey guys,

Since I had seen lots of posts about this, figured would post couple of docs I created in hopes it helps others who may have issues with it. It has screenshots and also a text file with how you would set up things on Azure side and the word doc is for CP end. Im fairly experienced in this, as I had done lots of testing in the lab for this kind of config.

If any questions, as always, be free to reach out directly, I always respond to everyone.

Best and happy weekend!

Woohooo, weekend 🙂

Andy

Re: Route based VPN tunnel to Azure

nkfs — Thu, 04 Sep 2025 06:57:22 GMT

Hi,
Is it possible to re-upload the azure part (the txt) it seems I'm not able to see that part

Thank you for your work!

Re: Route based VPN tunnel to Azure

the_rock — Thu, 04 Sep 2025 13:58:41 GMT

There you go 🙂

Andy

*************

VPN CONFIG EXAMPLE:

Steps to build the route based VPN tunnel

Azure portal:

Create new VNG

SK Basic (100 Mbps Limit)

Route Based

No BGP/Active to Active (because basic SK)

New Resource Group

New VNET

10.0.0.0/16

New Public IP

VIP = x.x.x.x

New Local Network Gateway (This is a reference object for the Checkpoint Cluster/Lab Checkpoint)
DEVCheckpoint

IP address: x.x.x.x

Address space: 172.16.10.0/24, x.x.x.x/x, 192.168.10.0/24 (Must include internal/local subnets and the external WAN facing subnets)

Click , click Add Connection

Type: Site to Site

PSK Pleasework1!

IKEv2

Click the connection

Download Config (Cisco > IOS > IKEv2)

Verify Default Settings/VTI IPs

IKE aes-cbc-256, sha1, DH 2, SA lifetime 3600S

IPSec esp-aes 256, esp-sha256-hmac, SA lifetime 3600s, SA lifetime 102400000 KB

Configure an APIPA (169.254.x.x) address that does NOT overlap with any

! other address on this device. This is not visible from the Azure gateway.

Local on Checkpoint Side VTI IP 169.254.0.1/32

Remote (Azure) 169.254.0.2/32

If there is another tunnel use DIFFERENT IPs that DO NOT OVERLAP WITH PREVIOUS RouteBASED TUNNEL

-------

Access to Lab Checkpoint

SmartConsole x.x.x.x

SmartConsole Settings

Global Properties > VPN > Advanced > Enable VPN Directional Match

Add Interoperable Object for Azure GW with configured VIP

"AzureLabGW"
Topology > VPN Domain > Add an Empty Group

Publish & Install

Go to Gaia WebUi (172.16.10.189:4434)

Network Interface

Add VPN-Tunnel

vpnt1

Peer Name should be EXACT SAME AS INTEROPERABLE DEVICE NAME

Local IP 169.254.0.5 (Not used anywhere else)

Remote IP 169.254.0.6 (Not used anywhere else)

Add Static Route

Local IP/Subnet of Azure GW (Virtual Network = 10.0.0.0/16)

Gateway (IP) of Remote IP from VTI configured previously (169.254.0.6)

Go back to SmartConsole

Open Gateway Object/Cluster

Network Management > Topology > Get Interfaces WITHOUT Topology

Make sure VTI interface shows up, may need to set up vip obj for vpnt tunnel in cluster (make sure no overlap)

Install Policy

Create a new VPN Community (Star Topology)

Ensure both gateways use an EMPTY group for domain

Encryption (IKEv2 Only)

AES256, SHA1, Group2

AES 256, SHA256

Tunnel Management

Set perm tunnels on all tunnels in the community

One tunnel per gateway pair

VPN Routing

To center only

SharedSecret

Pleasework1!

Advanced

IKE Phase 1 480 Min

IPSec Phase 2 27000 seconds

Disable NAT inside VPN Community

Policies

Source & Destination

- Local Subnets included in the Local Gateway Object Config/Applicable Subnets

- Remote (AzureNetwork 10.0.0.0/16)

- RServ (Radius Server used for testing)

VPN > Directional Match

Internal to Community

Community to Internal

Community to Community

Publish & Install

GUIDBEdit DPD Enabled (Tunnel Test Settings)

Reset Connection on Azure Side

MAY NOT BE NEEDED REFRESH AND CHECK IF CONNECTED

Test

Create VM LabUbuntu

VIP x.x.x.x

Private IP 10.0.0.4

Enable Rule to allow Pings & SSH traffic in

topic Route based VPN tunnel to Azure in Firewall and Security Management

Route based VPN tunnel to Azure

Re: Route based VPN tunnel to Azure

Re: Route based VPN tunnel to Azure