https://community.checkpoint.com/t5/Firewall-and-Security-Management/Redundant-IPSEC-VPN-with-Azure/m-p/216629#M41275 <P>Official documentation:</P> <UL> <LI><A href="https://support.checkpoint.com/results/sk/sk176249" target="_blank">https://support.checkpoint.com/results/sk/sk176249</A>&nbsp;</LI> <LI><A href="https://support.checkpoint.com/results/sk/sk101275" target="_blank">https://support.checkpoint.com/results/sk/sk101275</A></LI> </UL> <P>Without VTIs, you'd probably have to configure MEP with DPD using instructions similar to sk101275.<BR />See:&nbsp;<A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SitetoSiteVPN_AdminGuide/Content/Topics-VPNSG/MEP.htm" target="_blank" rel="noopener"><SPAN>R81.20 Site to Site VPN Administration Guide -&nbsp;<STRONG>Multiple</STRONG>&nbsp;<STRONG>Entry</STRONG>&nbsp;<STRONG>Point</STRONG>&nbsp;(<STRONG>MEP</STRONG>) VPNs</SPAN></A><BR />How well that will work is a separate question.</P> Thu, 06 Jun 2024 01:35:52 GMT PhoneBoy 2024-06-06T01:35:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Redundant-IPSEC-VPN-with-Azure/m-p/216388#M41238 <P>I'm looking to setup an IPSEC VPN to Azure, and make use of both of the VPN endpoints in Azure. My security platform is:</P><P>Gateway is: Quantum Security Cluster of 2 units (81.10)</P><P>What are my options here? Is VTI with BGP the only option or is there a more simple way to achieve this?&nbsp;</P><P>I found this document below which is pretty good but I need to know how this will work with a cluster. I'm guessing the VTI tunnels will need some special config because they will need to be created on each member of the cluster?</P><P><A href="https://community.checkpoint.com/t5/Security-Gateways/BGP-peer-Throught-IPSEC-tunnel/td-p/177032" target="_blank">https://community.checkpoint.com/t5/Security-Gateways/BGP-peer-Throught-IPSEC-tunnel/td-p/177032</A></P><P>If someone has a guide like above but for a cluster, that would be appreciated. Or if there is a more simple way to achieve this (e.g. multiple IPs in the VPN config, but I think this only works for CP to CP)</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 04 Jun 2024 14:29:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Redundant-IPSEC-VPN-with-Azure/m-p/216388#M41238 velo 2024-06-04T14:29:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Redundant-IPSEC-VPN-with-Azure/m-p/216629#M41275 <P>Official documentation:</P> <UL> <LI><A href="https://support.checkpoint.com/results/sk/sk176249" target="_blank">https://support.checkpoint.com/results/sk/sk176249</A>&nbsp;</LI> <LI><A href="https://support.checkpoint.com/results/sk/sk101275" target="_blank">https://support.checkpoint.com/results/sk/sk101275</A></LI> </UL> <P>Without VTIs, you'd probably have to configure MEP with DPD using instructions similar to sk101275.<BR />See:&nbsp;<A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SitetoSiteVPN_AdminGuide/Content/Topics-VPNSG/MEP.htm" target="_blank" rel="noopener"><SPAN>R81.20 Site to Site VPN Administration Guide -&nbsp;<STRONG>Multiple</STRONG>&nbsp;<STRONG>Entry</STRONG>&nbsp;<STRONG>Point</STRONG>&nbsp;(<STRONG>MEP</STRONG>) VPNs</SPAN></A><BR />How well that will work is a separate question.</P> Thu, 06 Jun 2024 01:35:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Redundant-IPSEC-VPN-with-Azure/m-p/216629#M41275 PhoneBoy 2024-06-06T01:35:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Redundant-IPSEC-VPN-with-Azure/m-p/216664#M41280 <P>Thank you. It's a nice document but unfortunately doesn't answer my main question. For the tunnel interface section, are you supposed to create those interfaces on both members of the cluster? It doesn't say. Some of the sections of config, e.g. route-map etc it says to do it on FW1 and FW2. But for the VTI section it doesn't tell say.</P><P>Thanks</P> Thu, 06 Jun 2024 07:27:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Redundant-IPSEC-VPN-with-Azure/m-p/216664#M41280 velo 2024-06-06T07:27:23Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Redundant-IPSEC-VPN-with-Azure/m-p/216672#M41281 <P>hi Velo,</P> <P>Yes the VTIs need to be configured on both cluster members in Gaia as well as in the topology of the cluster object.</P> <P>Make sure the destination matches EXACTLY the object name used in SmartDashboard for the Azure IP(s)&nbsp;</P> Thu, 06 Jun 2024 08:35:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Redundant-IPSEC-VPN-with-Azure/m-p/216672#M41281 Peter_Lyndley 2024-06-06T08:35:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Redundant-IPSEC-VPN-with-Azure/m-p/221570#M42427 <P>it won´t let me use the same local address for both virtual tunnel interface 1 and 2.</P><TABLE><TBODY><TR><TD>add vpn tunnel 1 type numbered local 100.64.220.1 remote 10.250.0.12 peer vwan01&nbsp;<BR />add vpn tunnel 2 type numbered local 100.64.220.1 remote 10.250.0.13 peer vwan02</TD></TR></TBODY></TABLE> Mon, 22 Jul 2024 13:48:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Redundant-IPSEC-VPN-with-Azure/m-p/221570#M42427 Martin_Schagerl 2024-07-22T13:48:23Z