topic Re: Azure VPN with BGP (ClusterXL and 2 VPN Tunnels) in Firewall and Security Management

Azure VPN with BGP (ClusterXL and 2 VPN Tunnels)

Rafal_N — Mon, 15 Jul 2024 10:14:27 GMT

Hi Community,

Can sombody help with ClusterXL, BGP VPN tunnel to Azure configuration.

I try to follow sk176249 guide but there is strange thing in configuroration about Cluster HA and two interfaces vpnt.

Interface vpnt1 and vpnt2 use that same virtual address (10.250.0.1) is it normal and should I configure it like this:

I get confused because below is something different in routing cli and it looks like vpnt1 and vpnt2 has diffrent VIP configured:

Could you someone help me and specify what ip should be define where:

router-id: a.a.a.a

fw01 vpnt1: b.b.b.b fw02 vpnt1: d.d.d.d VIP vpnt1: f.f.f.f

fw01 vpnt2: c.c.c.c fw02 vpnt2: e.e.e.e VIP vpnt2: g.g.g.g

Maybe someone know is there in CheckPoint BGP configuration like in cisco update-source:

interface Loopback 11
ip address 100.64.200.1 255.255.255.255
exit

router bgp 65521
bgp log-neighbor-changes
neighbor 10.250.0.12 remote-as 65515
neighbor 10.250.0.12 ebgp-multihop 255
neighbor 10.250.0.12 update-source loopback 11

neighbor 10.250.0.13 remote-as 65515
neighbor 10.250.0.13 ebgp-multihop 255
neighbor 10.250.0.13 update-source loopback 11

I'll be grateful for any clarification.

Re: Azure VPN with BGP (ClusterXL and 2 VPN Tunnels)

the_rock — Mon, 15 Jul 2024 13:13:09 GMT

Wait, that does not make sense...how can they be using same IP address? If VTI us numbered, then you assign the IP yourself and if its UNNUMBERED, then you can "tie" it to any given interface, so say if its tied to eth0, then it will have exact same IP as that interface, which is totally fine.

I always found that when it comes to BGP, you should be using unnumbered vti's.

Andy

Re: Azure VPN with BGP (ClusterXL and 2 VPN Tunnels)

Rafal_N — Mon, 15 Jul 2024 14:40:59 GMT

Thanks, Andy. I will try that as it is in the deployment phase. However, all SK guides and Azure download configurations mention something about VTI IP addresses.

What is your practice? Do you configure Unnumbered VTI based on a loopback interface, or do you connect to an external interface and use it as the peer in Azure?

Any other thoughts? Has anyone followed this guide with clustering and HA successfully?

Re: Azure VPN with BGP (ClusterXL and 2 VPN Tunnels)

the_rock — Mon, 15 Jul 2024 14:45:12 GMT

I never followed any guides for it. I just discovered it by doing extensive testing with my colleague and we got it working with VPN tunnel from CP cluster to Azure (route based) and BGP (using unnumbered VTIs)

Andy

Re: Azure VPN with BGP (ClusterXL and 2 VPN Tunnels)

the_rock — Mon, 15 Jul 2024 14:47:44 GMT

See if below helps, if not, we can do remote later if free (and allowed to)

Andy

https://community.checkpoint.com/t5/Security-Gateways/Route-Based-VPN-with-Static-Rouing/m-p/205256/emcs_t/S2h8ZW1haWx8dG9waWNfc3Vic2NyaXB0aW9ufExTQjZMWFlNTFBRMlBBfDIwNTI1NnxTVUJTQ1JJUFRJT05TfGhL#M38713

Re: Azure VPN with BGP (ClusterXL and 2 VPN Tunnels)

Rafal_N — Tue, 16 Jul 2024 13:30:43 GMT

How it's deal with asymetric routing?? Does it bother if we send traffic vpnt1 and recived vpnt2?? Or do we should not care about that as far as it connected to external Interface?

fw monitor:

Outgoing traffic:

[vs_0][fw_2] eth2:I[44]: onprem.ip -> azure.ip (ICMP) len=60 id=53255 ICMP: type=8 code=0 echo request id=1 seq=5699
[vs_0][fw_2] vpnt1:o[44]: onprem.ip -> azure.ip (ICMP) len=60 id=53255 ICMP: type=8 code=0 echo request id=1 seq=5699
[vs_0][fw_2] vpnt1:O[44]: onprem.ip -> azure.ip (ICMP) len=60 id=53255 ICMP: type=8 code=0 echo request id=1 seq=5699
[vs_0][fw_2] vpnt1:Oe[44]: onprem.ip -> azure.ip (ICMP) len=60 id=53255 ICMP: type=8 code=0 echo request id=1 seq=5699

Incomming traffic:

[vs_0][fw_2] eth1:i[44]: azure.ip -> onprem.ip (ICMP) len=60 id=37463 ICMP: type=0 code=0 echo reply id=1 seq=5699
[vs_0][fw_2] vpnt2:I[44]: azure.ip -> onprem.ip (ICMP) len=60 id=37463 ICMP: type=0 code=0 echo reply id=1 seq=5699
[vs_0][fw_2] eth2:o[44]: azure.ip -> onprem.ip (ICMP) len=60 id=37463 ICMP: type=0 code=0 echo reply id=1 seq=5699
[vs_0][fw_2] eth2:O[44]: azure.ip -> onprem.ip (ICMP) len=60 id=37463 ICMP: type=0 code=0 echo reply id=1 seq=5699

I was trying to force Azure infrastructure to use as_path to choose prefered path but still without success and stil fighting with that using sk103047 and

(IV-3) Configuration of BGP AS PATH Prepend

Any practice with that?

Re: Azure VPN with BGP (ClusterXL and 2 VPN Tunnels)

the_rock — Tue, 16 Jul 2024 13:32:35 GMT

You need to make sure routes are correct, that is the KEY here. So say Azure side is 10.20.30.0/24, just make a route that say if thats destination, send through appropriate VTI,

Dont worry about that unnumbered vti config, make sure that anti spoofing is DISABLED, thats important.

Lets do remote if you are not clear.

Andy

Re: Azure VPN with BGP (ClusterXL and 2 VPN Tunnels)

Rafal_N — Thu, 18 Jul 2024 06:47:47 GMT

Still trying to get deep understanding in Azure VPN with BGP.

Can anyone confirm whether in the topology that Microsoft calls "Active-active VPN gateways" we can steer which VPN tunnel is utilized using AS PATH? Or is it by definition active/active, meaning we can't avoid utilizing both tunnels simultaneously and probably we have to deal with asymetric routing?

MS article about different topologies:

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#activeactiveonprem

My findings:

Because the Azure gateway instances are in active-active configuration, the traffic from your Azure virtual network to your on-premises network will be routed through both tunnels simultaneously, even if your on-premises VPN device might favor one tunnel over the other.

However, according to the Microsoft FAQ about BGP:

Yes, Azure VPN gateway honors AS Path prepending to help make routing decisions when BGP is enabled. A shorter AS Path is preferred in BGP path selection.

Re: Azure VPN with BGP (ClusterXL and 2 VPN Tunnels)

CheckPointerXL — Mon, 22 Jul 2024 21:40:48 GMT

In my experience, vpnt are different and routemap with local preference and as-path-prepend, to force egress and ingress traffic accordly, are your friend to avoid asimmetric routing

No experience with sk you provided

Re: Azure VPN with BGP (ClusterXL and 2 VPN Tunnels)

the_rock — Tue, 23 Jul 2024 11:20:08 GMT

Agree 100%