topic Re: VPN between on-premise cluster and Azure using VTI in Firewall and Security Management

VPN between on-premise cluster and Azure using VTI

khodgson_bts — Thu, 05 Dec 2024 15:52:16 GMT

Evening all. I'm hopeful that someone can help me with this.

In the past I have successfully managed to set up a route-based VPN between a physical Check Point cluster and an AWS VPC by following the steps in sk100726, no problems there at all. Now I'm looking to configure something similar to an Azure Virtual Gateway using VTIs, but I'm struggling to find any reference documentation or process like the AWS one.

I've been playing around with it all day and I can't see a way to make it work, and I'm starting to wonder if it even is possible at all. I've looked at sk101275 but I don't think it really applies to what I'm trying to achieve.

Has anyone successfully done this, and if so, how? What other options are there for creating an IPSEC VPN to Azure with a primary/backup configuration? BGP is not really an option in this scenario.

Thanks.

Re: VPN between on-premise cluster and Azure using VTI

Alex- — Thu, 05 Dec 2024 16:07:59 GMT

The Azure VWAN guide is very good, we used it for route-based VPN to Azure VPN gateways and it worked straight away.

Re: VPN between on-premise cluster and Azure using VTI

khodgson_bts — Thu, 05 Dec 2024 16:10:12 GMT

That seems to require BGP to work though. Have you done it without BGP? What IP's do you assign to the VTI's?

Re: VPN between on-premise cluster and Azure using VTI

the_rock — Thu, 05 Dec 2024 16:36:13 GMT

See if below posts I made and responded to help. If not, message me, I have done this few times.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emcs_t/S2h8ZW1haWx8dG9waWNfc3Vic2NyaXB0aW9ufExTTjlYV1FXMUlGQVNMfDIwNjE3OXxTVUJTQ1JJUFRJT05TfGhL#M38950

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-failover-issue/m-p/155553#M26519

Re: VPN between on-premise cluster and Azure using VTI

khodgson_bts — Thu, 05 Dec 2024 16:44:08 GMT

That looks very promising, thank you. I'll give it go.

Re: VPN between on-premise cluster and Azure using VTI

the_rock — Thu, 05 Dec 2024 16:45:34 GMT

Sounds good!

Re: VPN between on-premise cluster and Azure using VTI

the_rock — Thu, 05 Dec 2024 17:42:10 GMT

By the way, since you mentioned BGP, I always found the ONLY way to make BGP work through the route based tunnel is to use UNNUMBERED VTIs, meaning it will "piggyback off" the main interface and when you configure it, it will have exact same IP in topology, but nothing to be alarmed about, its 100% normal.

Andy

Re: VPN between on-premise cluster and Azure using VTI

the_rock — Thu, 05 Dec 2024 18:17:22 GMT

I attached doc file with 3 screenshots I took, hope that also helps. Anyway, message me directly if you are not clear and we can do remote.

Andy

Re: VPN between on-premise cluster and Azure using VTI

khodgson_bts — Fri, 06 Dec 2024 09:13:33 GMT

That's good to know. In this case I'm specifically looking to not use BGP. I'll let you know how I get on.

Re: VPN between on-premise cluster and Azure using VTI

khodgson_bts — Fri, 06 Dec 2024 11:09:23 GMT

This was very useful; I've managed to get it working. It's really not that different from the AWS process.

Thank you!

Re: VPN between on-premise cluster and Azure using VTI

the_rock — Fri, 06 Dec 2024 12:33:34 GMT

Of course, glad we can help. Yes, for regular route based, you can use either numbered or unnumbered, but I find using unnumbered is better, as you simply use vti to route the traffic when you create new routes and no need to be setting up new IPs. But again, works either way 🙂

Glad you got it going.

Andy