topic Re: Azure route based VPN in SASE and Remote Access

Azure route based VPN

Michael_Hightow — Tue, 02 Jul 2019 18:30:08 GMT

I'm new to Azure and trying to create a site to site VPN route based between it and my on prem cluster. I've already referenced sk101275 for the encryption parameters so I have that part down. Unfortunately this SK doesn't seem to cover all the pieces of the configuration required.

I'm now working on the VTI interfaces on the firewall. For each firewall I configured a new public external IP as local and specified the Azure VPN IP as the remote IP. Additionally I configured a new public external IP for the cluster interface.

So the basic network config looks like this:

Firewall 1 - Local IP = New public IP

Remote IP = Azure public IP

Peer = Azure

Firewall 2 - Local IP = New Public IP

Remote IP = Azure public IP

Peer = Azure

Cluster IP = New Public IP

Then I created an interoperable device using the same name as the peer for the VTI and the IP is the Azure Public IP. I've read where that has to match. I also created a VPN Community and followed sk101275 for parameters. Policy rules were created as well as an empty network object to represent the encryption domain.

So what I'm seeing is phase 1 come up and that's it.

I opened a ticket and was initially told to check routing. Since the VTI remote IP is pointing to the Azure public IP it's creating that a directly connected route via the VTI. The thought was the traffic isn't going out to the internet properly to establish the tunnel. I've read quite a few links on the site here but nothing has seemed to give me quite enough info on what I could be missing.

thanks...

Re: Azure route based VPN

PhoneBoy — Tue, 02 Jul 2019 23:44:49 GMT

What debugging have you done?
Usually, there's error messages that might give you a clue.
You may also need to do some detailed debug, start here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk34467

Re: Azure route based VPN

Michael_Hightow — Wed, 03 Jul 2019 16:46:55 GMT

I have done some debugging and see two-way traffic with both tcpdump and fw monitor. I definitely see phase 1 negotiated in the ikev2.xmll.

Support is pointing out a route on my firewall that points to the azure gateway via the vti interface. Since that route is created by creating the vti interface itself I'm not sure how you get around that. The support engineer was saying the traffic is returning over the vti interface and not taking the external interface path.

I don't think any static route setting would override this directly connected route. As a matter of fact I created one just to do it and it showed up as "i" or inactive in the show route all command.

So still looking around.

thank you