ibrown
Contributor

on prem to cloudguard Azure site to site vpn

Hello All,

 

I am trying to establish a test site-to-site VPN from my on-premise Check Point appliance (R81.20 3000 appliance) to my test CloudGuard instance in Azure (R81.20). I've tried it as a star and a mesh; neither works.

Following all the help I got yesterday on getting access to the objects behind the gateway, the vpn is still not playing ball.

I've got it configured as per my other s2s vpns, except I've set the link selection to a static nat address using the azure public ip, but whatever I try, it logs

 

[iked0 14027 4066955712]@cloudguardtestfw[8 Jan 17:24:26] GetEntryIsakmpObjectsHash: received ipaddr: xx.xx.xx.xx as key, found fwobj: GATEWAYNAME
[iked0 14027 4066955712]@cloudguardtestfw[8 Jan 17:24:26] fwipsechost_from_ipxaddr: calling GetEntryXIsakmpObjectsHash for xx.xx.xx.xx returned obj: 0x8d96f7c
[iked0 14027 4066955712]@cloudguardtestfw[8 Jan 17:24:26] GetEntryCommunityHashX: called before hash initialization, could be because this entity is not in a community
[iked0 14027 4066955712]@cloudguardtestfw[8 Jan 17:24:26] FindCommonCommunity: Did not find common community for GATEWAYNAME
[iked0 14027 4066955712]@cloudguardtestfw[8 Jan 17:24:26][ikev2] getConfiguredIkeVersion: could not find community for GATEWAYNAME.

 

which is odd - it's taking the policy ok, and resolves the gateway object names etc correctly so it's odd. A look at the checkpoint kb hasn't turned anything up for this version.

 

Any ideas gratefully received.

 

Thank you

Ian
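As an added example (not from the original post or from Check Point), a small parser for the iked debug lines quoted above: it pulls out which peer object the IP resolved to and which gateway the daemon could not place in a community, so the two can be compared. The line format is inferred from the five quoted lines only, which is an assumption.

```python
import re

# Line format inferred from the quoted iked debug output (an assumption):
# [<daemon> <pid> <tid>]@<host>[<timestamp>][<optional tag>] <Function>: <message>
LINE_RE = re.compile(
    r"^\[(?P<daemon>\S+) (?P<pid>\d+) (?P<tid>\d+)\]@(?P<host>[^\[]+)"
    r"\[(?P<stamp>[^\]]+)\](?:\[(?P<tag>[^\]]+)\])? ?(?P<func>\w+): (?P<msg>.*)$"
)

# Constructed sample input: the five lines quoted in the post above.
SAMPLE_LOG = [
    "[iked0 14027 4066955712]@cloudguardtestfw[8 Jan 17:24:26] GetEntryIsakmpObjectsHash: received ipaddr: xx.xx.xx.xx as key, found fwobj: GATEWAYNAME",
    "[iked0 14027 4066955712]@cloudguardtestfw[8 Jan 17:24:26] fwipsechost_from_ipxaddr: calling GetEntryXIsakmpObjectsHash for xx.xx.xx.xx returned obj: 0x8d96f7c",
    "[iked0 14027 4066955712]@cloudguardtestfw[8 Jan 17:24:26] GetEntryCommunityHashX: called before hash initialization, could be because this entity is not in a community",
    "[iked0 14027 4066955712]@cloudguardtestfw[8 Jan 17:24:26] FindCommonCommunity: Did not find common community for GATEWAYNAME",
    "[iked0 14027 4066955712]@cloudguardtestfw[8 Jan 17:24:26][ikev2] getConfiguredIkeVersion: could not find community for GATEWAYNAME.",
]

def parse_line(line):
    """Split one iked debug line into its fields (dict), or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def events(lines):
    """Parsed events only; lines in another format are skipped, not fatal."""
    return [ev for ev in map(parse_line, lines) if ev]

def resolved_peers(lines):
    """Peer IP -> firewall object name, from the GetEntryIsakmpObjectsHash lines."""
    peers = {}
    for ev in events(lines):
        if ev["func"] == "GetEntryIsakmpObjectsHash":
            m = re.search(r"received ipaddr: (\S+) as key, found fwobj: (\S+)", ev["msg"])
            if m:
                peers[m.group(1)] = m.group(2)
    return peers

def gateways_without_community(lines):
    """Gateway names the daemon could not place in any VPN community."""
    missing = set()
    for ev in events(lines):
        if ev["func"] == "FindCommonCommunity" and "Did not find common community for" in ev["msg"]:
            missing.add(ev["msg"].rsplit(" ", 1)[-1])
        elif ev["func"] == "getConfiguredIkeVersion" and "could not find community for" in ev["msg"]:
            missing.add(ev["msg"].rsplit(" ", 1)[-1].rstrip("."))
    return sorted(missing)

def diagnose(lines):
    """(gateway, peer_ip) pairs where the peer object resolved but sits in no community:
    a policy/community mismatch on the gateway, not a reachability problem."""
    by_name = {name: ip for ip, name in resolved_peers(lines).items()}
    return [(gw, by_name.get(gw)) for gw in gateways_without_community(lines)]
```

A non-empty result from `diagnose` means the peer's IP and object were identified correctly and the failure is in the community membership the installed policy carries, which is where to look before touching link selection or NAT.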

 

 

7 Replies
Lesley
Mentor

Are you using the link selection option on the gateway object itself or in the VPN community (the last one will not work)?

Also are both systems managed by the same mgmt? 

Lesley
Mentor

Extra SKs to check; I suspect they are not the issue, but they are worth checking:

https://support.checkpoint.com/results/sk/sk138012

https://support.checkpoint.com/results/sk/sk129112

https://support.checkpoint.com/results/sk/sk108975

 

the_rock
Legend
Legend

Is it failing on phase 1 or 2? I can't tell 100% based on those logs. If you run vpn tu and option 3 for IKE SAs, it would tell us if even phase 1 is completing.

See if below post I made helps you, as I pretty much listed all the steps needed to make this work using VTIs.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emc...

Mind you, this type of tunnel can also be domain based.

ibrown
Contributor

Hello,

Unfortunately I don't even get phase 1.

Your post is brilliant, but I am trying to do what I thought would be simple: CP and management on prem to CP CloudGuard in Azure, both managed by the on-prem management, so it's all configured from there. That's partly why I am surprised it doesn't work and thinks there isn't a community, given it's all pushed from management. The on-premise gateway I am using is a Quantum 3000 appliance which is already participating in some VPNs and has been for some time.

 

However, whilst writing this, I've spotted the problem, and I feel bad now. The policy deployed to the Azure CloudGuard has 'traditional mode VPN' selected. No wonder nothing worked.

 

Apologies for wasting people's time.

Thanks

Ian

the_rock
Legend
Legend

Don't look at it like that, Ian. We are always here to help, no matter what. Glad it's working, great job!

Andy

the_rock
Legend
Legend

Though this is always on by default now, if you ever have this issue again, just make sure the option below is ticked.

Andy

[Attachment: Screenshot_1.png]

ibrown
Contributor

Thank you. I suspect it is because the mgmt was built on R65 or earlier and has been upgraded and upgraded and upgraded to R81.20!
