Hi Community,
Can somebody help with a ClusterXL BGP VPN tunnel to Azure configuration?
I am trying to follow the sk176249 guide, but there is a strange thing in the configuration about cluster HA and the two vpnt interfaces.
Interfaces vpnt1 and vpnt2 use the same virtual address (10.250.0.1). Is that normal, and should I configure it like this:
I get confused because below there is something different in the routing CLI, and it looks like vpnt1 and vpnt2 have different VIPs configured:
Could someone help me and specify which IP should be defined where:
router-id: a.a.a.a
fw01 vpnt1: b.b.b.b fw02 vpnt1: d.d.d.d VIP vpnt1: f.f.f.f
fw01 vpnt2: c.c.c.c fw02 vpnt2: e.e.e.e VIP vpnt2: g.g.g.g
Maybe someone knows whether there is something in the Check Point BGP configuration like update-source in Cisco:

```
interface Loopback 11
 ip address 100.64.200.1 255.255.255.255
exit
router bgp 65521
 bgp log-neighbor-changes
 neighbor 10.250.0.12 remote-as 65515
 neighbor 10.250.0.12 ebgp-multihop 255
 neighbor 10.250.0.12 update-source loopback 11
 neighbor 10.250.0.13 remote-as 65515
 neighbor 10.250.0.13 ebgp-multihop 255
 neighbor 10.250.0.13 update-source loopback 11
```
I'll be grateful for any clarification.
Wait, that does not make sense... how can they be using the same IP address? If the VTI is numbered, then you assign the IP yourself, and if it's UNNUMBERED, then you can "tie" it to any given interface, so say if it's tied to eth0, then it will have the exact same IP as that interface, which is totally fine.
I always found that when it comes to BGP, you should be using unnumbered VTIs.
Andy
Thanks, Andy. I will try that as it is in the deployment phase. However, all SK guides and Azure download configurations mention something about VTI IP addresses.
What is your practice? Do you configure Unnumbered VTI based on a loopback interface, or do you connect to an external interface and use it as the peer in Azure?
Any other thoughts? Has anyone followed this guide with clustering and HA successfully?
I never followed any guides for it. I just discovered it by doing extensive testing with my colleague, and we got it working with a VPN tunnel from a CP cluster to Azure (route based) and BGP (using unnumbered VTIs).
Andy
See if below helps; if not, we can do remote later if free (and allowed to).
Andy
How does it deal with asymmetric routing? Does it matter if we send traffic via vpnt1 and receive via vpnt2? Or should we not care about that as long as it is connected to the external interface?
fw monitor:
Outgoing traffic:

```
[vs_0][fw_2] eth2:I[44]: onprem.ip -> azure.ip (ICMP) len=60 id=53255 ICMP: type=8 code=0 echo request id=1 seq=5699
[vs_0][fw_2] vpnt1:o[44]: onprem.ip -> azure.ip (ICMP) len=60 id=53255 ICMP: type=8 code=0 echo request id=1 seq=5699
[vs_0][fw_2] vpnt1:O[44]: onprem.ip -> azure.ip (ICMP) len=60 id=53255 ICMP: type=8 code=0 echo request id=1 seq=5699
[vs_0][fw_2] vpnt1:Oe[44]: onprem.ip -> azure.ip (ICMP) len=60 id=53255 ICMP: type=8 code=0 echo request id=1 seq=5699
```

Incoming traffic:

```
[vs_0][fw_2] eth1:i[44]: azure.ip -> onprem.ip (ICMP) len=60 id=37463 ICMP: type=0 code=0 echo reply id=1 seq=5699
[vs_0][fw_2] vpnt2:I[44]: azure.ip -> onprem.ip (ICMP) len=60 id=37463 ICMP: type=0 code=0 echo reply id=1 seq=5699
[vs_0][fw_2] eth2:o[44]: azure.ip -> onprem.ip (ICMP) len=60 id=37463 ICMP: type=0 code=0 echo reply id=1 seq=5699
[vs_0][fw_2] eth2:O[44]: azure.ip -> onprem.ip (ICMP) len=60 id=37463 ICMP: type=0 code=0 echo reply id=1 seq=5699
```
I was trying to force the Azure infrastructure to use AS path to choose the preferred path, but still without success, and I am still fighting with that using sk103047 and
(IV-3) Configuration of BGP AS PATH Prepend
Any practice with that?
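As an added example (not code from the thread or from Check Point), a small Python parser for fw monitor lines like the ones in this post: it pairs each ICMP echo request with its reply by (id, seq) and flags the pairs whose request left through one vpnt interface while the reply came back through another. It relies on the fw monitor inspection-point letters (I = post-inbound, O = post-outbound); the capture text is the lines from this post plus two constructed lines for a symmetric pair.

```python
import re
from collections import defaultdict

# Capture text: the eight lines from the post above, plus two constructed lines
# (seq=5700) for a pair that went out and came back through the same tunnel.
SAMPLE_CAPTURE = """\
[vs_0][fw_2] eth2:I[44]: onprem.ip -> azure.ip (ICMP) len=60 id=53255 ICMP: type=8 code=0 echo request id=1 seq=5699
[vs_0][fw_2] vpnt1:o[44]: onprem.ip -> azure.ip (ICMP) len=60 id=53255 ICMP: type=8 code=0 echo request id=1 seq=5699
[vs_0][fw_2] vpnt1:O[44]: onprem.ip -> azure.ip (ICMP) len=60 id=53255 ICMP: type=8 code=0 echo request id=1 seq=5699
[vs_0][fw_2] vpnt1:Oe[44]: onprem.ip -> azure.ip (ICMP) len=60 id=53255 ICMP: type=8 code=0 echo request id=1 seq=5699
[vs_0][fw_2] eth1:i[44]: azure.ip -> onprem.ip (ICMP) len=60 id=37463 ICMP: type=0 code=0 echo reply id=1 seq=5699
[vs_0][fw_2] vpnt2:I[44]: azure.ip -> onprem.ip (ICMP) len=60 id=37463 ICMP: type=0 code=0 echo reply id=1 seq=5699
[vs_0][fw_2] eth2:o[44]: azure.ip -> onprem.ip (ICMP) len=60 id=37463 ICMP: type=0 code=0 echo reply id=1 seq=5699
[vs_0][fw_2] eth2:O[44]: azure.ip -> onprem.ip (ICMP) len=60 id=37463 ICMP: type=0 code=0 echo reply id=1 seq=5699
[vs_0][fw_2] vpnt1:O[44]: onprem.ip -> azure.ip (ICMP) len=60 id=53256 ICMP: type=8 code=0 echo request id=1 seq=5700
[vs_0][fw_2] vpnt1:I[44]: azure.ip -> onprem.ip (ICMP) len=60 id=37464 ICMP: type=0 code=0 echo reply id=1 seq=5700
"""

# One fw monitor line: [vs][fw] <iface>:<pos>[len]: src -> dst (proto) ... echo <kind> id=N seq=N
LINE_RE = re.compile(
    r"^\[vs_\d+\]\[fw_\d+\]\s+(?P<iface>\S+?):(?P<pos>[iIoO]e?)\[\d+\]:\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+\((?P<proto>\w+)\).*?"
    r"echo (?P<kind>request|reply) id=(?P<icmp_id>\d+) seq=(?P<seq>\d+)$"
)

def parse_capture(text):
    """Yield one dict per line that matches the ICMP echo fw monitor format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def find_asymmetric_flows(text):
    """Return {(icmp_id, seq): {'out': egress VTI, 'in': ingress VTI}} for every
    echo whose request left via one vpnt interface and whose reply entered via another."""
    paths = defaultdict(lambda: {"out": None, "in": None})
    for pkt in parse_capture(text):
        if not pkt["iface"].startswith("vpnt"):
            continue  # eth* hops are irrelevant to which tunnel was used
        key = (pkt["icmp_id"], pkt["seq"])
        if pkt["kind"] == "request" and pkt["pos"] == "O":
            paths[key]["out"] = pkt["iface"]  # post-outbound: the tunnel we chose
        elif pkt["kind"] == "reply" and pkt["pos"] == "I":
            paths[key]["in"] = pkt["iface"]   # post-inbound: the tunnel Azure chose
    return {k: v for k, v in paths.items()
            if v["out"] and v["in"] and v["out"] != v["in"]}

if __name__ == "__main__":
    for (icmp_id, seq), p in find_asymmetric_flows(SAMPLE_CAPTURE).items():
        print(f"echo id={icmp_id} seq={seq}: sent via {p['out']}, reply returned via {p['in']}")
```

Run it against a longer `fw monitor` capture of a ping series to see which proportion of replies return through the other tunnel, which is the observable effect of Azure's active-active gateways before any AS path or local-preference tuning.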
You need to make sure routes are correct; that is the KEY here. So say the Azure side is 10.20.30.0/24, just make a route that says if that's the destination, send through the appropriate VTI.
Don't worry about that unnumbered VTI config, make sure that anti-spoofing is DISABLED, that's important.
Let's do remote if you are not clear.
Andy
Still trying to get deep understanding in Azure VPN with BGP.
Can anyone confirm whether in the topology that Microsoft calls "Active-active VPN gateways" we can steer which VPN tunnel is utilized using AS PATH? Or is it by definition active/active, meaning we can't avoid utilizing both tunnels simultaneously and probably have to deal with asymmetric routing?
MS article about different topologies:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#activeactiveonprem
My findings:
Because the Azure gateway instances are in active-active configuration, the traffic from your Azure virtual network to your on-premises network will be routed through both tunnels simultaneously, even if your on-premises VPN device might favor one tunnel over the other.
However, according to the Microsoft FAQ about BGP:
Yes, Azure VPN gateway honors AS Path prepending to help make routing decisions when BGP is enabled. A shorter AS Path is preferred in BGP path selection.
In my experience, vpnt are different, and a route map with local preference and as-path-prepend, to force egress and ingress traffic accordingly, is your friend to avoid asymmetric routing.
No experience with the SK you provided.
Agree 100%