Showing results for 
Search instead for 
Did you mean: 
Create a Post

Checkpoint to Azure Route based - guide

I had a bit of struggle to get this working initially, as Azure don't provide configs for Checkpoint and they operate a bit different to AWS route based VPN's. Sk101275 will give you about 20% of what you need, so I am writing this up in case it helps others.


Steps for Checkpoint cluster to Azure Route based vpn (based on R80.20)

In this config all traffic from Azure will be tunnelled to the Checkpoint.
The Checkpoint can be participating in other Policy Based / Domain based VPN's without impacting them


Azure Side

configure for "forced tunnelling mode"
Download the generic (IOS based) config


Checkpoint side

Open smartConsole

  • Create a new interoperable device, choose a unique name and give it the Public IP of Azure. (eg. AZUREIP,
  • On topology tab, set manually defined topology, create a new simple group, with NO OBJECTS in it (ie an empty group)


Open the centre gateway, Click network management, Select VPN Domain, now you have two options:

  • if you have no other VPN's and don't expect to ever need a policy based VPN, then add grp.empty as your encryption domain
  • If you have existing policy based VPN's then open the current encryption domain group, inside that group add a new network object: network address:, net mask:

Under VPN communities, create new star VPN, name it, add your local gateway as the Center gateway, and the new interoperable device as the satellite gateway (eg AZUREIP)

Encryption tab:
Method- Prefer Ikev2, support Ikev1
Encryption suite - Custom

  • Phase 1: AES-256, SHA256, Group2
  • Phase 2: AES-256, SHA256
    (everything else unticked)

Tunnel management: Select One VPN tunnel per gateway pair

VPN Routing: select "To center, through center, Internet and other VPN targets"

Shared Secret: Add peer name (eg AZUREIP) and the PSK provided in config file

Advanced Tab -

  • Phase 1: 480
  • Phase 2: 3600


Create VPN tunnel interfaces (VTI)

SSH to your gateways and enter clish

(Find the "int tunnel 11 ip address" it is a 169.254 address with a /30 mask in the Azure provided config)

The IP address listed (eg will be your VIP, we need to extend that mask to /29 which gives more usable addresses

eg: = VIP = FW A = FW B


(peer name must be exactly the same as interoperable device name in GUI, remote IP is the public IP of the interoperable device)

A: add vpn tunnel 11 type numbered local remote peer AZUREIP
A: set interface vpnt11 mtu 1350
A: save config

B: add vpn tunnel 11 type numbered local remote peer AZUREIP
B: set interface vpnt11 mtu 1350
B: save config


Add statics routes for your Azure CIDR via the new VPN interface

A: set static-route nexthop gateway logical vpnt11 on
A: save config

B: set static-route nexthop gateway logical vpnt11 on
B: save config


Get topology and assign VIP

Ensure that you have enabled the IPsec VPN blade on your gateway.
Open your gateway or cluster object, and choose "Network Management"
Choose "Get Interfaces without toplogy" - but sure not to select WITH!

Locate new vpn interface, add virtual IP (our local 169.254 address eg
Under topology, select "leads to, override, specific" create a new group, add your Azure CIDR, your 169.254.x.x/29 subnet and your Azure Interoperable device to this group)
Enable antispoofing as desired

In checkpoint global properties, select VPN, advanced, at the bottom tick "enable VPN directional match)

Firewall Rules

Create firewall rules as required
In VPN column right click and add "Directional match condition" for each rule add three match conditions as follows:
Internal clear => AZURE-VPN-COMMUNITY
AZURE-VPN-COMMUNITY=> Internal_clear

Install policy

1 Reply

Re: Checkpoint to Azure Route based - guide

Thanks for sharing this
0 Kudos