IPsecVPN to Azure gateway (Perm tunnel + RIM)
Hi mates,
I'm hoping you can lend your expertise to this issue. The high-level goal is to set up permanent VPN tunnels from an R80.10 CP gateway on-prem to an Azure VPN gateway so that we can use RIM to inject routes to the Azure resources back into the internal on-prem network. (Don't want to use VTIs and BGP.)
The tunnel works well if permanent tunnels aren't set. The tunnel comes up and Azure resources are accessible.
When enabling permanent tunnels on the VPN community (mesh) the tunnel comes up, IKE and IPsec SAs establish and resources in Azure are accessible, but crucially SmartView Monitor sees the tunnel as down and this is reported in the logs as well. Thus RIM isn't going to inject routes.
[Screenshot: log details and SmartView Monitor showing the tunnel as down]
[Screenshot: SAs are up]
[Screenshot: Azure resources accessible]
Extra info
tunnel_keepalive_method set to dpd on both the on-prem CP gateway and the interoperable object (GuiDBedit setting)
keep_IKE_SAs is enabled (Advanced VPN in Global Properties)
My question(s)
Is it achievable to have perm tunnels and RIM with an Azure VPN gateway?
If so, what settings should be used in order to achieve it?
Many thanks in advance
Iain
CISSP
Hi Iain,
Long time no speak 🙂
Tunnel monitoring as we use it for permanent tunnels is based on a proprietary mechanism. Off the top of my head, we send TCP 257 packets to a listener process on the other side. Obviously Azure does not feature that.
You can either deploy a CP gateway on the Azure side or investigate DPD, which we introduced in R77.10:
VPN Site-to-Site with 3rd party
DPD won't help for RIM I think though.
BR
Peter !!
Indeed it has been, hope you're well.
Yes, I've tried DPD in both responder and DPD permanent tunnel modes, but I think the underlying issue is that the Azure GW doesn't seem to support any type of DPD.
Appreciate the input.
cheers
Iain
CISSP
The official instructions for setting up a site-to-site VPN are here: How to setup Site-to-Site VPN between Microsoft Azure and an on premise Check Point Security Gateway
DPD is only supported when using a route-based VPN, per this SK.
If you don't mind me asking, why not use a VTI here?
