Hi mates,
I'm hoping you can lend your expertise to this issue. The high-level goal is to set up permanent VPN tunnels from an R80.10 CP gateway on-prem to an Azure VPN gateway so that we can use RIM to inject routes to the Azure resources back into the internal on-prem network. (Don't want to use VTIs and BGP.)
The tunnel works well if permanent tunnels aren't set. The tunnel comes up and Azure resources are accessible.
When enabling permanent tunnels on the VPN community (mesh), the tunnel comes up, IKE and IPsec SAs establish and resources in Azure are accessible, but crucially SmartView Monitor sees the tunnel as down and this is reported in the logs as well. Thus RIM isn't going to inject routes.
[Screenshot: log details and SmartView Monitor showing the tunnel as down]
[Screenshot: SAs are up]
[Screenshot: Azure resources accessible]
Extra info
- tunnel_keepalive_method set to dpd on both the on-prem CP gateway and the interoperable object (guidbedit setting)
- keep_IKE_SAs is enabled (advanced VPN in Global Properties)
My question(s)
- Is it achievable to have permanent tunnels and RIM with an Azure VPN gateway?
- If so, what settings should be used in order to achieve it?
Many thanks in advance
Iain
Hi Iain,
Long time no speak 🙂
Tunnel monitoring as we use it for permanent tunnels is based on a proprietary mechanism. From the top of my head, we send TCP 257 packets to a listener process on the other side. Obviously Azure does not feature that.
You can either deploy a CP gateway on the Azure side or investigate DPD, which we introduced in R77.10:
VPN Site-to-Site with 3rd party
DPD won't help for RIM I think though.
BR
Peter !!
Indeed it has been, hope you're well.
Yes, I've tried DPD in both responder and DPD permanent tunnel modes, but I think the underlying issue is that the Azure GW doesn't seem to support any type of DPD.
Appreciate the input.
cheers
Iain
The official instructions for setting up a site-to-site VPN is here: How to setup Site-to-Site VPN between Microsoft Azure and an on premise Check Point Security Gateway
DPD is only supported when using a route-based VPN per this SK.
If you don't mind me asking, why not use a VTI here?