Danny_Lim
Participant

Primary and Backup S2S VPN with Azure

Hi All, 

I have a single VPN community and wish to connect to Azure with a primary and backup setup and route to other countries via Azure.

Each country will have 2 IPsec towards Azure. 

Checkpoint GW 1 --> Azure_Primary 

Checkpoint GW 1 --> Azure_Backup 

However, we configured route-based VPN (gateway to gateway), so we have a group with exclusion configured in a mesh topology. However, since a single gateway connects to 2 Azure peers, we can't have the same encryption domain, as it will cause an overlapping issue.

But the design is meant to have redundancy between them, hence the Azure encryption domains are meant to be the same.

When an IPsec tunnel flaps, we have some issues towards certain IP ranges.

We found sk164355; is this a correct way to implement it?

2 Replies
PhoneBoy
Admin

If you're configuring route-based VPNs, the encryption domain should be empty (or specifically an object that is 0.0.0.0 netmask 0.0.0.0).

PredragPetrovic
Contributor

Hi,

Would you mind providing a bit more information on the gateway layout in Azure? What are Azure Primary and Azure Backup? What is the network layout in the Azure environment? What products are you using in Azure: Check Point CloudGuard IaaS, or are you using the Microsoft VPN Gateway?

Some information to share in this scenario:

- You need to set the tunnel interface MTUs to 1400. [1]
- You will need to adjust the MSS value on all tunnel interfaces connecting to Azure to 1350. [2]
- Check the parameters on your Check Point firewalls for IPsec and where MSS is being clamped. [6]

[1] https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tcpip-performance-tuning

[2] https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices

[3] https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

[4] https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

[5] https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

[6] https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Thanks,

P.

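A small configuration check written for this thread (an added example, not code from Check Point or from either poster): it flags domain-based peers whose encryption domains overlap, which is the Azure_Primary/Azure_Backup situation in the question, skips route-based peers whose domain is empty or 0.0.0.0/0 as PhoneBoy describes, and compares tunnel MTU/MSS against the Azure values listed in the reply above. The VpnPeer class, peer names and subnets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Azure tunnel parameters quoted in the reply above.
AZURE_TUNNEL_MTU = 1400
AZURE_TUNNEL_MSS = 1350
ANY_DOMAIN = ("0.0.0.0/0",)  # an empty domain or 0.0.0.0/0 marks a route-based peer


@dataclass
class VpnPeer:  # hypothetical model of one VPN peer on the gateway
    name: str
    enc_domain: tuple  # CIDR strings; () or ("0.0.0.0/0",) means route-based
    tunnel_mtu: int
    tunnel_mss: int

    def is_route_based(self) -> bool:
        return self.enc_domain in ((), ANY_DOMAIN)


def overlapping_domains(peers):
    """Pairs of domain-based peers whose encryption domains overlap.
    Two peers carrying the same subnet (primary/backup) leave the gateway
    unable to pick one tunnel by domain; route-based peers are skipped,
    because there the route, not the domain, selects the tunnel."""
    hits = []
    for i, a in enumerate(peers):
        for b in peers[i + 1:]:
            if a.is_route_based() or b.is_route_based():
                continue
            for na in a.enc_domain:
                for nb in b.enc_domain:
                    if ipaddress.ip_network(na).overlaps(ipaddress.ip_network(nb)):
                        hits.append((a.name, b.name, na, nb))
    return hits


def tunnel_issues(peer):
    """Deviations from the MTU/MSS values Azure documents for its VPN gateways."""
    issues = []
    if peer.tunnel_mtu != AZURE_TUNNEL_MTU:
        issues.append(f"{peer.name}: tunnel MTU {peer.tunnel_mtu}, expected {AZURE_TUNNEL_MTU}")
    if peer.tunnel_mss > AZURE_TUNNEL_MSS:
        issues.append(f"{peer.name}: MSS {peer.tunnel_mss} above Azure limit {AZURE_TUNNEL_MSS}")
    return issues


# Constructed sample: both Azure peers as domain-based with the same subnet,
# and the backup tunnel still at default MTU/MSS.
DOMAIN_BASED = [VpnPeer("Azure_Primary", ("10.10.0.0/16",), 1400, 1350),
                VpnPeer("Azure_Backup", ("10.10.0.0/16",), 1500, 1460)]
# The same peers with an empty encryption domain, as for a route-based VPN.
ROUTE_BASED = [VpnPeer("Azure_Primary", (), 1400, 1350),
               VpnPeer("Azure_Backup", (), 1400, 1350)]
```

Running `overlapping_domains(DOMAIN_BASED)` reports the shared 10.10.0.0/16, while the route-based pair reports nothing and only `tunnel_issues(DOMAIN_BASED[1])` lists the MTU and MSS deviations.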