This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Danny_Lim
Participant
‎2020-07-20 08:57 PM

Primary and Backup S2S VPN with Azure

Hi All, 

I have a single VPN communities and wish to connect to Azure with primary and backup setup and route to other country via Azure. 

Each country will have 2 IPsec towards Azure. 

Checkpoint GW 1 --> Azure_Primary 

Checkpoint GW 1 --> Azure_Backup 

However, we configure route-based VPN (Gateway to Gateway) so that we have group with exclusion configure in MESH topology. However, since a single gateway and connect to Azure 2 peers, we can't have the same encryption domain as it will causes overlapping issue.

 

But the design are meant to have redundancy between each others, hence the Azure encryption domain are meant to be the same. 

When a IPsec flap, we will have some issue towards certain IP range. 

We found sk164355, is this a correct way to implement it ? 

Preview file
162 KB
0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2020-07-24 10:21 PM

If you're configuring route-based VPNs, the encryption domain should be empty (or specifically an object that is 0.0.0.0 netmask 0.0.0.0).

0 Kudos
PredragPetrovic
Contributor
‎2020-07-25 01:19 AM

Hi,

Would you mind providing a bit more information on the gateway layout in Azure, what is Azure Primary and Azure Backup? What is the network layout in the Azure environment? What products are you using in Azure, is it Check Point CloudGuard IaaS or you're using the Microsoft VPN Gateway?

Some information to share in this scenario:

- You need to set the tunnel interface MTU's to 1400. [1]
- You will need to adjust the MSS value on all tunnel interfaces connecting to Azure to 1350. [2]
- Check the parameters on your Check Point firewalls for IPSEC and where MSS is being clamped. [6]

[1] https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tcpip-performance-tuning

[2] https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices

[3] https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

[4] https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

[5] https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

[6] https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Thanks,

P.

0 Kudos
Labels