
Route Based VPN with Azure in Cluster Environment

Hi, I have configured the VPN with Azure and followed sk101275, but it was not successful since my VPN is route based and I have an R80.10 gateway in a cluster. I already have a VTI (unnumbered) and a route configured for it, so I want to know whether anything is missing on my side or whether there is any issue with route based VPN in a cluster environment.

Thanks & Regards,

Pradip

14 Replies
Vladimir
Pearl

Re: Route Based VPN with Azure in Cluster Environment

If I recall correctly, VTIs in a clustered environment must be numbered.

Re: Route Based VPN with Azure in Cluster Environment

Hi Vladimir,

Thanks for the reply. Is there any way to do this without using numbered VTIs? That Azure VPN is running with multiple sites, so I don't think I can go with numbered. Correct me if I am wrong: if I use numbered on my site, then the same should be configured on the Azure end also.

Thanks & Regards,

Pradip

Vladimir
Pearl

Re: Route Based VPN with Azure in Cluster Environment

I think you cannot use unnumbered VTIs in a clustered environment. Please see "Site to Site VPN R80.10 - Part of Check Point Infinity", "VTIs in a Clustered Environment" section.

There were a number of similar discussions pertaining to the implementation of VTIs with AWS that you can find on CPUG: Secondary Cluster IP, but it looks more like a jury rig than the supported solution.

The takeaway from all the discussions on the subject of clustered tunnel implementations with cloud services using RB VPN: you are better off using a pair of Cisco routers (not ASAs) with multiple HSRP IPs.

Re: Route Based VPN with Azure in Cluster Environment

Hi Vladimir,

Thanks for the response this helps me a lot.

Re: Route Based VPN with Azure in Cluster Environment

Hi Pradip,

I'm about to set up a similar VPN configuration in the near future. When reading sk101275 I was wondering if it is really necessary to use VTIs, because it says the requirement for route based VPN in IKEv2 is only relevant for the Microsoft Azure part of the configuration. I'm not sure what they are trying to say here. Further on I read that what Azure calls "route-based VPN" is actually what Check Point calls "gateway-to-gateway". The sk itself doesn't mention the use of VTIs at all, so I wonder if what Azure calls "route-based VPN" is something different from what Check Point calls "route-based VPN". I hope you succeed in getting this VPN to work and share with us how you did it 🙂

Kind regards,

--Niels

Vladimir
Pearl

Re: Route Based VPN with Azure in Cluster Environment

As far as I understand it, the VTIs are required if you'd like to use dynamic routing protocols on VPN.

Re: Route Based VPN with Azure in Cluster Environment

Hi Niels,

Good question. I am going to use Microsoft support, so I will ask them this question and update you.

Re: Route Based VPN with Azure in Cluster Environment

Hi Niels,

I think you were right: Azure route based VPN doesn't mean Check Point's route based VPN. Anyway, we successfully configured the VPN with Azure; we (Check Point TAC, Azure TAC and us) discussed it together and solved the issue. I hope this will help you in your future deployments.

Re: Route Based VPN with Azure in Cluster Environment

I do have a VPN to Azure working using 'route based' VPN (i.e. OS routes, rather than an encryption domain), using unnumbered VTIs. If you are still stuck, please let me know where exactly it fails. Does the VPN come up, just with no traffic flowing? Or is the VPN failing to come up?

Re: Route Based VPN with Azure in Cluster Environment

Hi Peter,

Are you using an HA environment? My Check Point is in HA (R80.10), and while checking the VPN status it shows 0 for encrypted and decrypted packets; on the Azure side it shows "connecting", which means there is something wrong. I re-verified all the parameters and configuration in Check Point and they seem fine. If possible, can you share the configuration parameters?

Re: Route Based VPN with Azure in Cluster Environment

We are doing something very similar in HA but with R77.30.

The mistake I made: I configured the VPN tunnel endpoint as an IP address; however, it needed to be the name of the object in SmartDashboard that related to the Azure endpoint.

Re: Route Based VPN with Azure in Cluster Environment

Hi Peter,

We successfully configured the VPN with Azure, but we didn't configure any VTI. I think Azure route based VPN doesn't mean Check Point's route based VPN. Anyway, we solved the issue, and on the Check Point side it's policy based now.

Re: Route Based VPN with Azure in Cluster Environment

Dear All,

Thank you everyone for the wonderful support. For now my problem is resolved, so I hope to support others with the same issue.

Wish you a very happy new year.

Thanks & Regards,

Pradip

Re: Route Based VPN with Azure in Cluster Environment

I started messing with this about a year and a half ago and quickly realized that building these VPNs by hand will cause issues. I wrote a script that creates a vnet in Azure, creates the VNG, turns BGP on, and a few other nifty things, and then spits out the exact commands that need to be run in clish on the firewall and also the information for the policy. I hope to script this later on when we get to R80.10, but for now it works. BGP works fine, and then I have some route-maps to distribute my routes into my OSPF network and done!

I can't suggest enough having standard IP ranges, BGP AS numbers, and names. If you do that, then you can script this and save yourself a lot of time every time you have to build a new network in Azure.

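The last reply above recommends standardizing IP ranges, AS numbers and names so the firewall side can be generated by a script, and earlier replies name two mistakes people hit in a cluster (unnumbered VTIs, and referring to the Azure peer by IP instead of by its SmartDashboard object name). The following Python is an added example written for this thread, not the poster's script and not anything from Check Point or Microsoft. It derives a per-site /30 for the VTI from a site index (the 169.254.<index>.0/30 convention is one I constructed here), checks the two pitfalls from the thread, and prints the Gaia clish lines for the VTI, the route to Azure's BGP peer and the BGP session. The clish syntax and the Azure default ASN of 65515 are my assumptions, not taken from the thread; the Azure side (vnet, VNG) and the OSPF route-maps the poster mentions are not covered.

```python
"""Generate Gaia clish commands for a VTI + BGP session to an Azure VPN gateway.

Added example for this thread; assumptions: clish syntax as written below,
Azure default ASN 65515, and the 169.254.<site>.0/30 link convention.
"""
import ipaddress
from dataclasses import dataclass

AZURE_DEFAULT_ASN = 65515  # ASN an Azure VPN gateway uses unless you change it


@dataclass(frozen=True)
class Site:
    index: int            # 1..99; doubles as the Gaia tunnel id (vpnt<index>)
    peer_object: str      # SmartDashboard object name of the Azure gateway
    azure_bgp_peer: str   # BGP peering address Azure reports for its gateway
    local_asn: int        # our own AS number
    remote_asn: int = AZURE_DEFAULT_ASN
    clustered: bool = True
    vti: str = "numbered"  # "numbered" or "unnumbered"


def link_net(index: int) -> ipaddress.IPv4Network:
    """Deterministic /30 per site: 169.254.<index>.0/30 (constructed convention)."""
    if not 1 <= index <= 99:
        raise ValueError("index must be 1..99 (tunnel id range)")
    return ipaddress.ip_network(f"169.254.{index}.0/30")


def validate(site: Site) -> list:
    """Return the configuration mistakes reported in the thread, as messages."""
    issues = []
    if site.clustered and site.vti != "numbered":
        issues.append("cluster members need numbered VTIs; unnumbered is not supported in a cluster")
    try:
        ipaddress.ip_address(site.peer_object)  # parses -> someone passed an IP, not an object name
        issues.append("peer must be the SmartDashboard object name, not the Azure gateway IP")
    except ValueError:
        pass
    if site.vti not in ("numbered", "unnumbered"):
        issues.append(f"unknown VTI type {site.vti!r}")
    return issues


def clish_commands(site: Site) -> list:
    """Gaia clish lines for the VTI, the route to Azure's BGP peer and the BGP session."""
    problems = validate(site)
    if problems:
        raise ValueError("; ".join(problems))
    i = site.index
    local, remote = (str(h) for h in link_net(i).hosts())  # .1 = us, .2 = Azure end
    if site.vti == "numbered":
        vti = f"add vpn tunnel {i} type numbered local {local} remote {remote} peer {site.peer_object} dev vpnt{i}"
    else:
        vti = f"add vpn tunnel {i} type unnumbered peer {site.peer_object} dev vpnt{i}"
    ra, peer = site.remote_asn, site.azure_bgp_peer
    return [
        vti,
        # Azure's BGP speaker lives in its GatewaySubnet, not on our /30, so it
        # must be routed through the tunnel interface ...
        f"set static-route {peer}/32 nexthop gateway logical vpnt{i} on",
        f"set as {site.local_asn}",
        f"set bgp external remote-as {ra} on",
        f"set bgp external remote-as {ra} peer {peer} on",
        # ... and the eBGP session must be allowed to span more than one hop.
        f"set bgp external remote-as {ra} peer {peer} multihop on",
        "save config",
    ]


if __name__ == "__main__":
    # Constructed sample site; names and addresses are placeholders.
    demo = Site(index=3, peer_object="AzureGW-East", azure_bgp_peer="10.1.0.254", local_asn=65001)
    print("\n".join(clish_commands(demo)))
```

Run it with a site index, the object name you gave the Azure gateway in SmartDashboard and the BGP peer address Azure shows for its gateway; the same inputs on the Azure side (the /30, the ASN pair, the names) are what make the two ends line up without hand-editing.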