Hi, I have configured the VPN with Azure and followed sk101275, but it was not successful. My VPN is route based, I have an R80.10 gateway in a cluster, and I already have an unnumbered VTI and the route configured for it, so I want to know whether anything is missing on my side or whether there is an issue with route-based VPN in a cluster environment.
Thanks & Regards,
Thanks for the reply. Is there any way to do this without using a numbered VTI? That Azure VPN is running multi-site, so I don't think I can go with numbered. Correct me if I am wrong: if I use numbered on my side, the same should be configured on the Azure end as well.
Thanks & Regards,
I think you cannot use unnumbered VTIs in a clustered environment. Please see "Site to Site VPN R80.10 - Part of Check Point Infinity", "VTIs in a Clustered Environment" section.
There were a number of similar discussions pertaining to the implementation of VTIs with AWS that you can find on CPUG:
Secondary Cluster IP, but it looks more like a jury rig than a supported solution.
The takeaway from all the discussions on the subject of clustered tunnel implementations with cloud services using RB VPN: you are better off using a pair of Cisco routers (not ASAs) with multiple HSRP IPs.
I'm about to set up a similar VPN configuration in the near future. When reading sk101275 I was wondering if it is really necessary to use VTIs, because it says the requirement for route-based VPN in IKEv2 is only relevant for the Microsoft Azure part of the configuration. I'm not sure what they are trying to say here. Further on I read that what Azure calls "route-based VPN" is actually what Check Point calls "gateway-to-gateway". The sk itself doesn't mention the use of VTIs at all, so I wonder if what Azure calls "route-based VPN" is something different from what Check Point calls "route-based VPN". I hope you succeed in getting this VPN to work and share with us how you did it 🙂
I think you were right: Azure route-based VPN doesn't mean Check Point's route-based VPN. Anyway, we successfully configured the VPN with Azure; we (Check Point TAC, Azure TAC and us) discussed it together and solved the issue. I hope this will help you in your future deployment.
I do have a VPN to Azure working using 'route based' VPN (i.e. OS routes rather than an encryption domain), using unnumbered VTIs. If you are still stuck, please let me know where exactly it fails. Does the VPN come up, just with no traffic flowing? Or is the VPN failing to come up?
Are you using an HA environment? My Check Point is in HA (R80.10), and while checking the VPN status it shows 0 encrypted and decrypted packets, and on the Azure side it shows "connecting", which means there is something wrong. I re-verified all the parameters and configuration on the Check Point and it seems fine. If possible, can you share the configuration parameters?
We are doing something very similar in HA, but with R77.30.
The mistake I made: I configured the VPN tunnel endpoint as an IP address; however, it needed to be the name of the object in SmartDashboard that related to the Azure endpoint.
We successfully configured the VPN with Azure, but we didn't configure any VTI. I think Azure route-based VPN doesn't mean Check Point's route-based VPN. Anyway, we solved the issue, and on the Check Point side it's policy based now.
Thank you everyone for the wonderful support. For now my problem is resolved, so I hope this helps others with the same issue.
Wish you a very happy new year.
Thanks & Regards,
I started messing with this about a year and a half ago and quickly realized that building these VPNs by hand will cause issues. I wrote a script that creates a VNet in Azure, creates the VNG, turns BGP on, does a few other nifty things, and then spits out the exact commands that need to be run in clish on the firewall, plus the information for the policy. I hope to script the rest later on when we get to R80.10, but for now it works. BGP works fine, and then I have some route-maps to redistribute my routes into my OSPF network, and done!
I can't recommend strongly enough having standard IP ranges, BGP AS numbers, and names. If you do that, then you can script this and save yourself a lot of time every time you have to build a new network in Azure.
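As an added example (not the script the poster above describes, and not Check Point's own tooling), here is a small Python generator in the spirit of the last two posts: it takes a standardised site description (tunnel ID, VTI /30, ASNs, peer object name) and renders the Gaia clish commands for a numbered VTI and an eBGP session to an Azure VNG. It also checks the mistake reported earlier in the thread, passing the peer as an IP address instead of the SmartDashboard object name. The site values, object names and the `azure_bgp_peer` host route are constructed assumptions; the clish syntax follows the Gaia `add vpn tunnel`, `set bgp external remote-as` and `set static-route` commands as I know them, so verify it against the CLI reference for your own Gaia release before pasting it into a gateway.

```python
"""
Render Gaia clish commands for a numbered VTI + BGP peering to an Azure VNG
from a standardised site record. Added example for this thread; the clish
syntax is from memory of the Gaia CLI reference and must be checked against
your release. All addresses, ASNs and names below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List


@dataclass
class AzureSite:
    name: str            # short site label used only in the comment line
    tunnel_id: int       # becomes interface vpnt<N>; Gaia allows 1..99
    local_vti: str       # gateway end of the tunnel subnet
    remote_vti: str      # Azure end of the tunnel subnet
    peer_object: str     # NAME of the Azure peer object in SmartDashboard
    local_asn: int
    azure_asn: int       # Azure VNG default is 65515
    azure_bgp_peer: str  # VNG BGP peering address inside GatewaySubnet
    vti_prefix: int = 30


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate(site: AzureSite) -> None:
    """Reject records that would produce a tunnel clish will accept but that will not come up."""
    if not 1 <= site.tunnel_id <= 99:
        raise ValueError("tunnel_id must be 1..99 (vpnt1..vpnt99)")
    # The peer argument is the gateway object's NAME, not its IP address:
    # an IP here is the mistake described earlier in this thread.
    if _is_ip(site.peer_object):
        raise ValueError("peer_object must be the SmartDashboard object name, not an IP")
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", site.peer_object):
        raise ValueError("peer_object contains characters clish will not accept")
    local = ipaddress.ip_address(site.local_vti)
    remote = ipaddress.ip_address(site.remote_vti)
    net = ipaddress.ip_network(f"{site.local_vti}/{site.vti_prefix}", strict=False)
    if remote not in net or local == remote:
        raise ValueError("local_vti and remote_vti must be distinct hosts in the same VTI subnet")
    for asn in (site.local_asn, site.azure_asn):
        if not 1 <= asn <= 4294967295:
            raise ValueError(f"invalid ASN {asn}")
    if site.local_asn == site.azure_asn:
        raise ValueError("local and Azure ASNs must differ for eBGP")
    ipaddress.ip_address(site.azure_bgp_peer)  # raises ValueError on garbage


def render_clish(site: AzureSite) -> List[str]:
    """Return the clish lines for one site, in the order they should be pasted."""
    validate(site)
    peer = f"set bgp external remote-as {site.azure_asn} peer {site.azure_bgp_peer}"
    return [
        f"# --- {site.name}: numbered VTI vpnt{site.tunnel_id} to {site.peer_object} ---",
        f"add vpn tunnel {site.tunnel_id} type numbered "
        f"local {site.local_vti} remote {site.remote_vti} peer {site.peer_object}",
        # Azure's BGP speaker lives in GatewaySubnet, not on the VTI subnet, so it
        # needs a host route through the tunnel and a multihop eBGP session (assumption).
        f"set static-route {site.azure_bgp_peer}/32 nexthop gateway address {site.remote_vti} on",
        f"set as {site.local_asn}",
        f"set bgp external remote-as {site.azure_asn} on",
        f"{peer} on",
        f"{peer} multihop on",
        "save config",
    ]


if __name__ == "__main__":
    demo = AzureSite(
        name="azure-weu-prod", tunnel_id=10,
        local_vti="10.255.0.1", remote_vti="10.255.0.2",
        peer_object="Azure-WEU-VNG",
        local_asn=65010, azure_asn=65515, azure_bgp_peer="10.1.255.254",
    )
    print("\n".join(render_clish(demo)))
```

Because every site follows the same shape, the same record can drive whatever creates the Azure side (VNet, VNG, local network gateway), so the VTI subnet, ASNs and peering address are guaranteed to agree at both ends rather than being typed twice.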