Pradip_Upreti
Participant

Route Based VPN with Azure in Cluster Environment

Hi, I have configured the VPN with Azure and followed sk101275, but was not successful, since my VPN is route based and I have an R80.10 gateway in a cluster, and I already have a VTI (unnumbered) and a route configured for it. So I want to know whether anything is missing on my side, or whether there is any issue with route-based VPN in a cluster environment.

Thanks & Regards,

Pradip

15 Replies
Vladimir
Champion

If I recall correctly, VTIs in clustered environment must be numbered.

0 Kudos
Pradip_Upreti
Participant

Hi Vladimir,

Thanks for the reply. Is there any way to do this without using numbered VTIs, since that Azure VPN is running multi-site, so I don't think I can go with numbered? Correct me if I am wrong: if I use numbered on my side, then the same should be configured on the Azure end as well.

Thanks & Regards,

Pradip

0 Kudos
Vladimir
Champion

I think you cannot use unnumbered VTIs in a clustered environment. Please see "Site to Site VPN R80.10 - Part of Check Point Infinity", "VTIs in a Clustered Environment" section.

There were a number of similar discussions pertaining to the implementation of VTIs with AWS that you can find on CPUG:

Secondary Cluster IP, but it looks more like a jury rig than a supported solution.

The takeaway from all the discussions on the subject of clustered tunnel implementations with cloud services using RB VPN: you are better off using a pair of Cisco routers (not ASAs) with multiple HSRP IPs.

Pradip_Upreti
Participant

Hi Vladimir,

Thanks for the response; this helps me a lot.

0 Kudos
Niels_van_Sluis
Contributor

Hi Pradip,

I'm about to set up a similar VPN configuration in the near future. When reading sk101275 I was wondering if it is really necessary to use VTIs, because it says the requirement for route-based VPN in IKEv2 is only relevant for the Microsoft Azure part of the configuration. I'm not sure what they are trying to say here. Further on I read that what Azure calls "route-based VPN" is actually what Check Point calls "gateway-to-gateway". The sk itself doesn't mention the use of VTIs at all, so I wonder if what Azure calls "route-based VPN" is something different from what Check Point calls "route-based VPN". I hope you succeed in getting this VPN to work and share with us how you did it 🙂

Kind regards,

--Niels

Vladimir
Champion

As far as I understand it, the VTIs are required if you'd like to use dynamic routing protocols on VPN.

0 Kudos
Pradip_Upreti
Participant

Hi Niels,

Good question. I am going to use Microsoft support, so I will ask them this question and update you.

0 Kudos
Pradip_Upreti
Participant

Hi Niels,

I think you were right: Azure route-based VPN doesn't mean Check Point's route-based VPN. Anyway, we successfully configured the VPN with Azure; we (Check Point TAC, Azure TAC and us) discussed it together and solved the issue. I hope this will help you in your future deployment.

Peter_Lyndley
Advisor

I do have a VPN to Azure working using 'route based' VPN (i.e. OS routes rather than an encryption domain), using unnumbered VTIs. If you are still stuck, please let me know where exactly it fails. Does the VPN come up, just with no traffic flowing? Or is the VPN failing to come up?

0 Kudos
Pradip_Upreti
Participant

Hi Peter,

Are you using an HA environment? My Check Point is in HA (R80.10), and while checking the VPN status it's showing 0 for encrypted and decrypted packets, and on the Azure side it's showing "connecting", which means there is something wrong. I re-verified all the parameters and configuration in Check Point and it seems fine. If possible, can you share the configuration parameters?

0 Kudos
Peter_Lyndley
Advisor

We are doing something very similar in HA, but with R77.30.

The mistake I made: I configured the VPN tunnel endpoint as an IP address; however, it needed to be the name of the object in SmartDashboard that related to the Azure endpoint.

0 Kudos
Pradip_Upreti
Participant

Hi Peter,

We successfully configured the VPN with Azure, but we didn't configure any VTI. I think Azure route-based VPN doesn't mean Check Point's route-based VPN. Anyway, we solved the issue, and on the Check Point side it's policy based now.

0 Kudos
Pradip_Upreti
Participant

Dear All,

Thank you everyone for the wonderful support. For now my problem is resolved, so I hope to support others with the same issue.

Wish you a very happy new year.

Thanks & Regards,

Pradip

Blason_R
Leader

Hi there,

Can you please share the solution or config as we are having a similar setup.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Robert_Canis
Participant

I started messing with this about a year and a half ago and quickly realized that building these VPNs by hand will cause issues. I wrote a script that creates a vnet in Azure, creates the VNG, sets BGP on, and a few other nifty things, and then spits out the exact commands that need to be run in clish on the firewall and also the information for the policy. I hope to script this later on when we get to R80.10, but for now it works. BGP works fine, and then I have some route-maps to distribute my routes into my OSPF network and done!

I can't suggest enough to have standard IP ranges, BGP AS numbers, and names.  If you do that, then you can script this and save yourself a lot of time every time you have to build a new network in Azure.

0 Kudos
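Three points from this thread fit together: Vladimir's note that VTIs in a cluster must be numbered, Peter's that the tunnel peer must be the SmartDashboard object name rather than an IP, and Robert's that standardised IP ranges, ASNs and names let you script the whole thing. The following is an added example, not code from any poster or from Check Point or Microsoft: a small generator that takes one standard site description, allocates a numbered VTI address to each cluster member plus the cluster VIP from a reserved block, validates the ASNs and prefixes, and emits per-member Gaia clish lines and the values Azure's Local Network Gateway needs for our side. All names, addresses and ASNs are constructed sample values, and the clish syntax (`add vpn tunnel ... type numbered`, `set as`, `set bgp external remote-as`) is recalled from Gaia and is an assumption to verify against the admin guide for your release. Creating the VNet and VNG on the Azure side is out of scope here.

```python
"""Added example: generate per-member Gaia clish for a numbered VTI + BGP to Azure.
Constructed sample values throughout; clish syntax is an assumption to verify."""
import ipaddress
from dataclasses import dataclass, field

# 2-byte private ASN range (RFC 6996); Azure's default VNG ASN 65515 falls inside it.
PRIVATE_ASN = range(64512, 65535)


@dataclass
class AzureSite:
    name: str            # site label, e.g. "azure-prod"
    tunnel_id: int       # Gaia VTI number (interface vpnt<id>), assumed 1..99
    peer_object: str     # SmartDashboard object name of the Azure gateway, NOT its IP
    vti_block: str       # block reserved for VTI addressing, e.g. "10.255.0.0/29"
    members: list        # cluster member hostnames; each gets its own VTI address
    local_asn: int       # our BGP ASN
    azure_asn: int       # Azure VNG ASN
    azure_bgp_peer: str  # Azure VNG BGP peering address inside the VNet
    azure_prefixes: list = field(default_factory=list)  # expected to arrive via BGP


def validate(site):
    """Return human-readable problems; an empty list means the spec is usable."""
    errors = []
    if not 1 <= site.tunnel_id <= 99:
        errors.append(f"tunnel_id {site.tunnel_id} outside assumed range 1..99")
    for label, asn in (("local", site.local_asn), ("azure", site.azure_asn)):
        if asn not in PRIVATE_ASN:
            errors.append(f"{label} ASN {asn} is not a 2-byte private ASN")
    if site.local_asn == site.azure_asn:
        errors.append("eBGP to Azure needs different local and remote ASNs")
    try:
        ipaddress.ip_address(site.azure_bgp_peer)
    except ValueError:
        errors.append(f"azure_bgp_peer {site.azure_bgp_peer!r} is not an IP address")
    for prefix in site.azure_prefixes:
        try:
            ipaddress.ip_network(prefix)  # strict: host bits set is an error
        except ValueError:
            errors.append(f"azure prefix {prefix!r} is not a valid network")
    if not site.members:
        errors.append("at least one cluster member is required")
    return errors


def plan_addresses(site):
    """Carve the VTI block: cluster VIP first, one address per member, then the remote end."""
    hosts = [str(h) for h in ipaddress.ip_network(site.vti_block).hosts()]
    need = len(site.members) + 2
    if len(hosts) < need:
        raise ValueError(f"{site.vti_block} has {len(hosts)} usable addresses, need {need}")
    plan = {"vip": hosts[0]}
    for member, addr in zip(site.members, hosts[1:]):
        plan[member] = addr
    plan["remote"] = hosts[len(site.members) + 1]
    return plan


def render_clish(site, member):
    """Clish lines for one cluster member (the VIP itself is set in the cluster topology)."""
    if member not in site.members:
        raise KeyError(f"{member} is not a member of {site.name}")
    plan = plan_addresses(site)
    return [
        f"add vpn tunnel {site.tunnel_id} type numbered local {plan[member]} "
        f"remote {plan['remote']} peer {site.peer_object}",
        f"set as {site.local_asn}",
        f"set bgp external remote-as {site.azure_asn} on",
        f"set bgp external remote-as {site.azure_asn} peer {site.azure_bgp_peer} on",
        "save config",
    ]


def azure_local_network_gateway(site, public_ip):
    """Values Azure's Local Network Gateway object needs for our end of the session."""
    plan = plan_addresses(site)
    return {
        "name": f"lng-{site.name}",
        "gateway_ip": public_ip,             # cluster VIP on the external interface
        "bgp_asn": site.local_asn,
        "bgp_peering_address": plan["vip"],  # VTI VIP: the address Azure peers with
    }


if __name__ == "__main__":
    site = AzureSite("azure-prod", 1, "Azure_Prod_VNG", "10.255.0.0/29",
                     ["fw-a", "fw-b"], 65010, 65515, "10.1.0.254", ["10.1.0.0/16"])
    for problem in validate(site):
        print("ERROR:", problem)
    for member in site.members:
        print(f"# {member}")
        print("\n".join(render_clish(site, member)))
    print(azure_local_network_gateway(site, "203.0.113.10"))
```

Because the VTI block and the Azure BGP peer are inputs rather than hand-typed per member, a second site differs only in the `AzureSite` line, which is the point Robert makes about standard ranges and names.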