Hi, I have configured the VPN with Azure and followed sk101275, but was not successful, since my VPN is route based and I have an R80.10 gateway in a cluster. I already have a VTI (unnumbered) and a route configured for it, so I want to know whether anything is missing on my side or whether there is any issue with route-based VPN in a cluster environment.
Thanks & Regards,
Pradip
If I recall correctly, VTIs in clustered environment must be numbered.
Hi Vladimir,
Thanks for the reply. Is there any way to do this without using numbered VTIs, since that Azure VPN is running with multiple sites, so I don't think I can go with numbered? Correct me if I am wrong: if I use numbered on my side, then the same should be configured on the Azure end also.
Thanks & Regards,
Pradip
I think you cannot use unnumbered VTIs in a clustered environment. Please see "Site to Site VPN R80.10 - Part of Check Point Infinity", "VTIs in a Clustered Environment" section.
There were a number of similar discussions pertaining to the implementation of VTIs with AWS that you can find on CPUG:
Secondary Cluster IP, but it looks more like a jury rig than a supported solution.
The takeaway from all the discussions on the subject of clustered tunnel implementations with cloud services using RB VPN: you are better off using a pair of Cisco routers (not ASAs) with multiple HSRP IPs.
Hi Vladimir,
Thanks for the response, this helps me a lot.
Hi Pradip,
I'm about to set up a similar VPN configuration in the near future. When reading sk101275 I was wondering whether it is really necessary to use VTIs, because it says the requirement for route-based VPN in IKE2 is only relevant for the Microsoft Azure part of the configuration. I'm not sure what they are trying to say here. Further on I read that what Azure calls "route-based VPN" is actually what Check Point calls "gateway-to-gateway". The sk itself doesn't mention the use of VTIs at all, so I wonder whether what Azure calls "route-based VPN" is something different from what Check Point calls "route-based VPN". I hope you succeed in getting this VPN to work and share with us how you did it 🙂
Kind regards,
--Niels
As far as I understand it, the VTIs are required if you'd like to use dynamic routing protocols on VPN.
Hi Niels,
Good question. I am going to use Microsoft support, so I will ask them this question and update you.
Hi Niels,
I think you were right: Azure route-based VPN doesn't mean Check Point's route-based VPN. Anyway, we successfully configured the VPN with Azure; we (Check Point TAC, Azure TAC and us) discussed it together and solved the issue. I hope this will help you in your future deployment.
I do have a VPN to Azure working using 'route based' VPN (i.e. OS routes rather than an encryption domain), using unnumbered VTIs. If you are still stuck, please let me know where exactly it fails. Does the VPN come up, just with no traffic flowing? Or is the VPN failing to come up?
Hi Peter,
Are you using an HA environment? My Check Point is in HA (R80.10), and when checking the VPN status it shows 0 for encrypted and decrypted packets, while on the Azure side it shows "connecting", which means something is wrong. I have re-verified all the parameters and configuration on the Check Point side and they seem fine. If possible, can you share the configuration parameters?
Hi Peter,
We successfully configured the VPN with Azure, but we didn't configure any VTI. I think Azure route-based VPN doesn't mean Check Point's route-based VPN; anyway, we solved the issue and on the Check Point side it's policy based now.
Dear All,
Thank you everyone for the wonderful support. For now my problem is resolved, so I hope to support others with the same issue.
Wish you a very happy new year.
Thanks & Regards,
Pradip
Hi there,
Can you please share the solution or config, as we have a similar setup.
I started messing with this about a year and a half ago and quickly realized that building these VPNs by hand will cause issues. I wrote a script that creates a vnet in Azure, creates the VNG, turns BGP on, and a few other nifty things, and then spits out the exact commands that need to be run in clish on the firewall, plus the information for the policy. I hope to script this further when we get to R80.10, but for now it works. BGP works fine, and then I have some route-maps to distribute my routes into my OSPF network and done!
I can't recommend strongly enough that you have standard IP ranges, BGP AS numbers, and names. If you do that, then you can script this and save yourself a lot of time every time you have to build a new network in Azure.
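The two points that recur in this thread are (a) VTIs in a clustered environment must be numbered, and (b) once site parameters are standardised, the Gaia clish side of the tunnel can be generated rather than typed by hand. The following is an added example (not the poster's script and not Check Point's code) that does both: it validates a site definition, refusing the unnumbered-VTI-in-cluster combination the earlier replies flag, and then emits the clish lines for the VTI plus either BGP peering or static routes over the logical `vt-<peer>` interface. All names, addresses and AS numbers are constructed placeholders, and the clish syntax is written from memory of the Gaia CLI; verify each command against the Gaia reference for your installed version before running it.

```python
"""Generate Gaia clish commands for a route-based (VTI) tunnel to Azure.

Constructed example: site names, IPs and AS numbers are placeholders, not a
real deployment. Clish syntax is assumed from the Gaia CLI and must be checked
against the documentation for the installed version.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import List


@dataclass
class AzureVpnSite:
    """Standardised parameters for one Azure VPN site (constructed)."""
    name: str                   # name of the VPN peer / interoperable device object
    azure_asn: int              # BGP AS number of the Azure VNG
    local_asn: int              # our BGP AS number
    vti_id: int                 # Gaia 'vpn tunnel' index (assumed range 1-99)
    numbered: bool              # numbered VTI; required when cluster=True
    remote_vti_ip: str          # Azure-side tunnel address / BGP peer address
    local_vti_ip: str = ""      # this member's tunnel address (numbered only)
    physical_dev: str = "eth0"  # interface an unnumbered VTI borrows its address from
    cluster: bool = False       # ClusterXL member?
    azure_prefixes: List[str] = field(default_factory=list)  # used when BGP is off


class VtiConfigError(ValueError):
    """Raised for parameter combinations this thread identifies as unsupported."""


def validate(site: AzureVpnSite) -> None:
    """Check the site before any command is produced."""
    if site.cluster and not site.numbered:
        raise VtiConfigError(
            f"{site.name}: VTIs in a clustered environment must be numbered")
    if not 1 <= site.vti_id <= 99:
        raise VtiConfigError(f"{site.name}: vpn tunnel index must be 1-99")
    IPv4Address(site.remote_vti_ip)          # raises ValueError if malformed
    if site.numbered:
        IPv4Address(site.local_vti_ip)
    for prefix in site.azure_prefixes:
        IPv4Network(prefix)


def is_supported(site: AzureVpnSite) -> bool:
    """Boolean wrapper around validate(), handy for bulk checks of many sites."""
    try:
        validate(site)
        return True
    except ValueError:          # VtiConfigError is a ValueError as well
        return False


def clish_commands(site: AzureVpnSite, use_bgp: bool = True) -> List[str]:
    """Return the clish lines for one site; raises VtiConfigError if unsupported."""
    validate(site)
    lines = []
    if site.numbered:
        lines.append(f"add vpn tunnel {site.vti_id} type numbered "
                     f"local {site.local_vti_ip} remote {site.remote_vti_ip} "
                     f"peer {site.name}")
    else:
        lines.append(f"add vpn tunnel {site.vti_id} type unnumbered "
                     f"peer {site.name} dev {site.physical_dev}")
    if use_bgp:
        # eBGP peering with the Azure VNG across the tunnel address
        lines += [
            f"set as {site.local_asn}",
            f"set bgp external remote-as {site.azure_asn} on",
            f"set bgp external remote-as {site.azure_asn} "
            f"peer {site.remote_vti_ip} on",
        ]
    else:
        # No BGP: point the Azure prefixes at the logical VTI interface
        for prefix in site.azure_prefixes:
            lines.append(f"set static-route {prefix} nexthop gateway "
                         f"logical vt-{site.name} on")
    lines.append("save config")
    return lines


if __name__ == "__main__":
    # Constructed cluster site: numbered VTI, BGP to the Azure VNG
    site = AzureVpnSite(name="azure-weu", azure_asn=65515, local_asn=65010,
                        vti_id=1, numbered=True, cluster=True,
                        local_vti_ip="169.254.21.1", remote_vti_ip="169.254.21.2")
    print("\n".join(clish_commands(site)))
```

Run the module once per cluster member, changing only `local_vti_ip`, and paste the output into clish on that member; the policy side (the interoperable device object and the VPN community) still has to be done in SmartConsole, as the thread notes.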