This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Pradip_Upreti
Participant
‎2017-12-26 06:58 AM

Route Based VPN with Azure in Cluster Environment

Hi, I have configured the VPN with Azure and followed the sk101275 but not successful since my VPN is route based and I have R80.10 Gateway in Cluster and I already have VTI (unnumbered) and route configured for that so want to know anything missing from my side or is there any issue with route based VPN in cluster environment.

Thanks & Regards,

Pradip

15 Replies
Vladimir
Champion
Champion
‎2017-12-26 02:15 PM

If I recall correctly, VTIs in clustered environment must be numbered.

0 Kudos
Pradip_Upreti
Participant
‎2017-12-26 07:46 PM
In response to Vladimir

Hi Vladimir,

Thanks for the reply, is there any way to execute this without using the numbered since that azure VPN is running with multi site so I don't think I can go with numbered. Correct me If I am wrong, if I use numbered in my site then same should be configured in Azure end also.

Thanks & Regards,

Pradip

0 Kudos
Vladimir
Champion
Champion
‎2017-12-27 05:48 AM
In response to Pradip_Upreti

I think you cannot use unnumbered VTIs in clustered environment. Please see "Site to Site VPN R80.10 - Part of Check Point Infinity " , "VTIs in a Clustered Environment" section.

There were a number of similar discussions pertaining to the implementation of VTIs with AWS that you can find on CPUG:

Secondary Cluster IP , but it looks more like a jury rig, than the supported solution.

The takeaway from all the discussions on the subject of clustered tunnel implementations with cloud services with RB VPN, you are better off using pair of Cisco routers, (not ASAs) with multiple HSRP IPs. 

Pradip_Upreti
Participant
‎2017-12-27 07:12 AM
In response to Vladimir

Hi Vladimir,

Thanks for the response this helps me a lot.

0 Kudos
Niels_van_Sluis
Contributor
‎2017-12-27 06:37 AM

Hi Pradip,

I'm about to setup a similar VPN configuration in the near future. When reading sk101275 I was wondering if it is really necessary to use VTIs. Because it says the requirement for route based VPN in IKE2 is only relevant for the Microsoft Azure part of the configuration. I'm not sure what they are trying to say here. Further on I read about what Azure calls "route-based VPN" is actually what Check Point calls "gateway-to-gateway". The sk itself doesn't mention the use of VTIs at all, so I wonder if what Azure calls "route-based VPN" is something different from what Check Point calls "route-based VPN". I hope you succeed in getting this VPN to work and share with us how you did it 🙂

Kind regards,

     --Niels

Vladimir
Champion
Champion
‎2017-12-27 06:49 AM
In response to Niels_van_Sluis

As far as I understand it, the VTIs are required if you'd like to use dynamic routing protocols on VPN.

0 Kudos
Pradip_Upreti
Participant
‎2017-12-27 07:20 AM
In response to Niels_van_Sluis

Hi Niels,

Good question I am going to use microsoft support so I will ask them this question and I will update you.

0 Kudos
Pradip_Upreti
Participant
‎2017-12-30 08:13 PM
In response to Niels_van_Sluis

Hi Niels,

I think you were right azure route based VPN doesn't mean Checkpoint's route based VPN, anyway we successfully configured VPN with azure, we (Checkpoint TAC, Azure TAC and us) discussed together and solved the issue. I hope this will help you in your future deployment.

Peter_Lyndley
Advisor
Advisor
‎2017-12-27 08:23 AM

I do have VPN to Azure working using 'route based' VPN (i.e OS routes, rather than encryption domain), using unnumbered VTIs. If you are still stuck, please let me know where exactly it fails ? Does the VPN come up, just no traffic flowing ? or is the VPN failing to come up ?

0 Kudos
Pradip_Upreti
Participant
‎2017-12-27 09:23 AM
In response to Peter_Lyndley

Hi Peter,

Are you using HA environment since my Checkpoint is in HA(R80.10) and while checking the VPN status it's showing 0 for encryption and decryption packets and in Azure side it's showing connecting which means there is something wrong and I re verified all the parameter and configuration in Checkpoint and it's seems fine. If possible can you share the configuration parameter.

0 Kudos
Peter_Lyndley
Advisor
Advisor
‎2017-12-29 02:52 PM
In response to Pradip_Upreti

?We are doing something very similar in HA but with R77.30

The mistake I made, I configured the vpn tunnel endpoint as an IP address however it needed to be the name of the object in SmartDashboard that related to the Azure Endpoint.

Preview file
4 KB
0 Kudos
Pradip_Upreti
Participant
‎2017-12-30 08:10 PM
In response to Peter_Lyndley

HI Peter,

We successfully configured the VPN with azure but we didn't configured any VTI. I think azure route based VPN doesn't means checkpoint's route based VPN, anyway we solved the issue and in checkpoint side it's policy based now.

0 Kudos
Pradip_Upreti
Participant
‎2017-12-30 08:15 PM

Dear All,

Thank you everyone for wonderful support and for now my problem is resolved so hope to support others with the same issue.

Wish you a very happy new year.

Thanks & Regards,

Pradip

Blason_R
MVP Gold
MVP Gold
‎2019-07-12 12:43 AM
In response to Pradip_Upreti

Hi there,

Can you please share the solution or config as we are having a similar setup.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Robert_Canis
Participant
‎2018-03-05 12:25 PM

I started messing with this about a year and a half ago and quickly realized that building these VPN's by hand will cause issues.  I wrote a script that creates a vnet in azure, creates the VNG, sets BGP on, and a few other nifty things, and then spits out the exact commands needed to be run in clish on the firewall and also the information for the policy.  I hope to script this later on when we get to R80.10, but for now it works.  BGP works fine, and then I have some route-maps to distribute my routes into my OSPF network and done!  

I can't suggest enough to have standard IP ranges, BGP AS numbers, and names.  If you do that, then you can script this and save yourself a lot of time every time you have to build a new network in Azure.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events