This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Michael_Hightow
Participant
‎2019-07-02 11:30 AM

Azure route based VPN

I'm new to Azure and trying to create a site to site VPN route based between it and my on prem cluster.  I've already referenced sk101275 for the encryption parameters so I have that part down.  Unfortunately this SK doesn't seem to cover all the pieces of the configuration required.

I'm now working on the VTI interfaces on the firewall.  For each firewall I configured a new public external IP as local and specified the Azure VPN IP as the remote IP.  Additionally I configured a new public external IP for the cluster interface.

So the basic network config looks like this:

Firewall 1 - Local IP = New public IP

            Remote IP = Azure public IP

            Peer = Azure

Firewall 2 - Local IP = New Public IP

            Remote IP = Azure public IP

            Peer = Azure

Cluster IP = New Public IP

 

Then I created an interoperable device using the same name as the peer for the VTI and the IP is the Azure Public IP.  I've read where that has to match.  I also created a VPN Community and followed sk101275 for parameters.  Policy rules were created as well as an empty network object to represent the encryption domain.

So what I'm seeing is phase 1 come up and that's it.

I opened a ticket and was initially told to check routing.  Since the VTI remote IP is pointing to the Azure public IP it's creating that a directly connected route via the VTI.  The thought was the traffic isn't going out to the internet properly to establish the tunnel.  I've read quite a few links on the site here but nothing has seemed to give me quite enough info on what I could be missing.  

thanks...

 

 

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2019-07-02 04:44 PM

What debugging have you done?
Usually, there's error messages that might give you a clue.
You may also need to do some detailed debug, start here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
0 Kudos
Michael_Hightow
Participant
‎2019-07-03 09:46 AM
In response to PhoneBoy

I have done some debugging and see two-way traffic with both tcpdump and fw monitor.  I definitely see phase 1 negotiated in the ikev2.xmll.

Support is pointing out a route on my firewall that points to the azure gateway via the vti interface.  Since that route is created by creating the vti interface itself I'm not sure how you get around that.  The support engineer was saying the traffic is returning over the vti interface and not taking the external interface path.

I don't think any static route setting would override this directly connected route.  As a matter of fact I created one just to do it and it showed up as "i" or inactive in the show route all command.

So still looking around.

 

thank you

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events