Sagar_Manandhar
Advisor

Azure Site-to-Site VPN fails

Hi,

I have been trying to establish the IPsec VPN with the Azure site. I have followed sk101275 for the same but was not able to establish the VPN. Has anybody successfully done it? It would be great if the configuration could be shared.

Regards,

Sagar Manandhar

Accepted Solutions
Sagar_Manandhar
Advisor

Change MTU of interface: 1350 (1500 default)
Encryption Method: IKEv2 only
Custom Encryption suite:

IKE Security Association (Phase 1)
- Encryption Algorithm: AES-256
- Data Integrity: SHA1
- Diffie-Hellman group: Group 2 (1024-bit)

IKE Security Association (Phase 2)
- Encryption Algorithm: AES-256
- Data Integrity: SHA1

VPN Tunnel Sharing
- Select "One VPN Tunnel per Gateway Pair"

IKE (Phase 1)
- Renegotiate IKE security associations every (min): 480

IPsec (Phase 2)
- Renegotiate IPsec security associations every (sec): 27000

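The thread's root cause was a parameter set on the Check Point side that no longer matched what Azure expected. The following is an added example (not from the thread, Check Point or Microsoft) that normalizes both vendors' spellings and units and reports mismatches; the Check Point values are taken from the accepted solution above, while the Azure-side policy is a constructed sample in the style of Azure's IPsec policy names, not an export from a real gateway.

```python
"""Compare a Check Point IKEv2 community's settings with a peer (Azure) IPsec policy."""
import re

# Check Point side, as written in the accepted solution (lifetimes in their native units).
CHECKPOINT = {
    "ike_version": "IKEv2 only",
    "ike_encryption": "AES-256",
    "ike_integrity": "SHA1",
    "dh_group": "Group 2 (1024bit)",
    "ike_lifetime": "480 min",
    "ipsec_encryption": "AES-256",
    "ipsec_integrity": "SHA1",
    "ipsec_lifetime": "27000 sec",
}

# Constructed Azure-side policy (assumed sample values, not exported from a real gateway).
AZURE = {
    "ike_version": "IKEv2",
    "ike_encryption": "AES256",
    "ike_integrity": "SHA1",
    "dh_group": "DHGroup2",
    "ike_lifetime": "28800 sec",
    "ipsec_encryption": "AES256",
    "ipsec_integrity": "SHA1",
    "ipsec_lifetime": "27000 sec",
}


def normalize(key, value):
    """Reduce vendor-specific spellings and units to one canonical form."""
    v = value.strip().lower()
    if key.endswith("_lifetime"):
        # Check Point states Phase 1 in minutes and Phase 2 in seconds; compare in seconds.
        num, unit = re.match(r"(\d+)\s*(min|sec|s)?", v).groups()
        return int(num) * (60 if unit == "min" else 1)
    if key == "dh_group":
        # "Group 2 (1024bit)" and "DHGroup2" both reduce to "group2".
        return "group" + re.search(r"(\d+)", v).group(1)
    if key == "ike_version":
        return re.search(r"ikev\d", v).group(0)          # "IKEv2 only" -> "ikev2"
    return re.sub(r"[^a-z0-9]", "", v)                  # "AES-256" / "AES256" -> "aes256"


def mismatches(local, peer):
    """Return the setting names whose canonical values differ between the two sides."""
    return sorted(k for k in local if normalize(k, local[k]) != normalize(k, peer[k]))
```

Running `mismatches(CHECKPOINT, AZURE)` on the sample returns an empty list; change one side's DH group or lifetime and the differing key is reported, which is the check to run before opening a TAC case for a tunnel that will not come up.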

11 Replies
PhoneBoy
Admin

I'd start with basic troubleshooting, as described here: VPN Site-to-Site with 3rd party 

Note that most of this is generic to "third parties" (i.e. not a Check Point gateway you control) and should also apply to Azure.

Sagar_Manandhar
Advisor

hi,

We have finally configured the VPN. We got to know that the parameters given in the Check Point doc for Azure VPN are outdated, and we have replaced them with the new parameters given by the Azure team, and now it's working fine.

PhoneBoy
Admin
Admin

So that we can update our docs, can you share what the incorrect parameters are and what we should replace them with?

Igor_Roytman
Employee

Sagar Manandhar, can you please elaborate on what was incorrect in the SK that caused the VPN not to work, so we can update the SK? I see different SA lifetimes; that should not cause an issue establishing the tunnel. Of course the SK should still be updated, but I wonder if there are some other parameters to be fixed.
Thank you in advance!

Amir_Rehman
Contributor

Did anyone figure out which parameters are outdated?

Henrique_Sauer_
Contributor

It worked for me!

Thanks dude

Gaurav_Pandya
Advisor

We have also successfully established a tunnel from a Check Point gateway to AWS, but it sometimes disconnects and we have to reset the tunnel every time to establish flow again.

John_Richards
Contributor

Can someone please post what the settings should be, or a link to the documentation, for a Check Point site-to-site VPN between an on-prem cluster and a single Azure GW? I have a TAC case open and even they are having trouble. We use Smart-1 to manage both GWs and I suspect that may be causing the issue.

fllangari
Explorer

Hi John

Were you successful in creating the VPN between the 2 Check Point FWs managed by the same management?

In one case, with TAC, we applied sk21156, which disables the CRL.

Best regards

John_Richards
Contributor

I believe it came down to the settings in the topology for the MAAS tunnel on the GW. Once we corrected the topo the tunnel worked.
