Rafal_N
Contributor

Azure VPN with BGP (ClusterXL and 2 VPN Tunnels)

Hi Community,

Can somebody help with a ClusterXL BGP VPN tunnel to Azure configuration?

I tried to follow the sk176249 guide, but there is a strange thing in the configuration about Cluster HA and the two vpnt interfaces.

Interfaces vpnt1 and vpnt2 use the same virtual address (10.250.0.1). Is that normal, and should I configure it like this:

[screenshot: vpnt.png]

I got confused because below there is something different in the routing CLI, and it looks like vpnt1 and vpnt2 have different VIPs configured:

[screenshot: vpnt_2.png]

Could someone help me and specify which IP should be defined where:

router-id: a.a.a.a

fw01 vpnt1: b.b.b.b         fw02 vpnt1: d.d.d.d         VIP vpnt1: f.f.f.f

fw01 vpnt2: c.c.c.c         fw02 vpnt2: e.e.e.e          VIP vpnt2: g.g.g.g

Maybe someone knows whether there is something in the Check Point BGP configuration like update-source in Cisco:

! loopback that both BGP sessions are sourced from
interface Loopback 11
 ip address 100.64.200.1 255.255.255.255
exit
!
router bgp 65521
 bgp log-neighbor-changes
 neighbor 10.250.0.12 remote-as 65515
 neighbor 10.250.0.12 ebgp-multihop 255
 neighbor 10.250.0.12 update-source loopback 11
 !
 neighbor 10.250.0.13 remote-as 65515
 neighbor 10.250.0.13 ebgp-multihop 255
 neighbor 10.250.0.13 update-source loopback 11

I'll be grateful for any clarification.

 

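The Cisco snippet in the question ties both sessions to Loopback 11 with update-source, so the Azure peers always see 100.64.200.1 no matter which physical interface the packets leave on; that stable source address is the property being asked about on the Check Point side. The Python below is an added example (not from this thread, and not Check Point's or Cisco's code): it parses the IOS-style snippet above (embedded as a constructed sample) and checks the two things that go together with update-source: the referenced interface must exist and carry an address, and an eBGP session sourced from a loopback needs ebgp-multihop because the loopback is not directly connected to the peer. A second constructed sample with the multihop line dropped shows the check firing.

```python
# Added example: tiny linter for the IOS-style BGP snippet in the question.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class BgpNeighbor:
    peer: str
    remote_as: Optional[int] = None
    update_source: Optional[str] = None   # normalised interface name, e.g. "loopback11"
    ebgp_multihop: Optional[int] = None


@dataclass
class BgpConfig:
    local_as: Optional[int] = None
    interfaces: Dict[str, str] = field(default_factory=dict)      # iface -> IPv4 address
    neighbors: Dict[str, BgpNeighbor] = field(default_factory=dict)


def norm_ifname(name: str) -> str:
    """'Loopback 11', 'loopback11' and 'Loopback11' all map to 'loopback11'."""
    return re.sub(r"\s+", "", name).lower()


def parse_ios_bgp(text: str) -> BgpConfig:
    """Parse the subset of IOS syntax used in the question (interfaces + router bgp)."""
    cfg = BgpConfig()
    current_if: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"interface\s+(.+)$", line, re.I):
            current_if = norm_ifname(m.group(1))
            cfg.interfaces.setdefault(current_if, "")
        elif m := re.match(r"ip address\s+(\S+)\s+\S+$", line, re.I):
            if current_if is not None:
                cfg.interfaces[current_if] = m.group(1)
        elif line.lower() == "exit":
            current_if = None
        elif m := re.match(r"router bgp\s+(\d+)$", line, re.I):
            cfg.local_as = int(m.group(1))
        elif m := re.match(r"neighbor\s+(\S+)\s+(remote-as|ebgp-multihop|update-source)\s+(.+)$", line, re.I):
            peer, keyword, value = m.group(1), m.group(2).lower(), m.group(3).strip()
            nb = cfg.neighbors.setdefault(peer, BgpNeighbor(peer=peer))
            if keyword == "remote-as":
                nb.remote_as = int(value)
            elif keyword == "ebgp-multihop":
                nb.ebgp_multihop = int(value)
            else:
                nb.update_source = norm_ifname(value)
    return cfg


def effective_source(cfg: BgpConfig, peer: str) -> Optional[str]:
    """Address the session to `peer` is sourced from; None means it falls back to the egress interface."""
    nb = cfg.neighbors.get(peer)
    if nb is None or nb.update_source is None:
        return None
    return cfg.interfaces.get(nb.update_source) or None


def lint_bgp(cfg: BgpConfig) -> List[str]:
    """Return human-readable findings; an empty list means the snippet is consistent."""
    findings: List[str] = []
    for peer, nb in cfg.neighbors.items():
        if nb.remote_as is None:
            findings.append(f"{peer}: no remote-as configured")
            continue
        if nb.update_source is not None:
            if not cfg.interfaces.get(nb.update_source):
                findings.append(f"{peer}: update-source {nb.update_source} has no IP address or does not exist")
            is_ebgp = cfg.local_as is not None and nb.remote_as != cfg.local_as
            if is_ebgp and nb.update_source.startswith("loopback") and nb.ebgp_multihop is None:
                findings.append(f"{peer}: eBGP sourced from a loopback needs ebgp-multihop")
    return findings


# Constructed sample: the snippet from the question above.
SAMPLE = """
interface Loopback 11
ip address 100.64.200.1 255.255.255.255
exit

router bgp 65521
bgp log-neighbor-changes
neighbor 10.250.0.12 remote-as 65515
neighbor 10.250.0.12 ebgp-multihop 255
neighbor 10.250.0.12 update-source loopback 11

neighbor 10.250.0.13 remote-as 65515
neighbor 10.250.0.13 ebgp-multihop 255
neighbor 10.250.0.13 update-source loopback 11
"""

# Constructed negative sample: the second peer lost its ebgp-multihop line.
BROKEN = SAMPLE.replace("neighbor 10.250.0.13 ebgp-multihop 255\n", "")

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE), ("broken", BROKEN)):
        cfg = parse_ios_bgp(text)
        for peer in cfg.neighbors:
            print(f"[{label}] {peer} sourced from {effective_source(cfg, peer)}")
        for finding in lint_bgp(cfg):
            print(f"[{label}] FINDING: {finding}")
```

Run it as-is to see both peers reported as sourced from 100.64.200.1 for the first sample, and a single finding against 10.250.0.13 for the second. The same two checks are what to confirm by hand on the gateway side whichever way the VTI addressing ends up being done: which address the session actually leaves from, and whether that address is reachable by the peer in one hop.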
4 Replies
the_rock
Legend

Wait, that does not make sense... how can they be using the same IP address? If the VTI is numbered, then you assign the IP yourself, and if it's UNNUMBERED, then you can "tie" it to any given interface, so say if it's tied to eth0, then it will have the exact same IP as that interface, which is totally fine.

I always found that when it comes to BGP, you should be using unnumbered VTIs.

Andy

Rafal_N
Contributor

Thanks, Andy. I will try that as it is in the deployment phase. However, all SK guides and Azure download configurations mention something about VTI IP addresses.

What is your practice? Do you configure Unnumbered VTI based on a loopback interface, or do you connect to an external interface and use it as the peer in Azure?

Any other thoughts? Has anyone followed this guide with clustering and HA successfully?

the_rock
Legend

I never followed any guides for it. I just discovered it by doing extensive testing with my colleague, and we got it working with a VPN tunnel from a CP cluster to Azure (route based) and BGP (using unnumbered VTIs).

Andy

the_rock
Legend

See if the below helps; if not, we can do a remote later if free (and allowed to).

Andy

https://community.checkpoint.com/t5/Security-Gateways/Route-Based-VPN-with-Static-Rouing/m-p/205256/...
