BGP over VPN between Azure.docx
Documentation which explains how to deploy a site-to-site VPN between an Azure VPN Gateway and a Check Point R80.10 Gateway with BGP routing exchange via route-based VPN.
- Tags:
- bgp vpn
I've read that VTI is not supported in VSX mode. Can I follow this procedure in VSX mode?
Sorry, VTI and VSX still don't work together.
Confirmed, and I suspect the reason for this limitation is that VTIs are implemented by a completely separate kernel module called vpntmod. VSX runs pretty much completely in process space.
Hi, I have an R80.10 Management and a cluster gateway R77.30. Can I follow this procedure? Any additional advice?
Yes
Hi All, I've been trying to set up a VPN to Azure with BGP (I've had no problems setting up a standard VPN to Azure but require BGP for dynamic routing and thus a bigger VPN to Azure, as we don't want to buy an Express Route). I don't understand what this is trying to say in the document;
Sorry to come back to this one...
On the "Interoperable Device", shouldn't the topology be the "External IP of the Azure GW" and the Azure VNET Address Space?
Why would I need to set my own CP External IP + Internal Subnet (on the CP side) on the Interoperable Device referencing Azure?
For the Azure gateway object you have to manually set the topology (on a normal gateway you just fetch it) and the encryption domain.
Let me know if this isn’t clear.
Hi Juan,
Would you happen to know if these steps also apply to Check Point R80.30?
No, in R80.30 I was able to do this without setting topology.
Is there an updated guide for this? I find the steps required for the Check Point to be incredibly hard to follow.
Can you please be more specific on which portion you're having problems understanding?
Hi Juan,
The external IP you put here in the topology is different from the real IP of the peer gateway? The VPN peer gateway is 52.225.225.207 and the external IP in the topology is 52.184.160.26. On the other hand I would also
This should match whatever IP address is on the Azure VPN gateway. Oversight in transcription, as I rebuilt this several times during the documentation build and with each rebuild the IP was different.
Okay. By the way, where do I get the router-id?
Hi Juan,
The external IP you put here in the topology is different from the real IP of the peer gateway? The VPN peer gateway is 52.225.225.207 and the external IP in the topology is 52.184.160.26. On the other hand, I would also ask where did you get the Router-ID 173.76.170.56? Thank you
Hi,
Can I ask why your local address in the VPN tunnel config is 50.50.50.1? Shouldn't that be a 169.254.0.0/16 address?
Hi, on my side I struggled a lot to get the BGP peering stable; the IPSec tunnel is working A1 though. I have a generic Azure VPN GW and firewall. So to make it work with an on-prem Check Point cluster, on each cluster member I configured my cluster VTI VIP as router ID. Azure Local network gateways (one for each ISP, as I am dual ISP) are pointing to my VTI cluster VIP also. Since then, everything is working fine.
