Juan_Concepcion
Advisor

BGP over VPN between Azure.docx

Documentation which explains how to deploy a site-to-site VPN between an Azure VPN Gateway and a Check Point R80.10 Gateway with BGP routing exchange via route-based VPN.

18 Replies
Raphael_Cote
Contributor

I've read that VTI is not supported in VSX mode.  Can I follow this procedure in VSX mode?

Peter_Sandkuijl
Employee

Sorry, VTI and VSX still don't work together.

Timothy_Hall
Legend

Confirmed, and I suspect the reason for this limitation is that VTIs are implemented by a completely separate kernel module called vpntmod. VSX runs pretty much completely in process space.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Jose_W__Castill
Explorer

Hi, I have an R80.10 Management and a cluster gateway R77.30. Can I follow this procedure? Any additional advice?

Juan_Concepcion
Advisor

Yes

Sent from my iPhone

PAUL_SAMWAYS1
Participant

Hi All, I've been trying to set up a VPN to Azure with BGP (I've had no problems setting up a standard VPN to Azure but require BGP for dynamic routing and thus a bigger VPN to Azure, as we don't want to buy an Express Route). I don't understand what this is trying to say in the document;

RZomerman
Explorer

Sorry to come back to this one.. 

On the "Interoperable Device" shouldn't the topology be the "External IP of the Azure GW" & the Azure VNET Address Space?

Why would I need to set my own CP External IP + Internal Subnet (on CP side) on the Interoperable Device referencing Azure?

0 Kudos
Juan_Concepcion
Advisor

For the Azure gateway object you have to manually set the topology (on a normal gateway you just fetch) and the encryption domain.

Let me know if this isn’t clear.

Sent from my iPhone

Ping_Choi
Participant

Hi Juan,

Would you happen to know if these steps also apply to Check Point R80.30?

 

 

Juan_Concepcion
Advisor

No, in R80.30 I was able to do this without setting topology.

0 Kudos
MCS_LTD
Explorer

Is there an updated guide for this? I find the steps required for the Check Point to be incredibly hard to follow.

Juan_Concepcion
Advisor

Can you please be more specific on which portion you're having problems understanding?

0 Kudos
Reyman2021
Participant

Hi Juan,

The external IP you put here in the topology is different from the real IP of the peer gateway? The VPN peer gateway is 52.225.225.207 and the external IP in the topology is 52.184.160.26. On the other hand I would also

 

 CAPTURE1.PNG

Juan_Concepcion
Advisor

This should match whatever IP address is on the Azure VPN gateway. Oversight in transcription, as I rebuilt this several times during the documentation build and with each rebuild the IP was different.

0 Kudos
Reyman2021
Participant

Okay. By the way, where do I get the router-id?

 

0 Kudos
Reyman2021
Participant

Hi Juan,

The external IP you put here in the topology is different from the real IP of the peer gateway? The VPN peer gateway is 52.225.225.207 and the external IP in the topology is 52.184.160.26. On the other hand I would also ask where did you get the Router-ID 173.76.170.56? Thank you

CAPTURE1.PNG

0 Kudos
Mark_Bayley
Explorer

Hi,

Can I ask why your local address in the VPN tunnel config is 50.50.50.1? Shouldn't that be a 169.254.0.0/16 address?

0 Kudos
hemh
Participant

Hi, on my side I struggled a lot to get the BGP peering stable; the IPSec tunnel is working A1 though. I have a generic Azure VPN GW and firewall. So to make it work with an on-prem Check Point cluster, on each cluster member I configured my cluster VTI VIP as router ID. Azure Local network gateways (one for each ISP as I am dual ISP) are pointing to my VTI cluster VIP also. Since then, everything is working fine.

0 Kudos
