Bernardes (Advisor)
BGP peer through IPsec tunnel

Hello Mates!

I need to configure an iBGP peer where the peer is reached through a site-to-site tunnel. This environment is currently running on a Fortinet firewall and I need to migrate it to a Check Point firewall.

I built a lab to try to resolve this, and when I try to bring the peer up with the configuration inside the tunnel, it doesn't work at all. Testing outside the tunnel, the peer comes up normally.

Does anybody know whether this iBGP-inside-IPsec-tunnel configuration is possible or compatible with Check Point?

Is there any specific configuration that I need to do so the peer comes up?

If you guys need screenshots of my configuration, I can send them.

Thank you!


Accepted Solution

HeikoAnkenbrand (Champion)

Here is an example of how this works with Azure.
Instead of Azure, this can also be any other VPN destination.

GAIA Web GUI

1) Create VPN Tunnel Interface (VTI)

[screenshot: HeikoAnkenbrand_0-1680463156508.png]
[screenshot: HeikoAnkenbrand_1-1680463156510.png]

NOTE:
THE PEER NAME MUST MATCH THE SMARTDASHBOARD OBJECT NAME, OTHERWISE THE VTI WILL NOT WORK

2) Add Static Route for Azure VPN Peer BGP IP:

[screenshot: HeikoAnkenbrand_2-1680463156514.png]
[screenshot: HeikoAnkenbrand_3-1680463156515.png]

3) Setup BGP in GAIA WebUI

WARNING:
Without "ALL" of these configurations completed, BGP will not be successful

[screenshot: HeikoAnkenbrand_4-1680463156518.png]

4) Add Azure Gateway BGP Information:

[screenshot: HeikoAnkenbrand_5-1680463156520.png]

Fill in information based on Azure Gateway BGP Settings:

[screenshot: HeikoAnkenbrand_6-1680463156521.png]
[screenshot: HeikoAnkenbrand_7-1680463156522.png]
[screenshot: HeikoAnkenbrand_8-1680463156524.png]

NOTE:
Without Multihop enabled, the BGP session will not be established

5) Set BGP Inbound route filters

[screenshot: HeikoAnkenbrand_9-1680463156526.png]

NOTE:
For the purpose of this documentation the inbound filter has been set to accept all routes; this will vary in each environment

6) Set inbound route filter settings

[screenshot: HeikoAnkenbrand_10-1680463156528.png]

SmartConsole

7) Create an empty VPN group which will represent the Azure VPN Gateway's VPN domain:

[screenshot: HeikoAnkenbrand_11-1680463488594.png]
[screenshot: HeikoAnkenbrand_12-1680463488595.png]

8) Next create the Azure VPN Gateway object:

[screenshot: HeikoAnkenbrand_13-1680463488596.png]
[screenshot: HeikoAnkenbrand_15-1680463488600.png]

9) Create VPN Community

[screenshot: HeikoAnkenbrand_16-1680463488602.png]
[screenshot: HeikoAnkenbrand_25-1680463669045.png]
[screenshot: HeikoAnkenbrand_26-1680463669048.png]
[screenshot: HeikoAnkenbrand_27-1680463669050.png]
[screenshot: HeikoAnkenbrand_28-1680463669053.png]

10) Create VPN ruleset
...

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
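The three gotchas called out in the steps above (VTI peer name must equal the SmartConsole object name, a static route for the peer's BGP IP via the VTI, and multihop enabled) can be pre-checked before a tunnel change is pushed. The script below is an added example, not code from the post or from Check Point; the Gaia clish lines it parses are constructed samples whose exact syntax is an assumption, and the peer name, ASN and 169.254.x.x tunnel addresses are made up.

```python
import re

# Constructed sample of a Gaia-style VTI/BGP configuration that shows all
# three failure modes from the post (the clish syntax is an assumption).
BROKEN_CFG = """
add vpn tunnel 1 type numbered local 169.254.21.1 remote 169.254.21.2 peer Azure_GW
set static-route 10.0.0.0/8 nexthop gateway logical vt-Azure_GW on
set bgp external remote-as 65515 peer 169.254.21.2 on
"""

# Constructed sample with all three corrected.
FIXED_CFG = """
add vpn tunnel 1 type numbered local 169.254.21.1 remote 169.254.21.2 peer AzureVPNGW
set static-route 169.254.21.2/32 nexthop gateway logical vt-AzureVPNGW on
set bgp external remote-as 65515 peer 169.254.21.2 on
set bgp external remote-as 65515 peer 169.254.21.2 multihop on
"""


def check_bgp_over_vti(cfg: str, smartconsole_peer_object: str) -> list:
    """Return a list of findings; an empty list means the three checks pass.

    Only numbered VTIs are handled: the remote tunnel address is taken as the
    BGP peer IP that must be reachable via the vt-<peer> interface.
    """
    findings = []
    vti = re.search(r"add vpn tunnel \d+ type numbered .*?remote (\S+) peer (\S+)", cfg)
    if not vti:
        return ["no numbered VTI defined"]
    remote_ip, peer_name = vti.groups()
    ip = re.escape(remote_ip)

    # Gotcha 1: VTI peer name must match the SmartConsole gateway object name.
    if peer_name != smartconsole_peer_object:
        findings.append(f"VTI peer '{peer_name}' != SmartConsole object '{smartconsole_peer_object}'")

    # Gotcha 2: a host route to the peer's BGP IP must point into the VTI.
    if not re.search(rf"set static-route {ip}/32 nexthop gateway logical vt-{re.escape(peer_name)} on", cfg):
        findings.append(f"no /32 static route to BGP peer {remote_ip} via vt-{peer_name}")

    # Gotcha 3: the BGP peer must exist and have multihop enabled.
    if not re.search(rf"set bgp \w+ .*?peer {ip} on", cfg):
        findings.append(f"no BGP peer {remote_ip} configured")
    elif not re.search(rf"set bgp \w+ .*?peer {ip} multihop on", cfg):
        findings.append(f"multihop not enabled for BGP peer {remote_ip}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CFG), ("fixed", FIXED_CFG)):
        print(name, check_bgp_over_vti(cfg, "AzureVPNGW") or ["OK"])
```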

6 Replies
the_rock (Legend)

Wow...the effort you put in your answer @HeikoAnkenbrand is truly outstanding!👌👌

chueymtz (Explorer)

How would this be configured on a cluster? Great explanation by the way.

the_rock (Legend)

My colleague and I did this in the lab; the ONLY way we could make it work with a cluster and BGP was using an UNNUMBERED VTI.

Andy

emmap (Employee)

Each cluster member has its own VTI with an IP address; then you 'get' interfaces in SmartConsole and create the VIP that the other end will talk to. Details are in the VPN admin guide.

the_rock (Legend)

@Bernardes ...just to add to what @HeikoAnkenbrand said, sometimes you may need to edit the VTI in the dashboard firewall topology and possibly enable "don't check packets from..." to make this work 100%.

Just wanted to throw that out there...I had seen it a few times, but not too often.

Andy
