This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Bernardes
Advisor
Advisor
‎2023-04-02 10:36 AM
Jump to solution

BGP peer Throught IPSEC tunnel

Hello Mates!

I need to configure an iBGP peer where the peer is in the site-to-site tunnel. This environment is currently running on Fortinet Firewall and I need to migrate that from it to Check Point Firewall.

I made a lab to try to resolve this demand and when I try to put the peer up with the configuration inside the tunnel it doesn't work at all. Testing the out the tunnel, the peer goes up normally.

Does anybody know if it is possible or compatible with Check Point this iBGP inside IPSEC tunnel configuration?

Is there any specific configuration that I need to do to the peer goes up?

If you guys need prints from my configurations I can send it.

Thank you!

 

1 Solution

Accepted Solutions
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2023-04-02 12:26 PM
Jump to solution

Here is an example how this works with Azure.
Instead of Azure, this can also be any other VPN destination.

GAIA Web GUI



1) Create VPN Tunnel Interface (VTI)

HeikoAnkenbrand_0-1680463156508.png

HeikoAnkenbrand_1-1680463156510.png

NOTE:
THE PEER NAME MUST MATCH THE SMARTDASHBOARD OBJECT NAME OTHERWISE THE VTI WILL NOT WORK

2) Add Static Route for Azure VPN Peer BGP IP:

HeikoAnkenbrand_2-1680463156514.png

HeikoAnkenbrand_3-1680463156515.png

3) Setup BGP in GAIA WebUI

WARNING:
Without “ALL” of these configurations completed BGP will not be successful

HeikoAnkenbrand_4-1680463156518.png

4) Add Azure Gateway BGP Information:

HeikoAnkenbrand_5-1680463156520.png

Fill in information based on Azure Gateway BGP Settings:

HeikoAnkenbrand_6-1680463156521.png

HeikoAnkenbrand_7-1680463156522.png

HeikoAnkenbrand_8-1680463156524.png

NOTE:
Without Multihop enabled the BGP session will not be established

5) Set BGP Inbound route filters

HeikoAnkenbrand_9-1680463156526.png

NOTE:
For the purpose of this documentation the inbound filter has been set to accept all routes – this will vary in each environment

6) Set inbound route filter settings

HeikoAnkenbrand_10-1680463156528.png

SmartConsole


7) Create an empty VPN group which will represent the Azure VPN Gateway’s vpn domain:

HeikoAnkenbrand_11-1680463488594.png

 

HeikoAnkenbrand_12-1680463488595.png

8 ) Next create Azure VPN Gateway object:

HeikoAnkenbrand_13-1680463488596.png

HeikoAnkenbrand_15-1680463488600.png

9) Create VPN Community

HeikoAnkenbrand_16-1680463488602.png

HeikoAnkenbrand_25-1680463669045.png

HeikoAnkenbrand_26-1680463669048.png

HeikoAnkenbrand_27-1680463669050.png

HeikoAnkenbrand_28-1680463669053.png

10) Create VPN ruleset
...

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

8 Replies
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2023-04-02 12:26 PM
Jump to solution

Here is an example how this works with Azure.
Instead of Azure, this can also be any other VPN destination.

GAIA Web GUI



1) Create VPN Tunnel Interface (VTI)

HeikoAnkenbrand_0-1680463156508.png

HeikoAnkenbrand_1-1680463156510.png

NOTE:
THE PEER NAME MUST MATCH THE SMARTDASHBOARD OBJECT NAME OTHERWISE THE VTI WILL NOT WORK

2) Add Static Route for Azure VPN Peer BGP IP:

HeikoAnkenbrand_2-1680463156514.png

HeikoAnkenbrand_3-1680463156515.png

3) Setup BGP in GAIA WebUI

WARNING:
Without “ALL” of these configurations completed BGP will not be successful

HeikoAnkenbrand_4-1680463156518.png

4) Add Azure Gateway BGP Information:

HeikoAnkenbrand_5-1680463156520.png

Fill in information based on Azure Gateway BGP Settings:

HeikoAnkenbrand_6-1680463156521.png

HeikoAnkenbrand_7-1680463156522.png

HeikoAnkenbrand_8-1680463156524.png

NOTE:
Without Multihop enabled the BGP session will not be established

5) Set BGP Inbound route filters

HeikoAnkenbrand_9-1680463156526.png

NOTE:
For the purpose of this documentation the inbound filter has been set to accept all routes – this will vary in each environment

6) Set inbound route filter settings

HeikoAnkenbrand_10-1680463156528.png

SmartConsole


7) Create an empty VPN group which will represent the Azure VPN Gateway’s vpn domain:

HeikoAnkenbrand_11-1680463488594.png

 

HeikoAnkenbrand_12-1680463488595.png

8 ) Next create Azure VPN Gateway object:

HeikoAnkenbrand_13-1680463488596.png

HeikoAnkenbrand_15-1680463488600.png

9) Create VPN Community

HeikoAnkenbrand_16-1680463488602.png

HeikoAnkenbrand_25-1680463669045.png

HeikoAnkenbrand_26-1680463669048.png

HeikoAnkenbrand_27-1680463669050.png

HeikoAnkenbrand_28-1680463669053.png

10) Create VPN ruleset
...

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
the_rock
MVP Platinum
MVP Platinum
‎2023-04-02 03:28 PM
In response to HeikoAnkenbrand
Jump to solution

Wow...the effort you put in your answer @HeikoAnkenbrand is truly outstanding!👌👌

Best,
Andy
0 Kudos
chueymtz
Explorer
‎2024-01-26 09:33 AM
In response to HeikoAnkenbrand
Jump to solution

How would this be configured on a cluster? Great explanation by the way.

the_rock
MVP Platinum
MVP Platinum
‎2024-01-26 09:39 AM
In response to chueymtz
Jump to solution

My colleague and I did this in the lab, ONLY way we could make it work with cluster and BGP was using UNNUMBERED vti.

Andy

Best,
Andy
0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-01-28 11:40 PM
In response to chueymtz
Jump to solution

Each cluster member has its own VTI with IP Address, then you 'get' interfaces in smartconsole and create the VIP that the other end will talk to. Details are in the VPN admin guide.

0 Kudos
Matlu
MVP Silver
MVP Silver
‎2025-08-21 11:09 AM
In response to HeikoAnkenbrand
Jump to solution

Hello, @HeikoAnkenbrand 
Is this the same process that must be followed in a VSX environment?
I have a VS where I currently have several S2S VPNs.
There is a need to “migrate” one of the traditional VPNs we have so that it now works using BGP.
So, are there many changes that would need to be considered to achieve this?
I understand that BGP in VSX is configured only by CLI, and that CLI is also where you have to work with VTIs?
Is there any documentation or post that talks about BGP over S2S VPNs in VSX environments?
Thanks for your comments.

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-08-21 04:39 PM
In response to Matlu
Jump to solution

For some hints please see: https://community.checkpoint.com/t5/Security-Gateways/VPN-SITE-TO-SITE-CHECKPOINT-VSX-ROUTE-BASED/td...

CCSM R77/R80/ELITE
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-04-02 03:30 PM
Jump to solution

@Bernardes ...just to add to what @HeikoAnkenbrand said, sometimes you may need to edit VTI in dashboard fw topology and possibly enable "dont check packets from.." to make this work 100%.

Just wanted to throw that out there...I had seen it few times, but not too too often.

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events