Create a Post
Showing results for 
Search instead for 
Did you mean: 

Checkpoint to Azure Route based - guide

I had a bit of struggle to get this working initially, as Azure don't provide configs for Checkpoint and they operate a bit different to AWS route based VPN's. Sk101275 will give you about 20% of what you need, so I am writing this up in case it helps others.


Steps for Checkpoint cluster to Azure Route based vpn (based on R80.20)

In this config all traffic from Azure will be tunnelled to the Checkpoint.
The Checkpoint can be participating in other Policy Based / Domain based VPN's without impacting them


Azure Side

configure for "forced tunnelling mode"
Download the generic (IOS based) config


Checkpoint side

Open smartConsole

  • Create a new interoperable device, choose a unique name and give it the Public IP of Azure. (eg. AZUREIP,
  • On topology tab, set manually defined topology, create a new simple group, with NO OBJECTS in it (ie an empty group)


Open the centre gateway, Click network management, Select VPN Domain, now you have two options:

  • if you have no other VPN's and don't expect to ever need a policy based VPN, then add grp.empty as your encryption domain
  • If you have existing policy based VPN's then open the current encryption domain group, inside that group add a new network object: network address:, net mask:

Under VPN communities, create new star VPN, name it, add your local gateway as the Center gateway, and the new interoperable device as the satellite gateway (eg AZUREIP)

Encryption tab:
Method- Prefer Ikev2, support Ikev1
Encryption suite - Custom

  • Phase 1: AES-256, SHA256, Group2
  • Phase 2: AES-256, SHA256
    (everything else unticked)

Tunnel management: Select One VPN tunnel per gateway pair

VPN Routing: select "To center, through center, Internet and other VPN targets"

Shared Secret: Add peer name (eg AZUREIP) and the PSK provided in config file

Advanced Tab -

  • Phase 1: 480
  • Phase 2: 3600


Create VPN tunnel interfaces (VTI)

SSH to your gateways and enter clish

(Find the "int tunnel 11 ip address" it is a 169.254 address with a /30 mask in the Azure provided config)

The IP address listed (eg will be your VIP, we need to extend that mask to /29 which gives more usable addresses

eg: = VIP = FW A = FW B


(peer name must be exactly the same as interoperable device name in GUI, remote IP is the public IP of the interoperable device)

A: add vpn tunnel 11 type numbered local remote peer AZUREIP
A: set interface vpnt11 mtu 1350
A: save config

B: add vpn tunnel 11 type numbered local remote peer AZUREIP
B: set interface vpnt11 mtu 1350
B: save config


Add statics routes for your Azure CIDR via the new VPN interface

A: set static-route nexthop gateway logical vpnt11 on
A: save config

B: set static-route nexthop gateway logical vpnt11 on
B: save config


Get topology and assign VIP

Ensure that you have enabled the IPsec VPN blade on your gateway.
Open your gateway or cluster object, and choose "Network Management"
Choose "Get Interfaces without toplogy" - but sure not to select WITH!

Locate new vpn interface, add virtual IP (our local 169.254 address eg
Under topology, select "leads to, override, specific" create a new group, add your Azure CIDR, your 169.254.x.x/29 subnet and your Azure Interoperable device to this group)
Enable antispoofing as desired

In checkpoint global properties, select VPN, advanced, at the bottom tick "enable VPN directional match)

Firewall Rules

Create firewall rules as required
In VPN column right click and add "Directional match condition" for each rule add three match conditions as follows:
Internal clear => AZURE-VPN-COMMUNITY
AZURE-VPN-COMMUNITY=> Internal_clear

Install policy

8 Replies

Thanks for putting this out there, however there's a catch with this that you would only come across when trying to do BGP peering across this IPsec VTI.


Don't follow this guidance:

(peer name must be exactly the same as interoperable device name in GUI, remote IP is the public IP of the interoperable device)

A: add vpn tunnel 11 type numbered local remote peer AZUREIP


remote is wrong


It should be the BGP peer that you want to establish neighborship with on the other side of the tunnel (a Private IP (BGP Peer) given to you within the GatewaySubnet). If you use the public IP you can't establish BGP Peering. You'll get this error in routed.log 

bgp_check_invalid_nexthop(7086): (External AS 65515) Route 10.0 rtn_gateway[0] Nexthop is unspecified


If your Vnet CIDR is and your GatewaySubnet is, and you aren't doing Active-Active VPN tunnels/BGP peering with Azure, then they'll give you to peer with, and your config should be:


A: add vpn tunnel 11 type numbered local remote peer AZUREIP


If you are doing Active-Active, they'll give you and (in this example).


Also, under the Interoperable Gateway object > Topology tab > add the internal IP (BGP Peer IP) in there: (or in Active-Active, both .4 and .5)


Interesting that you are using numbered VTI with Azure as always had to use UnNumbered and then use the External Interface as the Proxy IP for the VTI interface to do route based VPN.

All I bother with for Azure is the External IP and is it Static or Dynamic and that tells me which settings to use.

Has Azure changed to use Numbered VTI now as previously always had to use UnNumbered for Azure and Numbered for AWS.

0 Kudos

Hello, which Is the functional difference between numbered and unnumbered? Why some Cloud provider needs unnumbered?

0 Kudos

Hi Ryan,


many thanks for the guide.

I just have one question - is there a need to specify the local encryption domain with explicitly, or is our currently defined group with all relevant local subnets also fine?



0 Kudos

If you're using route-based VPNs, you generally explicitly set the encryption domain to be

0 Kudos

But we have also multiple policy-based VPNs (15) and need to change one of them now to route based (Azure - Microsoft Support recommendation).
I'm not sure what the side effects for the other VPNs would be, if we change the enc domain.

I know that we had some pain to get everything working there properly, because of tunnel-to-tunnel communication, some issues with routing to the tunnels and issues with unencrypted communication to the remote site, where we had to edit the crypt.def exclusions.

Now it's running properly, but it's a fragile construct - if the is not mandatory, we would prefer not to use it.

But if it is mandatory, then we'll have to schedule a maintenance window at night and try to change this and resolve the possible unwanted side-effects.


0 Kudos

0 Kudos

I know this is an old post, but I just wanted to share my experience...followed CP guide for route based vpn, sk for cp to azure vpn config, tried permanent tunnel, no luck...oddly enough, when you disable option for permanent tunnel, CP side shows tunnel as up, but on azure side, its very intermittent. If you enable permanent tunnel setting, tunnel never comes up no matter what you do...we followed VTI settings to exactly what guide advised, but no luck. Any ideas? WE would like to make this work as permanent tunnel if at all possible.

0 Kudos