I had a bit of struggle to get this working initially, as Azure don't provide configs for Checkpoint and they operate a bit different to AWS route based VPN's. Sk101275 will give you about 20% of what you need, so I am writing this up in case it helps others.
Steps for Checkpoint cluster to Azure Route based vpn (based on R80.20)
In this config all traffic from Azure will be tunnelled to the Checkpoint.
The Checkpoint can be participating in other Policy Based / Domain based VPN's without impacting them
configure for "forced tunnelling mode"
Download the generic (IOS based) config
- Create a new interoperable device, choose a unique name and give it the Public IP of Azure. (eg. AZUREIP, 188.8.131.52)
- On topology tab, set manually defined topology, create a new simple group, with NO OBJECTS in it (ie an empty group)
Open the centre gateway, Click network management, Select VPN Domain, now you have two options:
- if you have no other VPN's and don't expect to ever need a policy based VPN, then add grp.empty as your encryption domain
- If you have existing policy based VPN's then open the current encryption domain group, inside that group add a new network object: network address: 0.0.0.0, net mask: 0.0.0.0
Under VPN communities, create new star VPN, name it, add your local gateway as the Center gateway, and the new interoperable device as the satellite gateway (eg AZUREIP)
Method- Prefer Ikev2, support Ikev1
Encryption suite - Custom
- Phase 1: AES-256, SHA256, Group2
- Phase 2: AES-256, SHA256
(everything else unticked)
Tunnel management: Select One VPN tunnel per gateway pair
VPN Routing: select "To center, through center, Internet and other VPN targets"
Shared Secret: Add peer name (eg AZUREIP) and the PSK provided in config file
Advanced Tab -
- Phase 1: 480
- Phase 2: 3600
Create VPN tunnel interfaces (VTI)
SSH to your gateways and enter clish
(Find the "int tunnel 11 ip address" it is a 169.254 address with a /30 mask in the Azure provided config)
The IP address listed (eg 169.254.0.1) will be your VIP, we need to extend that mask to /29 which gives more usable addresses
169.254.0.1 = VIP
169.254.0.2 = FW A
169.254.0.3 = FW B
(peer name must be exactly the same as interoperable device name in GUI, remote IP is the public IP of the interoperable device)
A: add vpn tunnel 11 type numbered local 169.254.0.2 remote 184.108.40.206 peer AZUREIP
A: set interface vpnt11 mtu 1350
A: save config
B: add vpn tunnel 11 type numbered local 169.254.0.3 remote 220.127.116.11 peer AZUREIP
B: set interface vpnt11 mtu 1350
B: save config
Add statics routes for your Azure CIDR via the new VPN interface
A: set static-route 192.168.55.0/24 nexthop gateway logical vpnt11 on
A: save config
B: set static-route 192.168.55.0/24 nexthop gateway logical vpnt11 on
B: save config
Get topology and assign VIP
Ensure that you have enabled the IPsec VPN blade on your gateway.
Open your gateway or cluster object, and choose "Network Management"
Choose "Get Interfaces without toplogy" - but sure not to select WITH!
Locate new vpn interface, add virtual IP (our local 169.254 address eg 169.254.0.1/29)
Under topology, select "leads to, override, specific" create a new group, add your Azure CIDR, your 169.254.x.x/29 subnet and your Azure Interoperable device to this group)
Enable antispoofing as desired
In checkpoint global properties, select VPN, advanced, at the bottom tick "enable VPN directional match)
Create firewall rules as required
In VPN column right click and add "Directional match condition" for each rule add three match conditions as follows:
Internal clear => AZURE-VPN-COMMUNITY
AZURE-VPN-COMMUNITY => AZURE-VPN-COMMUNITY