This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
velo
Contributor
‎2024-06-04 07:29 AM
Jump to solution

Redundant IPSEC VPN with Azure

I'm looking to setup an IPSEC VPN to Azure, and make use of both of the VPN endpoints in Azure. My security platform is:

Gateway is: Quantum Security Cluster of 2 units (81.10)

What are my options here? Is VTI with BGP the only option or is there a more simple way to achieve this? 

I found this document below which is pretty good but I need to know how this will work with a cluster. I'm guessing the VTI tunnels will need some special config because they will need to be created on each member of the cluster?

https://community.checkpoint.com/t5/Security-Gateways/BGP-peer-Throught-IPSEC-tunnel/td-p/177032

If someone has a guide like above but for a cluster, that would be appreciated. Or if there is a more simple way to achieve this (e.g. multiple IPs in the VPN config, but I think this only works for CP to CP)

 

 

 

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2024-06-05 06:35 PM
Jump to solution

Official documentation:

Without VTIs, you'd probably have to configure MEP with DPD using instructions similar to sk101275.
See: R81.20 Site to Site VPN Administration Guide - Multiple Entry Point (MEP) VPNs
How well that will work is a separate question.

View solution in original post

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2024-06-05 06:35 PM
Jump to solution

Official documentation:

Without VTIs, you'd probably have to configure MEP with DPD using instructions similar to sk101275.
See: R81.20 Site to Site VPN Administration Guide - Multiple Entry Point (MEP) VPNs
How well that will work is a separate question.

0 Kudos
velo
Contributor
‎2024-06-06 12:27 AM
In response to PhoneBoy
Jump to solution

Thank you. It's a nice document but unfortunately doesn't answer my main question. For the tunnel interface section, are you supposed to create those interfaces on both members of the cluster? It doesn't say. Some of the sections of config, e.g. route-map etc it says to do it on FW1 and FW2. But for the VTI section it doesn't tell say.

Thanks

0 Kudos
Peter_Lyndley
Advisor
Advisor
‎2024-06-06 01:35 AM
In response to velo
Jump to solution

hi Velo,

Yes the VTIs need to be configured on both cluster members in Gaia as well as in the topology of the cluster object.

Make sure the destination matches EXACTLY the object name used in SmartDashboard for the Azure IP(s) 

0 Kudos
Martin_Schagerl
Participant
‎2024-07-22 06:48 AM
In response to Peter_Lyndley
Jump to solution

it won´t let me use the same local address for both virtual tunnel interface 1 and 2.

add vpn tunnel 1 type numbered local 100.64.220.1 remote 10.250.0.12 peer vwan01 
add vpn tunnel 2 type numbered local 100.64.220.1 remote 10.250.0.13 peer vwan02
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events