FredH
Explorer

Route-Based VPN with Static Routing

We are currently implementing a VSX cluster running R81.10, one of the VS firewalls on the cluster will connect to Azure via a route-based VPN.

We have followed the instructions in the R81.10 Admin guide and the Azure guides, and the tunnel is up (eventually). We now face the issue that traffic is not flowing across the VPN tunnel to/from Azure.

There is a static route for the Azure traffic pointing to the VTI on the Checkpoint and fw monitor shows that the traffic is passed to the VTI.

My question is: should the route point to the VTI, or where should it point for static routing? All the documentation shows dynamic routing, but the subnets on both sides of the tunnel are static and it seems overkill for the scenario.


Accepted Solutions
the_rock
Legend

Have a quick read of what I provided in the link below; hope it helps. If not, let me know.

Andy


So, say, in the example I gave, the .60 IP can be used to route to 10.2.0.0 (say, if that's the Azure subnet).

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-failover-issue/m-p/155553#M265...


3 Replies
Chris_Atkinson
Employee

Pretty certain route-based VPN (VTI) on VSX is supported only with dynamic routing.

It was first introduced in R81 as below:

"Configure Dynamic Routing VPN through Virtual Tunnel Interface (VTI) in VSX mode."

Source: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_RN/Topics-RN/Whats-New.htm#Securit... 


CCSM R77/R80/ELITE
the_rock
Legend

As a side note, if what @Chris_Atkinson mentioned is indeed the case, keep this in mind... I am 100% sure of this, as my colleague and I did extensive testing on it with BGP through a VPN tunnel. I can speak just for Azure, but the ONLY way we could even make the tunnel come up from CP to Azure was to use an unnumbered VTI; it would never work with numbered ones. If you do decide to do this, don't freak out if, say, you tie the unnumbered VTI to eth1 (just as an example, if that's your external interface), because it will have the exact same IP addresses as the actual real interface, but that's totally normal; it will simply be a /32 subnet and it will show as 0.0.0.0 in the actual topology under VPN. MAKE SURE to give it the same peer name as the interoperable object; that's super important, otherwise it will never work. So to make my super long story short (lol): tunnel without dynamic routing, use numbered VTI; if there is dynamic routing, use unnumbered.

If you need help, let me know, I have totally functional lab on this, both onprem and in Azure.

Best,

Andy

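As an added example (not posted by anyone in this thread), here is what the static-routing variant Andy describes looks like in Gaia clish on a plain (non-VSX) gateway: a numbered VTI with a local and a remote address, and a static route for the Azure subnet whose next hop is the remote end of the VTI, i.e. the ".60" style address from his example. The tunnel id, the addresses 10.10.10.1 / 10.10.10.60, the subnet 10.2.0.0/16 and the peer name Azure_GW are all assumed placeholders; whether the same VTI setup is supported on a VSX Virtual System without dynamic routing is exactly the open point of this thread, so use this only as the reference for the non-VSX case.

```clish
# Added example, not from the thread. Placeholder values (assumed):
#   Azure_GW    - name of the interoperable device object for the Azure VPN gateway
#   10.10.10.1  - local VTI address
#   10.10.10.60 - remote VTI address (the ".60" next hop from Andy's example)
#   10.2.0.0/16 - Azure VNet address space

# Numbered VTI; the peer name must match the interoperable object name exactly,
# otherwise the tunnel is never associated with the VPN community.
add vpn tunnel 1 type numbered local 10.10.10.1 remote 10.10.10.60 peer Azure_GW

# Static route for the Azure subnet via the remote end of the VTI.
# Pointing the route at the VTI's remote address is what sends the traffic
# into the tunnel; no routing protocol is involved.
set static-route 10.2.0.0/16 nexthop gateway address 10.10.10.60 on

save config

# Verification: the VTI should be listed, and the static route should
# show the remote VTI address as its next hop.
show vpn tunnels
show route static
```

If the route is present and `fw monitor` still shows packets reaching the VTI but nothing returning, check the Azure side as well: the VNet must have a route for the on-prem subnet via the virtual network gateway, and both encryption domains in the VPN community must cover the subnets being routed.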
