johnnyringo
Collaborator

Route-based VPN from CheckPoint CloudGuard IaaS in GCP to Palo Alto VM-300 in AWS

Side A is a CheckPoint CloudGuard IaaS R80.30 in GCP, deployed as HA.  

Side B is a Palo Alto VM-300 in AWS, software 8.1.14, deployed as a standalone.

Per the R80.30 GCP HA deployment guide, I've set the link selection and VPN domain configuration on the gateway. In the VPN Community, I've selected "Accept all encrypted traffic" and "One VPN Tunnel per Gateway pair".

On the Palo Alto side, I basically followed this guide: created custom IKE and IPSec profiles to match the CheckPoint defaults, set the Palo Alto's public IP address as Local Identification, then added a static route to the tunnel interface with next hop as "None".

Both Phase 1 and Phase 2 are up, but I can't get traffic flowing through the tunnel. On the Palo Alto, under IPSec Tunnels, clicking Tunnel Info, I can see the "pkt encap" counter does increase when I'm sending test traffic from that end. On the CheckPoint side, the command vpn tu tlist in expert mode shows the Phase 2 SA with 0.0.0.0/0 as the TS in both directions. A packet capture shows ESP traffic leaving the CheckPoint to the Palo Alto's public IP.

Both the Palo and CheckPoint are terminating other VPN tunnels that are working fine, so it seems like it's a very particular issue between the two.

Accepted Solutions
johnnyringo
Collaborator

Figured this out. The Palo Alto needs to have NAT-T enabled on the connection.

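As an added example, not the poster's own configuration, the following PAN-OS 8.1 set commands reproduce the setup described in the question (custom IKE/IPSec profiles, public IP as local identification, a route-based tunnel with a static route pointing at the tunnel interface and no next hop) with the accepted fix applied: NAT traversal enabled on the IKE gateway, so ESP is carried inside UDP 4500 instead of as a bare IP protocol 50 packet. Every name (CP-IKE, CP-IPSEC, CP-GCP-GW, CP-GCP-TUN, tunnel.1, ethernet1/1, default virtual router), every address (RFC 5737 documentation ranges), the pre-shared key, the remote prefix and the cipher/lifetime values are assumptions chosen for illustration; the page gives none of them, so match the profiles to the Check Point community's actual settings. Lines beginning with `#` are annotations to drop before pasting into `configure` mode.

```panos
# Phase 1 profile (assumed values; mirror the Check Point community's IKE settings)
set network ike crypto-profiles ike-crypto-profiles CP-IKE encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles CP-IKE hash sha1
set network ike crypto-profiles ike-crypto-profiles CP-IKE dh-group group2
set network ike crypto-profiles ike-crypto-profiles CP-IKE lifetime hours 24

# Phase 2 profile (assumed values; mirror the community's IPsec settings)
set network ike crypto-profiles ipsec-crypto-profiles CP-IPSEC esp encryption aes-128-cbc
set network ike crypto-profiles ipsec-crypto-profiles CP-IPSEC esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles CP-IPSEC dh-group group2
set network ike crypto-profiles ipsec-crypto-profiles CP-IPSEC lifetime hours 1

# IKE gateway toward the CloudGuard cluster's public address (203.0.113.10 is a placeholder)
set network ike gateway CP-GCP-GW protocol version ikev1
set network ike gateway CP-GCP-GW protocol ikev1 exchange-mode main
set network ike gateway CP-GCP-GW protocol ikev1 ike-crypto-profile CP-IKE
set network ike gateway CP-GCP-GW authentication pre-shared-key key PLACEHOLDER-PSK
set network ike gateway CP-GCP-GW local-address interface ethernet1/1
set network ike gateway CP-GCP-GW peer-address ip 203.0.113.10
# The VM-300's interface holds a private AWS address; the Elastic IP (198.51.100.20,
# placeholder) is what the peer sees, so present it as the local identification.
set network ike gateway CP-GCP-GW local-id type ipaddr id 198.51.100.20

# The accepted fix: without this the firewall sends raw ESP even though both cloud
# gateways sit behind 1:1 NAT; with it, ESP is UDP-encapsulated on port 4500.
set network ike gateway CP-GCP-GW protocol-common nat-traversal enable yes

# Route-based tunnel bound to a numbered tunnel interface
set network interface tunnel units tunnel.1
set network virtual-router default interface tunnel.1
set network tunnel ipsec CP-GCP-TUN auto-key ike-gateway CP-GCP-GW
set network tunnel ipsec CP-GCP-TUN auto-key ipsec-crypto-profile CP-IPSEC
set network tunnel ipsec CP-GCP-TUN tunnel-interface tunnel.1

# Static route to the GCP side (10.10.0.0/16 is a placeholder). Leaving out the
# nexthop stanza is the CLI equivalent of "Next Hop: None" in the web UI.
set network virtual-router default routing-table ip static-route TO-GCP destination 10.10.0.0/16
set network virtual-router default routing-table ip static-route TO-GCP interface tunnel.1

commit
```

After committing, `show vpn ike-sa gateway CP-GCP-GW` and `show vpn ipsec-sa tunnel CP-GCP-TUN` confirm both phases, and `show vpn flow name CP-GCP-TUN` shows the encap and decap counters; the symptom in the question (encap rising while nothing arrives on the far side) points at transport between the two public addresses rather than at the SAs, which is exactly what NAT-T changes. Because the peers exchange UDP 500 and, once NAT-T is negotiated, UDP 4500, the GCP firewall rule for the CloudGuard instance and the AWS security group for the VM-300 must both permit those ports from the other side's public address. The Check Point-side check is the one already used in the question, `vpn tu tlist` in expert mode.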