abihsot__
Advisor

Route-based VPN with Azure - BGP problem

Hello,

Gateway R80.40

I am setting up a route-based (VTI) site-to-site VPN tunnel between on-premises and Azure. The VPN tunnel is up; however, BGP traffic from Azure does not seem to pass the VPN blade correctly. The opposite direction works fine.

[attached image: image.png]

VPN tunnel as per instructions, empty group in topology.

Now I am not too sure about the VPN column in the policy. I might have "borrowed" the directional match configuration from AWS, but I can't find any document to confirm what I should put in the VPN column for Azure.

  • Internal_clear > AWS VPN community
  • AWS VPN community > AWS VPN community
  • AWS VPN community > Internal_clear
0 Kudos
9 Replies

Ask CP TAC how to resolve that!

CCSE CCTE CCSM SMB Specialist
0 Kudos
abihsot__
Advisor

Thanks for your time!

What is the purpose of this forum then if all questions should be directed to TAC?

To discuss issues and versions, as well as to answer questions, is the purpose of this forum - but you seem not to have an academic question but a big issue in production that should be resolved quickly; therefore I have suggested contacting TAC instead of waiting for a miracle from CheckMates (as you give no details of the VTI config that would be important here...)...

CheckMates is not an alternative for TAC but a low-level discussion group also containing technical suggestions.

CCSE CCTE CCSM SMB Specialist
0 Kudos
abihsot__
Advisor

Not sure where you get the idea of a "big issue in production"?

I started my post with "I am setting up ...", which would indicate a completely new configuration. I was not able to find complete instructions in the Check Point documentation, which led to interpretation of some settings, and I ran out of options to test, hence this post. I could also go to TAC, but I thought this is also the right place to discuss.

What exactly would you like to know about the VTI config? My understanding is that the VPN tunnel is up and the VTI config is fine too, because I can receive and send traffic based on the log; however, one direction is not processed by the correct firewall rule and is therefore dropped.

0 Kudos
abihsot__
Advisor

As a side note, in my opinion CheckMates is in some sense an alternative to TAC. It is, I believe, funded by Check Point, there are representatives from the company too, and it is just another channel for Check Point to help out customers. If you think I am a non-paying customer you are very wrong. If I can resolve a problem with the help of the community, this is saved money/time for TAC, so everyone is happy.

_Val_
Admin

Just to clarify, CheckMates is owned and run by Check Point. We are quite happy to hear you want to ask the community before going to the official support channels. I agree it helps everyone if we all share the issue resolution here.

That said, @abihsot__  If you have to open a ticket with TAC for this, do not forget to share the actual resolution with us.

@G_W_Albrecht both academic questions and huge production issue questions are welcome in the community. We are all friends and colleagues here, please do not forget that. 


nickdegroot
Participant

I had exactly the same issue in AWS.

In AWS the "encryption domain" was set up with a specific subnet (let's say 10.10.10.0/24) instead of 0.0.0.0/0, so the BGP peer (169.254.1.1) traffic is not correctly encrypted from the AWS site.

This looks like the same issue on your config, because traffic to Azure gets encrypted correctly.

0 Kudos
the_rock
Champion

@abihsot__ ...do you see any drops on the CP firewall if filtering for BGP? For example -> fw ctl zdebug + drop | grep ":179"...if you run that command, it should give you something if it's dropped.

Andy

0 Kudos
Colin_Campbell1
Contributor

Hi,

The Gaia Admin Guide contains a section on setting up VTIs for route-based VPNs and states (paraphrased):

Directional matching is necessary for Route Based VPN when a VPN community is included in the VPN column in the rule. This is because without bi-directional matching, the rule only applies to connections between a community and an encryption domain (Domain Based Routing).

The directional rule must contain these directional matching conditions:

  • Community > Community
  • Community > Internal_Clear
  • Internal_Clear > Community

Notes:

  • Internal_Clear refers to all traffic from IP addresses to and from the specified VPN community.
  • It is not necessary to define bidirectional matching rules if the VPN column contains the value Any.

So, to answer your question, the VPN column needs to have the three matching conditions specified above, replacing "Community" with the name of your community.

Colin

0 Kudos
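The two failure modes raised in this thread (a VPN column carrying the wrong community's directional conditions, per Colin's answer, and a cloud-side encryption domain that omits the VTI peer addresses, per nickdegroot's AWS case) can be checked offline with a small model. This is an added example, not Check Point code or anything from the Gaia Admin Guide; the way it evaluates "A > B" conditions is a simplified assumption about how the firewall applies them, and the community names, /24 domain and 169.254.x.x VTI addresses are constructed sample values.

```python
from ipaddress import ip_address, ip_network

INTERNAL_CLEAR = "Internal_Clear"

def directional_conditions(community):
    """The three directional conditions from the thread, for one community name."""
    return {(community, community), (community, INTERNAL_CLEAR), (INTERNAL_CLEAR, community)}

def rule_matches(vpn_column, from_side, to_side):
    """Assumed model: a condition 'A > B' matches traffic arriving from A and leaving
    toward B, where each side is a community name or Internal_Clear."""
    return (from_side, to_side) in vpn_column

def covers(selectors, ip):
    """True if any CIDR string in the peer's encryption domain contains the address."""
    return any(ip_address(ip) in ip_network(net) for net in selectors)

def check_vti_bgp(community, vpn_column, remote_domain, local_vti, remote_vti):
    """Return findings for the two failure modes discussed in the thread.

    community     - name of the VPN community the VTI belongs to
    vpn_column    - set of (from, to) directional conditions in the rule's VPN column
    remote_domain - encryption domain / traffic selectors configured on the cloud side
    local_vti / remote_vti - VTI addresses the BGP session runs between
    """
    findings = []
    # BGP from the peer arrives decrypted (community > Internal_Clear); our BGP toward
    # the peer leaves to be encrypted (Internal_Clear > community). Both must match.
    if not rule_matches(vpn_column, community, INTERNAL_CLEAR):
        findings.append(f"VPN column lacks {community} > {INTERNAL_CLEAR}: inbound BGP will not match")
    if not rule_matches(vpn_column, INTERNAL_CLEAR, community):
        findings.append(f"VPN column lacks {INTERNAL_CLEAR} > {community}: outbound BGP will not match")
    # A cloud-side domain narrower than 0.0.0.0/0 that omits the VTI addresses leaves
    # the BGP peer traffic unencrypted on that side (the AWS case above).
    for ip in (local_vti, remote_vti):
        if not covers(remote_domain, ip):
            findings.append(f"remote encryption domain {remote_domain} omits VTI address {ip}")
    return findings

if __name__ == "__main__":
    wrong = directional_conditions("AWS_VPN")   # conditions copied from the AWS rule, as in the question
    right = directional_conditions("Azure_VPN")
    print(check_vti_bgp("Azure_VPN", wrong, ["10.10.10.0/24"], "169.254.21.2", "169.254.21.1"))
    print(check_vti_bgp("Azure_VPN", right, ["0.0.0.0/0"], "169.254.21.2", "169.254.21.1"))
```

The first call reports four findings (two for the VPN column, two for the domain); the second reports none.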