This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
CEEJAY
Participant
‎2025-11-26 12:20 AM

Site to Site VPN Check Point to Azure

Hello, I want to clarify if i created a Site to site VPN Check Point to Azure and my Azure VPN is route based, can I configure the Check Point to use domain based vpn? Will it still work even without vti? 

Labels
0 Kudos
8 Replies
spottex
Collaborator
‎2025-11-26 06:26 PM

This may help. It explains when you need to use either.
https://support.checkpoint.com/results/sk/sk101275 

The subnet-to-subnet is what Azure calls "policy-based VPN" and gateway-to-gateway is what Azure calls "route-based VPN". This  should help customers identify what they have on Azure against what they need to configure on the Check Point device.

0 Kudos
CEEJAY
Participant
‎2025-11-26 06:34 PM
In response to spottex

Hello. I already check that SK, but there is no statement that VTI is needed when configuring route based vpn Check Point - Azure. Does it mean even Azure is in route-based mode, the configuration on Check Point side is the domain based/VPN Community with matching vpn settings and there is no need for VTI? 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-11-26 06:44 PM
In response to CEEJAY

Yes and no. Yes as in if its domain based on CP side, you dont need VTI, but no as in I highly doubg that would work, if Azure end is route based.

Best,
Andy
0 Kudos
CEEJAY
Participant
‎2025-11-26 07:17 PM
In response to the_rock

Hello @the_rock. I also check in Azure documentation the configuration if the peer device is Check Point, whether it is Policy Based or Route Based, it redirects me to the same https://support.checkpoint.com/results/sk/sk101275  and based on the SK there is no notes that VTI is needed, the only note is that if the VPN Azure is in route based, the Tunnel Management on CP side should be gateway to gateway. 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-11-26 07:23 PM
In response to CEEJAY

I get thats what documentation says, but reality is somewhat different.

I built so many of these tunnels and my experience is that setting you mentioned is not overly relevant without VTI for route based tunnel.

Just my experience, but, you are welcome to do it the way you prefer.

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-11-27 04:16 AM
In response to CEEJAY

See if this post I created last year helps.

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emc...

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-11-27 09:18 AM
In response to CEEJAY

Also, wanted to share this with you, as I spent many hours until we found a solution. This was the first option we checked and though customer told me they tried per subnet setting in vpn community, apparently that was not the case for AWS tunnel issue, though it was domain based with no BGP. We verified everything on other side, even tried permanent tunnel option, 0.0.0.0/0 vpn domain, no luck. Once we reverted all and set per subnet, installed policy, all worked fine. Keep in mind and this can definitely be somewhat deceiving to lots of people, tunnel was always showing as up, both phase 1 and 2 were green, but no traffic flowing.

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-11-28 06:37 PM

Hey mate,

Were you able to sort this out?

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events