InfraNinja
Participant

Site to Site VPN from Check Point R80.30 to Azure Virtual Network Gateway

Hello everyone,

I have been trying to set up a VPN between a Checkpoint R80.30 Cluster and Azure Virtual Network Gateway following sk101275.

I am trying with a very standard IKEv1 Policy Based IPsec tunnel.

Private subnets behind Azure (10.10.0.0/21 and 10.20.0.0/21)

Private subnets behind Azure (172.30.0.0/24, 172.30.102.0/24, 172.30.24.0/24 etc.) (around 30 subnets)

I have specified the exact remote subnets for each side.

Made sure Phase1 and Phase2 parameters match.

The VPN seems to get established immediately. The Azure side shows as Connected and Checkpoint sees the Tunnel state as up. On checkpoint I run "vpn tu" and can see Phase1 and Phase2 SAs established.

I have a security policy allowing the traffic between the subnets.

Problem is we can't pass traffic.

When I try sending ICMP from an IP behind the checkpoint 172.30.0.51 to 10.10.2.4 I get a Reject log with the following info:

Reject Category: IKE Failure

VPN Failure: IKE

Encryption failure: Error occurred

Also I believe after a few minutes the tunnel flaps and gets re-established. I noticed that twice in around 20min.

When I filter for the IP I am trying to ping.

https://imgur.com/ZEllznb

https://imgur.com/G3BBDrn

When I filter for remote peer public IP

https://imgur.com/ScejoTZ

https://imgur.com/SFjgwRD

I can provide more information if needed.

Thanks!

Accepted Solutions
InfraNinja
Participant

I was able to sort this out using Route Based IKEv2 VPN

PhoneBoy
Admin
InfraNinja
Participant

Thanks, I went through the document but not sure how this is relevant to the issue I am facing.


InfraNinja
Participant

Okay, I managed to fix this using Route Based IKEv2 VPN.

My goal now is to route traffic from my Remote Access VPN to that new Azure VPN. Is that possible?
I have added the subnet that is behind Azure to the VPN community for Remote access, so now when I connect to Client VPN I get a route for the subnet that is behind Azure in my local route table.
Is that the only thing that needs to be done?

When I initiate traffic from my VPN user pool to network behind Azure I get a log for the traffic arriving from Remote Access VPN, but no log for the traffic afterwards being sent over the Azure VPN tunnel. Is there any way I can confirm if it actually is being sent correctly? 

Thanks!

PhoneBoy
Admin

The Azure side of the VPN will also need to know about the Office Mode subnet (i.e. it needs a route back).
I believe an fw monitor will show the traffic going towards the Azure VPN endpoint and back.

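The two checks PhoneBoy's reply implies can be made mechanical. The script below is an added example, not code from the thread or from Check Point: it models a policy-based (IKEv1) tunnel as one traffic selector per local/remote subnet pair, so a flow whose source (for instance an Office Mode address) lies outside every pair has no SA to be encrypted under, and it models a route-based tunnel as an any/any selector, where the remaining question is whether the far side has a route back to the source. The Azure and Check Point subnets are the ones given in the first post; the Office Mode pool `192.168.250.0/24` and the Azure route table are constructed for the example and are not from the thread.

```python
"""Check a flow against a VPN's traffic selectors and the far side's return routes.

Added example for the thread above; not Check Point or Azure code.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Subnets as stated in the first post.
AZURE_SUBNETS = ["10.10.0.0/21", "10.20.0.0/21"]
CHECKPOINT_SUBNETS = ["172.30.0.0/24", "172.30.102.0/24", "172.30.24.0/24"]
# Constructed values: the thread does not give the Office Mode pool or the
# Azure route table. The table deliberately lacks a route for the pool.
OFFICE_MODE_POOL = "192.168.250.0/24"
AZURE_ROUTES: Dict[str, str] = {
    "10.10.0.0/21": "local",
    "10.20.0.0/21": "local",
    "172.30.0.0/16": "vpn-gateway",
}
ANY = "0.0.0.0/0"  # selector of a route-based (VTI) tunnel

Selector = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def build_selectors(local: Iterable[str], remote: Iterable[str]) -> List[Selector]:
    """One (local, remote) selector per subnet pair, as a policy-based tunnel negotiates them."""
    return [(ipaddress.ip_network(l), ipaddress.ip_network(r))
            for l in local for r in remote]


def matching_selector(selectors: List[Selector], src: str, dst: str) -> Optional[Tuple[str, str]]:
    """Return the first selector that covers src -> dst, or None if no SA would match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in selectors:
        if s in local and d in remote:
            return (str(local), str(remote))
    return None


def has_return_route(routes: Dict[str, str], src: str) -> bool:
    """True if any prefix in the far side's route table contains src."""
    s = ipaddress.ip_address(src)
    return any(s in ipaddress.ip_network(prefix) for prefix in routes)


def diagnose(local: Iterable[str], remote: Iterable[str], remote_routes: Dict[str, str],
             src: str, dst: str) -> dict:
    """Explain why a flow would or would not make it across the tunnel and back."""
    selectors = build_selectors(local, remote)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    result = {
        "selector": matching_selector(selectors, src, dst),
        "src_in_local_domain": any(s in l for l, _ in selectors),
        "dst_in_remote_domain": any(d in r for _, r in selectors),
        "return_route": has_return_route(remote_routes, src),
    }
    if result["selector"] is None:
        result["verdict"] = "no traffic selector covers this flow, so the gateway has no SA to encrypt it"
    elif not result["return_route"]:
        result["verdict"] = "forwarded into the tunnel, but the far side has no route back to the source"
    else:
        result["verdict"] = "ok"
    return result


if __name__ == "__main__":
    # Flow from the first post, inside the configured subnets.
    print(diagnose(CHECKPOINT_SUBNETS, AZURE_SUBNETS, AZURE_ROUTES, "172.30.0.51", "10.10.2.4"))
    # Office Mode client over the policy-based tunnel: outside every selector.
    print(diagnose(CHECKPOINT_SUBNETS, AZURE_SUBNETS, AZURE_ROUTES, "192.168.250.10", "10.10.2.4"))
    # Same client over a route-based tunnel: selector matches, return route is missing.
    print(diagnose([ANY], [ANY], AZURE_ROUTES, "192.168.250.10", "10.10.2.4"))
```

The third case is the situation PhoneBoy describes: after the switch to a route-based tunnel the selector no longer rejects the Office Mode source, so the gateway will send the packet, and `fw monitor` will show it leaving towards Azure; whether a reply ever comes back depends on the Azure side having a route for that pool pointing at the VPN gateway.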
InfraNinja
Participant

Thanks

I ran a ping from my laptop connected to remote VPN (laptop IP: 172.30.102.25) towards a host in Azure (10.10.2.4) while running fw monitor.

Attached is the output. I don't expect ICMP to go through, just doing it to test the routing.

I'm still not sure if the traffic is passing through the VPN or not.

