Hello everyone,
I have been trying to set up a VPN between a Check Point R80.30 Cluster and Azure Virtual Network Gateway following sk101275.
I am trying with a very standard IKEv1 Policy Based IPsec tunnel.
Private subnets behind Azure (10.10.0.0/21 and 10.20.0.0/21)
Private subnets behind Azure (172.30.0.0/24, 172.30.102.0/24, 172.30.24.0/24 etc.) (around 30 subnets)
I have specified the exact remote subnets for each side.
Made sure Phase1 and Phase2 parameters match.
The VPN seems to get established immediately. The Azure side shows as Connected and Check Point sees the tunnel state as up. On Check Point I run "vpn tu" and can see Phase1 and Phase2 SAs established.
I have a security policy allowing the traffic between the subnets.
Problem is we can't pass traffic.
When I try sending ICMP from an IP behind the Check Point, 172.30.0.51, to 10.10.2.4, I get a Reject log with the following info:
Reject Category: IKE Failure
VPN Failure: IKE
Encryption failure: Error occurred
Also I believe after a few minutes the tunnel flaps and gets re-established. I noticed that twice in around 20min.
When I filter for the IP I am trying to ping.
When I filter for remote peer public IP
I can provide more information if needed.
Thanks!
I was able to sort this out using Route Based IKEv2 VPN
You’ll need to do some deeper debugs.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Thanks, I went through the document but not sure how this is relevant to the issue I am facing.
Okay, I managed to fix this using Route Based IKEv2 VPN.
My goal now is to route traffic from my Remote Access VPN to that new Azure VPN. Is that possible?
I have added the subnet that is behind Azure to the VPN community for Remote access, so now when I connect to Client VPN I get a route for the subnet that is behind Azure in my local route table.
Is that the only thing that needs to be done?
When I initiate traffic from my VPN user pool to network behind Azure I get a log for the traffic arriving from Remote Access VPN, but no log for the traffic afterwards being sent over the Azure VPN tunnel. Is there any way I can confirm if it actually is being sent correctly?
Thanks!
The Azure side of the VPN will also need to know about the Office Mode subnet (i.e. it needs a route back).
I believe an fw monitor will show the traffic going towards the Azure VPN endpoint and back.
Thanks
I ran a ping from my laptop connected to remote VPN (laptop IP: 172.30.102.25) towards host in Azure (10.10.2.4) while running fw monitor.
Attached is the output. I don't expect ICMP to go through, just doing it to test the routing.
I'm still not sure if the traffic is passing through the VPN or not.