This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
khodgson_bts
Contributor
‎2024-12-05 07:52 AM
Jump to solution

VPN between on-premise cluster and Azure using VTI

Evening all. I'm hopeful that someone can help me with this.

In the past I have successfully managed to set up a route-based VPN between a physical Check Point cluster and an AWS VPC by following the steps in sk100726, no problems there at all. Now I'm looking to configure something similar to an Azure Virtual Gateway using VTIs, but I'm struggling to find any reference documentation or process like the AWS one.

I've been playing around with it all day and I can't see a way to make it work, and I'm starting to wonder if it even is possible at all. I've looked at sk101275 but I don't think it really applies to what I'm trying to achieve.

Has anyone successfully done this, and if so, how? What other options are there for creating an IPSEC VPN to Azure with a primary/backup configuration? BGP is not really an option in this scenario.

 

Thanks.

0 Kudos
1 Solution

Accepted Solutions
the_rock
MVP Platinum
MVP Platinum
‎2024-12-05 08:36 AM
Jump to solution

See if below posts I made and responded to help. If not, message me, I have done this few times.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emc...

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-failover-issue/m-p/155553#M265...

 

Best,
Andy

View solution in original post

0 Kudos
10 Replies
Alex-
MVP Silver
MVP Silver
‎2024-12-05 08:07 AM
Jump to solution

The Azure VWAN guide is very good, we used it for route-based VPN to Azure VPN gateways and it worked straight away.

0 Kudos
khodgson_bts
Contributor
‎2024-12-05 08:10 AM
In response to Alex-
Jump to solution

That seems to require BGP to work though. Have you done it without BGP? What IP's do you assign to the VTI's?

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-12-05 08:36 AM
Jump to solution

See if below posts I made and responded to help. If not, message me, I have done this few times.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emc...

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-failover-issue/m-p/155553#M265...

 

Best,
Andy
0 Kudos
khodgson_bts
Contributor
‎2024-12-05 08:44 AM
In response to the_rock
Jump to solution

That looks very promising, thank you. I'll give it go.

the_rock
MVP Platinum
MVP Platinum
‎2024-12-05 08:45 AM
In response to khodgson_bts
Jump to solution

Sounds good!

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-12-05 09:42 AM
In response to khodgson_bts
Jump to solution

By the way, since you mentioned BGP, I always found the ONLY way to make BGP work through the route based tunnel is to use UNNUMBERED VTIs, meaning it will "piggyback off" the main interface and when you configure it, it will have exact same IP in topology, but nothing to be alarmed about, its 100% normal.

Andy

Best,
Andy
0 Kudos
khodgson_bts
Contributor
‎2024-12-06 01:13 AM
In response to the_rock
Jump to solution

That's good to know. In this case I'm specifically looking to not use BGP. I'll let you know how I get on.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-12-05 10:05 AM
In response to khodgson_bts
Jump to solution

I attached doc file with 3 screenshots I took, hope that also helps. Anyway, message me directly if you are not clear and we can do remote.

Andy

 

Best,
Andy
Preview file
56 KB
0 Kudos
khodgson_bts
Contributor
‎2024-12-06 03:09 AM
In response to the_rock
Jump to solution

This was very useful; I've managed to get it working. It's really not that different from the AWS process.

Thank you!

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-12-06 04:33 AM
In response to khodgson_bts
Jump to solution

Of course, glad we can help. Yes, for regular route based, you can use either numbered or unnumbered, but I find using unnumbered is better, as you simply use vti to route the traffic when you create new routes and no need to be setting up new IPs. But again, works either way 🙂

Glad you got it going.

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events