Hi
Currently we have a VSX which has a VPN into Azure.
We upgraded our SMS from a 3050 to 6000L and migrated to R81. Our VSX is still on 80.40.
After this our policy based VPN tunnel into Azure has become unstable, raising it with Checkpoint TAC they came back with ...
==== FROM TAC ====
By checking debugs i can see some errors Checkpoint is sending "deletes" because of SAs mismatch,
We see errors in VPND.elg
"Could not match traffic selector" and
"ikeChildSAExchange_i::updateSA: entering. rekying ipsec sa.
updateEspSA: Invalid chosen proposal ((nil)) or order (0xaf8a2c8)."
Please select "One VPN Tunnel per Gateway Pair" and on remote side mention "gateway-to-gateway" and push policy again and reset the tunnel again.
Make sure all the settings match with sk101275 on both sides.
==== === ===
I am a little confused ... when I mentioned to the Azure engineer Changing Azure peer to "gateway-to-gateway" .. their interpretation was convert the tunnel to route based VPN... which utilises VTI, which VSX doesn't support. Which I really don't think is necessary.
I am thinking there is a mis-interpretation between Checkpoint and Azure definition of "gateway-to-gateway". Looking at the Checkpoint setting .. my understanding of "One VPN Tunnel per Gateway Pair" is to simply to have one IPSEC SA between the gateways, and I am assuming Azure has a similar setting? Or am I reading this incorrectly.
So if I turn on "One VPN Tunnel per Gateway Pair" do I need to convert the tunnel to a route based VPN?
Reading sk101275 brings more confusion - as it mentions ..(below)... which seems to confirm...
"The subnet-to-subnet is what Azure calls "policy-based VPN" and gateway-to-gateway is what Azure calls "route-based VPN". This should help customers identify what they have on Azure against what they need to configure on the Check Point device."
So does this then mean that if I have "One VPN tunnel per subnet pair" - On the Azure side I utilise policy based VPN.
And .. if I use "One VPN Tunnel per Gateway Pair" - On the Azure side I then have to go with Route Based VPN?
Thanks in advance.