
VSX R80.40 - Policy based VPN to Azure


Currently we have a VSX which has a VPN into Azure.

We upgraded our SMS from a 3050 to 6000L and migrated to R81. Our VSX is still on 80.40.

After this our policy based VPN tunnel into Azure became unstable; after raising it with Checkpoint TAC, they came back with ...

==== FROM TAC ====

By checking debugs I can see some errors: Checkpoint is sending "deletes" because of an SA mismatch.
We see errors in VPND.elg

"Could not match traffic selector" and 

"ikeChildSAExchange_i::updateSA: entering. rekying ipsec sa.
updateEspSA: Invalid chosen proposal ((nil)) or order (0xaf8a2c8)."

Please select "One VPN Tunnel per Gateway Pair" and on remote side mention "gateway-to-gateway" and push policy again and reset the tunnel again.
Make sure all the settings match with sk101275 on both sides.

==== === ===

I am a little confused ... when I mentioned to the Azure engineer changing the Azure peer to "gateway-to-gateway", their interpretation was to convert the tunnel to a route based VPN, which utilises a VTI, which VSX doesn't support, and which I really don't think is necessary.

I am thinking there is a misinterpretation between the Checkpoint and Azure definitions of "gateway-to-gateway". Looking at the Checkpoint setting, my understanding of "One VPN Tunnel per Gateway Pair" is simply to have one IPSEC SA between the gateways, and I am assuming Azure has a similar setting? Or am I reading this incorrectly?

So if I turn on "One VPN Tunnel per Gateway Pair" do I need to convert the tunnel to a route based VPN?

Reading sk101275 brings more confusion - as it mentions ..(below)... which seems to confirm...

"The subnet-to-subnet is what Azure calls "policy-based VPN" and gateway-to-gateway is what Azure calls "route-based VPN". This should help customers identify what they have on Azure against what they need to configure on the Check Point device."

So does this then mean that if I have "One VPN tunnel per subnet pair", on the Azure side I utilise policy based VPN?

And, if I use "One VPN Tunnel per Gateway Pair", on the Azure side I then have to go with route based VPN?


Thanks in advance.


4 Replies

One VPN Tunnel per Gateway Pair has nothing to do with whether it is a route-based VPN or not, it has to do with how the IPSec SAs are negotiated.
In the SK you mention, it says explicitly: "While establishing a VPN with Microsoft Azure VPN Gateway, Check Point recommends configuring the VPN using Domain Based VPN."

My guess is that Microsoft's usage of the term "Route-Based VPN" is different from ours. 
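To make the point of this reply (and of the TAC instruction in the original post) concrete, here is a small illustrative model, added here and not Check Point or Azure code, of how the Tunnel Management setting changes the IPsec Child SAs a gateway expects. The assumptions are: each encryption domain is a list of subnets, each Child SA carries one (local selector, remote selector) pair, the mode labels `per_subnet_pair` and `per_gateway_pair` are constructed names for the two SmartConsole options, and the `[vpnd]` prefix and the "IKE SA established" line in the sample log are constructed. Real IKEv2 negotiation allows selector narrowing and this model does not reproduce vpnd's actual behaviour; it only shows why a peer that builds one SA per gateway pair cannot be matched by a side that expects one SA per subnet pair, and how the two vpnd.elg messages quoted by TAC can be picked out of a log excerpt.

```python
"""Simplified model (added example, not vendor code) of Child SA expectations
under "One VPN Tunnel per Subnet Pair" vs "One VPN Tunnel per Gateway Pair"."""

import ipaddress
from itertools import product

# Term mapping quoted in the thread from sk101275 (Check Point -> Azure)
AZURE_TERM = {
    "per_subnet_pair": "policy-based VPN",   # Check Point "subnet-to-subnet"
    "per_gateway_pair": "route-based VPN",   # Check Point "gateway-to-gateway"
}


def _nets(domain):
    """Parse a list of CIDR strings into a canonically ordered tuple of networks."""
    nets = (ipaddress.ip_network(n) for n in domain)
    return tuple(sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen)))


def expected_child_sas(local_domain, remote_domain, mode):
    """Return the Child SAs a gateway expects as a frozenset of (local_ts, remote_ts)
    pairs; each traffic selector (TS) is a tuple of subnets.  Assumed model only."""
    local, remote = _nets(local_domain), _nets(remote_domain)
    if mode == "per_subnet_pair":
        # one narrow SA for every (local subnet, remote subnet) combination
        return frozenset(((l,), (r,)) for l, r in product(local, remote))
    if mode == "per_gateway_pair":
        # a single SA whose selectors span the whole domain on each side
        return frozenset({(local, remote)})
    raise ValueError(f"unknown tunnel mode {mode!r}")


def negotiate(local_domain, remote_domain, local_mode, peer_mode):
    """Return, in the local gateway's orientation, the peer's proposed Child SAs
    that the local side has no identical selector pair for.  An empty result
    means every proposal matches; a non-empty one is the model's analogue of
    the "Could not match traffic selector" condition quoted in the thread."""
    local_sas = expected_child_sas(local_domain, remote_domain, local_mode)
    # the peer builds its SAs from its own point of view, so flip its pairs
    peer_sas = frozenset(
        (r, l) for l, r in expected_child_sas(remote_domain, local_domain, peer_mode)
    )
    return peer_sas - local_sas


def selector_mismatch_lines(vpnd_text):
    """Return the lines of a vpnd.elg excerpt carrying either of the two
    messages TAC quoted in the thread."""
    markers = ("Could not match traffic selector", "Invalid chosen proposal")
    return [ln for ln in vpnd_text.splitlines() if any(m in ln for m in markers)]


# Constructed vpnd.elg excerpt: the two message bodies are the ones quoted by
# TAC on this page; the "[vpnd]" prefix and the last line are made up.
VPND_SAMPLE = """\
[vpnd] Could not match traffic selector
[vpnd] ikeChildSAExchange_i::updateSA: entering. rekying ipsec sa.
[vpnd] updateEspSA: Invalid chosen proposal ((nil)) or order (0xaf8a2c8).
[vpnd] IKE SA established
"""


if __name__ == "__main__":
    # Constructed encryption domains for the two sides.
    onprem = ["10.1.0.0/24", "10.2.0.0/24"]
    azure = ["172.16.0.0/24", "172.16.1.0/24"]
    for local_mode in ("per_subnet_pair", "per_gateway_pair"):
        unmatched = negotiate(onprem, azure, local_mode, "per_gateway_pair")
        print(f"local={local_mode} (Azure: {AZURE_TERM[local_mode]}), "
              f"peer=per_gateway_pair -> {len(unmatched)} unmatched SA(s)")
    print("suspicious vpnd lines:", len(selector_mismatch_lines(VPND_SAMPLE)))
```

With the constructed domains above, the local side in per-subnet-pair mode expects four narrow SAs and cannot match the single wide SA a per-gateway-pair peer proposes, while switching the local side to per-gateway-pair leaves nothing unmatched, which is the outcome the thread reports after following TAC's advice.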


I see what you are saying, I also believe there is confusion with terminology here. I know when you set up brand new VNG on Azure side, I am pretty positive it does give an option if you wish to set it up as domain or route based.


Do all the settings from crypt.def align (versus the old Mgmt), and is the file in the correct location, as I believe it's changed (sk98241)? From a management server perspective this is the primary thing that I would check if your symptoms align to the upgrade and it's just not coincidental that the VPN was working before when one side was more often the initiator.

Note: VSX (R81) and above supports VTI based VPNs if required.


Location of the File on R81 Management (by target GW version)

Thanks for your help.

"One VPN Tunnel per Gateway Pair" was in the end the solution... and yes, same terminology but different meanings between Microsoft and CP. After changing to "One VPN Tunnel per Gateway Pair", the tunnel came up and was once again stable.

