This article deals with setting up a VPN tunnel between Microsoft Azure and an on-premises Check Point Security Gateway. If you are interested in setting up a VPN tunnel between a Check Point Security Gateway in Azure and an on-premises Check Point Security Gateway, refer to sk109360 - Check Point Reference Architecture for Azure.

For a detailed walk through on setting up a Site-to-Site VPN, refer to sk53980 - How to set up a Site-to-Site VPN with a 3rd-party remote gateway.

When setting up the tunnel with Microsoft Azure, you will need to use the following settings. These settings are required by Microsoft Azure. For more information, refer to About VPN Devices for Virtual Network.

Notes:

• While establishing a VPN with Microsoft Azure VPN Gateway, Check Point recommends configuring the VPN using Domain Based VPN
• Refer to https://docs.microsoft.com/en-gb/azure/vpn-gateway/vpn-gateway-about-vpn-devices
• For information about TCP MSS clamping, also refer to  https://docs.microsoft.com/en-gb/azure/vpn-gateway/vpn-gateway-about-vpn-devices
• You can do VPN with Azure using some SMB appliances (R77.20.87 jumbo hotfix and newer 1500 Branch Office Appliances).
• For a discussion of this topic on Checkmates, click here. 

 

IKE Phase 1 setup

Property	Static routing (PolicyBased) VPN gateway	Dynamic routing (RouteBased) VPN gateway
IKE Version	IKEv1	IKEv2
Diffie-Hellman Group	Group 2 (1024 bit)	Group 2 (1024 bit)
Authentication Method	Pre-Shared Key	Pre-Shared Key
Encryption Algorithms	AES256 AES128 3DES	AES256 3DES
Data Integrity Algorithm (Important: Please note that in the current GUI HMAC-SHA1 is labeled SHA1.)	HMAC-SHA1	HMAC-SHA1
Phase 1 Security Association (SA) Lifetime (Time)	28,800 seconds (480 minutes)	28,800 seconds (480 minutes) Refer to About VPN devices for Site-to-Site VPN Gateway connections

 

IKE Phase 2 setup

Property	Static routing (PolicyBased) VPN gateway	Dynamic routing (RouteBased) VPN gateway
IKE Version	IKEv1	IKEv2
Data Integrity Algorithm (Important: Please note that in the current GUI HMAC-SHA1 is labeled SHA1.)	HMAC-SHA1	HMAC-SHA1
Phase 2 Security Association (SA) Lifetime (Time)	3,600 seconds (60 minutes)	27,000 seconds (450 minutes)
IPsec SA Encryption & Authentication Offers (in the order of preference)	ESP-AES256 ESP-AES128 ESP-3DES N/A	Refer to Dynamic Routing Gateway IPsec Security Association (SA) Offers
Perfect Forward Secrecy (PFS)	No	No
Dead Peer Detection	Not supported	Supported

Notes:

• To configure Phase II properties for IKEv1 and IKEv2 in Check Point SmartDashboard: go to IPSec VPN tab - double-click on the relevant VPN Community - go to the Encryption page - in the section Encryption Suite, select Custom - click on Custom Encryption... button - configure the relevant properties - click on OK to apply the settings - install the policy.
  
  

• When setting up a Site-to-Site VPN with Azure, you will need to see if Azure is offering subnet-to-subnet or gateway-to-gateway VPN:

  • If Azure is using subnet-to-subnet, then Check Point side must be configured in the following way in Check Point SmartDashboard: go to IPSec VPN tab - double-click on the relevant VPN Community - go to the Tunnel Management page - in the section VPN Tunnel Sharing, select One VPN tunnel per subnet pair - click on OK to apply the settings - install the policy.
    
    
  • If Azure is using gateway-to-gateway, then Check Point side must be configured in the following way in Check Point SmartDashboard: go to IPSec VPN tab - double-click on the relevant VPN Community - go to the 'Tunnel Management' page - in the section VPN Tunnel Sharing, select One VPN tunnel per Gateway pair - click on OK to apply the settings - install the policy.
    
    
  • The subnet-to-subnet is what Azure calls "policy-based VPN" and gateway-to-gateway is what Azure calls "route-based VPN". This  should help customers identify what they have on Azure against what they need to configure on the Check Point device.
    
    
  • Also, when using subnet-to-subnet, users can define one or more address prefixes to use in their virtual network, and then carve out multiple subnets within each prefix. Azure VPN in policy-based configuration will use the prefix pairs for the Traffic Selectors for the SA negotiation, not subnet ranges.
  
  
  
• Make sure the Networks in the respective encryption domains correspond to the settings configured at the Azure side (you may use the setting subnet_for_range_and_peer to make sure the subnets are negotiated as required - for details, refer to "Scenario 1" in sk108600 - VPN Site-to-Site with 3rd party).