How to set up a Site-to-Site VPN between Microsoft Azure and an on-premises Check Point Security Gateway
Solution

Note: This article deals with setting up a VPN tunnel between Microsoft Azure and an on-premises Check Point Security Gateway. If you are interested in setting up a VPN tunnel between a Check Point Security Gateway in Azure and an on-premises Check Point Security Gateway, then refer to sk109360 - Check Point Reference Architecture for Azure.

For a detailed walk through on setting up a Site-to-Site VPN, refer to sk53980 - How to set up a Site-to-Site VPN with a 3rd-party remote gateway.

When setting up the tunnel with Microsoft Azure, use the settings below; they are the parameters Microsoft Azure supports for each gateway type (and, for the IKE version, requires). Where a cell lists several algorithms, prefer the AES256 offer over 3DES; Diffie-Hellman group 2 (1024 bit) and 3DES appear because Azure accepts them, not because they are strong by current standards. For more information, refer to About VPN Devices for Virtual Network.

Notes:

  • The requirement for a route-based VPN with IKEv2 applies only to the Azure side of the configuration, because that is the only combination Azure offers for a dynamic routing gateway.
  • On the Check Point VPN peer, a Domain Based VPN configuration can be used to define the encryption domain.

IKE Phase 1 setup

Property                                      | Static routing VPN gateway   | Dynamic routing VPN gateway
----------------------------------------------|------------------------------|-----------------------------
IKE Version                                   | IKEv1                        | IKEv2
Diffie-Hellman Group                          | Group 2 (1024 bit)           | Group 2 (1024 bit)
Authentication Method                         | Pre-Shared Key               | Pre-Shared Key
Encryption Algorithms                         | AES256, AES128, 3DES         | AES256, 3DES
Data Integrity Algorithm                      | HMAC-SHA1                    | HMAC-SHA1
Phase 1 Security Association (SA) Lifetime    | 28,800 seconds (480 minutes) | 10,800 seconds (180 minutes)

Important: in the current SmartDashboard GUI, HMAC-SHA1 is labeled SHA1.

Refer to About VPN devices for Site-to-Site VPN Gateway connections.

IKE Phase 2 setup

Property                                      | Static routing VPN gateway        | Dynamic routing VPN gateway
----------------------------------------------|-----------------------------------|----------------------------
IKE Version                                   | IKEv1                             | IKEv2
Data Integrity Algorithm                      | HMAC-SHA1                         | HMAC-SHA1
Phase 2 Security Association (SA) Lifetime    | 3,600 seconds (60 minutes)        | 3,600 seconds (60 minutes)
IPsec SA Encryption & Authentication Offers   | ESP-AES256, ESP-AES128, ESP-3DES  | N/A (see note below)
(in order of preference)                      |                                   |
Perfect Forward Secrecy (PFS)                 | No                                | No
Dead Peer Detection                           | Not supported                     | Supported

Important: in the current SmartDashboard GUI, HMAC-SHA1 is labeled SHA1.

Note on the dynamic routing gateway offers: refer to Dynamic Routing Gateway IPsec Security Association (SA) Offers; according to that link, ESP-AES256 is the first choice for Azure.

Notes:

  • To configure Phase 2 properties for IKEv1 and IKEv2 in Check Point SmartDashboard: go to IPSec VPN tab - double-click on the relevant VPN Community - go to the Encryption page - in the section Encryption Suite, select Custom - click on Custom Encryption... button - configure the relevant properties - click on OK to apply the settings - install the policy.

  • When setting up a Site-to-Site VPN with Azure, first determine whether the Azure gateway negotiates subnet-to-subnet or gateway-to-gateway tunnels, and set VPN Tunnel Sharing on the Check Point side to match:

    • If Azure is using subnet-to-subnet, configure the Check Point side in SmartDashboard as follows: go to IPSec VPN tab - double-click on the relevant VPN Community - go to the Tunnel Management page - in the section VPN Tunnel Sharing, select One VPN tunnel per subnet pair - click on OK to apply the settings - install the policy.

    • If Azure is using gateway-to-gateway, configure the Check Point side in SmartDashboard as follows: go to IPSec VPN tab - double-click on the relevant VPN Community - go to the Tunnel Management page - in the section VPN Tunnel Sharing, select One VPN tunnel per Gateway pair - click on OK to apply the settings - install the policy.

    • Subnet-to-subnet is what Azure calls a "policy-based VPN" (the static routing gateway in the tables above), and gateway-to-gateway is what Azure calls a "route-based VPN" (the dynamic routing gateway). This mapping tells you which Check Point setting corresponds to the gateway type deployed in Azure.

    • Also, when using subnet-to-subnet, users can define one or more address prefixes for their virtual network and then carve out multiple subnets within each prefix. Azure VPN in policy-based configuration uses the prefix pairs, not the subnet ranges, as the Traffic Selectors for the SA negotiation, so the Check Point encryption domain must present those same prefixes.


  • Make sure the Networks in the respective encryption domains correspond to the settings configured at the Azure side (you may use the setting subnet_for_range_and_peer to make sure the subnets are negotiated as required - for details, refer to "Scenario 1" in sk108600 - VPN Site-to-Site with 3rd party).
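The two notes above (VPN Tunnel Sharing mode and matching encryption domains to Azure's prefix pairs) are where most failed Azure tunnels come from, so here is an added example that checks the selector pairs before policy is installed. It is not code from the SecureKnowledge article, from Check Point or from Microsoft: it models which (local, remote) traffic selector pairs each side brings to the SA negotiation and reports Check Point pairs that are narrower than, or unrelated to, what Azure expects. The prefixes are constructed sample data, and the rule that only an identical pair brings a tunnel up is an assumption of the example.

```python
# Added example, not part of the original SecureKnowledge article and not Check
# Point or Microsoft code. Models the traffic selector pairs each side brings to
# the IPsec SA negotiation so an encryption-domain mismatch with Azure is caught
# before the tunnel is built. All prefixes below are constructed sample data.
import ipaddress
from itertools import product

ANY = ipaddress.ip_network("0.0.0.0/0")


def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def checkpoint_selectors(local_domain, remote_domain, tunnel_sharing):
    """Selector pairs (local, remote) the Check Point gateway proposes.

    tunnel_sharing mirrors the community's VPN Tunnel Sharing setting:
      "gateway" = One VPN tunnel per Gateway pair -> one universal (any/any) pair
      "subnet"  = One VPN tunnel per subnet pair  -> one pair per local/remote subnet
    """
    if tunnel_sharing == "gateway":
        return {(ANY, ANY)}
    if tunnel_sharing == "subnet":
        return set(product(_nets(local_domain), _nets(remote_domain)))
    raise ValueError(f"unknown VPN Tunnel Sharing mode: {tunnel_sharing}")


def azure_selectors(vnet_prefixes, local_network_gateway_prefixes, gateway_type):
    """Selector pairs Azure negotiates, expressed as (on-premises, Azure) so they
    compare directly with the Check Point (local, remote) pairs.

    "policy-based" (static routing) gateways use address prefix pairs: the VNet
    address prefixes and the local network gateway's address prefixes, never
    the individual subnets carved out of them.
    "route-based" (dynamic routing) gateways negotiate a single any-to-any pair.
    """
    if gateway_type == "route-based":
        return {(ANY, ANY)}
    if gateway_type == "policy-based":
        return set(product(_nets(local_network_gateway_prefixes), _nets(vnet_prefixes)))
    raise ValueError(f"unknown Azure gateway type: {gateway_type}")


def compare_selectors(proposed, expected):
    """Classify the Check Point pairs against the Azure pairs.

    Assumption of this example: only an identical pair brings a tunnel up, so a
    pair that is merely narrower than an Azure pair is still a mismatch. For
    such pairs the Azure pair it falls inside is returned, because that is the
    prefix the encryption domain (or subnet_for_range_and_peer) must present.
    """
    matched = proposed & expected
    narrower, unrelated = {}, set()
    for cp_pair in proposed - expected:
        inside = [az for az in expected
                  if cp_pair[0].subnet_of(az[0]) and cp_pair[1].subnet_of(az[1])]
        if inside:
            narrower[cp_pair] = inside[0]
        else:
            unrelated.add(cp_pair)
    return {"matched": matched, "narrower": narrower, "unrelated": unrelated}


def report(result):
    """Human-readable lines for a compare_selectors() result."""
    lines = [f"OK      {a} <-> {b}" for a, b in sorted(result["matched"], key=str)]
    for (a, b), (ea, eb) in sorted(result["narrower"].items(), key=str):
        lines.append(f"NARROW  {a} <-> {b}: Azure expects {ea} <-> {eb}")
    for a, b in sorted(result["unrelated"], key=str):
        lines.append(f"MISSING {a} <-> {b}: no Azure prefix pair contains it")
    return lines


if __name__ == "__main__":
    # Constructed sample: two on-premises subnets, Azure VNet 172.16.0.0/16, and
    # a local network gateway whose address space is the whole on-premises /16.
    onprem = ["10.1.1.0/24", "10.1.2.0/24"]
    azure_vnet = ["172.16.0.0/16"]
    lng = ["10.1.0.0/16"]
    cases = [
        ("policy-based gateway, per-subnet domain (fails)",
         checkpoint_selectors(onprem, azure_vnet, "subnet"),
         azure_selectors(azure_vnet, lng, "policy-based")),
        ("policy-based gateway, domain aggregated to the /16 (works)",
         checkpoint_selectors(lng, azure_vnet, "subnet"),
         azure_selectors(azure_vnet, lng, "policy-based")),
        ("route-based gateway, one tunnel per gateway pair (works)",
         checkpoint_selectors(onprem, azure_vnet, "gateway"),
         azure_selectors(azure_vnet, lng, "route-based")),
    ]
    for title, proposed, expected in cases:
        print(title)
        print("\n".join("  " + line for line in report(compare_selectors(proposed, expected))))
```

The first case is the classic failure: the Check Point encryption domain lists the on-premises /24s, but a policy-based Azure gateway only knows the /16 configured on its local network gateway, so every proposed pair is narrower than the one Azure expects and no SA comes up. Aggregating the domain to the /16, or presenting it with subnet_for_range_and_peer as in sk108600, gives the exact pair. For a route-based gateway the check is only meaningful with One VPN tunnel per Gateway pair, which is the any-to-any selector the third case shows.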
