How to setup Site to Site VPN between Check Point and Microsoft Azure

Solution ID: sk101275
Product: Virtual Appliance, IPSec VPN
Version: R77, R77.10, R77.20
Platform / Model: Azure
Date Created: 14-Jun-2014
Last Modified: 16-Mar-2015
Solution

For a detailed walkthrough on setting up a Site-to-Site VPN, refer to sk53980 (How to set up a Site-to-Site VPN with a 3rd-party remote gateway).

When setting up the tunnel with Microsoft Azure, you will need to use the following settings. These settings are required by Microsoft Azure. For more information, refer to About VPN Devices for Virtual Network.

Notes: 

  • The requirement for route-based VPN with IKEv2 applies only to the Microsoft Azure part of the configuration, since that is the only possible configuration.
  • For the Check Point VPN peer, Domain Based configuration can be used for encryption domain configuration.

 

IKE Phase 1 setup

| Property | Static routing VPN gateway | Dynamic routing VPN gateway |
|---|---|---|
| IKE Version | IKEv1 | IKEv2 |
| Diffie-Hellman Group | Group 2 (1024 bit) | Group 2 (1024 bit) |
| Authentication Method | Pre-Shared Key | Pre-Shared Key |
| Encryption Algorithms | AES256, AES128, 3DES | AES256, 3DES |
| Hashing Algorithm | SHA1 | SHA1 |
| Phase 1 Security Association (SA) Lifetime (Time) | 28,800 seconds | 28,800 seconds |

 

IKE Phase 2 setup

| Property | Static routing VPN gateway | Dynamic routing VPN gateway |
|---|---|---|
| IKE Version | IKEv1 | IKEv2 |
| Hashing Algorithm | SHA1 | SHA1 |
| Phase 2 Security Association (SA) Lifetime (Time) | 3,600 seconds | --- |
| IPsec SA Encryption & Authentication Offers (in the order of preference) | ESP-AES256, ESP-AES128, ESP-3DES, N/A | Refer to Dynamic Routing Gateway IPsec Security Association (SA) Offers |
| Perfect Forward Secrecy (PFS) | No | No |
| Dead Peer Detection | Not supported | Supported |

 

Notes:

  • To configure Phase II properties for IKEv1 and IKEv2 in Check Point SmartDashboard: go to 'IPSec VPN' tab - double-click on the relevant VPN Community - go to the 'Encryption' page - in the section 'Encryption Suite', select 'Custom' - click on 'Custom Encryption...' button - configure the relevant properties - click on 'OK' to apply the settings - install the policy.

  • When setting up a Site-to-Site VPN with Azure, you will need to check whether Azure is offering subnet-to-subnet or gateway-to-gateway VPN:

    • If Azure is using subnet-to-subnet, then the Check Point side must be configured in the following way in Check Point SmartDashboard: go to 'IPSec VPN' tab - double-click on the relevant VPN Community - go to the 'Tunnel Management' page - in the section 'VPN Tunnel Sharing', select 'One VPN tunnel per subnet pair' - click on 'OK' to apply the settings - install the policy.

    • If Azure is using gateway-to-gateway, then the Check Point side must be configured in the following way in Check Point SmartDashboard: go to 'IPSec VPN' tab - double-click on the relevant VPN Community - go to the 'Tunnel Management' page - in the section 'VPN Tunnel Sharing', select 'One VPN tunnel per Gateway pair' - click on 'OK' to apply the settings - install the policy.


  • Make sure the Networks in the respective encryption domains correspond to the settings configured at the Azure side (you may use the setting 'subnet_for_range_and_peer' to make sure the subnets are negotiated as required - for details, refer to sk62590 (Configuring the Subnet Per Range for Quick Mode to enhance interoperability with 3rd-party VPN devices)).
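
The following Python pre-flight check is an added example, not part of the Check Point article or of any Check Point or Microsoft tooling. It compares a planned community configuration with the Azure requirements in the two tables above and with the tunnel-sharing and encryption-domain notes; the dictionary keys, function names and sample addresses are assumptions made for this example.

```python
import ipaddress

# From this page's Phase 1/2 tables; "---" and external-reference cells are skipped.
AZURE = {
    "static": {
        "ike_version": {"IKEv1"}, "dh_group": {2}, "auth": {"psk"},
        "p1_enc": {"AES256", "AES128", "3DES"}, "p1_hash": {"SHA1"},
        "p1_lifetime_s": {28800}, "p2_enc": {"AES256", "AES128", "3DES"},
        "p2_hash": {"SHA1"}, "p2_lifetime_s": {3600}, "pfs": {False},
    },
    "dynamic": {
        "ike_version": {"IKEv2"}, "dh_group": {2}, "auth": {"psk"},
        "p1_enc": {"AES256", "3DES"}, "p1_hash": {"SHA1"},
        "p1_lifetime_s": {28800}, "p2_hash": {"SHA1"}, "pfs": {False},
    },
}
SHARING = {  # Azure tunnel style -> 'VPN Tunnel Sharing' option named in the notes
    "subnet-to-subnet": "One VPN tunnel per subnet pair",
    "gateway-to-gateway": "One VPN tunnel per Gateway pair",
}

def _nets(cidrs):
    """Collapse CIDRs so two adjacent /25s compare equal to the covering /24."""
    return set(ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs))

def check_plan(plan, gateway_type, azure_style, azure_view):
    """Return the mismatches between the planned settings and the Azure side."""
    problems = []
    for key, allowed in AZURE[gateway_type].items():
        if plan.get(key) not in allowed:
            problems.append(f"{key}: {plan.get(key)!r} not accepted by Azure")
    if plan.get("tunnel_sharing") != SHARING[azure_style]:
        problems.append(f"tunnel_sharing: expected {SHARING[azure_style]!r}")
    # Encryption domains must correspond to what is configured at the Azure side.
    for side in ("checkpoint_domain", "azure_domain"):
        if _nets(plan[side]) != _nets(azure_view[side]):
            problems.append(f"{side}: does not match the Azure configuration")
    return problems

# Constructed sample input (hypothetical names and RFC 1918 ranges).
PLAN = {
    "ike_version": "IKEv1", "dh_group": 2, "auth": "psk", "p1_enc": "AES256",
    "p1_hash": "SHA1", "p1_lifetime_s": 28800, "p2_enc": "AES256",
    "p2_hash": "SHA1", "p2_lifetime_s": 3600, "pfs": False,
    "tunnel_sharing": "One VPN tunnel per subnet pair",
    "checkpoint_domain": ["192.168.10.0/25", "192.168.10.128/25"],
    "azure_domain": ["10.1.0.0/16"],
}
AZURE_VIEW = {"checkpoint_domain": ["192.168.10.0/24"], "azure_domain": ["10.1.0.0/16"]}
print(check_plan(PLAN, "static", "subnet-to-subnet", AZURE_VIEW) or "plan matches")
```

An empty result means every checked property, the tunnel-sharing option and both encryption domains line up; each string in a non-empty result names the property to correct before installing the policy.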
