Monday 12 December 2016

Configuring Azure Site to Site VPN with Checkpoint 600 SMB Firewall

This post is going to cover setting up the Checkpoint 600 appliance for a dedicated Site to Site VPN to Azure. I will not cover the setup of setting up Azure vNets etc as this information is already here (although based on the Service Manager portal it’s still valid);

Azure Gateways can be provisioned as PolicyBased (static) or RouteBased (dynamic) routing but your firewall on the other end must be able to support either dynamic or static. Cisco ASA’s for example do not support Dynamic Routing, although the Checkpoint 600 does. Why does it matter? Well, if you want to establish a multi-site VPN you must use Dynamic Routing on the Azure Gateway. Therefore, the Checkpoint 600 is a great SMB firewall which offers better support for Azure VPN’s than Cisco ASA’s.

A full list of supported devices for VPN connectivity to Azure;

I should mention that although you are limited to what the Azure Gateway supports, you could provision a 3rd party virtual device instead of the native one provided by Azure. Checkpoint, Palo Alto etc offer virtual appliances in the Azure Marketplace.

Logon to the Checkpoint via the admin web interface and click the VPN tab.

Under Site to Site click on VPN Sites.

Click the New button to begin creating a new VPN connection. 

From the Remote Site tab give the site a label, and then enter the public address the Azure Gateway was provisioned with. 

The Azure Gateway uses pre-shared key authentication, this must be the same on both sides and please ensure you use a strong password. 

The pre-shared key is set under the Connection object in Azure. 

There are complex password generating tools which can be used to create a strong password.

Move down to the Remote Site Encryption Domain section, this is where you define the network and subnet mask your Azure network is using. Without this the Checkpoint would not be able to route traffic to Azure. 

You create a new network object for the Azure subnet. You do not have to put in the gateway subnet that is created when you provision an Azure Gateway.

Click the Encryption tab, and select Custom and set the following configuration according to the Checkpoint documentation.

IKE (Phase 1)
  • ·        Encryption = 3DES, AES-256
  • ·        Authentication = SHA1
  • ·        Diffie Hellman Group = Group 2 (1024 bit)
  • ·        Time out = 10800 seconds

IPsec (Phase 2)
  • ·        Encryption = AES-256, AES-128
  • ·        Authentication = SHA1
  • ·        [x] disable = Enable perfect forward secrecy
  • ·        Renegiotate = 3600 seconds

Click on the Advanced tab and ensure the Remote Gateway is a Check Point Security Gateway is disabled, and that Disable NAT for this site is enabled.

Expand Encryption Method I set this to Prefer IKEv2, support IKEv1 despite the Checkpoint documentation stating it should be set to normal IKEv2. The tunnel would be establish when it was set to IKEv2 in my environment. 

Browse to Access Policy and Policy, the VPN wizard should have automatically created the ACL rules to allow this VPN to work. This will be under the Incoming Rules section. 

Although the Checkpoint/Azure documentation states that the Checkpoint OS supports both Dynamic and Static routing types I could not get the VPN to establish when the Azure Gateway was set to static routing.

Another strange thing to keep in mind, when you first establish the VPN the status of the Azure Gateway might randomly change from Succeeded and Connected. I never worked out why this is, however after a couple of hours it seemed to stabilize. I read somewhere that a dynamic gateway only “connects” when nodes on either end are trying to send or receive.