This post is going to cover
setting up the Checkpoint 600 appliance for a dedicated Site to Site VPN to
Azure. I will not cover the setup of setting up Azure vNets etc as this
information is already here (although based on the Service Manager portal it’s
still valid);
Azure Gateways can be provisioned
as PolicyBased (static) or RouteBased (dynamic) routing but your firewall on
the other end must be able to support either dynamic or static. Cisco ASA’s for
example do not support Dynamic Routing, although the Checkpoint 600 does. Why
does it matter? Well, if you want to establish a multi-site VPN you must use
Dynamic Routing on the Azure Gateway. Therefore, the Checkpoint 600 is a great
SMB firewall which offers better support for Azure VPN’s than Cisco ASA’s.
A full list of supported devices
for VPN connectivity to Azure;
I should mention that although
you are limited to what the Azure Gateway supports, you could provision a 3rd
party virtual device instead of the native one provided by Azure. Checkpoint,
Palo Alto etc offer virtual appliances in the Azure Marketplace.
Logon to the Checkpoint via the
admin web interface and click the VPN
tab.
Under
Site to Site click on VPN Sites.
Click
the New button to begin creating a
new VPN connection.
From
the Remote Site tab give the site a
label, and then enter the public address the Azure Gateway was provisioned
with.
The Azure Gateway uses pre-shared
key authentication, this must be the same on both sides and please ensure you
use a strong password.
The
pre-shared key is set under the Connection object in Azure.
There
are complex password generating tools which can be used to create a strong
password.
Move
down to the Remote Site Encryption Domain section, this is where you define the
network and subnet mask your Azure network is using. Without this the
Checkpoint would not be able to route traffic to Azure.
You create a new network object
for the Azure subnet. You do not have to put in the gateway subnet that is
created when you provision an Azure Gateway.
Click the Encryption tab, and select Custom
and set the following configuration according to the Checkpoint documentation.
IKE (Phase 1)
- · Encryption = 3DES, AES-256
- · Authentication = SHA1
- · Diffie Hellman Group = Group 2 (1024 bit)
- · Time out = 10800 seconds
IPsec
(Phase 2)
- · Encryption = AES-256, AES-128
- · Authentication = SHA1
- · [x] disable = Enable perfect forward secrecy
- · Renegiotate = 3600 seconds
Click
on the Advanced tab and ensure the Remote Gateway is a Check Point Security
Gateway is disabled, and that
Disable NAT for this site is enabled.
Expand
Encryption Method I set this to Prefer
IKEv2, support IKEv1 despite the Checkpoint documentation stating it should
be set to normal IKEv2. The tunnel would be establish when it was set to IKEv2
in my environment.
Browse to Access Policy and
Policy, the VPN wizard should have automatically created the ACL rules to allow
this VPN to work. This will be under the Incoming
Rules section.
Although the Checkpoint/Azure documentation
states that the Checkpoint OS supports both Dynamic and Static routing types I
could not get the VPN to establish when the Azure Gateway was set to static
routing.
Another strange thing to keep in
mind, when you first establish the VPN the status of the Azure Gateway might
randomly change from Succeeded and Connected. I never worked out why this
is, however after a couple of hours it seemed to stabilize. I read somewhere
that a dynamic gateway only “connects” when nodes on either end are trying to
send or receive.
