Check Point CheckMates · Web viewAzure VPN Gateway Instance. AzureVPNGW(2) = Public IP Address...
BGP over VPN between Azure/Check Point Gateway
Assumptions:
- A valid Azure Subscription has been established
- A Resource Group has been created within said Subscription
Pre-requisites:
- Azure VPN Gateway SKU must be Standard or High Performance for BGP to work
  o VpnGw = Basic (BGP Not Supported)
  o VpnGw = Standard
  o VpnGw = High Performance
- If BGP was not enabled during the initial creation of the VPN gateway, it can only be enabled afterwards through the resource manager
- Windows PowerShell, because some Azure BGP configuration settings can be set through PowerShell
Note: The following ASNs are reserved by Azure for both internal and external peerings:
Public ASNs: 8075, 8076, 12076
Private ASNs: 65515, 65517, 65518, 65519, 65520
In Admin PowerShell window:
1. Install-Module AzureRM
2. Set-ExecutionPolicy RemoteSigned
In non-Admin Powershell window:
1. Import-Module AzureRM
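The prerequisites above (gateway SKU, BGP enabled on the gateway, reserved ASNs) can be checked in one pass before any Check Point configuration is done. The following is an added example, not part of the original document: the function name Test-BgpPrerequisite, its parameters and the sample gateway object are constructed for illustration, and the object is shaped like the output of Get-AzureRmVirtualNetworkGateway.

```powershell
# Added example: preflight check for the BGP prerequisites listed above.
# Test-BgpPrerequisite and its parameter names are hypothetical.
function Test-BgpPrerequisite {
    param(
        [Parameter(Mandatory)] $Gateway,        # object shaped like Get-AzureRmVirtualNetworkGateway output
        [Parameter(Mandatory)] [long] $PeerAsn  # ASN planned for the Check Point side
    )

    # ASNs the document lists as reserved by Azure
    $reservedPublic  = 8075, 8076, 12076
    $reservedPrivate = 65515, 65517, 65518, 65519, 65520
    $findings = @()

    # Basic SKU does not support BGP
    if ($Gateway.Sku.Name -eq 'Basic') {
        $findings += "SKU 'Basic' does not support BGP; use Standard or High Performance."
    }
    # BGP must be enabled on the gateway itself (Appendix A covers enabling it later)
    if (-not $Gateway.EnableBgp) {
        $findings += 'BGP is not enabled on the gateway; see Appendix A.'
    }
    # After enabling BGP, the gateway should report a local BGP IP
    if ($Gateway.EnableBgp -and -not $Gateway.BgpSettings.BgpPeeringAddress) {
        $findings += 'BGP is enabled but no local BGP IP is reported yet; wait for the change to propagate.'
    }
    # The peer must not use an ASN reserved by Azure
    if ($PeerAsn -in ($reservedPublic + $reservedPrivate)) {
        $findings += "ASN $PeerAsn is reserved by Azure and cannot be used for the peer."
    }

    $findings   # an empty result means every check passed
}

# Constructed sample object (not real Azure output): Basic SKU, BGP disabled
$sample = [pscustomobject]@{
    Name        = 'AzureVPNGW'
    Sku         = [pscustomobject]@{ Name = 'Basic' }
    EnableBgp   = $false
    BgpSettings = $null
}
Test-BgpPrerequisite -Gateway $sample -PeerAsn 65515

# Against a real gateway, pass the object returned by Get-AzureRmVirtualNetworkGateway:
# Test-BgpPrerequisite -Gateway $Gateway -PeerAsn <your_asn>
```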
Networking Layout:
Address Space = 10.0.0.0/16
GatewaySubnet = 10.1.0.0/29
BackEnd Subnet = 10.2.0.0/24
RESOURCES WE WILL NEED TO CREATE
AzureVnet = Internal Azure virtual network
BackEnd =
GatewaySubnet = Subnet where default gateway for virtual network (vnet)
AzureVPNGW(1) = Azure VPN Gateway Instance
AzureVPNGW(2) = Public IP Address that will be used for Azure VPN Gateway
CP-2-Azure-BGP = VPN Connection settings to include BGP settings
CP-Remote-GW = Representation of Physical Check Point Gateway
Create VNET
In Azure portal in the left pane go to “Virtual Networks”
Click on (+) sign to add vnet
ADD DEFAULT GATEWAY SUBNET
NOTE: This will be the default gateway for all subnets created under this address space
CREATE AZURE VPN GATEWAY
IMAGE 2 – Creating Public IP Address
When completed Click on Create:
NOTE: If you did not enable BGP on the gateway when it was first created, or the gateway was set to Basic, you can follow the instructions in Appendix A to enable BGP on the gateway.
Get the Azure VPN gateway public IP Address from the Azure Portal
In Azure Portal select “All Resources”
CREATE CHECK POINT GATEWAY IN AZURE
Create VPN Connection
In Azure portal go to “All Resources”
Once created you must go back into the configuration of the newly created connection and enable bgp:
CHECK POINT CONFIGURATION
SmartConsole Configuration
Create an empty VPN group which will represent the Azure VPN Gateway’s vpn domain:
Next create Azure VPN Gateway object:
Create VPN Community
GAIA WebUI Configuration on Check Point
Create VPN Tunnel Interface (VTI)
NOTE: THE PEER NAME MUST MATCH THE SMARTDASHBOARD OBJECT NAME OTHERWISE THE VTI WILL NOT WORK
Add Static Route for Azure VPN Peer BGP IP:
Setup BGP in GAIA WebUI
WARNING: Without “ALL” of these configurations completed BGP will not be successful
Add Azure Gateway BGP Information:
Fill in information based on Azure Gateway BGP Settings:
NOTE: Without Multihop enabled the BGP session will not be established
Set BGP Inbound route filters
Note: For the purpose of this documentation the inbound filter has been set to accept all routes – this will vary in each environment
Set inbound route filter settings
APPENDIX A
To enable BGP on the Azure Gateway after it’s been created go to resources.azure.com and login:
1. subscriptions > <your_subscription> > resource groups > <your_resource_group> > providers > Microsoft Networks > virtualNetworkGateway
2. Change Mode up top to “Read/Write”
3. Click on “Edit” up top
4. Set "enableBgp": true,
5. Click on “Put”
6. Change back to “Read Only”
7. Give it a few minutes for the change to propagate.
8. Go into Azure Vpn Gateway and under “Configuration” verify BGP is now enabled (should see AS and Local BGP IP)
Once enabled you will need to get the BGP settings for the Azure VPN Gateway. This can be done from within Azure portal:
Or through Powershell:
# Set your subscription ID if you have more than 1
$SubscriptionId = "Your_Subscription_ID"
# Example:
$SubscriptionId = "83ad3470-60c3-4fc7-905e-6d9315588b65"
# Identify Resource Group you will be working with
$ResourceGroup = "Your_Azure_Resource_Group_Name"
# Example:
$ResourceGroup = "Chkp-RSC-GRP"
# Log into Azure
Login-AzureRmAccount
# Set Context to your subscription – only relevant if you have more than 1
Set-AzureRmContext -SubscriptionID $SubscriptionId
# Set Gateway you will be working with
$Gateway = Get-AzureRmVirtualNetworkGateway -ResourceGroupName $ResourceGroup -Name "Gateway_Name"
# Example:
$Gateway = Get-AzureRmVirtualNetworkGateway -ResourceGroupName $ResourceGroup -Name "AzureVPNGW"
# Get Azure Gateway BGP Settings
$Gateway.BgpSettingsText
# To modify the default BGP ASN of 65515 run following command
Set-AzureRmVirtualNetworkGateway -VirtualNetworkGateway $Gateway -Asn <number>

You will need, at minimum, the following resources to be defined in Azure space: