route based vpn with custom traffic selector

56789 5 Reputation points
2024-02-13T17:55:44.3066667+00:00

Hello Team,

VPN SKU: VpnGw2

VPN type: Route based

(Checkpoint) Client VPN public IP: 1.1.1.1

Client internal subnet1: 10.1.0.0/16, Client internal subnet2: 10.2.0.0/16

Azure VPN public IP: 2.2.2.2

Azure VNet IP: 192.168.1.0/24

VPN config:

Phase 1: aes256, sha256, ecp256

Phase 2: aes256, sha256, ecp256

Phase 1 lifetime: 28800

Phase 2 lifetime: 27000

Custom traffic selectors:

Local: 192.168.1.0/24, Remote: 10.1.0.0/16

Local: 192.168.1.0/24, Remote: 10.2.0.0/16

Issue:

Tunnel is not coming up. VPN config matches on both sides. Azure initiates the tunnel, but in the TS Azure sends 0.0.0.0/0. We want to use specific traffic selectors to match the client. The client is using 10.1.0.0/16 and 10.2.0.0/16.

Question:

1) If I keep policy based as disabled and only enable custom traffic selector, then Azure initiates and sends TS: 0.0.0.0/0, but the tunnel comes up. How is this possible? Shouldn't Azure send the custom TS?

SESSION_ID :{xxx} Remote : Local : Received Traffic Selector payload reply (Final Negotiated) - [Tsid 0x202 ]Number of TSIs 1: StartAddress 1.1.1.1 EndAddress 1.1.1.1 PortStart 0 PortEnd 65535 Protocol 0 Number of TSRs 1:StartAddress 10.1.0.0 EndAddress 10.1.255.255 PortStart 0 PortEnd 65535 Protocol 0

SESSION_ID :{xxx} Remote : Local : Proposed(send) Traffic Selector payload will be- [Tsid 0x202 ]Number of TSIs 1: StartAddress 0.0.0.0 EndAddress 255.255.255.255 PortStart 0 PortEnd 65535 Protocol 0 Number of TSRs 1:StartAddress 0.0.0.0 EndAddress 255.255.255.255 PortStart 0 PortEnd 65535 Protocol 0

2) If I enable the policy based option and also enable custom traffic selector, then I see Azure initiates the connection and sends the custom TS. Can someone explain if the "Use policy based traffic selector" option should be enabled or disabled if I want to use the option "Use custom traffic selectors"?

Thanks

1 answer
  1. Silvia Wibowo 3,571 Reputation points Microsoft Employee
    2024-02-13T20:37:31.4666667+00:00

    Hi @56789, I understand that you want to create a VPN connection between Azure VPN Gateway and your Checkpoint Firewall.

    Answering your questions:

    1. When PolicyBasedTrafficSelectors = off/false, custom traffic selector is not looked at. Thus, Azure VPN Gateway will initiate the tunnel with Traffic Selector = 0.0.0.0/0.
    2. When PolicyBasedTrafficSelectors = on/true, the custom configured traffic selectors will be proposed only when an Azure VPN gateway initiates the connection. A VPN gateway accepts any traffic selectors proposed by a remote gateway (on-premises VPN device). Is it possible to configure CheckPoint Firewall to initiate the connection, so you can set Azure VPN Gateway as Responder? Note that the on-premises networks connecting through policy-based VPN devices with this mechanism can only connect to the Azure virtual network; they cannot transit to other on-premises networks or virtual networks via the same Azure VPN gateway. See other considerations.

    Stepping back a bit, why do you need to configure a custom traffic selector, which means a policy-based VPN connection? I think it would be simpler to use a route-based VPN connection; if your Checkpoint Firewall doesn't support BGP, you can use static routing.

    More info: About policy-based and route-based VPN
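The two IKE diagnostic lines quoted in the question show exactly the symptom the answer explains: with PolicyBasedTrafficSelectors off, Azure proposes 0.0.0.0/0 rather than the configured selectors. The following is an added example (not code from the question, the answer, or Microsoft) that parses such lines, converts each TSI/TSR address range to CIDR, and flags a wildcard proposal or a selector that falls outside the configured custom selectors. The log lines are the two from the question, embedded here as constructed sample input.

```python
import re
import ipaddress

# Constructed sample input: the two Azure IKE diagnostic lines quoted in the question.
LOG_LINES = [
    "SESSION_ID :{xxx} Remote : Local : Received Traffic Selector payload reply (Final Negotiated) - [Tsid 0x202 ]Number of TSIs 1: StartAddress 1.1.1.1 EndAddress 1.1.1.1 PortStart 0 PortEnd 65535 Protocol 0 Number of TSRs 1:StartAddress 10.1.0.0 EndAddress 10.1.255.255 PortStart 0 PortEnd 65535 Protocol 0",
    "SESSION_ID :{xxx} Remote : Local : Proposed(send) Traffic Selector payload will be- [Tsid 0x202 ]Number of TSIs 1: StartAddress 0.0.0.0 EndAddress 255.255.255.255 PortStart 0 PortEnd 65535 Protocol 0 Number of TSRs 1:StartAddress 0.0.0.0 EndAddress 255.255.255.255 PortStart 0 PortEnd 65535 Protocol 0",
]

# The custom traffic selectors configured in the question (local VNet + two remote subnets).
EXPECTED_SELECTORS = ["192.168.1.0/24", "10.1.0.0/16", "10.2.0.0/16"]

# One IKEv2 traffic selector as Azure prints it: a start/end address range plus ports and protocol.
TS_RE = re.compile(r"StartAddress (\S+) EndAddress (\S+) PortStart (\d+) PortEnd (\d+) Protocol (\d+)")


def _ranges_to_cidrs(text):
    """Turn every StartAddress/EndAddress pair in text into a list of CIDR strings."""
    cidrs = []
    for start, end, *_ in TS_RE.findall(text):
        nets = ipaddress.summarize_address_range(ipaddress.ip_address(start), ipaddress.ip_address(end))
        cidrs.extend(str(n) for n in nets)
    return cidrs


def parse_selectors(line):
    """Split one log line into its initiator (TSI) and responder (TSR) selector lists."""
    tsi_part, _, tsr_part = line.partition("Number of TSRs")
    return _ranges_to_cidrs(tsi_part), _ranges_to_cidrs(tsr_part)


def audit_line(line, expected):
    """Report wildcard selectors and selectors not covered by the configured custom selectors."""
    tsi, tsr = parse_selectors(line)
    expected_nets = [ipaddress.ip_network(e) for e in expected]
    outside = []
    for cidr in tsi + tsr:
        net = ipaddress.ip_network(cidr)
        if net.prefixlen == 0:
            continue  # wildcard is reported separately below
        if not any(net.subnet_of(e) for e in expected_nets):
            outside.append(cidr)
    return {
        "proposed": "Proposed(send)" in line,
        "tsi": tsi,
        "tsr": tsr,
        "wildcard": "0.0.0.0/0" in tsi or "0.0.0.0/0" in tsr,
        "outside_expected": outside,
    }


if __name__ == "__main__":
    for line in LOG_LINES:
        print(audit_line(line, EXPECTED_SELECTORS))
```

A `wildcard` result on a `Proposed(send)` line is the signature of the answer's first case (custom selectors ignored because PolicyBasedTrafficSelectors is off); `outside_expected` lists any negotiated range that the configured selectors would not have allowed.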