The editor's client needs to build a Site-to-Site VPN between Check Point and Azure. The points to note are as follows:
For a detailed walk-through of setting up a Site-to-Site VPN, refer to sk53980 (How to set up a Site-to-Site VPN with a 3rd-party remote gateway).
When setting up the tunnel with Microsoft Azure, you will need to use the following settings. These settings are required by Microsoft Azure. For more information, refer to About VPN Devices for Virtual Network.
Notes:
- The requirement for route based VPN in IKEv2 is only relevant for the Microsoft Azure part of the configuration, since it is the only configuration available there.
- For the Check Point VPN peer, Domain Based configuration can be used for encryption domain configuration.
IKE Phase 1 setup
| Property | Static routing VPN gateway | Dynamic routing VPN gateway |
| --- | --- | --- |
| IKE Version | IKEv1 | IKEv2 |
| Diffie-Hellman Group | Group 2 (1024 bit) | Group 2 (1024 bit) |
| Authentication Method | Pre-Shared Key | Pre-Shared Key |
| Encryption Algorithms | AES256, AES128, 3DES | AES256, 3DES |
| Hashing Algorithm | SHA1 | SHA1 |
| Phase 1 Security Association (SA) Lifetime (Time) | 28,800 seconds | 28,800 seconds |
IKE Phase 2 setup
| Property | Static routing VPN gateway | Dynamic routing VPN gateway |
| --- | --- | --- |
| IKE Version | IKEv1 | IKEv2 |
| Hashing Algorithm | SHA1 | SHA1 |
| Phase 2 Security Association (SA) Lifetime (Time) | 3,600 seconds | --- |
| IPsec SA Encryption & Authentication Offers (in order of preference) | ESP-AES256, ESP-AES128, ESP-3DES, N/A | Refer to Dynamic Routing Gateway IPsec Security Association (SA) Offers |
| Perfect Forward Secrecy (PFS) | No | No |
| Dead Peer Detection | Not supported | Supported |
Notes:
- To configure Phase 2 properties for IKEv1 and IKEv2 in Check Point SmartDashboard: go to the IPSec VPN tab - double-click the relevant VPN Community - go to the Encryption page - in the Encryption Suite section, select Custom - click the Custom Encryption... button - configure the relevant properties - click OK to apply the settings - install the policy.
- When setting up a Site-to-Site VPN with Azure, check whether Azure is offering a subnet-to-subnet or a gateway-to-gateway VPN:
  - If Azure is using subnet-to-subnet, the Check Point side must be configured as follows in SmartDashboard: go to the IPSec VPN tab - double-click the relevant VPN Community - go to the Tunnel Management page - in the VPN Tunnel Sharing section, select One VPN tunnel per subnet pair - click OK to apply the settings - install the policy.
  - If Azure is using gateway-to-gateway, the Check Point side must be configured as follows in SmartDashboard: go to the IPSec VPN tab - double-click the relevant VPN Community - go to the Tunnel Management page - in the VPN Tunnel Sharing section, select One VPN tunnel per Gateway pair - click OK to apply the settings - install the policy.
- Make sure the networks in the respective encryption domains correspond to the settings configured on the Azure side (you can use the setting subnet_for_range_and_peer to make sure the subnets are negotiated as required; for details, refer to "Scenario 1" in sk108600 - VPN Site-to-Site with 3rd party).
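The encryption-domain check from the last note, as an added example that is not from the original post or from Check Point's own tooling: it compares the subnets configured on the Check Point objects with the ones Azure negotiates and flags entries that overlap but are not identical, assuming (as the note implies) that the Phase 2 subnet negotiation only agrees when both sides propose the same prefix, which is the case subnet_for_range_and_peer is meant to fix. The function names and the sample prefixes are constructed for illustration.

```python
import ipaddress


def _nets(prefixes):
    # Parse CIDR strings; strict parsing rejects host bits set in a prefix (a typo
    # in an encryption domain that would otherwise go unnoticed).
    return [ipaddress.ip_network(p) for p in prefixes]


def compare_domains(side, configured, peer_expects):
    """Compare one side's networks as configured on the Check Point object
    ('configured') with the subnets Azure negotiates for that side
    ('peer_expects'). Returns a list of findings; an empty list means every
    subnet matches exactly, which is what 'One VPN tunnel per subnet pair'
    needs for the Phase 2 subnet negotiation to agree."""
    findings = []
    expected = _nets(peer_expects)
    for net in _nets(configured):
        if net in expected:  # identical prefix on both sides: fine
            continue
        overlapping = [str(e) for e in expected if e.overlaps(net)]
        if overlapping:
            findings.append(
                f"{side}: {net} overlaps {', '.join(overlapping)} but is not identical; "
                "Phase 2 will not negotiate the subnet Azure expects "
                "(fix the domain or use subnet_for_range_and_peer)")
        else:
            findings.append(f"{side}: {net} is not defined on the Azure side at all")
    for exp in expected:
        if not any(exp.overlaps(c) for c in _nets(configured)):
            findings.append(f"{side}: Azure expects {exp}, absent from the Check Point domain")
    return findings


def check_site_to_site(cp_local, azure_local_network, cp_remote, azure_vnet):
    """Run both directions for one tunnel: on-premises networks as configured on
    the Check Point gateway vs. Azure's definition of the on-premises side, and
    the Azure VNet as configured on the interoperable device object vs. the VNet."""
    return (compare_domains("on-premises", cp_local, azure_local_network)
            + compare_domains("Azure VNet", cp_remote, azure_vnet))


if __name__ == "__main__":
    # Constructed sample: the Check Point encryption domain is a /16 supernet,
    # while Azure was told the on-premises side is a single /24.
    for finding in check_site_to_site(["10.1.0.0/16"], ["10.1.0.0/24"],
                                      ["10.2.0.0/16"], ["10.2.0.0/16"]):
        print(finding)
```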