Deploying Secure Azure VPN with Check Point for Australian Businesses

Azure Site-to-Site VPN with Check Point Quantum Spark – A Real-World Deployment Story

Estimated reading time: 6 minutes

• Understand the critical role of VPN link selection in Check Point configurations.
• Recognize the importance of Azure Network Security Group rules in facilitating traffic.
• Learn effective troubleshooting techniques for site-to-site VPN setups.
• Utilize Terraform for automated Azure infrastructure deployment.

Table of Contents

• Understanding the Deployment Scenario
• The Architecture Diagram
• Initial Setup
• The Critical Fix: VPN Link Selection
• Lessons Learned – Key Takeaways
• Conclusion
• FAQ

Understanding the Deployment Scenario

Establishing a secure site-to-site VPN connection between a branch office and cloud services hosted in Azure is a crucial task for many Australian businesses. This article documents our journey deploying such a connection using Check Point Quantum Spark firewalls managed by Smart-1 Cloud. We will share our experiences, the challenges we faced, and the practical solutions we discovered along the way.

Branch Office Setup

• Two Check Point Quantum Spark firewalls (model 1570), managed through Smart-1 Cloud.
• FW-PRIMARY: The primary firewall serving internal user networks, without a public IP (behind NAT).
• FW-SECONDARY: The secondary firewall with an ISP-provided public IP.
• An inter-site link configured between FW-PRIMARY and FW-SECONDARY (IP: 192.168.254.0/30).
• User workstations on a private network (10.10.10.0/24) connected via FW-PRIMARY.

Azure Setup

• VPN Gateway: Using the VpnGw2AZ SKU for robust connectivity.
• Services Subnet: Dedicated for application usage (subnet 10.20.20.0/24, with the application server located at 10.20.20.10).
• Network Security Group (NSG): Protecting the services subnet from unwanted access.

The Challenge

The primary challenge lay in enabling users on the 10.10.10.0/24 network to access Azure services through the VPN tunnel terminating on FW-SECONDARY.

The Architecture Diagram

                  ┌─────────────────────┐
                  │   Azure VNet        │
                  │   10.20.20.0/24     │
                  │                     │
                  │  ┌──────────────┐   │
                  │  │ VPN Gateway  │   │
                  │  │ 203.0.113.50 │   │
                  │  └──────────────┘   │
                  │         │           │
                  │  ┌──────────────┐   │
                  │  │ App Server   │   │
                  │  │ 10.20.20.10  │   │
                  │  └──────────────┘   │
                  └─────────────────────┘
                           ║
                  ═══ VPN Tunnel (IKEv2) ═══
                           ║
                  ┌────────┴────────┐
                  │  FW-SECONDARY   │
                  │ 198.51.100.25   │ ← VPN terminates here (has public IP)
                  │   (ISP WAN)     │
                  └────────┬────────┘
                           │ 192.168.254.2
                 Inter-Site Link
                           │ 192.168.254.1
                  ┌────────┴────────┐
                  │  FW-PRIMARY     │
                  │ (No public IP)  │ ← Users connect here
                  └────────┬────────┘
                           │ 10.10.10.254
                  ┌────────┴────────┐
                  │ User Workstation│
                  │ 10.10.10.100    │
                  └─────────────────┘

Initial Setup

Azure Side (Using Terraform)

To establish the Azure infrastructure, we utilised Terraform, allowing us to automate the deployment effectively:

# Local Network Gateway representing the branch office
resource "azurerm_local_network_gateway" "branch" {
  name                = "lng-branch-office"
  location            = "eastus"
  resource_group_name = azurerm_resource_group.networking.name
  gateway_address     = "198.51.100.25"  # FW-SECONDARY public IP

  address_space = [
    "10.10.10.0/24",   # User network
    "10.10.20.0/24",   # Additional networks
  ]
}

# VPN Connection
resource "azurerm_virtual_network_gateway_connection" "branch" {
  name                = "vpn-branch-connection"
  location            = "eastus"
  resource_group_name = azurerm_resource_group.networking.name
  
  type                       = "IPsec"
  virtual_network_gateway_id = azurerm_virtual_network_gateway.hub.id
  local_network_gateway_id   = azurerm_local_network_gateway.branch.id
  
  shared_key       = var.vpn_psk
  connection_mode  = "Default"
  use_policy_based_traffic_selectors = true

  ipsec_policy {
    dh_group         = "DHGroup14"
    ike_encryption   = "AES256"
    ike_integrity    = "SHA256"
    ipsec_encryption = "AES256"
    ipsec_integrity  = "SHA256"
    pfs_group        = "PFS2048"
    sa_lifetime      = 27000
  }

  # Traffic selector for policy-based VPN
  traffic_selector_policy {
    local_address_cidrs  = ["10.20.20.0/24"]
    remote_address_cidrs = ["10.10.10.0/24"]
  }
}

Check Point Side (Using Smart-1 Cloud)

Configuring the settings in Smart Console included crucial steps:

1. Creating network objects for branch user and Azure services.
2. Establishing an Azure interoperable device with the proper IP.
3. Forming a VPN meshed community for secure and reliable communication.
4. Adding appropriate static routes to facilitate data flow.

First Test: The Mysterious “Connected but Not Working” Problem

After initial setup, we ran our first connectivity test from a user workstation, only to receive timeouts when attempting to ping the application server (10.20.20.10). Yet, the Azure VPN status indicated “Connected”.

Diagnostic Journey

Our troubleshooting journey began on FW-SECONDARY, where we confirmed:

• The VPN tunnel was active.
• Packets were reaching FW-SECONDARY.
• Encryption was successfully occurring.

However, a crucial issue materialised: the ESP packets were sourced from 100.64.50.150 (management tunnel IP) instead of 198.51.100.25 (the actual public IP). This misconfiguration led to Azure silently dropping the packets due to its local network gateway setup.

The Critical Fix: VPN Link Selection

Understanding the Issue

Check Point Quantum Spark firewalls, when managed by Smart-1 Cloud, exhibit a default behaviour where they utilise the management tunnel for outbound traffic, leading to invisible failures unless corrected.

The Solution

To fix this:

1. Edit the FW-SECONDARY gateway object in Smart Console.
2. Navigate to VPN → Link Selection.
3. Opt for Statically NAT’d IP and input the public IP (198.51.100.25).
4. Publish and install the policy.

Following this change, flow verification revealed successful bidirectional data transfer.

Other Issues Encountered

• Duplicate Static Routes: After adjustments, we identified that the VPN created conflicting static routes, which required removal to ensure proper connectivity.
• Azure NSG Rules: Initially restrictive, updating these rules allowed the correct traffic flow from the new branch office network.
• Inter-Site Routing Complexity: Required static routes and firewall rules on both firewalls to manage user-to-Azure communication efficiently.

Lessons Learned – Key Takeaways

• Configure VPN Link Selection: Always set the link selection to avoid using management tunnel IPs for VPN traffic.
• Use tcpdump for Verification: It’s essential to confirm not just the connection status but also that packets are flowing correctly.
• Review Azure NSG Rules: Update security group rules for each new site-to-site VPN connection.
• Complex Inter-Site Requirements: Be aware of routing and NAT needs on both firewalls when linking different networks.
• Utilise Policy-Based Traffic Selectors: These are necessary for ensuring proper tunnel operation in Check Point configurations.

Conclusion

The deployment of a site-to-site VPN between Azure and a Check Point-managed branch office presented both challenges and learning opportunities. The importance of configuring the VPN link selection and understanding packet flow cannot be overstated. For Australian businesses venturing into similar architecture, it’s vital to consider these key takeaways to streamline implementation and avoid potential pitfalls.

If your organisation is looking to strengthen its cybersecurity posture with effective and efficient solutions, Summit Cyber Group offers a range of managed security services that can assist. From vulnerability management to end-to-end security automation, we are committed to helping businesses navigate the complexities of cybersecurity.

Contact us today at Summit Cyber Group to discuss how we can enhance your organisation’s cybersecurity maturity and help you deploy robust solutions like our documented Azure site-to-site VPN setup. Visit our website at Summit Cyber Group for more insights.

FAQ

What is a site-to-site VPN?

A site-to-site VPN connects two or more networks securely over the internet, allowing for communication between devices on different networks as if they were on the same local network.

How does Check Point Quantum Spark enhance VPN security?

Check Point Quantum Spark uses advanced encryption and security protocols to safeguard data transfer over the VPN, ensuring that communications are secure from unauthorized access.

What role does a Network Security Group play in Azure?

A Network Security Group (NSG) acts as a virtual firewall to control inbound and outbound traffic to Azure resources, shaping security policies that help protect applications and data.