Checkpoint with Azure VPN (new version)

These are my notes on the newer Checkpoint VPN stuff.. but still working on actually testing them.. – I put a 2016 date on it to remove it from the main page..

Seems the MSS clamping on Azure VPN’s needs to be 1350, my PPPOE adapter needed to be 1492 for du Connections.

Note: MTU should be set to “maximum ping packet length” + “ICMP header”. For example:  For PPPoE networks, this would be 1484 ping data length (“-l”) + the 8 byte ICMP header = 1492 MTU.

  1. To determine the right MTU setting, run a fragmented ping test from a command prompt on the client machine:

    ping <Public IP of the Checkpoint VPN-1 UTM Edge X appliance> -f -l 1500

    You will probably receive the message: “Packet needs to be fragmented but DF set.” The DF refers to the “Don’t Fragment” bit.
  2. Keep lowering the byte size from “1500”, until you do not receive the error. The point at which you do not receive the error is the point of fragmentation. The MTU size should be just below this point.

To lower MSS clamping, type in the FW console: fw ctl set int fw_clamp_vpn_mss 1

And then on GUIDBEdit, find:

Network Objects – <your FW> – Interfaces – Element x – (find your external NIC) and search for mss_value

set mss_value to 1350

Find

Network Objects – <your FW> – fw_clamp_tcp_mss_control and set it to true

Set protocols of VPN to:

Change MTU of interface: 1350 (1500 default)
Encryption Method: IKEv2 only
Custom Encryption suite:
IKE Security Association (Phase 1)
-Encryption Algorithm: AES-256
-Data Integrity: SHA1
-Diffie-Hellman group : Group 2 (1024bit)

IKE Security Association (Phase 2)
-Encryption Algorithm: AES-256
-Data Integrity: SHA1


VPN Tunnel Sharing
-Select One VPN Tunnel per Gateway Pair

IKE(phase1)
-Renegotiate IKE security associations every (min): 480
IPsec(phase2)
-Renegotiate IPsec security associations every(sec):27000


Tagged , , ,