https://community.checkpoint.com/t5/SASE-and-Remote-Access/EndPoint-VPN-NAT-limitations/m-p/89999#M10221 Unless you’re using SecuRemote, each client is assigned an Office Mode IP that is unique.<BR />Not sure what it looks like at the IPSec level but I’ve also never seen/heard of any issues related many users being behind the same NAT using our Remote Access VPN either. Sun, 28 Jun 2020 21:51:25 GMT PhoneBoy 2020-06-28T21:51:25Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/EndPoint-VPN-NAT-limitations/m-p/89983#M10220 <P>We are looking to possibly replace a Microsoft AlwaysOn deployment which supports roughly 750 users/devices with the CheckPoint EndPoint suite.</P><P>It appears that the CheckPoint EndPoint IPSEC VPN is what would be required to replicate the "always on VPN" capability.&nbsp; Specifically, we want the user's corporate issued laptops to automatically instantiate the tunnel back to corporate any time they are powered on and network connected, without user intervention or involvement.&nbsp; This enables smooth login with AD credentials and allows the laptop to be centrally managed by our corporate infrastructure.</P><P>Does anyone know what the CheckPoint central firewall will use as identifiers for the IPSEC tunnels back from the EndPoint clients?&nbsp; Normal IPSEC VPN metadata is identified and indexed by the IP address from which the connection originates.&nbsp; Thus one cannot, for instance, have multiple SMB appliances sharing the same routable NAT address.&nbsp; Are the EndPoint IPSEC VPNs also identified in the same way?&nbsp; I would hope not, because sharing NAT addresses has to be fairly common for remote devices, which is why we see the workarounds for it built into SSL VPN clients.</P><P>We've had lots of issues with AlwaysOn, which is also an IPSEC VPN, mostly with the client being unable to form a tunnel back to the VPN concentrator.&nbsp; I'm worried as we test the CheckPoint replacement, that we may see the same issues; perhaps the issues with AlwaysOn exist because we live in a small city with only a few ISPs, and thus a lot of our user base may be sharing routable NAT IPs under the carrier grade NAT scheme.</P><P>So, does anyone know: Will we see any issues with EndPoint IPSEC clients sharing routable IP addresses?</P> Sun, 28 Jun 2020 10:21:11 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/EndPoint-VPN-NAT-limitations/m-p/89983#M10220 Dale_Lobb 2020-06-28T10:21:11Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/EndPoint-VPN-NAT-limitations/m-p/89999#M10221 Unless you’re using SecuRemote, each client is assigned an Office Mode IP that is unique.<BR />Not sure what it looks like at the IPSec level but I’ve also never seen/heard of any issues related many users being behind the same NAT using our Remote Access VPN either. Sun, 28 Jun 2020 21:51:25 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/EndPoint-VPN-NAT-limitations/m-p/89999#M10221 PhoneBoy 2020-06-28T21:51:25Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/EndPoint-VPN-NAT-limitations/m-p/90054#M10222 <P>Having multiple VPN clients behind a single Hide NAT shouldn't be a problem.&nbsp; Individual IKE negotiations are identified by cookies, and individual IPSec tunnels are identified by unique SPI (Security Parameter Index) values.&nbsp; Because intervening NAT is present, NAT Traversal will be in use on UDP/4500.</P> <P>Of course should the VPN client use SSL/TLS for the VPN transport instead, port numbers will be in use and modified/tracked by the NAT device.</P> Mon, 29 Jun 2020 13:31:37 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/EndPoint-VPN-NAT-limitations/m-p/90054#M10222 Timothy_Hall 2020-06-29T13:31:37Z