topic Re: Remote Access Communities in SASE and Remote Access

Remote Access Communities

cezar_varlan1 — Wed, 19 Dec 2018 10:09:16 GMT

Hello,

I am trying to configure a more complicated VPN setup for Remote Access but it doesn't look like it works the way i was expecting. There is only one Remote Access Community. In the manual we have the line:

"You can also create a new Remote Access VPN Community with a different name." but there is no instruction on how to do so. If i add new community i have only Star or Mesh options and they look like they are a bit different than the built in Remote Access.

1. First of all can i have more than one Remote Access Community per Gateway? I can edit VPN Domain per Remote Access but i can't really get how you can create a second Remote Access Community.

2. I know that there is one Office Mode Pool by default per gateway. If i need to allocate two different ip subnets to users connecting to the gateway based on Group/Username can i do it in any other way than stated in sk33422 (Office Mode IP and ipassignment.conf file)? This one

3. For non-global split-tunnel we have this sk114882 where you can control tunneling mode based on group membership.

Does anyone have a similar setup where let's say?:

Internal VPN Users can access Full-Tunnel and all internal subnets

External VPN Users can access Split-Tunnel and some pre-defined internet destinations with VPN GW NAT

All of this on only one Security Gateway

Thank you,

Cezar

Re: Remote Access Communities

Jerry — Wed, 19 Dec 2018 10:15:09 GMT

what exactly you're trying to achieve here Cezar? Please explain so we'd have better understanding of your requirements.

Re: Remote Access Communities

cezar_varlan1 — Wed, 19 Dec 2018 10:56:34 GMT

I will quote myself:

Internal VPN Users can access Full-Tunnel and all internal subnets and some pre-defined internet destinations with VPN GW NAT.

External VPN Users can access Split-Tunnel and just some pre-defined internet destinations with VPN GW NAT (the specific locations do source filtering and only allow the Customer Companies Subnet to access hence GW has to NAT)

All of this on only one Security Gateway

Internal VPN are employees, External VPN are contractors but everyone will obviously be accessing from the internet.

Re: Remote Access Communities

PhoneBoy — Fri, 21 Jun 2019 09:07:34 GMT

I'm not sure you need multiple remote access communities if you set the policy up correctly.

That said, I seem to recall someone actually managed to create a second Remote Access community (though I'm not sure how):

https://community.checkpoint.com/thread/10089-multiple-remote-access-communities-gw-version

As far as I know, if you need different pools for different users, you need to edit ipassignment.conf.

Likewise, the other change you mentioned if you want different "split tunnel" settings.

Re: Remote Access Communities

Gabriele_Di_Gia — Wed, 05 Jun 2019 09:20:38 GMT

HI Nickel.

i'm using an R80.10 vsx GW, and an external MGMT, I try so create a new vpn RemoteAccess community, by clicking on the defoult RemoteAccess and then chosing "new".

So I create a new RemoteAccess.. but it don't works....

i can connect to my second vpn gw installed on a second phisical geographic site, only if I add my second vpn gw on the default RemoteAccess community, otherwise i cannot connect.

Re: Remote Access Communities

G_W_Albrecht — Wed, 05 Jun 2019 10:06:29 GMT

What about using Remote Access Roles in your Remote Access Control Policy ? You can use different rules to control access of User Groups, see Remote Access VPN Administration Guide R80.20 p. 28f for details !

Re: Remote Access Communities

PointOfChecking — Thu, 20 Apr 2023 09:42:03 GMT

"i can connect to my second vpn gw installed on a second phisical geographic site, only if I add my second vpn gw on the default RemoteAccess community, otherwise i cannot connect."

Hi, I know this was a while ago, but if I add the 2nd gateway to the default RemoteAccess community, then the users can connect, but cannot access any network facilities. How did you get around this issue?

Thanks.

Re: Remote Access Communities

Ruan_Kotze — Thu, 20 Apr 2023 13:40:27 GMT

I'd like to see your trac.log - It might be that you have overlapping encryption domains between the two gateways. Have a look at sk78180.

Re: Remote Access Communities

PointOfChecking — Tue, 25 Apr 2023 08:12:41 GMT

Where can I find the trac.log? find / -name trac.log returns nothing.

SK78180 directs me to disable MEP. Is that correct?