https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-Reply-Interface/m-p/28161#M13522 <HTML><HEAD></HEAD><BODY><P>Hello guys,</P><P></P><P>Just want to know if anyone had a problem with outgoing traffic reply for VPN Remote Access, i just found out that when you try to establish the VPN tunnel with Remote Access on checkpoint it tries to reply using the default route of the Gateway, even if you have two external interfaces it does not use the setting on IPSec link selection (Reply from the same interface) and because of this the VPN tunnel cannot be establish.</P><P></P><P>I tried to use PBR for this but it also didnt worked, and i tried to found out something related to this on support center but didnt found anything, i think this is by design.</P><P></P><P>Anyone have a clue how to solve this? I had changed the default route to the other ISP interface (The one used by VPN Remote) and it worked, but i cant let this configured becase the users use the other link for internet access.</P></BODY></HTML> Mon, 04 Jun 2018 14:53:52 GMT Hugo_Frauches 2018-06-04T14:53:52Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-Reply-Interface/m-p/28161#M13522 <HTML><HEAD></HEAD><BODY><P>Hello guys,</P><P></P><P>Just want to know if anyone had a problem with outgoing traffic reply for VPN Remote Access, i just found out that when you try to establish the VPN tunnel with Remote Access on checkpoint it tries to reply using the default route of the Gateway, even if you have two external interfaces it does not use the setting on IPSec link selection (Reply from the same interface) and because of this the VPN tunnel cannot be establish.</P><P></P><P>I tried to use PBR for this but it also didnt worked, and i tried to found out something related to this on support center but didnt found anything, i think this is by design.</P><P></P><P>Anyone have a clue how to solve this? I had changed the default route to the other ISP interface (The one used by VPN Remote) and it worked, but i cant let this configured becase the users use the other link for internet access.</P></BODY></HTML> Mon, 04 Jun 2018 14:53:52 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-Reply-Interface/m-p/28161#M13522 Hugo_Frauches 2018-06-04T14:53:52Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-Reply-Interface/m-p/28162#M13523 <HTML><HEAD></HEAD><BODY><P>This is by design according to this SK:&nbsp;<A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk76281" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk76281">Outgoing VPN Link Selection on a gateway with multiple external interfaces</A>&nbsp;</P><P>Maybe you can use VSX to work around this limitation?</P></BODY></HTML> Tue, 05 Jun 2018 04:51:08 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-Reply-Interface/m-p/28162#M13523 PhoneBoy 2018-06-05T04:51:08Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-Reply-Interface/m-p/28163#M13524 <HTML><HEAD></HEAD><BODY><P>Hello Dameon,</P><P></P><P>Thank you for the reply, unfortunately we do not have an VSX. The way i manage to overcome this by design setting was doing a NAT to the other external interface, now the outgoing traffic works and goes to the same interface!</P></BODY></HTML> Thu, 07 Jun 2018 13:37:17 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-Reply-Interface/m-p/28163#M13524 Hugo_Frauches 2018-06-07T13:37:17Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-Reply-Interface/m-p/28164#M13525 <HTML><HEAD></HEAD><BODY><P>Hello Hugo</P><P></P><P>Can you please provide to us more details concerning NAT configuration?</P><P><BR />BR,</P><P>Kostas</P></BODY></HTML> Mon, 09 Jul 2018 10:09:00 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-Reply-Interface/m-p/28164#M13525 Konstantinos_In 2018-07-09T10:09:00Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-Reply-Interface/m-p/28165#M13526 <HTML><HEAD></HEAD><BODY><P>Sure,</P><P></P><P>Since this limitation its by design in the Checkpoint Gateway, i had to create an external NAT on my ISP router from the other external interface mapping to the VIP interface on the cluster, doing that i could create the remote access VPN connection, since this time the Inbound/Outbound traffic was using the same external interface.<BR /><BR />This its not an workaround on the Checkpoint configuration, its only a workaround on our topology to bypass this limitation.</P></BODY></HTML> Mon, 09 Jul 2018 16:29:09 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-Reply-Interface/m-p/28165#M13526 Hugo_Frauches 2018-07-09T16:29:09Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-Reply-Interface/m-p/28166#M13527 <HTML><HEAD></HEAD><BODY><P>Hello Hugo </P><P></P><P>Now it is clear.</P><P></P><P>Thank you</P><P>Kostas</P></BODY></HTML> Wed, 11 Jul 2018 08:02:49 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-Reply-Interface/m-p/28166#M13527 Konstantinos_In 2018-07-11T08:02:49Z