topic Route VPN client remote access to LAN in SASE and Remote Access

Route VPN client remote access to LAN

Administrateur_ — Mon, 16 Oct 2017 07:52:13 GMT

Hi,

We have some troubles with remote access client VPN.
With office mode, client behind ISP is on the same subnet that LAN. VPN connexion is OK but the problem is when there are device behind ISP who has the same IP address than another device behind the firewall on the LAN. can someone help us please. Thank you

Config:

Appliance 4800

R77.10

LAN >> 192.168.1.0/24

Office mode subnet >> 10.8.10.0/24

Remote client subnet behind ISP >> Same that LAN 192.168.1.0/24

Re: Route VPN client remote access to LAN

Danny — Mon, 16 Oct 2017 09:23:09 GMT

OfficeMode should solve your issue having the same IP/network on both sides.

First, please check your firewall log for any spoofing entries. If these are logged, try to exclude your OfficeMode network from the address spoofing configuration of your external interface.

Please check that the OfficeMode IP is correctly applied to your remote client. You can check this within the VPN client's connection settings while the VPN tunnel is establied and also on the client's cmd via ipconfig.

Check if a Desktop Policy is in place that might prevent specific traffic.

Re: Route VPN client remote access to LAN

Administrateur_ — Mon, 16 Oct 2017 09:57:39 GMT

Thank you Danny Jung,

I try to exclude OfficeMode network from the address spoofing configuration of our external interface. still have the problem.

We dont have Desktop Policy.
This is VPN client connection settings:

Re: Route VPN client remote access to LAN

Administrateur_ — Mon, 16 Oct 2017 22:17:58 GMT

We connect with VPN capsule on Windows 10 and still cannot ping device in the LAN behind the firewall because there is same IP address behind ISP. We try to connect with endpoint and it works. Why this does not work witch capsule ??. can someone help us please?

Re: Route VPN client remote access to LAN

PhoneBoy — Tue, 17 Oct 2017 01:09:35 GMT

You are always going to have a bad time if your local client is using an IP address that is also used by the remote VPN.

I had a similar problem years ago when the VPN was preventing me from using my local LAN.

I ended up writing a batch file to solve the problem, which, with some modifications, may be useful.

Note that this also starts up SecuRemote in CLI mode, which may not work or be relevant anymore.

From https://phoneboy.com/1405/fun-with-check-point-secureclient-and-windows-batch-files:

@REM kill Echo @echo off setlocal EnableDelayedExpansion
set SCC="C:Program Files\\CheckPoint\\SecuRemote\\bin\\scc"
%SCC% setmode cli
rem %SCC% disconnect
%SCC% up username %1%
%SCC% connect "VPN Profile"
%SCC% status
%SCC% ep
@REM Trying to pull out VPN route and mess with routing table
@REM
@REM Did we find the netmask line?
set hitnetmask=0
@REM Let's pull out a route I know will be there:

@for /f "tokens=3" %%i in ('route print 192.168.0.0') do (

@REM After we found the netmask, the next thing we get is the route we want
@REM and make sure we get out of dodge
if !hitnetmask! EQU 1 (
call :set_nexthop %%i
GOTO :found_route
)
@REM The next line after the "netmask" line is the one we want.
if "%%i" == "Netmask" (call :set_hitnetmask)

@REM end for
)

:set_hitnetmask
set hitnetmask=1
GOTO :EOF

:set_nexthop
set nexthop=%1
GOTO :EOF

:found_route
echo Nexthop is %nexthop%, deleting/setting the routes appropriately
echo on
route delete 192.168.0.0 mask 255.255.255.0 %nexthop%
route delete 192.168.0.2 %nexthop%
route delete 192.168.2.253 %nexthop%
route add 192.168.2.253 192.168.0.254
@endlocal