https://community.checkpoint.com/t5/SASE-and-Remote-Access/Different-Routes-for-Remote-VPN-clients/m-p/261154#M1535 <P>Yes, you will need to add the relevant subnets to the RemoteAccess Encryption Domain.<BR />Whether the client has access to these subnets is a function of the defined Access Policy, but all clients will receive the routes.</P> Tue, 28 Oct 2025 14:20:51 GMT PhoneBoy 2025-10-28T14:20:51Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Different-Routes-for-Remote-VPN-clients/m-p/261143#M1534 <P><SPAN>Hi everyone,</SPAN></P><P><SPAN>We have task to propagate different routes for Remote VPN clients. Is it possible?</SPAN></P><P>Environment:</P><P><SPAN>Checkpoint FW - R81.10 Jumbo Hotfix Take 181</SPAN></P><P><SPAN>Remote access VPN clients Checkpoint Mobile VPN E88.10 with LDAP Authentication.</SPAN></P><P><SPAN>Remote clients receive from Checkpoint GW&nbsp; Office mode manually defined ip addresses.</SPAN></P><P><SPAN>Scenario:</SPAN></P><P><SPAN>Only specific Remote VPN client should be able to reach not only local subnets but also some specific subnets which located behind s-2-s VPN tunnel in different location.</SPAN></P><P><SPAN>Traffic flow diagram for specific Remote VPN clients.</SPAN></P><P><SPAN>Remote Client &lt;-&gt; Checkpoint GW (local int) &lt;-&gt; (local int) VPN GW &lt;-&gt; VPN GW &lt;-&gt; dst subnets.</SPAN></P><P>&nbsp;</P> Tue, 28 Oct 2025 12:35:16 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Different-Routes-for-Remote-VPN-clients/m-p/261143#M1534 Glenmark_Impex 2025-10-28T12:35:16Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Different-Routes-for-Remote-VPN-clients/m-p/261154#M1535 <P>Yes, you will need to add the relevant subnets to the RemoteAccess Encryption Domain.<BR />Whether the client has access to these subnets is a function of the defined Access Policy, but all clients will receive the routes.</P> Tue, 28 Oct 2025 14:20:51 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Different-Routes-for-Remote-VPN-clients/m-p/261154#M1535 PhoneBoy 2025-10-28T14:20:51Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Different-Routes-for-Remote-VPN-clients/m-p/261162#M1536 <P>Dear PhoneBoy.</P><P>Thank you for reply but we need add subnets ONLY for specific Remote VPN clients (AD accounts).&nbsp;</P><P>May be it will be possible via some "routing tables" config file on client side or something similar with TRAC file on FW side?</P> Tue, 28 Oct 2025 15:06:17 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Different-Routes-for-Remote-VPN-clients/m-p/261162#M1536 Glenmark_Impex 2025-10-28T15:06:17Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Different-Routes-for-Remote-VPN-clients/m-p/261279#M1537 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/17366">@Glenmark_Impex</a>&nbsp;</P> <P>I'm not 100% sure this will be a solution, but I would like to share with you.&nbsp;</P> <P>As I see you are using a VPN pool for the RA cliens IP-s.</P> <P>First, consider to use ipassingment.conf (<SPAN>&nbsp;</SPAN><CODE>$FWDIR/conf/ipassignment.conf)</CODE>, define a smaller network from the VPN pool for a specific AD group.</P> <P><A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/Content/Topics-VPNRG/Office-Mode.htm" target="_blank">https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/Content/Topics-VPNRG/Office-Mode.htm</A></P> <P>This allows you to handle the client separetly in the rulebase. "A" group reaches the internet, and the "B" not.</P> <P>I hope it helps,</P> <P>Akos</P> Wed, 29 Oct 2025 11:45:50 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Different-Routes-for-Remote-VPN-clients/m-p/261279#M1537 AkosBakos 2025-10-29T11:45:50Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Different-Routes-for-Remote-VPN-clients/m-p/261297#M1538 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/17366">@Glenmark_Impex</a>&nbsp;is explicitly asking about the routes received on the client.<BR />Unfortunately, this is not customizable on a per-user/group basis.</P> Wed, 29 Oct 2025 14:42:17 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Different-Routes-for-Remote-VPN-clients/m-p/261297#M1538 PhoneBoy 2025-10-29T14:42:17Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Different-Routes-for-Remote-VPN-clients/m-p/261365#M1539 <P>Hi AkosBakos</P><P>Sorry but no, only specific clients "should know" about destination subnets.... Also we are considering the possibility&nbsp;to use MEP or just run another one Checkpoint with Remote VPN blade&nbsp;&nbsp;</P> Thu, 30 Oct 2025 07:44:32 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Different-Routes-for-Remote-VPN-clients/m-p/261365#M1539 Glenmark_Impex 2025-10-30T07:44:32Z