topic Re: Remote access users access resources behind site to site tunnel in SASE and Remote Access

Remote access users access resources behind site to site tunnel

nooni — Thu, 26 Oct 2023 18:22:15 GMT

Hi,

I am trying to solve an issue where i need remote access users to be able to connect to resources behind a site to site tunnel.

Remote users connect to on premises Check Point cluster (R81.20 Take26) using Check Point Mobile client and can access resources in on premises datacenter.

But they also need to access resources that is located on the other end of an site to site tunnel.

I saw the Remote Access community, but i cannot add this interopable device there. I suspect it must be an Check Point host for that.

What can be done to enable routing between these two vpn domains ?

Re: Remote access users access resources behind site to site tunnel

PhoneBoy — Thu, 26 Oct 2023 20:55:23 GMT

You don't add the Interoperable Device, but you add the networks behind that device to the Remote Access Community.

Re: Remote access users access resources behind site to site tunnel

nooni — Fri, 27 Oct 2023 07:00:23 GMT

Hi,

The RemoteAccess community only has two options:

Add participating gateway and Participating User Groups

So i do not know where i should add these networks ?

Re: Remote access users access resources behind site to site tunnel

PhoneBoy — Fri, 27 Oct 2023 16:44:18 GMT

These are gateways that directly terminate Remote Access connections.
What you need to modify is the Remote Access Encryption Domain, which is modified in the Gateway object:

The object referred to here should be a group object that includes both your local IP addresses (i.e. your local encryption domain) and the remote IP addresses you wish to be accessible (i.e. the remote encryption domain).

Re: Remote access users access resources behind site to site tunnel

nooni — Mon, 30 Oct 2023 08:14:31 GMT

Thank you Phoneboy 🙏 appreciate your help 🙂

Re: Remote access users access resources behind site to site tunnel

patones1 — Sat, 11 May 2024 17:55:30 GMT

Hello,

I tested in my lab by creating a group with the the local and remote subnets of the VPN tunnel; and adding the group to the VPN domain of the "RemoteAccess "community. It was OK but it wasn't enough.

In order to make it work, I had to add the Office Mode subnet (CP_default_Office ...) to the local VPN domain because I was getting the following log :

'Encryption Failure: according to the policy the packet should not have been decrypted'

So I created a group with the local subnet and the Office Mode subnet :

Then, I had to authorize the Office Mode subnet, on the remote gateway because the packets finished in the cleanup rule of the remote gateway.

This way from the remote client (on remote access), I was able to access to a PC on the remote site through the VPN tunnel

I hope this will help

Re: Remote access users access resources behind site to site tunnel

SenpaiNoticed_U — Mon, 13 May 2024 13:05:19 GMT

SK 36510

Remote-Access to S2S Vpn

Define both the Checkpoint side domain and the Peer Gateway Domains with Group objects

2.On the Checkpoint side gateway, Put the Office mode IP range into the Gateway's Encryption domain. (NOTE: If the office mode IP range is going to be sent over the tunnel, make sure the Peer expects to see this network range(policy rule, etc). If using a Hide nat, add both Office mode and NAT IPs to the Checkpoint side gateway's domain)

Create a New Group Object with BOTH the checkpoint and the Peer's Encryption Domain into the New Group.
Manually define the Remote Access with the New Group
Global Properties >> Remote Access Main page >>> check the box for "Enable Back connections (from Gateway to client)"

6.Install policy

===============

Double check,
>the S2S VPN community page: Un-check box for Disable NAT inside the community (Only if NAT is needed)
>May need to add a NO-NAT rule for the two way traffic, Office Mode IP to Peer's network and Peer's network to Office Mode.
**unless OM is hide NATing**