topic VPN client from inside network in SASE and Remote Access

VPN client from inside network

Nikolaos_Liakop — Wed, 20 Apr 2022 12:50:15 GMT

Hello,

My client's demand is to attempt to connect via endpoint vpn client from a WiFi network that is behind CP.

I have exempted Office Mode addresses from the external interface, however I am still not able to establish the connection..the vpn client gets stuck at 47%

What I get from the logs is the following:

16:57:49.995884 IP 192.168.244.20.10415 > X.X.X.X.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
16:57:50.258470 IP 192.168.244.20.10415 > X.X.X.X.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
16:57:50.522939 IP 192.168.244.20.10415 > X.X.X.X.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
16:57:50.831110 IP 192.168.244.20.10415 > X.X.X.X.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
16:57:51.050687 IP 192.168.244.20.10415 > X.X.X.X.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]

Any guidance regarding this one ?

Let me specify that the external interface of Checkpoint is in the RFC1918 range and that the IPSEC Link selection mechanism is statically NATted where the red one is what is depicted as X.X.X.X in tcpdump.

Regards

Re: VPN client from inside network

G_W_Albrecht — Wed, 20 Apr 2022 13:29:28 GMT

The shown GW cluster properties for IP selection is used with S2S VPN, not RA VPN. As the client already is located behind the RA VPN GW, why is there any need to connect to the internal network using VPN ? If needed very hard, you could enable the internal IF for RA VPN.

Re: VPN client from inside network

Nikolaos_Liakop — Wed, 20 Apr 2022 13:38:03 GMT

Because WiFi is giving only internet access and there is a need for some clients to get access to the internal network and this can be accomplished only through the vpn client.

How can I enable internal interface access ?

Also the IP Link selection mechanism depicted in the screenshot is used with endpoint vpn clients as well. I have attempted to change the link selection mechanism to that of the external interface of CP which is the LAN link of the load balancer and is a RFC1918 interface and checked that the vpn client took as an ip address the private one.

Re: VPN client from inside network

Nikolaos_Liakop — Tue, 26 Apr 2022 14:00:37 GMT

Any update on this ?

Re: VPN client from inside network

CheckPointerXL — Fri, 28 Jul 2023 14:52:39 GMT

hello dear,

did you solve the issue? are you able to connect to internal interface?

Re: VPN client from inside network

JasonUllyot — Mon, 31 Jul 2023 14:43:40 GMT

Couldn't you setup a separate CORP SSID that is on a separate VLAN that has routes to internal resources?

Re: VPN client from inside network

Mike_Schepers — Mon, 21 Aug 2023 19:01:44 GMT

We have exactly the same issue; guest wifi (internet only) users behind the same firewall that occasionally need to connect to corporate resources using a VPN to this same firewall. Wish I could tell you that we solve this problem. I would be interested if you find a solution.

Re: VPN client from inside network

Jere — Fri, 15 Mar 2024 06:25:55 GMT

Did someone solve this? I have a same kind of situation.