https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-with-Two-Public-IP-Address-for-Two-Different/m-p/108507#M9261 <P>Hi Checkmates,</P><P>&nbsp;</P><P>We plane to configured Two Remote Access VPN&nbsp; community.</P><P>Like we already have a LAN Segment (LAN_A) with IPS 1 Public IP address with remote access VPN configuration and which is currently working.</P><P>Now we added one more Segment (LAN_B) which we want to configured Remote Access VPN with New introduce ISP 2 Public IP address.</P><P>So Like Both community should work&nbsp; such as LAN_A &gt;&gt; ISP1 &amp; LAN_B &gt;&gt; ISP2</P><P><STRONG>Is this Possible ?</STRONG></P><P><STRONG>Any alternative way to do that ?</STRONG></P><P>Currently we mention as Statically NATed IP:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vpn.PNG" style="width: 766px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/10293iF72828E650B4929E/image-size/large?v=v2&amp;px=999" role="button" title="vpn.PNG" alt="vpn.PNG" /></span></P><P>&nbsp;</P><P>Regards</P><P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/25509">@Chinmaya_Naik</a>&nbsp;&nbsp;</P> Fri, 22 Jan 2021 10:56:48 GMT Chinmaya_Naik 2021-01-22T10:56:48Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-with-Two-Public-IP-Address-for-Two-Different/m-p/108507#M9261 <P>Hi Checkmates,</P><P>&nbsp;</P><P>We plane to configured Two Remote Access VPN&nbsp; community.</P><P>Like we already have a LAN Segment (LAN_A) with IPS 1 Public IP address with remote access VPN configuration and which is currently working.</P><P>Now we added one more Segment (LAN_B) which we want to configured Remote Access VPN with New introduce ISP 2 Public IP address.</P><P>So Like Both community should work&nbsp; such as LAN_A &gt;&gt; ISP1 &amp; LAN_B &gt;&gt; ISP2</P><P><STRONG>Is this Possible ?</STRONG></P><P><STRONG>Any alternative way to do that ?</STRONG></P><P>Currently we mention as Statically NATed IP:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vpn.PNG" style="width: 766px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/10293iF72828E650B4929E/image-size/large?v=v2&amp;px=999" role="button" title="vpn.PNG" alt="vpn.PNG" /></span></P><P>&nbsp;</P><P>Regards</P><P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/25509">@Chinmaya_Naik</a>&nbsp;&nbsp;</P> Fri, 22 Jan 2021 10:56:48 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-with-Two-Public-IP-Address-for-Two-Different/m-p/108507#M9261 Chinmaya_Naik 2021-01-22T10:56:48Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-with-Two-Public-IP-Address-for-Two-Different/m-p/108517#M9262 <P>There is not a native way to do that as far as i know, but maybe someone else may know a feature i do not. To do that i would use one of these options:</P><OL><LI>If you have a load balancer in front of the CheckPoint firewall &gt;&gt;&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk131612&amp;partition=Advanced&amp;product=IPSec" target="_self"><SPAN>Remote access VPN link selection with DNS resolving</SPAN></A></LI><LI><SPAN>If there is not a load balancer, i would force users from LAN_A to resolve always ISP1 ip address using a FQDN1 vpn1.domain.com and LAN_B to resolve ISP2 ip address with FQDN vpn2.domain.com &gt;&gt;&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk103440&amp;partition=Advanced&amp;product=Endpoint" target="_self">How to force Remote Access VPN Client to resolve DNS name of VPN Site at every connection</A></SPAN></LI></OL><P><SPAN>Consider that no matter which ISP the users connect to, the reply packets will always go trough the default route. A workwaround for this was provided by Thiago_Mourao here:&nbsp;<A href="https://community.checkpoint.com/t5/Remote-Access-VPN/How-to-configure-VPN-Remote-Access-on-non-default-Internet-Link/m-p/81991" target="_self">How to configure VPN Remote Access on non-default Internet Link</A></SPAN></P><P>It is not very clear if LAN_A and LAN_B are office mode segments or lan networks behind the gateway, but if you need to use 2 differen IP segments for remote users, you will have to configure the first one on smatconsole and second one at ipassignment.conf file:&nbsp;&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk33422&amp;partition=Advanced&amp;product=SecureClient," target="_self"><SPAN>Office Mode IP and ipassignment.conf file</SPAN></A></P><P><SPAN>The configuration made on the screenshot you posted is applied also to site-to-site tunnels, so i would use link selection for remote access only, all available options are described here:&nbsp;&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk92383&amp;partition=Advanced&amp;product=IPSec" target="_self">Remote Access clients can connect to VPN Gateway only once</A></SPAN></P><P><SPAN>Also it is not supported to have a secon vpn community, or at least it was not the last time i asked.</SPAN></P> Fri, 22 Jan 2021 13:38:01 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-with-Two-Public-IP-Address-for-Two-Different/m-p/108517#M9262 RS_Daniel 2021-01-22T13:38:01Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-with-Two-Public-IP-Address-for-Two-Different/m-p/108581#M9263 <P>You can only have one Remote Access community per gateway.<BR />This might possibly be a good use case for VSX.</P> Sat, 23 Jan 2021 01:31:12 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-with-Two-Public-IP-Address-for-Two-Different/m-p/108581#M9263 PhoneBoy 2021-01-23T01:31:12Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-with-Two-Public-IP-Address-for-Two-Different/m-p/110254#M9264 <P>Hi <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/1920">@RS_Daniel</a>&nbsp;</P><P>Thank you very much for the details.</P><P>have you tested on your LAB environment ?</P><P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/25509">@Chinmaya_Naik</a>&nbsp;</P> Tue, 09 Feb 2021 06:21:14 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Remote-Access-VPN-with-Two-Public-IP-Address-for-Two-Different/m-p/110254#M9264 Chinmaya_Naik 2021-02-09T06:21:14Z