topic Remote access VPN cannot access Azure Tunnel. But the local area can connect to Azure Tunnel in SASE and Remote Access

Remote access VPN cannot access Azure Tunnel. But the local area can connect to Azure Tunnel

Sparks — Thu, 08 Oct 2020 03:47:11 GMT

I'm using Checkpoint 5100

Firewall (IP 192.168.1.254) is connected to Azure via Route based with IP 10.x.x.x/16 with settings below;

I have 2 Sites using def. Lan IP 192.168.1.0/24 and 192.168.2.0. Both sites are inter-connected via IPVPN/MPLS connection.

I create a network group called "MyLocalNetwork" which includes the following network (192.168.1.0/24, 192.168.2.0/24)

2 Sites can now access the Azure app via gateway of 1.0 and 2.0 going to Firewall (IP 192.168.1.254). All users of 2 Sites can access the apps via 10.x.x.x/16 just like local connection.

I configure the RemoteAccess Community by adding Gateway device to Participating gateway.

I created users and groups that i will add to Participant Users Groups at the VPN RemoteAccess Community.

I'm using Office Mode and use the Manual IP Pool which is the CP_default_Office_Mode_Address_Pool (172.16.10.0/24).

I add the CP_default_Office_Mode_Address_Pool (172.16.10.0/24) to VPN Domain as part of the network.

I created a policy for the remote access.

set-up Check Point Endpoint security VPN Client to other laptop. add the site, and use username and password. connection successful

I can now access the company network while i' m outside. i can ping the 192.168.1.0/24 and 2.0/24 network.

The main issue, i can't access the application on the azure while im using vpn outside the office.

I tried to add the CP_default_Office_Mode_Address_Pool (172.16.10.0/24) and the AzureVPN IP(10.x.x.x/16) as part of MyLocalNetwork but the problems i encountered was the 2 sites are not able to access the Azure network 10.x.x.x/16 . The connection is disconnected.

i check the logs, Drop

172.16.10.1 was block to access 10.x.x.1 | encryption failure : Security warning: received a cleartext packet within an encrypted connection

VPN Feature: IKE

can anyone here will help me to resolved the issue.

appreciate your help.

Thank you.

Re: Remote access VPN cannot access Azure Tunnel. But the local area can connect to Azure Tunnel

PhoneBoy — Thu, 08 Oct 2020 04:28:12 GMT

Does your Remote Access encryption domain include the Azure subnet?
This is required to route the traffic through the S2S VPN.
Further, the Azure side must know about the Office Mode subnet.

Re: Remote access VPN cannot access Azure Tunnel. But the local area can connect to Azure Tunnel

Sparks — Thu, 08 Oct 2020 04:44:54 GMT

Yes. the 172.16.10.0/24 is already added to domain as well as to azure side. but still no traffic coming from 172.16.10.0/24 going to Azure 10.x.x.x/16.

Re: Remote access VPN cannot access Azure Tunnel. But the local area can connect to Azure Tunnel

Sparks — Thu, 08 Oct 2020 09:55:58 GMT

Once the subnet of Azure is added to the encryption domain, the connection between internal/local connection from 2 sites will be disconnected.

The VPN Client still no connection and there's no traffic seen coming from 172.16.10.0/24 going to Azure 10.x.x.x/24

Re: Remote access VPN cannot access Azure Tunnel. But the local area can connect to Azure Tunnel

Juan_Brion_Garc — Thu, 24 Jun 2021 17:01:09 GMT

Hi Sparks,

Have you find solution for that issue?

Regards

Re: Remote access VPN cannot access Azure Tunnel. But the local area can connect to Azure Tunnel

hnyandoro — Thu, 20 Feb 2025 08:37:56 GMT

Having the same challenge, have you been assisted on this one?