Contributor

End users can't access local network when VPN connected to us.


We have overlapping IP ranges between a supplier and us. Once they connect to us, they can no longer access their printers etc.

Client is running Endpoint Security E80.81. Firewalls are running R77.30.

Connection Details

User Name: RXXXX
IP: 69.159.XXX.XX
VPN Gateway: hfpXna_gateway_cluster
Client Type: Other
Connect Time: 1:50:59 PM 9/11/2018
SCV State: Unknown
Version:
Operating System:
Build Number:
Last SCV Fail Reason:
Internal IP: 192.168.245.160
Authentication Method: XAUTH
Encryption Algorithm: ESP3DES
Visitor Mode: False
Route traffic: False
UDP Encapsulation: NATT
Office Mode: True

Any ideas on how to work around this? Way back in the past we fixed this by making a batch file that the user could run to change their routes to point the conflicting 10 network to their local gateway.

Anybody know of a better way to handle this?


Accepted Solutions
Admin

Short of changing your own encryption domain to exclude the relevant IP addresses, you're pretty much limited to the batch script.

Years ago, I wrote my own script for this, documented in this thread: https://community.checkpoint.com/thread/5919-route-vpn-client-remote-access-to-lan 


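The batch-file workaround in the question and the accepted answer works because the host picks the longest matching prefix when forwarding: a route for the supplier's own LAN (or, where the pushed prefix is just as specific, /32 host routes for the printers) pointed at the local gateway beats the broader route the client installed for the encryption domain. The following is an added example, not code from this thread or from Check Point: it models the client's route table, computes the most specific local routes needed, renders them as Windows `route add` lines, and checks the result with a longest-prefix-match lookup. It assumes the client installs one route per encryption-domain prefix via a single tunnel hop (as PhoneBoy describes in the thread); all addresses are constructed sample data.

```python
"""Client-side route planner for the overlapping-LAN workaround.

Constructed example (not from the thread, not Check Point code). It models
the route table a Remote Access client ends up with and computes the
most specific routes that pull local-LAN traffic back to the local
gateway, which is what the batch file in the question does by hand.
Assumptions: the prefixes the client installs are the Remote Access
encryption domain and all of them point at one tunnel hop; every
address below is sample data.
"""
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import List, Optional, Tuple

Route = Tuple[IPv4Network, IPv4Address]


def client_route_table(vpn_prefixes: List[str], tunnel_hop: str) -> List[Route]:
    """Routes the VPN client installs: one per encryption-domain prefix."""
    hop = IPv4Address(tunnel_hop)
    return [(ip_network(p), hop) for p in vpn_prefixes]


def plan_local_routes(lan: str, local_gw: str, vpn_prefixes: List[str],
                      keep_local: List[str]) -> List[Route]:
    """Return (destination, next_hop) routes the user must add locally.

    The OS picks the longest matching prefix, so:
      * a pushed prefix broader than the LAN is beaten by one route for the
        whole LAN via the local gateway;
      * a pushed prefix equal to or narrower than the LAN is not, so fall
        back to /32 host routes for the local hosts that must stay reachable.
    """
    lan_net = ip_network(lan, strict=False)
    gw = IPv4Address(local_gw)
    if gw not in lan_net:
        raise ValueError(f"local gateway {gw} is not inside {lan_net}")
    routes = {}
    for p in vpn_prefixes:
        vpn_net = ip_network(p)
        if not vpn_net.overlaps(lan_net):
            continue                      # no conflict, leave it to the tunnel
        if vpn_net.prefixlen < lan_net.prefixlen:
            routes[lan_net] = gw          # whole LAN is more specific
        else:
            for host in keep_local:       # e.g. the printers
                h = IPv4Address(host)
                if h in lan_net and h in vpn_net:
                    routes[ip_network(f"{h}/32")] = gw
    return sorted(routes.items(), key=lambda r: (r[0].prefixlen, r[0]))


def lookup(dst: str, table: List[Route]) -> Optional[IPv4Address]:
    """Longest-prefix match over the table, as the host's forwarding does."""
    d = IPv4Address(dst)
    best: Optional[Route] = None
    for net, hop in table:
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def route_add_commands(routes: List[Route]) -> List[str]:
    """Render the plan as Windows `route add` lines (needs an elevated prompt)."""
    return [f"route add {d.network_address} mask {d.netmask} {gw} metric 1"
            for d, gw in routes]


if __name__ == "__main__":
    # Sample: supplier LAN 10.1.2.0/24 with printer 10.1.2.50, while the
    # customer's encryption domain covers 10.0.0.0/8 (constructed data).
    domain = ["10.0.0.0/8", "172.16.0.0/12"]
    vpn = client_route_table(domain, "192.168.245.1")
    plan = plan_local_routes("10.1.2.0/24", "10.1.2.1", domain, ["10.1.2.50"])
    for cmd in route_add_commands(plan):
        print(cmd)
    table = vpn + plan
    print("printer   ->", lookup("10.1.2.50", table))   # local gateway
    print("corp host ->", lookup("10.20.0.5", table))   # still via tunnel
```

Two things to keep in mind before handing such a script to an end user: any corporate host that happens to live inside the excluded range becomes unreachable from that client for as long as the route exists, and `route add` needs local administrator rights, so the user is running privileged code you wrote on their machine. Both are reasons the thread calls the encryption-domain change the proper fix and the script a per-user workaround.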
Contributor

I had this same problem, and I solved it with sk121766.
I hope it helps you.


8 Replies
Collaborator

Can you try to exclude the IP addresses of their printers from your Remote access VPN Domain object?  If you have a network subnet defined on your gateway properties, then you might want to switch to a group containing network subnets/ip address ranges instead


Participant

Hi @PhoneBoy, we have a very similar scenario like this with our VPN client these days.

For a few IPs on some users' systems there are multiple entries in their route tables. We don't want that traffic to go over the VPN, so that IP is not in the tunnel encryption domain, and still those IPs are showing up in the route table.

This is causing issues with websites getting a "took too long to load" error. I can manually delete those entries and the site loads up fine.

But the query is: what might be causing the issue here? The batch file script you shared can work if we have a few known IPs, but this issue is with multiple sites. Is there any reason it might happen?

I've attached a snip of the working and not-working scenarios, where the left section is the working system and the right one is the not-working scenario. Any help would be really helpful.

Admin
The routes that get propagated to a Remote Access client are a function of the IPs in a RemoteAccess Encryption Domain.
If they're not in the RemoteAccess Encryption Domain (either directly or indirectly), they won't get routes to those IPs.
I believe you can use "groups with exclusions" to exclude specific IPs.

The script I provided is for an end user to potentially work around this issue without changing the encryption domain for everyone.
The proper "fix" for this is to change the encryption domain accordingly.

In any case, if you feel you have configured this correctly and it's not working, please engage with the TAC.
Participant

Thanks for getting back on this query. I've checked the RemoteAccess encryption domain a few times and couldn't find those IPs in there. I have a TAC case already opened, so hopefully they should be able to find the cause of this.

I was just curious about these "groups with exclusions": do we create them in the encryption domain itself?

Admin
The IP could be covered as part of a network in your encryption domain.
A group with exclusions could be used as the Remote Access encryption domain to exclude those IPs.

Preferably, redesign your network in such a way that you only need public IPs for VPN purposes.

That is the only way to avoid overlaps.

Doing some creative NATting might be a workaround.
