Sanjay_S
Advisor
Checkpoint Remote Access to IPSec VPN

Hi Team,

We have a situation where Check Point Endpoint (Remote Access) VPN users need to connect to a peer behind an IPsec site-to-site VPN tunnel.

So Traffic is from Remote Access VPN User > Firewall > IPSec Tunnel > Peer Device.

But the problem here is that Remote Access VPN users get their route table updated only when we add the subnet to the encryption domain on our end under Network Management > VPN Domain. Only when we add the subnet or IP do the RA VPN users get their route table updated.

As the peer is already behind an IPsec tunnel, it is part of the peer end's encryption domain, which we can't add to our encryption domain. So I planned as below, but it did not work.

Used a dummy IP which is not in the routing table.

Remote Access VPN Subnet > 10.10.10.0/24

Dummy IP: 172.18.1.1

Peer End Enc Domain: 192.168.1.0/24

Peer End IP that need to be access from RA VPN: 192.168.1.32

Added Dummy IP 172.18.1.1 in our Encryption Domain.

So User route table is updated with 172.18.1.1 and it is reaching our Firewall as well.

I can see the traffic hitting the right NAT rule, as below.

Original packet:
    Src: RA VPN: 10.10.10.0/24
    Dst: 172.18.1.1
    Svc: Any

Translated packet:
    Src: Original
    Dst: 192.168.1.32
    Svc: Original

But the traffic doesn't seem to be working. As per the peer, they are not seeing any logs of traffic from our end reaching there.

Please suggest any better way to achieve this, or please let me know if I am doing anything wrong here.

Regards,

Sanjay S

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin

Modify the RemoteAccess Encryption Domain in the Gateway object:

[screenshot: PhoneBoy_0-1701100923503.png]

The object referred to here should be a group object that includes both your local IP addresses (i.e. your local encryption domain) and the remote IP addresses you wish to be accessible (i.e. the remote encryption domain).


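The accepted answer turns on two different encryption domains doing two different jobs: the Remote Access VPN domain decides which routes an Office Mode client is pushed, while the site-to-site domains decide which flows the gateway-to-peer tunnel will carry. The following is an added example, not Check Point's code and not anything from this thread; it models that distinction with the addresses quoted in the question (10.10.10.0/24 pool, 192.168.1.0/24 peer domain, target 192.168.1.32). The local LAN 10.0.0.0/16, the client address 10.10.10.5 and all object names are constructed for the model.

```python
# Added example (not Check Point's code): models which routes an Office Mode
# client receives from the gateway's Remote Access VPN domain, whether a
# site-to-site tunnel would then match the traffic, and why the peer's subnet
# cannot simply be added to the local site-to-site encryption domain.
from ipaddress import ip_address, ip_network

# Values quoted in the thread
RA_POOL = ip_network("10.10.10.0/24")         # Office Mode pool handed to RA clients
PEER_DOMAIN = [ip_network("192.168.1.0/24")]  # peer end's site-to-site encryption domain
TARGET = ip_address("192.168.1.32")           # host behind the peer the RA users need

# Constructed for this model (the thread does not give them): an internal LAN
# for the local encryption domain, and one RA client address from the pool.
LOCAL_LAN = ip_network("10.0.0.0/16")
LOCAL_DOMAIN = [LOCAL_LAN, RA_POOL]           # local site-to-site domain incl. the pool
CLIENT = ip_address("10.10.10.5")

# The accepted answer: the Remote Access VPN domain is a group holding both
# the local encryption domain and the remote subnets the clients must reach.
RA_DOMAIN_BEFORE = list(LOCAL_DOMAIN)
RA_DOMAIN_AFTER = LOCAL_DOMAIN + PEER_DOMAIN


def ra_client_routes(ra_vpn_domain):
    """Routes pushed to an RA client: one per member of the RA VPN domain, deduplicated."""
    return sorted(set(ra_vpn_domain))


def client_has_route(dst, ra_vpn_domain):
    """True if the client's pushed routes send dst into the RA tunnel at all."""
    return any(dst in net for net in ra_vpn_domain)


def s2s_tunnel_matches(src, dst, local_domain, peer_domain):
    """Site-to-site domain match: src in our domain and dst in the peer's domain."""
    return any(src in net for net in local_domain) and any(dst in net for net in peer_domain)


def domain_overlaps(local_domain, peer_domain):
    """Pairs of local/peer subnets that overlap; a subnet must not sit in both domains."""
    return [(l, p) for l in local_domain for p in peer_domain if l.overlaps(p)]


def evaluate(ra_vpn_domain, local_domain, peer_domain, client, dst):
    """Summarise the path for one client-to-destination flow."""
    return {
        "client_route": client_has_route(dst, ra_vpn_domain),
        "s2s_match": s2s_tunnel_matches(client, dst, local_domain, peer_domain),
        "domain_overlap": bool(domain_overlaps(local_domain, peer_domain)),
    }


def scenarios():
    """The three configurations discussed in the thread, evaluated for CLIENT -> TARGET."""
    return {
        # RA domain == local domain only: the tunnel would carry the flow, but the
        # client is never given a route to 192.168.1.0/24, so nothing is sent.
        "before": evaluate(RA_DOMAIN_BEFORE, LOCAL_DOMAIN, PEER_DOMAIN, CLIENT, TARGET),
        # Putting the peer subnet into the local site-to-site domain collides with
        # the peer's own domain (the constraint the question describes).
        "peer_in_local_s2s": evaluate(
            RA_DOMAIN_AFTER, LOCAL_DOMAIN + PEER_DOMAIN, PEER_DOMAIN, CLIENT, TARGET
        ),
        # Accepted answer: widen only the Remote Access VPN domain.
        "accepted": evaluate(RA_DOMAIN_AFTER, LOCAL_DOMAIN, PEER_DOMAIN, CLIENT, TARGET),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20s} {result}")
    print("routes pushed after fix:", [str(n) for n in ra_client_routes(RA_DOMAIN_AFTER)])
```

The "before" scenario is the instructive one: the site-to-site domains already match the flow, so the tunnel is not the problem; the client simply has no route for the peer subnet, which is exactly what the question reports. Widening the Remote Access VPN domain fixes the route without touching the site-to-site domain, so no overlap with the peer's domain is introduced.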
3 Replies
G_W_Albrecht
Legend

Are the Office Mode Pool addresses added to the Encryption domain?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Sanjay_S
Advisor

Yup, we are using pool IP addresses in the encryption domain.

0 Kudos