Checkpoint Remote Access to IPSec VPN
Hi Team,
We have a situation where Check Point Endpoint (Remote Access) VPN users need to connect to a peer behind the IPsec site-to-site VPN tunnel.
So traffic is from Remote Access VPN User > Firewall > IPsec Tunnel > Peer Device.
But the problem here is that Remote Access VPN users only get their route table updated when we add the subnet to the encryption domain at our end under Network Management > VPN Domain. Only when we add the subnet or IP do the RA VPN users get their route table updated.
As the peer is already behind an IPsec tunnel, it is part of the peer end encryption domain, which we can't add to our encryption domain. So I planned as below, but it did not work.
Used a dummy IP which is not in the routing Table.
Remote Access VPN Subnet > 10.10.10.0/24
Dummy IP: 172.18.1.1
Peer End Enc Domain: 192.168.1.0/24
Peer End IP that need to be access from RA VPN: 192.168.1.32
Added Dummy IP 172.18.1.1 in our Encryption Domain.
So User route table is updated with 172.18.1.1 and it is reaching our Firewall as well.
I can see the traffic hitting the right NAT rule as below.
Src: RA VPN: 10.10.10.0/24
Dst: 172.18.1.1
Svc: Any
Translated:
Src: Original
Dst: 192.168.1.32
Svc: Original
But the traffic doesn't seem to be working. As per the peer, they are not seeing any logs of our traffic reaching their end.
Please suggest a better way to achieve this, or let me know if I am doing anything wrong here.
Regards,
Sanjay S
Accepted Solutions
Modify the RemoteAccess Encryption Domain in the Gateway object:
The object referred to here should be a group object that includes both your local IP addresses (i.e. your local encryption domain) and the remote IP addresses you wish to be accessible (i.e. the remote encryption domain).
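As an added example (not from this thread and not Check Point code), the Python script below models the routing decision the accepted answer fixes: a Remote Access client installs routes only for the prefixes in the gateway's RemoteAccess encryption domain, and the gateway can only place a packet into the site-to-site tunnel when the destination lies inside the peer's encryption domain. The prefixes are the ones from the original post; LOCAL_DOMAIN is a constructed placeholder for the poster's own domain, and NAT is deliberately left out of the model. The check_ra_domain helper also covers the Office Mode pool question raised later in the thread.

```python
"""
Simplified model of RA split-tunnel routing and site-to-site domain matching.
Model assumptions (not verified Check Point internals):
  - RA clients route only the RA encryption domain prefixes into their tunnel.
  - The gateway sends a packet into the site-to-site tunnel only when the
    untranslated destination is inside the peer's encryption domain.
"""
from ipaddress import ip_address, ip_network, collapse_addresses

OFFICE_MODE_POOL = ip_network("10.10.10.0/24")   # RA VPN subnet from the post
PEER_DOMAIN = ip_network("192.168.1.0/24")        # peer end encryption domain
PEER_HOST = ip_address("192.168.1.32")            # host the RA users must reach
DUMMY_IP = ip_network("172.18.1.1/32")            # dummy IP tried in the post
LOCAL_DOMAIN = ip_network("10.20.0.0/16")         # constructed local domain


def client_routes(ra_domain):
    """Prefixes an RA client installs: one route per member of the RA encryption domain."""
    return list(collapse_addresses(ra_domain))


def path_for(ra_domain, dst, peer_domains=(PEER_DOMAIN,)):
    """Where traffic from an RA user to `dst` ends up in this model."""
    dst = ip_address(dst)
    if not any(dst in net for net in client_routes(ra_domain)):
        return "not tunnelled by client"   # no route installed: leaves via the user's local gateway
    if any(dst in net for net in peer_domains):
        return "site-to-site tunnel"       # gateway matches the peer's encryption domain
    return "gateway only"                  # reaches the gateway but matches no S2S domain


def check_ra_domain(ra_domain, office_mode_pool=OFFICE_MODE_POOL, peer_domains=(PEER_DOMAIN,)):
    """Return the problems found in a proposed RemoteAccess encryption domain group."""
    problems = []
    if not any(office_mode_pool.subnet_of(net) for net in ra_domain):
        problems.append("Office Mode pool not in encryption domain")
    for peer in peer_domains:
        if not any(peer.subnet_of(net) for net in ra_domain):
            problems.append(f"peer domain {peer} not in encryption domain")
    for peer in peer_domains:
        if office_mode_pool.overlaps(peer):
            problems.append(f"Office Mode pool overlaps peer domain {peer}")
    return problems


# Approach tried in the post: dummy IP added to the local encryption domain.
DUMMY_APPROACH = [LOCAL_DOMAIN, OFFICE_MODE_POOL, DUMMY_IP]
# Accepted solution: one group holding the local domain, the pool and the remote domain.
GROUP_APPROACH = [LOCAL_DOMAIN, OFFICE_MODE_POOL, PEER_DOMAIN]

if __name__ == "__main__":
    for name, domain in (("dummy IP", DUMMY_APPROACH), ("group", GROUP_APPROACH)):
        print(f"{name:8s} -> {PEER_HOST}: {path_for(domain, PEER_HOST)}; "
              f"172.18.1.1: {path_for(domain, '172.18.1.1')}; "
              f"problems: {check_ra_domain(domain) or 'none'}")
```

Running it shows the symptom from the post in the model: with the dummy-IP group the client never routes 192.168.1.32 into the tunnel at all, while 172.18.1.1 reaches the gateway but matches no site-to-site domain; with the combined group the real destination is routed by the client and matched against the peer's domain on the gateway.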
Are the Office Mode Pool addresses added to the Encryption domain?
Yup, we are using pool IP addresses in the ENC domain.