I have a CPSB-VPN blade license on my AWS Check Point gateways. I am looking to enable Remote Access VPN for a few clients.
My query is: do I require an additional license for this? I read about SecuRemote, which requires only the CPSB-VPN blade, but the KB states that it has limited functionality. What are its limitations?
In terms of primary limitations, SecuRemote doesn't support Office Mode.
Depending on the license, many gateway SKUs allow 5 mobile access connections by default.
Office Mode affects only DNS and WINS? Does it still assign an IP address from a defined pool? My requirement is only to give RDP access to a jump box.
Also, is there a remote VPN configuration limitation for Check Point CloudGuard?
Yes, it impacts VPN IP assignment flexibility.
Some templates don't support VPN; specifically, with VMSS for Azure the SecuRemote flavor is not supported.
I am using AWS CloudGuard and I read somewhere that VPN wasn't supported on R80.40 CloudGuard but was introduced from R81 onwards... unfortunately I couldn't find that link.
I was trying to test SecuRemote, but when I try to enable the IPsec VPN blade, policy installation fails.
SecuRemote will not use the OM IP pool for IP assignment but needs the firewall to be configured to let the original client IP connect and access. So this is only an alternative if the RA client has a static IP.
For AWS, Remote Access isn't supported for auto-scale deployments. What scenario have you deployed?
It is a cross availability zone cluster on R81.20.
In such cases Site-to-Site and Remote Access VPN are supported only with the Primary Elastic IP (VIP). You cannot use additional Elastic IPs for VPN.
I suppose that will be fine in my case...
However, after enabling the IPsec VPN blade on the GW, policy installation is failing 😞
Screenshot of the precise error?
Blur sensitive details.
Did you click on the specific lines where it said failed?
It should show details why it failed.
If not, you should involve the TAC: https://help.checkpoint.com
If you expand the reason why it failed, as the guys indicated, it would tell us the reason. Please blur out any sensitive info, mate.
Andy
Unfortunately there is no reason defined and no expansion available there.
I find that odd, sorry... there has to be some kind of wording as to why it's failing. If you expand the down arrow where it fails, can you send a screenshot please?
Andy
OK, so I resolved the issue. The thing was, this was a geocluster with 0.0.0.0 as its cluster IP. However, the VPN blade requires a legit cluster IP to function; as soon as I replaced it, policy installation was successful.
Great job mate, tx for sharing!