LostBoY
Advisor

Client VPN license in Check Point

I have a CPSB-VPN blade license on my AWS Check Point Gateways. I am looking to enable Remote Access VPN for a few clients.

My query is: do I require an additional license for this? I read about SecuRemote, which requires only the CPSB-VPN blade, but the KB states that it has limited functionality. What are its limitations?

17 Replies
Chris_Atkinson
Employee

In terms of primary limitations, SecuRemote doesn't support Office Mode.

Depending on the license many gateway SKUs allow 5 mobile access connections by default.

CCSM R77/R80/ELITE
LostBoY
Advisor

Office Mode affects only DNS and WINS? Does it still assign an IP address from a defined pool? My requirement is only to give RDP access to a jump box.

Also, is there a remote VPN configuration limitation for Check Point CloudGuard?

Chris_Atkinson
Employee

Yes, it impacts VPN IP assignment flexibility.

Some templates don't support VPN, specifically with VMSS for Azure the SecuRemote flavor is not supported.

Source: https://sc1.checkpoint.com/documents/iaas/webadminguides/en/cp_vmss_for_azure/content/topics-azure-v...

CCSM R77/R80/ELITE
LostBoY
Advisor

I am using AWS CloudGuard and I read somewhere that VPN wasn't supported on R80.40 CloudGuard but was introduced from R81 onwards... unfortunately I couldn't find that link.

I was trying to test SecuRemote, but when I try to enable the IPsec VPN blade, policy installation fails.

G_W_Albrecht
Legend

SecuRemote will not use the OM IP pool for IP assignment but needs the firewall to be configured to let the original client IP connect and access. So this is only an alternative if the RA client has a static IP.

CCSE CCTE CCSM SMB Specialist
Chris_Atkinson
Employee

For AWS, Remote Access isn't supported for auto-scale deployments. What scenario have you deployed?

https://sc1.checkpoint.com/documents/iaas/webadminguides/en/cloudguard_network_for_aws_autoscaling_d...

CCSM R77/R80/ELITE
LostBoY
Advisor

It is a cross availability zone cluster on R81.20.

Chris_Atkinson
Employee

In such cases, Site-to-Site and Remote Access VPN are supported only with the Primary Elastic IP (VIP). You cannot use additional Elastic IPs for VPN.

CCSM R77/R80/ELITE
LostBoY
Advisor

I suppose that will be fine in my case...

However, after enabling the IPsec VPN blade on the GW, policy installation is failing 😞

PhoneBoy
Admin

Screenshot of the precise error?
Blur sensitive details.

LostBoY
Advisor

It just says operation ended with errors, no error message detail available.

PhoneBoy
Admin

Did you click on the specific lines where it said failed?
It should show details why it failed.
If not, you should involve the TAC: https://help.checkpoint.com 

the_rock
Legend

If you expand the reason why it failed, as the guys indicated, it would tell us the reason. Please blur out any sensitive info, mate.

Andy

LostBoY
Advisor

Unfortunately, there is no reason defined and no expansion available there.

the_rock
Legend

I find that odd, sorry... there has to be some kind of wording as to why it's failing. If you expand the down arrow where it fails, can you send a screenshot please?

Andy

LostBoY
Advisor

OK, so I resolved the issue. The thing was, this was a geocluster with 0.0.0.0 as its cluster IP. However, the VPN blade requires a legit cluster IP to function; as soon as I replaced it, policy installation was successful.

the_rock
Legend

Great job mate, tx for sharing!
