Silver

Connecting to Check Point VPN using different Interfaces

Dear Mates
We have recently migrated our VPN to Check Point, and everything seems fine. For that, in IPsec VPN under Global Properties, the link selection is set to "Statically NATed IP".

Since we have some internal resources that require VPN access, we do not wish to let users connect to the public IP in order to access internal resources. So, we wish to let internal users connect to the internal IP of the Check Point firewall.
Can this be accomplished, or can we only connect to the VPN using the statically NATed address?

When I try to connect to the VPN using an IP of the internal interface of the firewall, it connects, but after a few minutes, if you check the VPN Properties on the endpoint, it goes back to the public IP.
Thanks in advance

4 Replies

Admin

Re: Connecting to Check Point VPN using different Interfaces

Link Selection determines what IP you can connect to.
If a specific IP is configured, that's what you have to connect to.
Silver

Re: Connecting to Check Point VPN using different Interfaces

Hi PhoneBoy

After reading around, I found documentation that states: "Configuration settings for remote access clients can be configured together or separately from the Site-to-Site configuration. For more information, see Link Selection for Remote Access Clients."
(https://sc1.checkpoint.com/documents/R76/CP_R76_VPN_AdminGuide/13924.htm)

So does that mean I can have one public IP used for site-to-site VPN, and use an internal IP for Remote Access VPN? (sk32229)

Thanks in advance
Admin

Re: Connecting to Check Point VPN using different Interfaces

You are correct.
sk32229 has the steps for configuring these separately. https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Re: Connecting to Check Point VPN using different Interfaces

I have been fighting with a similar issue and have already opened a case with TAC.
The customer had two entry points configured for remote VPN on a 77.30 cluster:
The external interface (IP configured as the Main IP), where users normally connect, and a secondary internal interface connected to a dedicated LAN (with another router as next hop).
On the secondary interface side the customer uses a 3rd-party client that connects normally, and all works fine on 77.30.
After the upgrade to R80.20 the 3rd-party client stopped working; as this is not supported, we are trying out the Check Point VPN client.
The Check Point VPN client does not work on either version; on R77.30 it connects once and then defaults back to the Main IP.
Exactly the behavior described in the SK discussed here.

I followed the Admin Guide and configured IP_RESOLUTION_MECHANISM = topologyCalc (Calculate the IP address used for the VPN tunnel by network topology, based on the location of the remote peer).
This does not work; same effect.

Did I understand the admin guide correctly? This should enable the client to connect to the correct interface.

Is there a way to define a static connection IP for the site in the client's Trac.defaults?


There has to be a way to connect over more than one interface. (SecuRemote connects and all works until the customer disconnects; the client then changes the site IP as well, and the client needs to change it manually.)

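The whole thread turns on one question: given the peer's address, which of the gateway's addresses does link selection hand the client? As an added illustration (not part of this thread and not Check Point's code), the Python below models the three behaviours the posts mention: a fixed statically NATed IP, the Main IP, and a topology calculation that picks the interface whose topology contains the peer. The interface names, addresses, networks and the `staticNAT`/`mainIP` labels are constructed for the example; only `topologyCalc` is a name taken from the post above. The point it makes is the one the Admin raised: with the static-NAT mechanism the answer is the public IP regardless of where the client sits, which is exactly the "goes back to the public IP" effect described by both posters.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of a gateway's topology; not Check Point's data model.
@dataclass
class Interface:
    name: str
    address: str                                  # gateway IP on this interface
    networks: List[str] = field(default_factory=list)  # directly attached plus routed networks behind it
    external: bool = False


@dataclass
class Gateway:
    interfaces: List[Interface]
    static_nat_ip: Optional[str] = None           # public address the gateway is NATed to, if any

    def main_ip(self) -> str:
        """Main IP: the external interface's own address (convention assumed for this model)."""
        for iface in self.interfaces:
            if iface.external:
                return iface.address
        return self.interfaces[0].address

    def topology_calc(self, peer: str) -> str:
        """Pick the interface whose known topology contains the peer (longest prefix wins).

        A peer matching no known network is treated as coming from the Internet and
        gets the statically NATed address if one exists, otherwise the Main IP.
        """
        peer_addr = ipaddress.ip_address(peer)
        best = None  # (network, interface) of the most specific match so far
        for iface in self.interfaces:
            for net in iface.networks:
                network = ipaddress.ip_network(net)
                if peer_addr in network and (best is None or network.prefixlen > best[0].prefixlen):
                    best = (network, iface)
        if best is not None:
            return best[1].address
        return self.static_nat_ip or self.main_ip()


def select_link(gw: Gateway, peer: str, mechanism: str) -> str:
    """Return the gateway address a client at `peer` is told to use under `mechanism`."""
    if mechanism == "staticNAT":            # constructed label for "Statically NATed IP"
        if gw.static_nat_ip is None:
            raise ValueError("staticNAT selected but no statically NATed IP is defined")
        return gw.static_nat_ip
    if mechanism == "mainIP":               # constructed label for "Main IP"
        return gw.main_ip()
    if mechanism == "topologyCalc":         # name as used in the post
        return gw.topology_calc(peer)
    raise ValueError(f"unknown mechanism {mechanism!r}")


# Constructed sample gateway: one external interface behind a static NAT,
# one internal interface with a routed LAN behind a next-hop router.
GW = Gateway(
    interfaces=[
        Interface("eth0", "198.51.100.2", ["198.51.100.0/24"], external=True),
        Interface("eth1", "10.10.0.1", ["10.10.0.0/24", "10.20.0.0/16"]),
    ],
    static_nat_ip="203.0.113.10",
)


def demo(peer: str) -> dict:
    """Show what each mechanism hands the same client; returns a mechanism -> address map."""
    return {m: select_link(GW, peer, m) for m in ("staticNAT", "mainIP", "topologyCalc")}


if __name__ == "__main__":
    for peer in ("10.20.5.7", "198.51.100.40", "203.0.113.77"):
        print(peer, demo(peer))
```

Run it and compare the row for the internal client (`10.20.5.7`): only `topologyCalc` returns the internal interface address, while `staticNAT` returns the public address for every peer, which is why a client that was pointed at the internal IP by hand drifts back once the gateway's link selection updates the site.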