This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Di_Junior
Advisor
Advisor
‎2019-07-29 10:56 AM

Connecting to Check Point VPN using different Interfaces

Dear Mates

 

We have currently migrated our vpn to Check Point, and everything seems fine. For that, in the IPsec VPN in Global Properties, the link selection is set to "Statically NATed IP". 

Since we have some internal resources that requires vpn access, we do not wish to let users connect to the public IP in order to access internal resources. So, we wish to let internal users connect with the internal IP of the Check Point firewall.

 

Can this be accomplished? or we can only connect to the vpn using the statically NATed address?

When I try to connect to the vpn using an IP of the internal interface of the firewall, it connects, but after few minutes, if you check the VPN Properties on the endpoint, it goes back to the public IP.

 

Thanks in advance

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2019-07-29 06:53 PM

Link Selection determines what IP you can connect to.
If a specific IP is configured, that’s what you have to connect to.
0 Kudos
Di_Junior
Advisor
Advisor
‎2019-07-30 02:33 AM
In response to PhoneBoy

Hi PhoneBoy

After reading around, i found a documentation that states "Configuration settings for remote access clients can be configured together or separately from the Site-to-Site configuration. For more information, see Link Selection for Remote Access Clients."
(https://sc1.checkpoint.com/documents/R76/CP_R76_VPN_AdminGuide/13924.htm)

So does that mean I can have one public IP used for site-to-site VPN, and use an internal IP for Remote Access VPN? (sk32229)

Thanks in advance
0 Kudos
PhoneBoy
Admin
Admin
‎2019-07-30 08:43 AM
In response to Di_Junior

You are correct.
sk32229 has the steps for configuring these separately. https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
0 Kudos
Ricardo_Gros
Collaborator
‎2019-09-12 06:48 AM
In response to PhoneBoy

I have been fighting with a similar issue, already event open case in TAC

 

Customer had on 77.30 cluster 2 entry points configured for remote VPN

 

The External Interface (ip configured on Main IP) where users connect to normally and a secondary Internal interface connected to a Dedicated LAN (with other router as next hop)

 

On the secondary interface side the customer uses a 3rd party client that connects normally and all works fine on 77.30.

 

After upgrade to R80.20 the 3rd party client stopped working, as this is not supported we are trying out Checkpoint VPN client.

 

The Checkpoint VPN client does not work on either version, on R77.30 it connects 1 time and then defaults back to the Main IP.

 

Exactly the behavior described on this SK discussed here.

I followed the Admin Guide and configured under IP_RESOLUTION_MECHANISM  = topologyCalc - Calculate the IP address used for the VPN tunnel by network topology based on the location of the remote peer

 

This does not work same effect.

Did i understand correctly the admin guide ? this should enable the client to connect to the correct interface.


Is there a way to define a static connection ip for the SITE on the Client Trac.defaults?  


There has to be a way to connect over more then 1 interface. (Secure remote connects and all works until the customer disconnects, the client changes the SIte ip also and client needs to change it manually)

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events