This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kumar
Participant
‎2018-04-12 05:15 AM

How does Normal mode work in RA VPN?

Hi All,

If Office mode is enabled Security gateway will assign a IP from the pool to Client.

If we are not enabling Office mode, how the traffic will flow in our network?

0 Kudos
7 Replies
Vladimir
Champion
Champion
‎2018-04-12 06:00 AM

I suspect that in the absence of the Office Mode supplied IPs, you'll simply end-up with conventional tunnel containing one encryption domains on each side. So the client will be aware of the networks behind the gateway and the gateway, about client's network.

0 Kudos
Kumar
Participant
‎2018-04-12 06:08 AM
In response to Vladimir

If that might be the case, The IP address provided for the client (by ISP) may overlap with our organisation network.

0 Kudos
Vladimir
Champion
Champion
‎2018-04-12 06:58 AM
In response to Kumar

That’s the reason for Office Mode Smiley Happy

Vladimir Yakovlev

973.558.2738

vlad@eversecgroup.com

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-04-12 06:56 AM

Îf Office Mode is not used, the RA VPN client connects to the GW using its local IP. This IP has to be known by the GW and access has to be granted. SecuRemote, the licenseless CP RA VPN client always uses this kind of connection.

But this will not work if RA VPN clients get their IPs dynamically or their IP is changed from time to time / all 24 hours.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Vladimir
Champion
Champion
‎2018-04-12 07:52 AM
In response to G_W_Albrecht

"This IP has to be known by the GW and access has to be granted." I am not sure that this is an accurate statement.

The SecuRemote connects to the gateway identifying itself by the public IP of the router/gateway it is coming from.

I do not think that the GW should be in any way aware of either the public IP or the private IPs assigned to the SecuRemote clients.

I do believe that major limitation of SecuRemote is the lack of support for multiple clients (or concurrent connections) originating from behind the same public IP.

 

If I am wrong, please do correct my assumptions.

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-04-12 11:57 PM
In response to Vladimir

"I do not think that the GW should be in any way aware of either the public IP or the private IPs assigned to the SecuRemote clients." - afaik VPN does not work if the peer is not known.

Major limitation of SecuRemote is that Office Mode is not supported.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Vladimir
Champion
Champion
‎2018-04-13 05:07 AM
In response to G_W_Albrecht

"VPN does not work if the peer is not known" if this were true, no mobile IPSec remote access solution would work Smiley Happy

Yes, the Office Mode is not supported by SecuRemote, but this simply means that you loose the ability to control the IP addressing schema for remote clients and the possibility of conflicting encryption domains will be present.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events