fatalXerror
Contributor

Remote-Access VPN Behavior

Hi Guys,

I am doing some lab work to test my remote-access VPN before doing it in the live environment. I just noticed that I am doing a local host lookup to map a URL to an IP address, and then when I configure the site using the URL that I created, it always shows the VIP address of my Check Point and not the IP address that I configured in my local host lookup file.

Is that the normal behavior of CP when it comes to ClusterXL? It seems to be smart enough to determine the VIP address by the Endpoint Connect client.

Thanks for your help guys.

Cheers.

0 Kudos
5 Replies
PhoneBoy
Admin

Expected behavior.

Upon initial connection (which will be based on DNS name or IP), the topology of the site is downloaded.

This will contain the endpoint(s) of the VPN, which will be the Cluster IP in your case.

0 Kudos
fatalXerror
Contributor

Hi Dameon Welch-Abernathy,

Thanks for the feedback, noted.

Another thing: I noticed that all interfaces of the gateway listen for VPN (IPSec RAVPN). I have 2 interfaces (external & internal), and my link selection is set to the external one. I then tried to connect to the internal one using the VPN client, and it works. Is that also normal? If it is, what is the use of Link Selection if all interfaces listen for VPN connections?

Thanks

0 Kudos
PhoneBoy
Admin

Link Selection is to tell the gateway what IP to originate VPN traffic from, which can sometimes be an IP not on any interface (e.g. when the gateway is behind NAT).

It does not impact what interface the VPN is available from.

0 Kudos
fatalXerror
Contributor

Hi Dameon Welch-Abernathy,

So for example, on my external interface I have 1.2.3.4 and on my DMZ interface I have 5.6.7.8. If I set the link selection to 1.2.3.4 and then try to connect the VPN to 5.6.7.8, even though I successfully connect, I cannot access any internal resources? Is that correct?

0 Kudos
PhoneBoy
Admin

With Remote Access VPN, the client knows about all IPs on the gateway as they are part of the topology the client downloads.

Theoretically, it would still work but I haven't tried it.

Link Selection is really more for Site-to-Site VPN.

0 Kudos
