Administrateur_
Explorer

Route VPN client remote access to LAN

Hi,

We have some trouble with the remote access client VPN.
With Office Mode, the client behind the ISP is on the same subnet as the LAN. The VPN connection is OK, but the problem is when there is a device behind the ISP that has the same IP address as another device behind the firewall on the LAN. Can someone help us please? Thank you

Config:

Appliance 4800

R77.10

LAN >> 192.168.1.0/24

Office mode subnet >> 10.8.10.0/24

Remote client subnet behind ISP >> Same as LAN, 192.168.1.0/24

4 Replies
Danny
Champion

OfficeMode should solve your issue having the same IP/network on both sides.

First, please check your firewall log for any spoofing entries. If these are logged, try to exclude your OfficeMode network from the address spoofing configuration of your external interface.

Please check that the OfficeMode IP is correctly applied to your remote client. You can check this within the VPN client's connection settings while the VPN tunnel is established and also on the client's cmd via ipconfig.

Check if a Desktop Policy is in place that might prevent specific traffic.

Administrateur_
Explorer

Thank you Danny Jung,

I tried to exclude the OfficeMode network from the address spoofing configuration of our external interface. We still have the problem.

We don't have a Desktop Policy.
These are the VPN client connection settings:


Administrateur_
Explorer

We connect with Capsule VPN on Windows 10 and still cannot ping devices in the LAN behind the firewall because there is the same IP address behind the ISP. We tried to connect with Endpoint and it works. Why does this not work with Capsule? Can someone help us please?

PhoneBoy
Admin

You are always going to have a bad time if your local client is using an IP address that is also used by the remote VPN.

I had a similar problem years ago when the VPN was preventing me from using my local LAN. 

I ended up writing a batch file to solve the problem, which, with some modifications, may be useful.

Note that this also starts up SecuRemote in CLI mode, which may not work or be relevant anymore.

From https://phoneboy.com/1405/fun-with-check-point-secureclient-and-windows-batch-files:

@REM kill Echo
@echo off
setlocal EnableDelayedExpansion
@REM Path to the SecuRemote command-line client (scc)
set SCC="C:\Program Files\CheckPoint\SecuRemote\bin\scc"
%SCC% setmode cli
rem %SCC% disconnect
@REM %1 is the username passed as the first argument to the batch file
%SCC% up username %1
%SCC% connect "VPN Profile"
%SCC% status
%SCC% ep
@REM Trying to pull out VPN route and mess with routing table
@REM
@REM Did we find the netmask line?
set hitnetmask=0
@REM Let's pull out a route I know will be there.
@REM tokens=3 is the "Netmask" column of the header line and the
@REM gateway column of the route lines that follow it.

@for /f "tokens=3" %%i in ('route print 192.168.0.0') do (

    @REM After we found the netmask, the next thing we get is the route we want
    @REM and make sure we get out of dodge
    if !hitnetmask! EQU 1 (
        call :set_nexthop %%i
        GOTO :found_route
    )
    @REM The next line after the "netmask" line is the one we want.
    if "%%i" == "Netmask" (call :set_hitnetmask)

@REM end for
)

@REM If no route was found, execution falls through here and exits via GOTO :EOF
:set_hitnetmask
set hitnetmask=1
GOTO :EOF

:set_nexthop
set nexthop=%1
GOTO :EOF

:found_route
echo Nexthop is %nexthop%, deleting/setting the routes appropriately
echo on
route delete 192.168.0.0 mask 255.255.255.0 %nexthop%
route delete 192.168.0.2 %nexthop%
route delete 192.168.2.253 %nexthop%
@REM Host route for the one remote box that is still needed, via the local gateway
route add 192.168.2.253 192.168.0.254
@endlocal
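As an added example (not from the thread, Check Point or PhoneBoy's script), the following Python simulates the remote client's routing table with the subnets from the original post, showing why a local 192.168.1.0/24 shadows the office LAN behind the 4800 and what a more specific host route via the tunnel changes. Interface names, metrics and the tunnel gateway 10.8.10.1 are assumptions.

```python
# Added example (not from the thread or Check Point): longest-prefix-match
# simulation of the remote client's routing table. Interface names, metrics
# and the tunnel gateway 10.8.10.1 are assumptions; subnets come from the post.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    nexthop: str   # "on-link" or a gateway address
    iface: str     # assumed interface name
    metric: int


def lookup(table, dst):
    """Pick the most specific matching route; lowest metric breaks ties."""
    dst = ip_address(dst)
    matches = [r for r in table if dst in r.prefix]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix.prefixlen, r.metric))


def overlaps(client_lan, office_lan):
    """True when the client's local subnet collides with the office LAN."""
    return ip_network(client_lan).overlaps(ip_network(office_lan))


CLIENT_LAN = "192.168.1.0/24"   # remote site behind the ISP (from the post)
OFFICE_LAN = "192.168.1.0/24"   # LAN behind the 4800 (from the post)
OFFICE_MODE = "10.8.10.0/24"    # Office Mode pool (from the post)
TUNNEL_GW = "10.8.10.1"         # assumed next hop on the VPN adapter

# Constructed client routing table: the physical NIC sits in the remote LAN
# and the VPN adapter carries the Office Mode address. Both claim the /24.
TABLE = [
    Route(ip_network(CLIENT_LAN), "on-link", "Wi-Fi", 25),
    Route(ip_network(OFFICE_LAN), TUNNEL_GW, "VPN", 35),
    Route(ip_network(OFFICE_MODE), "on-link", "VPN", 35),
]


def path_to(dst, table=TABLE):
    """Return (interface, next hop) a packet to dst would take, or None."""
    r = lookup(table, dst)
    return (r.iface, r.nexthop) if r else None


def with_host_route(host, table=TABLE):
    """Add a /32 for one office host via the tunnel, like 'route add <host> <gw>'."""
    return table + [Route(ip_network(f"{host}/32"), TUNNEL_GW, "VPN", 1)]
```

With equal prefix lengths the lower-metric physical interface wins, so office hosts in 192.168.1.0/24 are never sent into the tunnel; a /32 host route forces one office host through the tunnel but makes the local device with the same address unreachable, which is the trade-off described above.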
