Re: Configuration for Remote access VPN

oliver_gao36 · ‎2021-01-08

Hi all checkmates,

i am looking for a good example configuration guide on how to configure remote access VPN, though i found this guide can help me "https://community.checkpoint.com/t5/Remote-Access-VPN/Quick-Primer-on-How-to-Configure-your-Gateway-...

but i have some other questions or conditions which may need to take consider, here is the scenario:

persume that i have 5 public ip addresses from ISP, from 111.222.333.101 to 111.222.333.105, ISP gateway is 111.222.333.100, and i have only one cable which is connecting with the ISP provided device, i want use 111.222.333.101 for the office internet IP while using 111.222.333.105 as the remote access VPN used IP, and i want to use 10.255.100.0/24 for VPN IP pool, internal networks are 10.255.101.0/24, 10.255.102.0/24, my site also have some other offices which can be routed with MPLS, but their network ip addresses are also within Class A. one demand is when external users dialed in with RA vpn, they need to visit not only the local resources, but also other sites' resources through my local MPLS, my question is: besides the link which can guide you to setup something, are there any other important things or setup steps which i have to consider??? appologize that i am a new CP guy, i may miss something or consideration is not so perfect, but your suggestions are very appreciated.

thank you all in advance!

PhoneBoy · ‎2021-01-08

Why do you want to terminate the VPN on a different IP?
Also do you really want to use SecuRemote, which has several significant limitations compared to Check Point Mobile or Endpoint Security VPN?

In any case your RemoteAccess encryption domain will need to include the IP addresses reachable via MPLS.

oliver_gao36 · ‎2021-01-08

Hi phoneboy,

due to some security reasons, we just don't want to use the Internet Ip for VPN access at the same time. actually i tested to merge internet ip and VPN ip into the same, the result was good, but if we move VPN ip to another, then we met an issue, that's why i opened another case in CheckMate. btw is there any solution which can let VPN ip perform as a dummy ip but VPN will actually go throuth the real internet IP

PhoneBoy · ‎2021-01-08

Did you change the link selection IP?

oliver_gao36 · ‎2021-01-11

yes, i did. i changed it to use NATed IP for ipsec vpn.

PhoneBoy · ‎2021-01-11

That's how you make the VPN use a different IP...using Link Selection with the specific IP address.

the_rock · ‎2021-01-08

Good point, dont use secure remote, its very limited compared to endpoint or sandblast. Phoneboy is correct, remote access domain would need to have those IPs. Also, would you happen to have simple diagram or drawing of what you are trying to reach, I think it would help.

Andy

oliver_gao36 · ‎2021-01-08

Hi ottawacanada150

here is a draft of the topology

oliver_gao36 · ‎2021-01-08

we can also consider to use endpoint security vpn, do u have any best practise?

we only need the VPN scope external PCs can access local resources and/or traverse MPLS to visit other sites' resources.

the_rock · ‎2021-01-08

Ok...so in that case, yoy need remote access domain to include those IPs for access and then rule so they can traverse to a different network. Though, in reality, just make sure the rule for client to site vpn has remote access community in the rule.

Are you a member of CheckMates?

Configuration for Remote access VPN