This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Nick_Burris
Participant
‎2017-11-27 02:54 PM

Creating subnet for VPN client traffic in Cluster deployment?

Trying to setup a subnet for Endpoint Client VPN connections.  My question is, where do I define the gateway interface for the network I'm creating? I'm assuming that the endpoint client vpn network would live entirely on the Check Point gateways.  Where would I create the virtual interface for this subnet?  See diagram attached.  I am using Office Mode Method Manual (using IP Pool).

Network:   192.168.7.0/24

Gateway:  192.168.7.1

VPN Client IP Pool

IP:            192.168.7.50-100

Mask:       255.255.255.0

Gateway: 192.168.7.1

Thanks for the look!

Preview file
132 KB
0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2017-11-27 10:54 PM

You don't really create it on the network anywhere, it's a "virtual" subnet.

That said, the rest of your network will need to know to route traffic for that segment to the gateway.

This can either be via the default route or a specific route for that subnet. 

0 Kudos
Nick_Burris
Participant
‎2017-11-28 11:09 AM

I guess I'm still confused.  Since the subnet is virtual, where do I create the virtual interface for that subnet...192.168.7.1?  If I try to add an interface on the gateway, it is looking for a physical connection.  

0 Kudos
Timothy_Hall
Champion
Champion
‎2017-11-28 04:05 PM
In response to Nick_Burris

Hi Nick,

You must be thinking of how Palo Alto and some other vendors set up a VPN, by creating a "tunnel" interface and putting an IP address on it to represent the firewall.  Check Point is capable of this same route-based VPN setup using VPN Tunnel Interfaces (VTIs) for site-to-site VPNs. 

For remote access VPN on Check Point there is no tunnel interface or virtual adapter.  When you set the subnet for assignment to VPN clients via Office Mode in the SmartConsole/SmartDashboard, the firewall will automatically take the lowest numbered address (usually .1) and propagate that as the gateway to the VPN client.  Just make sure that the subnet handed out by Office Mode to the clients does not exist anywhere in your inside network, and will be routed back to the firewall/Internet and you should be good.

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
Nick_Burris
Participant
‎2017-11-30 12:21 PM
In response to Timothy_Hall

Hi Tim,

Thank you for the clarification.  You are correct!  As a new customer, I'm unfamiliar with the way Check Point goes about configuring remote access VPN.  It has been tricky trying to find documentation on this, so I appreciate the input.  The Office mode subnet exists entirely on the Check Point side.  That subnet is not defined on my internal network.  Thanks again.

0 Kudos
Heath_Mote
Collaborator
‎2017-12-03 08:58 PM
In response to Nick_Burris

We were in the same boat. Moving from a life with Cisco to Check Point was really hard and we are still struggling with the remote VPN. We had a very complex remote access that was very granular for access and the move has taken time to work through.

I'd like to see a document that shows migrations from other vendor setups to Check Point as far as remote access VPN goes. I think these details could be used in the technical side as well as the sales side.

0 Kudos
Norbert_Bohusch
Advisor
‎2017-12-05 01:21 AM

The so called "office mode network" has to be defined in all gateways which are part of the cluster.

If you have an active/standby cluster, it is best practice to use same subnet for both.

All addresses of this subnet are assigned to the users connecting. None is really used as gateway address, but on the clients it will take one near the actual address as gateway.

So a client getting 192.168.7.1 in your environment will have gateway set to .2. But client getting 192.168.7.2 will have gateway set to .1, but don't mind this! It works anyway 😉

0 Kudos
Labels