Trying to set up a subnet for Endpoint Client VPN connections. My question is, where do I define the gateway interface for the network I'm creating? I'm assuming that the endpoint client VPN network would live entirely on the Check Point gateways. Where would I create the virtual interface for this subnet? See diagram attached. I am using Office Mode Method Manual (using IP Pool).
Network: 192.168.7.0/24
Gateway: 192.168.7.1
VPN Client IP Pool
IP: 192.168.7.50-100
Mask: 255.255.255.0
Gateway: 192.168.7.1
Thanks for the look!
You don't really create it on the network anywhere, it's a "virtual" subnet.
That said, the rest of your network will need to know to route traffic for that segment to the gateway.
This can either be via the default route or a specific route for that subnet.
I guess I'm still confused. Since the subnet is virtual, where do I create the virtual interface for that subnet...192.168.7.1? If I try to add an interface on the gateway, it is looking for a physical connection.
Hi Nick,
You must be thinking of how Palo Alto and some other vendors set up a VPN, by creating a "tunnel" interface and putting an IP address on it to represent the firewall. Check Point is capable of this same route-based VPN setup using VPN Tunnel Interfaces (VTIs) for site-to-site VPNs.
For remote access VPN on Check Point there is no tunnel interface or virtual adapter. When you set the subnet for assignment to VPN clients via Office Mode in the SmartConsole/SmartDashboard, the firewall will automatically take the lowest numbered address (usually .1) and propagate that as the gateway to the VPN client. Just make sure that the subnet handed out by Office Mode to the clients does not exist anywhere in your inside network, and will be routed back to the firewall/Internet and you should be good.
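An added check, written for this page and not taken from the thread or from Check Point, that encodes the caveat above: the manual IP pool must lie inside the Office Mode network, and that network must not overlap any real internal subnet, or return traffic will not be routed back to the gateway. The network and pool values are the ones from the question; the internal subnet list is an assumed example.

```python
from ipaddress import IPv4Address, IPv4Network

# Values from the thread: the Office Mode network and the manual IP pool
# handed out to remote-access clients.
OFFICE_MODE_NETWORK = IPv4Network("192.168.7.0/24")
POOL_FIRST = IPv4Address("192.168.7.50")
POOL_LAST = IPv4Address("192.168.7.100")

# Constructed example of the internal subnets behind the gateway; these are
# assumptions for the demonstration, not from the original thread.
INTERNAL_SUBNETS = [
    IPv4Network("10.10.0.0/16"),
    IPv4Network("192.168.1.0/24"),
]


def pool_inside_network(first, last, network):
    """True if the whole first..last pool range lies inside the Office Mode network."""
    return first in network and last in network and first <= last


def office_mode_conflicts(network, internal_subnets):
    """Return the internal subnets that overlap the Office Mode network.

    Clients receive an address from this network and the rest of the LAN must
    route it back to the gateway, so an overlap with a real internal subnet
    means the LAN will deliver return traffic locally instead of to the gateway.
    """
    return [s for s in internal_subnets if network.overlaps(s)]


def check_office_mode(network, first, last, internal_subnets):
    """Run both checks; return a list of findings (empty list means the layout is fine)."""
    findings = []
    if not pool_inside_network(first, last, network):
        findings.append(f"pool {first}-{last} is not inside {network}")
    for s in office_mode_conflicts(network, internal_subnets):
        findings.append(f"office mode network {network} overlaps internal subnet {s}")
    return findings


if __name__ == "__main__":
    result = check_office_mode(OFFICE_MODE_NETWORK, POOL_FIRST, POOL_LAST, INTERNAL_SUBNETS)
    for line in result or ["OK: pool is inside the network and no internal subnet overlaps it"]:
        print(line)
```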
Hi Tim,
Thank you for the clarification. You are correct! As a new customer, I'm unfamiliar with the way Check Point goes about configuring remote access VPN. It has been tricky trying to find documentation on this, so I appreciate the input. The Office mode subnet exists entirely on the Check Point side. That subnet is not defined on my internal network. Thanks again.
We were in the same boat. Moving from a life with Cisco to Check Point was really hard and we are still struggling with the remote VPN. We had a very complex remote access that was very granular for access and the move has taken time to work through.
I'd like to see a document that shows migrations from other vendor setups to Check Point as far as remote access VPN goes. I think these details could be used in the technical side as well as the sales side.
The so-called "office mode network" has to be defined on all gateways which are part of the cluster.
If you have an active/standby cluster, it is best practice to use the same subnet for both.
All addresses of this subnet are assigned to the users connecting. None is really used as the gateway address, but on the clients it will take one near the actual address as the gateway.
So a client getting 192.168.7.1 in your environment will have its gateway set to .2. But a client getting 192.168.7.2 will have its gateway set to .1. Don't mind this! It works anyway 😉