This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Linus
Contributor
‎2022-01-12 02:34 AM

Host Routes for specific user

Jump to solution

Hello!

 

We try to get rid of our OpenVPN installation and use IPSec VPN with checkpoint.

We have a 3600 with IPSec blade and setup authentication via Active Directory.

 

With our OpenVPN setup (split-tunneling) it is possible to setup specific routes for users which are placed into their routing table once they connect.

 

For example:

 

User A wants to connect to their workstation in the office via RDP. I setup a host route to 192.168.0.50/32 when he connects via the remote client.

User B connects to 192.168.0.60/32 and so on.

 

I added 192.168.0.0/24 to VPN Domain but thats not what we wanted to archieve. Now the whole subnet is routed into the tunnel for all VPN users. Is there a way to do this on a per user base ?

 

How to get this setup to work with our new checkpoint appliance ?

 

Thank you !

0 Kudos
1 Solution

Accepted Solutions
_Val_
Admin
Admin
‎2022-01-12 03:59 AM
In response to Linus

Jump to solution

I sure understand what you mean. My point here is, IPsec is different from SSL application level encryption used by OpenVPN. VPN routing will take precedence, you do not need to inject routes, VPN client will know where VPN domains IPs are and will route accordingly.

View solution in original post

0 Kudos
5 Replies
_Val_
Admin
Admin
‎2022-01-12 03:07 AM

Jump to solution

Why would you need a host route for RDP connections in the first place? Allow them to connect to the office networks, and if you need granularity, you can also setup user specific VPN rules.

0 Kudos
Linus
Contributor
‎2022-01-12 03:14 AM
In response to _Val_

Jump to solution

Hello @_Val_ 

 

"Why would you need a host route for RDP connections in the first place?"

- We want to prevent overlapping issues with local ressources on the client side and save bandwidth on the vpn gateway

 

"You can also setup user specific VPN rules"

- Do you mean Access Control Policies ?

0 Kudos
_Val_
Admin
Admin
‎2022-01-12 03:15 AM
In response to Linus

Jump to solution

Assign Office Mode IPs to the clients, no problems with overlapping networks anymore. Yes, I mean access policy rules

0 Kudos
Linus
Contributor
‎2022-01-12 03:20 AM
In response to _Val_

Jump to solution

We configured Office mode IPs. As far as I understand that does not prevent the overlapping issue, for example when subnet in the home-office is the same as the subnet in the office.

 

/edit

0 Kudos
_Val_
Admin
Admin
‎2022-01-12 03:59 AM
In response to Linus

Jump to solution

I sure understand what you mean. My point here is, IPsec is different from SSL application level encryption used by OpenVPN. VPN routing will take precedence, you do not need to inject routes, VPN client will know where VPN domains IPs are and will route accordingly.

0 Kudos