Hello!
We are trying to get rid of our OpenVPN installation and use IPSec VPN with Check Point.
We have a 3600 with IPSec blade and set up authentication via Active Directory.
With our OpenVPN setup (split-tunneling) it is possible to set up specific routes for users which are placed into their routing table once they connect.
For example:
User A wants to connect to their workstation in the office via RDP. I set up a host route to 192.168.0.50/32 when he connects via the remote client.
User B connects to 192.168.0.60/32 and so on.
I added 192.168.0.0/24 to the VPN Domain but that's not what we wanted to achieve. Now the whole subnet is routed into the tunnel for all VPN users. Is there a way to do this on a per-user basis?
How do we get this setup to work with our new Check Point appliance?
Thank you!
I sure understand what you mean. My point here is, IPsec is different from the SSL application-level encryption used by OpenVPN. VPN routing will take precedence; you do not need to inject routes. The VPN client will know where the VPN domain IPs are and will route accordingly.
Why would you need a host route for RDP connections in the first place? Allow them to connect to the office networks, and if you need granularity, you can also set up user-specific VPN rules.
Hello @_Val_
"Why would you need a host route for RDP connections in the first place?"
- We want to prevent overlapping issues with local resources on the client side and save bandwidth on the VPN gateway
"You can also setup user specific VPN rules"
- Do you mean Access Control Policies?
Assign Office Mode IPs to the clients, no problems with overlapping networks anymore. Yes, I mean access policy rules.
We configured Office Mode IPs. As far as I understand, that does not prevent the overlapping issue, for example when the subnet in the home office is the same as the subnet in the office.
/edit