Linus
Contributor

Host Routes for specific user


Hello!

We are trying to get rid of our OpenVPN installation and use IPsec VPN with Check Point.

We have a 3600 with the IPsec blade and set up authentication via Active Directory.

With our OpenVPN setup (split tunneling) it is possible to set up specific routes for users, which are placed into their routing table once they connect.

For example:

User A wants to connect to their workstation in the office via RDP. I set up a host route to 192.168.0.50/32 when he connects via the remote client.

User B connects to 192.168.0.60/32 and so on.

I added 192.168.0.0/24 to the VPN Domain, but that's not what we wanted to achieve. Now the whole subnet is routed into the tunnel for all VPN users. Is there a way to do this on a per-user basis?

How do we get this setup to work with our new Check Point appliance?

Thank you!

0 Kudos
_Val_
Admin

Why would you need a host route for RDP connections in the first place? Allow them to connect to the office networks, and if you need granularity, you can also set up user-specific VPN rules.

0 Kudos
Linus
Contributor

Hello @_Val_

"Why would you need a host route for RDP connections in the first place?"

- We want to prevent overlapping issues with local resources on the client side and save bandwidth on the VPN gateway.

"You can also set up user-specific VPN rules"

- Do you mean Access Control Policies?

0 Kudos
_Val_
Admin

Assign Office Mode IPs to the clients, no problems with overlapping networks anymore. Yes, I mean access policy rules.

0 Kudos
Linus
Contributor

We configured Office Mode IPs. As far as I understand, that does not prevent the overlapping issue, for example when the subnet in the home office is the same as the subnet in the office.

0 Kudos
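Added example, not part of the thread and not Check Point client code: a generic model of how an operating system picks a route (longest prefix first, then lowest metric), applied to the addresses in this thread to show the overlap case described in the post above. The interface names `wlan0`/`vpn0` and the metrics are assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    interface: str
    metric: int


def select_route(table, destination) -> Optional[Route]:
    """Generic OS behaviour: longest matching prefix wins, ties go to the lowest metric."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in table if dst in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def overlapping(local_nets, vpn_nets):
    """Return (local, vpn) pairs whose address ranges overlap."""
    local = [ipaddress.ip_network(n) for n in local_nets]
    vpn = [ipaddress.ip_network(n) for n in vpn_nets]
    return [(l, v) for l in local for v in vpn if l.overlaps(v)]


def build_table(vpn_routes):
    """Constructed home-office client whose LAN uses the same /24 as the office."""
    base = [
        Route(ipaddress.ip_network("0.0.0.0/0"), "wlan0", 50),       # default route
        Route(ipaddress.ip_network("192.168.0.0/24"), "wlan0", 50),  # home LAN
    ]
    # Assumption: routes added for the tunnel get a higher metric than the LAN.
    return base + [Route(ipaddress.ip_network(n), "vpn0", 100) for n in vpn_routes]


def egress(vpn_routes, destination):
    """Interface a packet to `destination` leaves on, given the pushed VPN routes."""
    route = select_route(build_table(vpn_routes), destination)
    return route.interface if route else None


if __name__ == "__main__":
    print(overlapping(["192.168.0.0/24"], ["192.168.0.0/24"]))
    # Per-user host route: only the workstation goes into the tunnel.
    print(egress(["192.168.0.50/32"], "192.168.0.50"))  # vpn0
    print(egress(["192.168.0.50/32"], "192.168.0.60"))  # wlan0 (stays on home LAN)
    # Whole /24 routed into the tunnel: same prefix length as the home LAN,
    # so the metric decides and the office workstation is unreachable.
    print(egress(["192.168.0.0/24"], "192.168.0.50"))   # wlan0
```

In this model the /32 wins on prefix length regardless of metric, while a /24 tunnel route only ties with an identical home /24.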
_Val_
Admin
Accepted solution

I sure understand what you mean. My point here is, IPsec is different from the SSL application-level encryption used by OpenVPN. VPN routing will take precedence; you do not need to inject routes. The VPN client will know where the VPN domain IPs are and will route accordingly.

0 Kudos