How to configure VPN Remote Access on non-default Internet Link

Security Engineering Brazil

April, 2020

Version 02



Thiago Mourao, SE and Cyber Security Evangelist



Henrique Moises, SE



How to configure VPN Remote Access on non-default Internet Link


Known Limitations and Requirements



Step by Step



Configure Remote Access to respond on the non-default Internet link.

With the default configuration, when the first packet arrives over the non-default internet link, the gateway looks up its routing table and answers using the default route, so the reply packets leave through the interface where the default route is configured (asymmetric routing). In many cases those reply packets are blocked by the next hop, either as out of state (a SYN-ACK without a matching SYN) or by an ingress routing filter that checks that the source address does not belong to that route/network.

PS: In one specific scenario this configuration may work with no further action needed: when the primary ISP link performs no stateful inspection and has no ingress routing filter to block spoofing/DDoS attacks. In that case the security level is lower, so it is not recommended.


Known Limitations and Requirements

  • I have used static routes in this example instead of PBR, which would be the more granular way to do it
  • I have used a wrapper for cprid_util created by @HeikoAnkenbrand in his CheckMates article “GAIA - Easy execute CLI commands from management on gateways” to execute commands on the gateway from the SMS
  • For this PoC we assume that you have already configured a gateway with 2 (two) internet links, where the first one is the default route and the second one is a backup link
  • For this PoC we assume that you have already configured Remote Access VPN (IPsec or Mobile Access) to respond on the IP of the secondary internet link



In this lab we are using R80.40 on both the Security Gateway and the Security Management Server, both virtualized on VMware Workstation 12.

Virtual Environment:

  • 1 x Check Point Gateway R80.40
  • 1 x Check Point Manager R80.40
  • 1 x Microsoft Windows Server 2012 R2
  • 1 x Windows 7 Ultimate
  • 4 x Virtual Routers (VyOS)

Host Environment:

  • 1 x Notebook (Windows Professional) with VMware Workstation 12


  • In this topology, Router RT_301 is doing source NAT FROM: TO:




This script prepares the environment when it is run for the first time.

#!/bin/bash -f
source /opt/CPshrd-R80.40/tmp/
#Script Directory
#User that will Execute the Scripts and Cron Job

echo "First time setup"
echo "Creating all files and Gaia configuration"

echo "Creating Directories"
mkdir $EXECDIR
mkdir $EXECDIR/log
mkdir $EXECDIR/tmp

echo "Creating Files"
touch $EXECDIR/
touch $EXECDIR/
touch $EXECDIR/
touch $EXECDIR/log/
touch /var/log/VPNSecondaryLink_alert.log

echo "Creating Symbolic Links"
ln -s /var/log/VPNSecondaryLink_alert.log $EXECDIR/log/VPNSecondaryLink_alert.log
ln -s $EXECDIR/ $FWDIR/bin/VPNSecondaryLink_alert

echo "Copying Scripts to $EXECDIR"
cp ./ $EXECDIR/
cp ./ $EXECDIR/

echo "Changing Owner and Group"
chown $EXECUSER:bin $FWDIR/bin/

echo " Changing Permission"
chmod 760 $EXECDIR/
chmod 760 $EXECDIR/
chmod 760 $FWDIR/bin/

echo "Lock Database Override"
clish -c "lock database override"
echo "Adding Daily Based Recurrence for CronJob_VPNSecondaryLinkCleanUp at Cron Job to 2:00am"
clish -c 'add cron job VPNSecondaryLinkCleanUp command "/home/admin/VPNSecondaryLink/ >> /home/admin/VPNSecondaryLink/log/ 2>&1" recurrence daily time 2:00'
echo "Saving clish configuration"
clish -c "save config"

This script is called by the Track field (User Alert) of the rule created in SmartConsole. It parses the log line it receives on stdin and creates a static route for the source IP of the packet that hit the rule.

#!/bin/bash -f
source /opt/CPshrd-R80.40/tmp/
#Script Directory
#User that will Execute the Scripts and Cron Job

#Jump to Script Directory
cd $FWDIR/bin

#Global Variables
error_msg1="Error: Object Name pattern found on multiple Host Objects"
error_msg2="Error: Static Route already configured"
error_msg3="Error: Rule Name does not match"
error_msg4="Error: Object not found on management Database"
error_msg5="Error: Route Already Inserted on CleanUp Script"

echo "#### Executing VPNSecondaryLink_alert at $(date -u) ####"
[ "${raw_pbr_error:-0}" -gt 0 ] || {

echo "Reading input from rule"
#The alert line is handed to this script on stdin by the "Run UserDefined script" action
read input
#echo "Troubleshooting enabled"
#echo "$input" > $DIR/tmp/VPNSecondaryLink_alert_tr.log
echo "Parsing Source Object Name"
echo "Checking if Source is using Object Name"
raw_src_name=$(echo "$input" | sed -n 's/.* src: \(.*\); dst: .*/\1/p')
#echo "variable raw_src_name=$raw_src_name"
echo "Checking if Source is using IP"
raw_src_ip=$(echo "$input" | grep -o -P '.{0,5}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' | grep src | sed -n 's/^src: \(.*\)/\1/p' )
#echo "variable raw_src_ip=$raw_src_ip"
#No match, or a first octet above 223 (multicast/reserved), means the log carried an object name
firstocteto=$(echo "$raw_src_ip" | sed -n 's/\(^[[:digit:]]*\)\..*\..*\..*/\1/p')
#echo "variable firstocteto=$firstocteto"
if [ -z "$firstocteto" ] || [ "$firstocteto" -gt 223 ]; then
    echo "Cannot match with IP parsing... Trying to find IP on Management Object Database"
    raw_src_ip=$(mgmt_cli -r true show objects limit 2 offset 0 order.1.ASC "name" in.1 "name" in.2 "$raw_src_name" order.2.DESC "objId" type "host" --format json | jq '.objects[]."ipv4-address"')
    if [ -z "$raw_src_ip" ] ; then
        echo $error_msg4;
        exit 1;
    elif [ $(echo "$raw_src_ip" | wc -l) -gt 1 ] ; then
        echo $error_msg1;
        exit 1;
    else
        echo "IP Found"
        #jq prints the address quoted; strip the quotes
        raw_src_ip=$(echo "$raw_src_ip" | tr -d \");
        echo "Source IP: $raw_src_ip"
    fi
else
    echo "IP has no object in Database, using IP from Log"
    echo "Source IP: $raw_src_ip"
fi
echo "Parsing Destination Object Name"
echo "Destination IP: $raw_dst_ip"
echo "Check if Route already exist"
if [ $(/usr/local/bin/g_cli show configuration static-route | grep "$raw_src_ip" | wc -l) -gt 0 ] ; then
    echo $error_msg2;
    exit 0;
fi
touch $DIR/
chmod +x $DIR/
echo "Creating Routing for $raw_src_ip/32"
#Host route for the client via the secondary ISP gateway, pushed to the gateway through the g_cli wrapper
/usr/local/bin/g_cli $gateway_ip "set static-route $raw_src_ip/32 nexthop gateway address $secondary_gw on"
echo "Checking file"
if [ $(cat /tmp/ | grep "$raw_src_ip" | wc -l ) -gt 0 ] ; then
    echo $error_msg5;
    exit 1;
fi
echo "Adding new route to"
#The matching "off" command is queued for the daily clean-up job
echo "/usr/local/bin/g_cli $gateway_ip set static-route $raw_src_ip/32 off" >> $DIR/
echo "#### End of Execution of VPNSecondaryLink_alert at $(date -u) ####"
echo -e '\n\n'
exit 0;
}
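The decision logic of the alert handler above, as an added example that is not part of the original post: it takes one alert line as an argument (instead of reading stdin), extracts the source field with the same sed expression, decides whether it is a unicast IPv4 address or an object name that would need the mgmt_cli lookup, checks the gateway's existing static routes for a duplicate, and builds the clish commands the g_cli wrapper would send. The alert lines, the next hop 198.51.100.1 and the sample route table are constructed, and the hypothetical handle_alert function only reports the decision rather than calling g_cli.

```shell
#!/bin/sh
# Example (not the post's script): the decisions the VPNSecondaryLink_alert
# handler makes for one alert line. Alert lines, next hop and routes are constructed.
SAMPLE_ALERT='alert; src: 203.0.113.45; dst: 198.51.100.10; proto: tcp; service: https'
SAMPLE_ALERT_OBJ='alert; src: Remote_User_PC; dst: 198.51.100.10; proto: tcp; service: https'
SAMPLE_ROUTES='set static-route default nexthop gateway address 192.0.2.1 on
set static-route 203.0.113.45/32 nexthop gateway address 198.51.100.1 on'

# Source field, extracted with the same sed expression the post's script uses.
parse_src() {
    printf '%s\n' "$1" | sed -n 's/.* src: \(.*\); dst: .*/\1/p'
}

# True for a dotted quad with first octet 1..223 (the post's "-gt 223" test);
# multicast, object names and malformed strings go to the name-lookup path.
is_unicast_ipv4() {
    ip=$1
    case "$ip" in *[!0-9.]*|'') return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    [ "$1" -ge 1 ] && [ "$1" -le 223 ]
}

# clish commands: "on" installs the /32 via the backup ISP next hop; "off" is
# the line the nightly clean-up script replays to withdraw it.
route_add_cmd() { printf 'set static-route %s/32 nexthop gateway address %s on\n' "$1" "$2"; }
route_del_cmd() { printf 'set static-route %s/32 off\n' "$1"; }

# Duplicate check on "show configuration static-route" output. Matching the
# fixed string "<ip>/32 " stops 10.0.0.1 from matching an existing 10.0.0.10 route.
route_exists() {
    printf '%s\n' "$2" | grep -qF "set static-route $1/32 "
}

# One alert line in, one decision out: ROUTE <ip>, SKIP-EXISTS <ip> or LOOKUP <name>.
handle_alert() {
    src=$(parse_src "$1")
    if ! is_unicast_ipv4 "$src"; then
        echo "LOOKUP $src"
    elif route_exists "$src" "$2"; then
        echo "SKIP-EXISTS $src"
    else
        echo "ROUTE $src"
    fi
}
```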

This script is executed by the cron job VPNSecondaryLinkCleanUp. Every day it backs up the current clean-up list for historical purposes and then runs it to clean up the routing table.

#!/bin/bash -f
source /opt/CPshrd-R80.40/tmp/
#Script Directory
#User that will Execute the Scripts and Cron Job

#Jump to Script Directory
cd $DIR
touch $DIR/
#Only act when the clean-up list holds at least one queued "off" command
if [ $(cat $DIR/ | wc -l ) -gt 0 ] ; then
    echo "Copying old VPNSecondaryLinkCleanUp to TMP Directory for historical purpose"
    cp $DIR/ $DIR/tmp/VPNSecondaryLinkCleanUp-$(date +%s).txt
    echo "Executing to CleanUp Routes"
    echo "Erasing Old"
    > $DIR/
else
    echo "Current is already empty. No routes to be cleaned"
fi


Step by Step

  • Copy the 3 (three) scripts to the Manager Server (SMS)


  • Change permission of “”


[Expert@Management:0]# chmod 760
[Expert@Management:0]# ls -l

  • Execute the “”


[Expert@Management:0]# ./

  • Check that the cron job was created


[Expert@Management:0]# more /var/spool/cron/admin

  • Create an Access Control Rule with the following pattern:

From: ANY

To: IP_of_the_Backup_Interface (My Example:

Services: HTTP and HTTPS

Action: Permit

Track: Log / Alert: User Alert 1





  • Check the Alert Commands parameters under Global Properties > Log and Alert > Alerts:
    • “Send user defined alert no. 1 to SmartView Monitor”
    • “Run UserDefined script”:
      • VPNSecondaryLink_alert >> /var/log/VPNSecondaryLink_alert.log 2>&1


  • Creating a VPN site on the Remote Client using the IP of the non-default interface (Ex.: Eth1 -


  • Connecting to the VPN


  • Checking if Remote Client connected successfully and got Office Mode IP from the Pool


  • Checking access to internal resource (Ex.: Ubuntu Server 01)


PS: This page was created to check the IP address seen from the client

PPS: This is the server called Ubuntu Server 01 and its private IP is

  • Checking on the VPNSecondaryLink_alert.log file to see if the scripts are running


[Expert@Management:0]# tail -f log/VPNSecondaryLink_alert.log

PS: There is a symbolic link at $EXECDIR/log/VPNSecondaryLink_alert.log. The original file was created at /var/log/VPNSecondaryLink_alert.log

  • Checking the Behavior

You can see in the fw monitor output that the VPN Client started to send packets to the backup-link IP, which arrived on interface Eth1, and that gateway Gw-01 answered those packets through interface Eth0. Due to Stateful Inspection on router RT_101, the packets were dropped and never reached the VPN Client.


When the script runs, a static route is inserted and packets from gateway Gw-01 to the client IP start to be routed through interface Eth1.


Once the gateway responds on TCP 80 (HTTP), visitor mode can be reached and the site is created on the VPN Client.


  • Checking the new routing table on gateway


Gw-01> show configuration static-route

  • Running the Clean Up Script (


[Expert@Management:0]# ./


5 Replies

Great stuff, @Thiago_Mourao ! Well done!


Thanks Loukine!

Could Policy-Based Routing be used to accomplish the same goal?


There is a limitation between PBR and Remote Access VPN/S2S VPN...


Thank you for this nice set of scripts + documentation!

I found some flaws:
a) all provided scripts are not FW version independent: use /opt/CPshared/5.0/tmp/ to source the environment variables
b) : in this script you create a symbolic link to $FWDIR/bin/VPNSecondaryLink_alert
    but later on you refer to $FWDIR/bin/ (see lines with "chown" and "chmod")

c) /usr/local/bin/g_cli (from Wolfgang) does not find all gateway IPs (line range too narrow with grep; fix: use "grep -A 25")

d) there is no hint about the ISP redundancy feature - typically customers are using this feature, too, when having two ISP links.

An additional objective for this subject is that users have only 1 VPN RA site created, but if the primary IP/link goes down, it should use the second link (failover to the secondary link automatically) - like MEP is working (when having more than 1 GW)
