This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
hugothebas
Contributor
Contributor
‎2025-05-21 09:23 AM
Jump to solution

Own gateway interfaces' address excluded from Remote Access VPN

Hello, I need to understand why the gateway is excluding all of it's interfaces from the remote access vpn.

For example:

 

Screenshot_1.png

the above interface is one of them, but the issue happens with all interfaces.

The remote acces encryption domain includes that subnet:

Screenshot_2.png

After connecting to VPN client, on the endpoint side I see that the /24 subnet is divided into smaller subnets and the gateway's interface IP is excluded from the routes:

Screenshot_3.png

I've already checked if is there any overlap os other VPNs and there is none

Does anyone know what could be causing this issue?

Thanks!


Best Regards,
Hugo Thebas
0 Kudos
1 Solution

Accepted Solutions
ilkerd
Participant
Participant
‎2025-05-29 08:27 AM
Jump to solution

Hi,

Use this SK: https://support.checkpoint.com/results/sk/sk92676, and you'll thank me later. 🙂

Unfortunately, there’s no other solution. R&D doesn’t care about this issue.

View solution in original post

41 Replies
Lesley
Authority Authority
Authority
‎2025-05-21 09:44 AM
Jump to solution

This is for tunnel_test. You can also disable this and exclude firewall IP from encryption domain.

https://support.checkpoint.com/results/sk/sk180716

Lesley_0-1747845874392.png

 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
hugothebas
Contributor
Contributor
‎2025-05-21 09:57 AM
In response to Lesley
Jump to solution

Thank you, but that doesn't solve my issue. I have already tried doing it, the result is the same.


Best Regards,
Hugo Thebas
0 Kudos
Lesley
Authority Authority
Authority
‎2025-05-21 01:14 PM
In response to hugothebas
Jump to solution

ah VPN clients. I see now normal enc domain can you double check remote access enc domain?

Lesley_0-1747858459633.png

 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
hugothebas
Contributor
Contributor
‎2025-05-21 03:34 PM
In response to Lesley
Jump to solution

Sorry about that, I should have sente the vpn domain of remote access community before.

There it is:

Screenshot_4.pngScreenshot_5.png

Thanks.


Best Regards,
Hugo Thebas
0 Kudos
Lesley
Authority Authority
Authority
‎2025-05-22 01:26 AM
In response to hugothebas
Jump to solution

Check, are the VPN clients up to date? What version?

Second tip: 

Maybe work something out with crypt.def (exclude firewall ip from tunnel)

https://community.checkpoint.com/t5/General-Topics/VPN-traffic-exclusion-with-crypt-def/m-p/167592

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
hugothebas
Contributor
Contributor
‎2025-05-22 10:37 AM
In response to Lesley
Jump to solution

Client is the latest version "Endpoint Security E88.70".

Exclude gateway from tunnel with crypt.def file would make it send the routes (encryption domain) to the client? I can try, but I don't think so.

Thanks


Best Regards,
Hugo Thebas
0 Kudos
CaseyB
Advisor
‎2025-05-22 11:40 AM
In response to hugothebas
Jump to solution

I see you are using a granular encryption domain. What version are you running?

It could be this: sk170857 

0 Kudos
hugothebas
Contributor
Contributor
‎2025-05-22 04:06 PM
In response to CaseyB
Jump to solution

Hello, @CaseyB.

 

I'm on R82 Take 12, but this has been happening since R81.10, I was avoiding dealing with it, but I can't postpone anymore, need to solve it.

Thanks.


Best Regards,
Hugo Thebas
0 Kudos
PhoneBoy
Admin
Admin
‎2025-05-21 12:24 PM
Jump to solution

Is this causing an actual issue above and beyond the cosmetics of those routes existing in the routing table?
Pretty sure this is expected behavior as we want to make sure any access to the gateway IP addresses does NOT go through the VPN and those routes are explicitly for that purpose.

0 Kudos
hugothebas
Contributor
Contributor
‎2025-05-21 01:16 PM
In response to PhoneBoy
Jump to solution

Hello @PhoneBoy!

The main issue is that it is impossible to connect to the gateway vis SSH, HTTPS, etc.

As of now, to reach the gateway, I need to access another host (the SMS, for example) and then jump to the gateway.

About your comment: "Pretty sure this is expected behavior as we want to make sure any access to the gateway IP addresses does NOT go through the VPN and those routes are explicitly for that purpose." - This behavior is only on this gateway, I connect to other customers from VPN client and have no problem accessing the gateway's internal interfaces through VPN.

Thank you!


Best Regards,
Hugo Thebas
0 Kudos
the_rock
Legend
Legend
‎2025-05-21 05:34 PM
In response to hugothebas
Jump to solution

Make sure that subnet is not inadvertantly natted.

Andy

0 Kudos
hugothebas
Contributor
Contributor
‎2025-05-22 10:38 AM
In response to the_rock
Jump to solution

Hello, @the_rock!

I have certified there is no nat involved in this communication.

Thanks.


Best Regards,
Hugo Thebas
the_rock
Legend
Legend
‎2025-05-22 10:47 AM
In response to hugothebas
Jump to solution

Okay. Just to verify, is this the ONLY subnet with the issue once connected? If so, please check to see if topology on that interface is 100% right.

Andy

0 Kudos
hugothebas
Contributor
Contributor
‎2025-05-22 04:08 PM
In response to the_rock
Jump to solution

No, the gateway has 4 interfaces on different subnets, the behavior is the same for all of them.

Thanks!


Best Regards,
Hugo Thebas
0 Kudos
PhoneBoy
Admin
Admin
‎2025-05-22 11:35 AM
In response to hugothebas
Jump to solution

Well, yes, that is an issue as this should be possible.
Wondering if there's a setting in one of the trac configuration files that might be impacting this?

0 Kudos
hugothebas
Contributor
Contributor
‎2025-05-22 04:10 PM
In response to PhoneBoy
Jump to solution

Well, I'm m gonna check trac config file, but I don't see how it could cause this issue.

I'll let you know.


Best Regards,
Hugo Thebas
0 Kudos
JozkoMrkvicka
Authority
Authority
‎2025-05-22 02:33 PM
Jump to solution

I handled the same issue in the past. Dont remember what kind of setting was changed, but something says me it might be related to supernetting within GuiDBedit setting. Will check it further and let you know.

Kind regards,
Jozko Mrkvicka
the_rock
Legend
Legend
‎2025-05-22 02:44 PM
In response to JozkoMrkvicka
Jump to solution

These are the ones I know of in guidbedit that should be set to false.

Andy

 

 

ike_enable_supernet

ike_p2_enable_supernet_from_R80.20

ike_use_largest_possible_subnets

hugothebas
Contributor
Contributor
‎2025-05-22 04:11 PM
In response to the_rock
Jump to solution

I'm gonna try it tomorrow and post here the result.

 

Thanks!


Best Regards,
Hugo Thebas
the_rock
Legend
Legend
‎2025-05-22 04:14 PM
In response to hugothebas
Jump to solution

Hope it helps.

0 Kudos
the_rock
Legend
Legend
‎2025-05-25 06:39 AM
In response to hugothebas
Jump to solution

Hey mate,

Any luck with this?

Andy

0 Kudos
hugothebas
Contributor
Contributor
‎2025-05-28 06:34 AM
In response to the_rock
Jump to solution

Hello!

Sorry for taking so much time to test, I had too much work to do the last days.

I have tried those GuiDBEdit parameters

ike_enable_supernet - (under global properties) was already "false", I did not change.

ike_p2_enable_supernet_from_R80.20 - (under Remote Access Community) was set to "by_global", I've changed to "false"

ike_use_largest_possible_subnets - (under global properties) was set to "true", I've changed to "false"

I also checked crypt.def and it is default with no changes.

Checked trac_client file and the only change there, is to set topology as first to respond (with 2 participant gateways).

Unfortunately, the issue wasn't solved.

Thanks anyway.


Best Regards,
Hugo Thebas
0 Kudos
the_rock
Legend
Legend
‎2025-05-28 06:39 AM
In response to hugothebas
Jump to solution

Did you ever end up opening TAC case?

0 Kudos
hugothebas
Contributor
Contributor
‎2025-05-28 08:31 AM
In response to the_rock
Jump to solution

Not yet, TAC cases usually takes a long time and need several remote sessions. I was trying to avoid it.

 

But I think I don't have other choices.

 

Thank you all for trying to help.


Best Regards,
Hugo Thebas
0 Kudos
the_rock
Legend
Legend
‎2025-05-28 08:45 AM
In response to hugothebas
Jump to solution

I would call and insist on doing remote if possible.

Andy

the_rock
Legend
Legend
‎2025-05-28 10:20 AM
In response to the_rock
Jump to solution

@hugothebas  Or if you can wait till Sunday afternoon EST, happy to do remote and see if we can fix it.

Andy

0 Kudos
hugothebas
Contributor
Contributor
‎2025-05-28 10:57 AM
In response to the_rock
Jump to solution

Well, I have opened a TAC case, if we can't reach a solution (or if we do) I'll update this post.

 

Thank you!


Best Regards,
Hugo Thebas
the_rock
Legend
Legend
‎2025-05-28 10:58 AM
In response to hugothebas
Jump to solution

Sounds good!

0 Kudos
hugothebas
Contributor
Contributor
‎2025-05-28 12:40 PM
In response to the_rock
Jump to solution

I needed to uninstall the vpn client and needed to connect using Capsule, I just realize that the issue doesn't happen with Capsule VPN, but only with Endpoint Security.


Best Regards,
Hugo Thebas
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events