stich86
Employee

Question about Secondary Connect

Hi guys,

I want to set up a Secondary Connect on another Gateway to split the backup of our laptops during Smart Working.

Currently our users are connecting using CheckPoint Mobile with machine authentication on a Gateway where all of 10.0.0.0/8 (split into smaller subnets) is published over VPN. To reach the backup server, they pass through this gateway, which is using a Site-2-Site VPN to reach another CheckPoint Gateway where the backup server is located. The major problem is the bandwidth.

With a Secondary Connect directly to the other CP Gateway I can bypass this problem, because at that location we have an uplink with more bandwidth.

Now my concerns are:

- Currently, as I've said, on the first CP Gateway I'm passing a subset of the 10.x.x.x network plus 172.16.0.0/16 and 192.168.0.0/16, so the second CP Gateway has an internal subnet like 10.10.0.0/16. I need to reach just a single host; can I override the domain in the "Remote Access" community with a single host?

- Machine authentication: currently the user doesn't provide any credentials to log in; there is a machine certificate that is passed to the gateway and trusted using the AD CA. For the secondary tunnel, is it the same as the first one? Obviously the second CP Gateway has certificate auth enabled and uses the same AD CA.

Thanks in advance

PhoneBoy
Admin

I believe the Remote Access community for the relevant gateway can be a single host.
Also, the other gateway should be able to validate the same credentials as the primary one. 

stich86
Employee

I've set up a small lab in this way:

manager - 10.100.10.8

GW1 - WAN 10.100.10.6 / LAN 192.168.1.1/24 / Office Mode subnet 172.16.0.0/24

GW2 - WAN 10.100.10.7 / LAN 192.168.2.1/24 / Office Mode subnet 172.16.1.0/24

First test was to set up both GWs as participating in "RemoteAccess"; authentication is currently done using username\password, and when the EndPoint client connects I see both remote networks published, but using the Office Mode IP of GW1.

Doing a ping to 192.168.2.1 (so the LAN on the secondary gateway) seems to reach that LAN (also stated by fw monitor), but I don't understand how GW2 can route traffic back to the 172.16.0.0/24 subnet that should be managed by GW1.

Is this normal behaviour? I was thinking that the secondary tunnel would come up with a different class IP.

Now the major problem is with overlapping domains. If I'm pushing subnet 192.168.0.0/16 from GW1 and just a single host like 192.168.2.1 from GW2, the client gets only the 192.168.0.0/16 split into smaller subnets; obviously the EndPoint client rejects the route "192.168.2.1/32" because there is another one that overlaps.

So is it possible to do a configuration like that, or do I need to remove the GW2 subnet from the GW1 encryption domain?

Thanks in advance

PhoneBoy
Admin

Each Remote Access client can only have one Office Mode IP assigned, and it makes sense it would come from the primary gateway.

For the other issue, if you want to use Secondary Connect, you will need to remove GW2 subnets from GW1's RemoteAccess encryption domain (which can be separate from the S2S domain).

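The overlap problem described in the thread (the client dropping 192.168.2.1/32 because GW1 already publishes 192.168.0.0/16) is easy to catch before pushing policy. The script below is an added example, not Check Point code and not from any poster; it uses Python's standard `ipaddress` module to report which networks in the primary gateway's Remote Access encryption domain collide with what the secondary gateway will publish, and to compute the carved-out domain that remains once those prefixes are excluded. The GW1/GW2 names and the 192.168.0.0/16 and 192.168.2.1 values are taken from the lab and the description above; the 10.0.0.0/8 entry is a constructed extra entry to show that unrelated networks pass through untouched.

```python
"""Check Remote Access encryption domains for overlap before enabling
Secondary Connect.  Editor-added example; gateway names and prefixes
are illustrative and taken from the thread's lab description."""
import ipaddress
from typing import Iterable

Net = ipaddress.IPv4Network


def parse(nets: Iterable[str]) -> list[Net]:
    # strict=False accepts both "192.168.2.1" (host -> /32) and
    # interface-style "192.168.1.1/24" (host bits are masked off).
    return [ipaddress.ip_network(n, strict=False) for n in nets]


def find_overlaps(primary: Iterable[str], secondary: Iterable[str]) -> list[tuple[Net, Net]]:
    """Return (primary_net, secondary_net) pairs that overlap.

    Any secondary route covered by a primary one is exactly the case the
    endpoint client rejects, so a non-empty result means Secondary Connect
    will not work as intended until the primary domain is trimmed."""
    p, s = parse(primary), parse(secondary)
    return [(a, b) for a in p for b in s if a.overlaps(b)]


def carve_out(primary: Iterable[str], secondary: Iterable[str]) -> list[Net]:
    """Rewrite the primary gateway's RA domain so it no longer contains any
    network the secondary gateway publishes.

    Two CIDR blocks that overlap always have one containing the other, so
    each primary entry is either kept whole, dropped (secondary contains
    it), or split around the secondary prefix with address_exclude()."""
    result: list[Net] = []
    for a in parse(primary):
        pieces = [a]
        for b in parse(secondary):
            next_pieces: list[Net] = []
            for piece in pieces:
                if not piece.overlaps(b):
                    next_pieces.append(piece)
                elif b.subnet_of(piece):
                    # address_exclude yields the remainder of `piece`
                    # around `b` (empty when they are equal).
                    next_pieces.extend(piece.address_exclude(b))
                # else: `b` covers `piece` entirely -> drop it
            pieces = next_pieces
        result.extend(pieces)
    return sorted(set(result))


def summarise(nets: Iterable[Net]) -> list[Net]:
    """Merge adjacent blocks so the remaining domain is as short as possible."""
    return list(ipaddress.collapse_addresses(nets))


if __name__ == "__main__":
    # GW1's current RA domain (constructed: 10.0.0.0/8 added for contrast).
    gw1_domain = ["10.0.0.0/8", "192.168.0.0/16"]
    # The single host GW2 should publish via Secondary Connect.
    gw2_domain = ["192.168.2.1"]

    for a, b in find_overlaps(gw1_domain, gw2_domain):
        print(f"overlap: GW1 {a} covers GW2 {b}")

    trimmed = carve_out(gw1_domain, gw2_domain)
    print("GW1 RA domain after removing GW2 prefixes:")
    for n in summarise(trimmed):
        print("  ", n)
```

Run it as-is to see the conflict report and the trimmed domain (sixteen prefixes from /17 down to /32 that together cover 192.168.0.0/16 minus the one host). The same check applies to an entire subnet on the secondary side, such as 192.168.2.0/24; only the split point changes.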
