Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Fabz
Contributor
Jump to solution

Remote Access VPN Question

Hi Checkmates,

Right now im on implementing RA VPN in customer environment, but found difficulties in configuration.. i tried some config following Admin Guide and SK but the issue still persist :

  1. By default, is the VPN checkpoint configuration full tunnel or split tunnel? as i know is full tunnel, but after i check this SK https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... I become confused
  2. About Domain Site, initially only using IP for site access, but now it will change to domain. I've changed but still can't, do you have any ideas for solving it?
  3. There is a question from customer, if the domain for VPN between DC and DRC is made the same (redundant), is it possible? I was looking for this information but could not find it.

 

Thankyou Checkmates, looking forward the answer 🙂

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

Split tunnel (allowing direct access to Internet versus routing all traffic through the VPN headend) is the default.
You change this in Global Properties > Remote Access > Endpoint Connect > Route All Traffic to Gateway
There is also a setting on the client when the above setting is set to "Configured on Endpoint Client." 

For access by DNS name, that generally involves:

Depending on the precise requirements for accessing the Disaster site, you may want to configure Multiple Entry Point.
See: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...

View solution in original post

0 Kudos
(1)
5 Replies
G_W_Albrecht
Legend Legend
Legend

I only can understand your question 1: Full tunnel is how it usually does work, i saw nothing in the sk that could confuse anyone!

You can find split tunneling in sk167000: How to configure Split Tunnel for Office 365 and other SaaS Applications and R81.20 Remote Access VPN Administration Guide - Dynamic Split Tunneling for SaaS Using Updatable Obj...

For Q2 you may talk about IP and Site name resolved by DNS, but i never heard of a VPN between DC and DRC (???)...

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Fabz
Contributor

Hi!

So by default the configuration is Full Tunnel right? 

Thankyou,  i will check it for the second link is it only applicable for 81.20 only? my customer still on 81.10

 

Im sorry for not clear enough about my question, for Q2 i mean like below

aaa.png

When i used IP Public Address for "site", users can connect normally. but when i was trying to change "site" access using domain like vpn.company.co.uk user cant connect. Thanks!

G_W_Albrecht
Legend Legend
Legend

What does the used client DNS resolve vpn.company.co.uk to ? The IP must be known to the DNS.

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin

Split tunnel (allowing direct access to Internet versus routing all traffic through the VPN headend) is the default.
You change this in Global Properties > Remote Access > Endpoint Connect > Route All Traffic to Gateway
There is also a setting on the client when the above setting is set to "Configured on Endpoint Client." 

For access by DNS name, that generally involves:

Depending on the precise requirements for accessing the Disaster site, you may want to configure Multiple Entry Point.
See: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...

0 Kudos
(1)
dt7
Contributor

When using Office Mode (i.e with enterprise clients Endpoint Security VPN or Mobile VPN), how do you manage split DNS? If you provide your internal DNS via Office Mode (ex: DHCP), everything will be resolved via the internal DNS servers configured. How to force that public domains should be resolved via the LAN adapter (public ISP DNS servers) instead? From what I have observed and tested so far, the Checkpoint VPN adapter interface metric is lower (=0) compared to the LAN/WiFi interfaces on the computer, so has higher priority and takes precedence over the others, meaning everything will be resolved by the DNS specified via Office Mode.

I still have not found a way to manage split DNS properly (forcing public domains resolution not on the internal DNS servers) when using enterprise clients and Office mode... Any advice is welcome.

Thanks.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events