Remote Access VPN Reply Interface
Hello guys,
Just want to know if anyone had a problem with outgoing traffic reply for VPN Remote Access. I just found out that when you try to establish the VPN tunnel with Remote Access on Check Point, it tries to reply using the default route of the Gateway. Even if you have two external interfaces, it does not use the setting on IPSec link selection (Reply from the same interface), and because of this the VPN tunnel cannot be established.
I tried to use PBR for this but it also didn't work, and I tried to find something related to this on Support Center but didn't find anything. I think this is by design.
Does anyone have a clue how to solve this? I changed the default route to the other ISP interface (the one used by VPN Remote) and it worked, but I can't leave this configured because the users use the other link for internet access.
This is by design according to this SK: Outgoing VPN Link Selection on a gateway with multiple external interfaces
Maybe you can use VSX to work around this limitation?
Hello Dameon,
Thank you for the reply; unfortunately we do not have VSX. The way I managed to overcome this by-design setting was doing a NAT to the other external interface. Now the outgoing traffic works and goes to the same interface!
Hello Hugo
Can you please provide us with more details concerning the NAT configuration?
BR,
Kostas
Sure,
Since this limitation is by design in the Check Point Gateway, I had to create an external NAT on my ISP router from the other external interface mapping to the VIP interface on the cluster. Doing that, I could create the remote access VPN connection, since this time the inbound/outbound traffic was using the same external interface.
This is not a workaround in the Check Point configuration; it's only a workaround in our topology to bypass this limitation.
Hello Hugo
Now it is clear.
Thank you
Kostas
