Chinmaya_Naik
Advisor

Remote Access VPN with Two Public IP Address for Two Different Segment

Hi Checkmates,

 

We plan to configure two Remote Access VPN communities.

We already have a LAN segment (LAN_A) with the ISP 1 public IP address and a Remote Access VPN configuration, which is currently working.

Now we have added one more segment (LAN_B), for which we want to configure Remote Access VPN using the newly introduced ISP 2 public IP address.

So both communities should work like this: LAN_A >> ISP1 and LAN_B >> ISP2.

Is this possible?

Is there an alternative way to do that?

Currently we have it configured as a statically NATed IP:

[screenshot: vpn.PNG]

 

Regards

@Chinmaya_Naik  

0 Kudos
3 Replies
RS_Daniel
Contributor

There is not a native way to do that as far as I know, but maybe someone else knows a feature I do not. To do that I would use one of these options:

  1. If you have a load balancer in front of the Check Point firewall >> Remote access VPN link selection with DNS resolving
  2. If there is no load balancer, I would force users from LAN_A to always resolve the ISP1 IP address using FQDN1 vpn1.domain.com and LAN_B to resolve the ISP2 IP address with FQDN vpn2.domain.com >> How to force Remote Access VPN Client to resolve DNS name of VPN Site at every connection

Consider that no matter which ISP the users connect to, the reply packets will always go through the default route. A workaround for this was provided by Thiago_Mourao here: How to configure VPN Remote Access on non-default Internet Link

It is not very clear if LAN_A and LAN_B are Office Mode segments or LAN networks behind the gateway, but if you need to use 2 different IP segments for remote users, you will have to configure the first one in SmartConsole and the second one in the ipassignment.conf file: Office Mode IP and ipassignment.conf file

The configuration made in the screenshot you posted is applied also to site-to-site tunnels, so I would use link selection for remote access only; all available options are described here: Remote Access clients can connect to VPN Gateway only once

Also, it is not supported to have a second VPN community, or at least it was not the last time I asked.
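
As an added illustration of the ipassignment.conf option mentioned in the reply above (this is an example written for this page, not the poster's or Check Point's own configuration), the following shows what $FWDIR/conf/ipassignment.conf on the gateway could look like if LAN_A and LAN_B are two Office Mode pools. The gateway name (RA-GW), the pool ranges (10.10.1.0/24 and 10.10.2.0/24) and the user group names (LAN_A_Users, LAN_B_Users) are assumptions for the example; the first pool is the one defined in SmartConsole, the second is what the file adds. Note that the file keys assignments on the user or user group, not on which ISP address the client connected to, so the two populations of users have to be distinguishable as separate groups:

```text
# Gateway   Type   IP Address                  User/Group
# ========  ====   ==========                  ==========
# Pool for the LAN_A population (example values; same range as the
# Office Mode network object configured in SmartConsole for RA-GW).
RA-GW       net    10.10.1.0/255.255.255.0     LAN_A_Users
# Pool for the LAN_B population (example values; only defined here).
RA-GW       net    10.10.2.0/255.255.255.0     LAN_B_Users
# A fixed address for one named user, also an example entry.
RA-GW       addr   10.10.2.250                 vpnadmin
```

The entry type is addr for a single address, range for a first-last span (written 10.10.2.10-10.10.2.20) and net for a network with its mask; an asterisk in the Gateway column matches any gateway. After editing the file, install the policy on the gateway so the assignments take effect, and confirm that the new pool is routed and permitted in the access rules exactly like the pool created in SmartConsole, otherwise LAN_B clients will authenticate but have no reachability.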

Chinmaya_Naik
Advisor

Hi @RS_Daniel 

Thank you very much for the details.

Have you tested this in your lab environment?

@Chinmaya_Naik 

0 Kudos
PhoneBoy
Admin

You can only have one Remote Access community per gateway.
This might possibly be a good use case for VSX.

0 Kudos