svori
Collaborator

Remote access users access resources behind site to site tunnel

Hi,

I am trying to solve an issue where I need remote access users to be able to connect to resources behind a site-to-site tunnel.

Remote users connect to an on-premises Check Point cluster (R81.20 Take 26) using the Check Point Mobile client and can access resources in the on-premises datacenter.

But they also need to access resources that are located on the other end of a site-to-site tunnel.

I saw the Remote Access community, but I cannot add this interoperable device there. I suspect it must be a Check Point host for that.

What can be done to enable routing between these two VPN domains?


6 Replies
PhoneBoy
Admin

You don't add the Interoperable Device, but you add the networks behind that device to the Remote Access Community.

svori
Collaborator

Hi,

The RemoteAccess community only has two options:

Add Participating Gateways and Participating User Groups.

So I do not know where I should add these networks?

PhoneBoy
Admin

These are gateways that directly terminate Remote Access connections.
What you need to modify is the Remote Access Encryption Domain, which is modified in the Gateway object:

[screenshot omitted]

The object referred to here should be a group object that includes both your local IP addresses (i.e. your local encryption domain) and the remote IP addresses you wish to be accessible (i.e. the remote encryption domain).

svori
Collaborator

Thank you Phoneboy 🙏 appreciate your help 🙂

patones1
Contributor

Hello,

I tested in my lab by creating a group with the local and remote subnets of the VPN tunnel, and adding the group to the VPN domain of the "RemoteAccess" community. It was OK, but it wasn't enough.

In order to make it work, I had to add the Office Mode subnet (CP_default_Office ...) to the local VPN domain, because I was getting the following log:

'Encryption Failure: according to the policy the packet should not have been decrypted'

So I created a group with the local subnet and the Office Mode subnet:

Then, I had to authorize the Office Mode subnet on the remote gateway, because the packets finished in the cleanup rule of the remote gateway.

This way, from the remote client (on remote access), I was able to access a PC on the remote site through the VPN tunnel.

I hope this will help.

SenpaiNoticed_U
Employee

SK 36510

Remote Access to S2S VPN

1. Define both the Check Point side domain and the peer gateway domains with group objects.
2. On the Check Point side gateway, put the Office Mode IP range into the gateway's encryption domain. (NOTE: if the Office Mode IP range is going to be sent over the tunnel, make sure the peer expects to see this network range (policy rule, etc.). If using a Hide NAT, add both the Office Mode and NAT IPs to the Check Point side gateway's domain.)
3. Create a new group object with BOTH the Check Point and the peer's encryption domains in the new group.
4. Manually define the Remote Access with the new group.
5. Global Properties >> Remote Access main page >> check the box for "Enable Back connections (from Gateway to client)".
6. Install policy.

===============

Double check:
> the S2S VPN community page: un-check the box for "Disable NAT inside the community" (only if NAT is needed)
> may need to add a NO-NAT rule for the two-way traffic, Office Mode IP to peer's network and peer's network to Office Mode
**unless OM is Hide NATing**

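As an added illustration (not code from Check Point, from the SK, or from anyone in this thread): a small Python model of the checks the replies above describe, so you can see which configuration step each symptom maps to. It walks a packet from an Office Mode client to a host behind the interoperable peer through four checks: destination in the Remote Access encryption domain, Office Mode pool in the local VPN domain (the "Encryption Failure" log from patones1's post), destination in the peer's domain, and the peer's rulebase accepting the source (the cleanup-rule drop). It also models the Hide NAT caveat from the last post. All subnets, the `VpnDesign` fields and the `apply_thread_fix` helper are constructed for this example; they are not Check Point object names or API calls.

```python
"""Model of the VPN-domain checks discussed in the thread (added example)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed sample addressing (not from the thread).
LOCAL_LAN = "192.168.10.0/24"   # on-premises datacenter behind the Check Point gateway
PEER_LAN = "172.16.50.0/24"     # network behind the interoperable peer
OFFICE_MODE = "10.99.0.0/24"    # Office Mode pool handed to Mobile clients


def in_domain(addr: str, domain: Tuple[str, ...]) -> bool:
    """True if addr falls inside any CIDR of the domain."""
    ip = ip_address(addr)
    return any(ip in ip_network(cidr) for cidr in domain)


@dataclass(frozen=True)
class VpnDesign:
    local_domain: Tuple[str, ...]   # gateway's site-to-site VPN domain
    ra_domain: Tuple[str, ...]      # Remote Access encryption domain on the gateway object
    peer_domain: Tuple[str, ...]    # encryption domain of the interoperable device
    peer_accepts: Tuple[str, ...]   # sources the peer's rulebase allows out of the tunnel
    nat_source: Optional[str] = None  # Hide NAT address the peer sees, if any


def check_path(design: VpnDesign, client_ip: str, dest_ip: str):
    """Walk the hops the thread describes; return (reachable, reason)."""
    # 1. The Mobile client only tunnels destinations inside the RA encryption domain.
    if not in_domain(dest_ip, design.ra_domain):
        return False, "dest not in Remote Access encryption domain"
    # Resources in the local datacenter never need the site-to-site leg.
    if in_domain(dest_ip, design.local_domain):
        return True, "local resource"
    # 2. The gateway must see the decrypted RA packet as site-to-site traffic:
    #    the thread reports 'Encryption Failure ... should not have been decrypted'
    #    until the Office Mode pool was added to the local VPN domain.
    if not in_domain(client_ip, design.local_domain):
        return False, "Office Mode pool not in local VPN domain (Encryption Failure)"
    # 3. The destination must be in the peer's domain for the S2S tunnel to be selected.
    if not in_domain(dest_ip, design.peer_domain):
        return False, "dest not in peer encryption domain; no S2S tunnel selected"
    # 4. The peer's rulebase must permit the source it actually sees
    #    (the NAT address when Hide NAT is in play), else its cleanup rule drops it.
    seen_source = design.nat_source or client_ip
    if not in_domain(seen_source, design.peer_accepts):
        return False, "peer cleanup rule drops source %s" % seen_source
    return True, "ok"


def dedupe(*parts: Tuple[str, ...]) -> Tuple[str, ...]:
    """Concatenate CIDR tuples, dropping repeats while keeping order."""
    return tuple(dict.fromkeys(sum(parts, ())))


def apply_thread_fix(design: VpnDesign, office_mode: str = OFFICE_MODE) -> VpnDesign:
    """Apply the steps from the thread: local domain gains the Office Mode pool,
    the RA domain becomes local + peer domains, and the peer permits the pool."""
    local = dedupe(design.local_domain, (office_mode,))
    return replace(
        design,
        local_domain=local,
        ra_domain=dedupe(local, design.peer_domain),
        peer_accepts=dedupe(design.peer_accepts, (office_mode,)),
    )


# 'Before': RA encryption domain is the local LAN only, as in the original question.
BEFORE = VpnDesign(
    local_domain=(LOCAL_LAN,),
    ra_domain=(LOCAL_LAN,),
    peer_domain=(PEER_LAN,),
    peer_accepts=(LOCAL_LAN,),
)
AFTER = apply_thread_fix(BEFORE)

if __name__ == "__main__":
    for label, design in (("before", BEFORE), ("after", AFTER)):
        print(label, check_path(design, "10.99.0.7", "172.16.50.20"))
```

Running it prints the failing reason for the "before" design and `(True, 'ok')` after the fix; constructing an intermediate design with only the RA domain widened reproduces the "Encryption Failure" finding from the thread, which is the step most people miss.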