This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Libor_Kovar
Contributor
‎2019-02-07 04:36 AM

SecureRemote site address rewriting

Hello,

could you comment on this strange behavior ?

When I create remote site, I can connect for the first time and it works fine.

When I try to connect second time, it is not possible, as the site's IP is rewritten with the internal IP of itself.

SecuRemote 80.90, gate cluster 80.10

Many thanks

6 Replies
PhoneBoy
Admin
Admin
‎2019-02-08 01:58 PM

Is the gateway behind NAT or is it picking, say, a different (non-external) IP on the gateway?

0 Kudos
Libor_Kovar
Contributor
‎2019-02-22 03:54 AM
In response to PhoneBoy

Thanks for the reply and sorry for the delay (vacations)

The GW cluster public address is not   behind the NAT .

It is defined as usually, but the Securemote client  is picking the internal IP address of the cluster.

 Cluster address in „general properties“ is really the internal one.

 I hesitate to change it to public because of licenses, Site-to-site VPN and other stuff, as I don’t know the side effects.

Is there any other option to rectify this situation ? Hopefully, something what involves RAS VPN only ?

Many thanks

0 Kudos
Netanel_Cohen
Employee
Employee
‎2019-02-10 05:33 AM

This might happen due to wrong 'link selection' configurations.

The default configuration is to use the 'Main address' as the site's IP address for VPN connections.

The 'Main address' is the IP configured in the 'General Properties' tab of the GW\Cluster object.

In case the GW is behind NAT as Demeon suggested or in case the 'Main address' is not the external interface, you need to modify the 'Link Selection' configurations accordingly. 

Please note that by default the 'Link Selection' configurations take effect for both RA and Site-to-Site VPN connections.

0 Kudos
Libor_Kovar
Contributor
‎2019-02-22 04:02 AM
In response to Netanel_Cohen

Thanks for the reply and sorry for the delay , too.

The GW cluster public address is not   behind the NAT .

It is defined as usually, but the SecuRemote client  is picking the internal IP address of the cluster.

 Cluster address in „general properties“ is really the internal one, but in IPSec VPN Link selection section is chosen to always use the "selected address from topology table" with the value of external cluster address, not the "Main address"

0 Kudos
Libor_Kovar
Contributor
‎2019-02-22 04:10 AM
In response to Netanel_Cohen

Addendum: On the same page is following option ... link selection - source IP address Settings

Could it help if I change it accordingly as above, could it disturb the Site-toSite VPN's ?

Firewall is in production !

0 Kudos
PhoneBoy
Admin
Admin
‎2019-02-22 05:56 AM
In response to Libor_Kovar

Link Selection setting impacts Remote Access and Site-to-Site VPNs.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events