Hi Team.
I have one SMS and two RA GWs. The first RA GW is configured to send only the needed subnets into the VPN tunnel; other traffic is sent to the local ISP. The second GW is configured to send all traffic into the VPN tunnel and exclude some subnets to the local ISP.
But now I have a problem: when users connect to the first GW, they receive the routes that are configured on the second GW. But the correct VPN Domain is configured on the 1st GW, and users must receive routes to the VPN tunnel for some subnets.
By design, when you “add new site” you get information about all VPN gateways managed by the same SMS.
Version/JHF level along with a diagram of what you’re trying to achieve will help tremendously.
Version: R81.10 Take 150.
I installed two different RA GWs and disabled MEP.
And I want that when users connect to the first RA GW, only office subnets are routed to the VPN tunnel and other traffic goes through the local ISP.
And when users connect to the second RA GW, all traffic is routed to the VPN.
Now when a user connects to the first RA VPN, all traffic is routed to the VPN and the VPN Domains for this GW are ignored.
I configured different VPN Domains.
The subnets that need to be routed on the first and second RA GWs overlap, because the second RA GW routes all traffic to the VPN.
Is it possible, using one SMS, to have two different rules for RA VPN?
There's an SK that covers this specific scenario: https://support.checkpoint.com/results/sk/sk111995
Interesting...never recall having to follow this sk before.
Andy
I think if you read the link below, it will clear certain things up. Especially the section that talks about IMPLICIT MEP...
Andy
I read this. MEP is disabled.
So please answer this question...how are enc domains configured? Are they overlapping or do they have separate subnets/groups? This info is IMPORTANT.
Andy
In such a case, the document says to follow the ttm file to be manual, i.e. domains are NOT overlapping, which they are not in your case. I had done this for customers before and we followed exactly what it shows in the link I sent you, no issues.
Andy
I am not sure that I understood.
Now I have this config in the ttm file:
automatic_mep_topology - false
mep_mode - dns_based
enable_gw_resolving - true
And nothing worked
I will check in the morning, as I have this working in the lab. Make sure to follow all the steps from that document, it works 100%.
Andy
The problem was solved when I removed MEP in the file trac.defaults. Disabling MEP from the GW side did not work.
That's what the document was indicating as well.
In the document it is indicated on the GW side (need to edit the file on the GW); I removed it on the client side (edited the client file).
Never had to do that myself...what are versions of the gw/client?
Andy
GW - R81.10 Take 150, Client 88.30 and 86.50
Done it with those versions, NEVER have I had to modify anything on the client side.