This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nikolaos_Liakop
Explorer
‎2022-04-20 05:50 AM

VPN client from inside network

Hello,

My client's demand is to attempt to connect via endpoint vpn client from a WiFi network that is behind CP. 

I have exempted Office Mode addresses from the external interface, however I am still not able to establish the connection..the vpn client gets stuck at 47% 

checkpoint_client_vpn_connection_new.png

What I get from the logs is the following:

16:57:49.995884 IP 192.168.244.20.10415 > X.X.X.X.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
16:57:50.258470 IP 192.168.244.20.10415 > X.X.X.X.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
16:57:50.522939 IP 192.168.244.20.10415 > X.X.X.X.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
16:57:50.831110 IP 192.168.244.20.10415 > X.X.X.X.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
16:57:51.050687 IP 192.168.244.20.10415 > X.X.X.X.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]

Any guidance regarding this one ?

Let me specify that the external interface of Checkpoint is in the RFC1918 range and that the IPSEC Link selection mechanism is statically NATted where the red one is what is depicted as X.X.X.X in tcpdump.

link-selection.PNG

 

Regards

0 Kudos
7 Replies
G_W_Albrecht
Legend Legend
Legend
‎2022-04-20 06:29 AM

The shown GW cluster properties for IP selection is used with S2S VPN, not RA VPN. As the client already is located behind the RA VPN GW, why is there any need to connect to the internal network using VPN ? If needed very hard, you could enable the internal IF for RA VPN.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Nikolaos_Liakop
Explorer
‎2022-04-20 06:38 AM
In response to G_W_Albrecht

Because WiFi is giving only internet access and there is a need for some clients to get access to the internal network and this can be accomplished only through the vpn client.

How can I enable internal interface access ?

Also the IP Link selection mechanism depicted in the screenshot is used with endpoint vpn clients as well. I have attempted to change the link selection mechanism to that of the external interface of CP which is the LAN link of the load balancer and is a RFC1918 interface and checked that the vpn client took as an ip address the private one.

 

 

0 Kudos
Nikolaos_Liakop
Explorer
‎2022-04-26 07:00 AM
In response to Nikolaos_Liakop

Any update on this ?

0 Kudos
CheckPointerXL
Advisor
Advisor
‎2023-07-28 07:52 AM
In response to Nikolaos_Liakop

hello dear,

did you solve the issue? are you able to connect to internal interface?

0 Kudos
JasonUllyot
Explorer
‎2023-07-31 07:43 AM
In response to Nikolaos_Liakop

Couldn't you setup a separate CORP SSID that is on a separate VLAN that has routes to internal resources?

0 Kudos
Mike_Schepers
Participant
‎2023-08-21 12:01 PM

We have exactly the same issue; guest wifi (internet only) users behind the same firewall that occasionally need to connect to corporate resources using a VPN to this same firewall.  Wish I could tell you that we solve this problem.  I would be interested if you find a solution.

0 Kudos
Jere_Virta
Explorer
‎2024-03-14 11:25 PM

Did someone solve this? I have a same kind of situation.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top