mc_na23
Participant

Windows routing table changes and not able to access LAN when connected to VPN (Check Point Mobile)

Greetings, 

I discovered this issue when attempting to configure a 3600 gateway device, working from home last week. I spoke to one of my network engineers who is in charge of the VPN and he isn't sure of a resolve. So I come here seeking an answer. I'm not sure what product/server is at the corporate office. I'm awaiting this information, as it might prove valid in a resolution.

I work remote from our corporate network. I connect to the corporate network via the Check Point Mobile client. No issues accessing corporate network files, etc. I have a lab environment that I use to configure devices for deployment into our network infrastructure. I access the lab network via a physical adapter on my desktop. My WAN feed comes from another physical network adapter, connected to my ISP router.

When I am not connected to the VPN client, I am able to access any network device on my lab network, as well as my home network. When I am connected to the VPN client, I lose access, but am still able to ping.

A traceroute revealed the VPN client sends all traffic (regardless of destination) over the VPN and back to the PC. I understand why ping works, but I assume something is getting lost in translation over the VPN tunnel. For instance, if I am trying to access the Gaia GUI in a 3600 gateway (connected to my lab environment), I get the login page at 192.168.1.1, but any login attempt returns an error. If I disconnect from the VPN client, I am able to login just fine. There are other prevalent issues when trying to access systems in my lab or home network as well. This was just an example.

I took the time to see the routing table changes the VPN client makes to the local Windows machine. I tried to delete/add routes, but to no avail. Any route table changes to the local machine just get overwritten, I assume by the VPN client.

My thoughts were a configuration in the server, not so much the client.

Anyone care to shed some light on my issue or have a suggestion I can pass onto the network engineer? I am in the IT group at my company, I'm not in the network engineering group, nor do I have access to the VPN server. I am hoping to gather some info from this post and pass it along to the powers that be.

Thank you.

MC

0 Kudos
3 Replies
PhoneBoy
Admin

The VPN gateway is clearly configured to "Route All Traffic" based on this description (also called Hub Mode).
There is a configuration to allow local subnets to be used (exclude_local_networks_in_hub_mode) described here: https://support.checkpoint.com/results/sk/sk75221

0 Kudos
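The routing-table observation in the original post and PhoneBoy's "Route All Traffic" diagnosis can be checked from the Windows side with a before/after snapshot. This is an added example, not code from the thread or from Check Point; it assumes Windows 8.1 / Server 2012 R2 or later (the NetTCPIP cmdlets) and an elevated PowerShell, and the lab gateway 192.168.1.1 is taken from the original post.

```powershell
# Added diagnostic, not code from the thread or from Check Point: snapshot the IPv4 routing
# table before and after the VPN client connects and show what changed. Assumes Windows 8.1 /
# Server 2012 R2 or later (NetTCPIP module) and an elevated shell; 192.168.1.1 is the lab
# gateway from the original post.
function Get-RouteSnapshot {
    Get-NetRoute -AddressFamily IPv4 -ErrorAction Stop |
        Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric, InterfaceMetric
}
# A route is identified by prefix + next hop + interface; metrics are reported, not compared.
function Get-RouteKey { param($Route)
    '{0}|{1}|{2}' -f $Route.DestinationPrefix, $Route.NextHop, $Route.InterfaceAlias
}
function Compare-RouteSnapshot {
    param($Before, $After)
    $beforeKeys = @($Before | ForEach-Object { Get-RouteKey $_ })
    $afterKeys  = @($After  | ForEach-Object { Get-RouteKey $_ })
    [pscustomobject]@{
        Added   = @($After  | Where-Object { $beforeKeys -notcontains (Get-RouteKey $_) })
        Removed = @($Before | Where-Object { $afterKeys  -notcontains (Get-RouteKey $_) })
    }
}
# Find-NetRoute emits the chosen source address followed by the winning route object;
# the route is the one that carries DestinationPrefix.
function Get-EffectivePath {
    param([string]$RemoteIP)
    $route = Find-NetRoute -RemoteIPAddress $RemoteIP |
        Where-Object { $_.PSObject.Properties['DestinationPrefix'] } | Select-Object -First 1
    [pscustomobject]@{
        Destination = $RemoteIP
        ViaPrefix   = $route.DestinationPrefix
        NextHop     = $route.NextHop
        Interface   = $route.InterfaceAlias
    }
}

$before = Get-RouteSnapshot
Read-Host 'Connect Check Point Mobile, wait until it reports connected, then press Enter'
$after  = Get-RouteSnapshot
$diff   = Compare-RouteSnapshot -Before $before -After $after
'Routes added by the VPN client:'
$diff.Added   | Sort-Object DestinationPrefix | Format-Table -AutoSize
'Routes removed or replaced:'
$diff.Removed | Sort-Object DestinationPrefix | Format-Table -AutoSize
# With "Route All Traffic" the lab gateway may resolve to a route over the VPN adapter rather
# than the on-link 192.168.1.0/24 route. If it still shows the lab adapter while a traceroute
# goes through the tunnel, the redirection is enforced below the routing table, which is why
# manually added or deleted routes do not change the behaviour.
'Effective path to the lab gateway:'
Get-EffectivePath -RemoteIP '192.168.1.1' | Format-List
```

The "Added" list is what to hand to the network engineer alongside the sk75221 reference: a new default route or a blanket prefix pointing at the VPN adapter is the hub-mode symptom, and the fix is on the gateway side (exclude_local_networks_in_hub_mode), not in the client's route table.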
the_rock
Legend

100% PhoneBoy is right. As soon as I read all you wrote, it's the first thing that came to my mind. Can send you some screenshots Friday morning on where to check this. One setting is under global properties (I believe remote access) and another one in gateway properties for VPN remote access. If those are enabled, that's the reason why. In layman's terms, if that's on, it forces all traffic through the CP firewall once you connect to the VPN and it's essentially "omitting" your own ISP provider.

Best,

Andy

0 Kudos
the_rock
Legend

Here is the doc I promised with screenshots. If you have it the way I pointed out, then split tunnel is enabled, which is what most customers prefer anyway and is recommended. You want your users to ONLY access internal resources once connected; for anything else, let them use their own ISP.

Best,

Andy

0 Kudos