This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
mwakiz
Participant
‎2020-03-11 11:17 PM
Jump to solution

route office mode through Ipsec tunnel (site to site)

How do I route my office mode network through my site to site Ipsec tunnel to access resources in our remote offices?

1 Solution

Accepted Solutions
G_W_Albrecht
MVP Silver
MVP Silver
‎2020-04-22 12:40 AM
In response to Daniel_Hainich
Jump to solution

RAVPN.png

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

11 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2020-03-12 02:15 AM
Jump to solution

By adding these networks to your RA VPN Encryption Domain !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
mwakiz
Participant
‎2020-03-12 02:33 AM
In response to G_W_Albrecht
Jump to solution

Thanks. Which network? office mode or the remote office one?
G_W_Albrecht
MVP Silver
MVP Silver
‎2020-03-12 05:21 AM
In response to mwakiz
Jump to solution

The target networks !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
mwakiz
Participant
‎2020-03-17 09:32 AM
In response to G_W_Albrecht
Jump to solution

Let me rephrase my question:

I have users who are connecting to our network with SecureClient VPN 82.20.
The GW are on R77.
I am using Office Mode, the users are getting IP from the Office Mode pool and everything works fine when they are pointing to targets within our networks and all LAN resources are accessible.

Now, what I want to do is to also route them to another remote network thru site-to-site VPN that I've configured. The remote network is accessible from LAN.

How should I do that? What do I need to configure?
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2020-04-21 06:34 AM
In response to mwakiz
Jump to solution

A VPN client Encryption Domain, containing all nets that should be accessible. Go into Gateway > Network Management > VPN Domain > Set specific VPN Domain for GW Communities > Select the RA Community > Set > User Defined select a Network group created for this purpose.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Daniel_Hainich
Advisor
‎2020-04-21 06:23 AM
In response to G_W_Albrecht
Jump to solution

hi, please help - i cant find the right place where i have to configure the RA vpn domain. daniel

G_W_Albrecht
MVP Silver
MVP Silver
‎2020-04-22 12:40 AM
In response to Daniel_Hainich
Jump to solution

RAVPN.png

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
G_W_Albrecht
MVP Silver
MVP Silver
‎2020-04-22 04:47 AM
In response to G_W_Albrecht
Jump to solution

Addition to the screenshot: This is R80.40, so you can select between different RA VPN communities. Up to R80.30, there was only one RA VPN community where the Domain could be set...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Juan_Brion_Garc
Explorer
‎2021-06-24 08:21 AM
In response to G_W_Albrecht
Jump to solution

Hi G_W_Albrecht,

I have done that you propose, but it does not work.

As RA VPN domain, I have created a group including internal networks and also internal networks from some remote peers, and it does not work.

 

We can reach, trough RA internal resources but no IPSEC site to site resources on remote peers.

From internal LAN, we can access them.

 

0 Kudos
Juan_Brion_Garc
Explorer
‎2021-06-24 08:27 AM
In response to G_W_Albrecht
Jump to solution

Hi G_W_Albrecht,

We have tried that you proposed (including internal networks from remote peers, with a S2S VPN with our cluster, on RA VPN domain) but we cannot reach them.

We can reach them from internal LAN only.

regards

0 Kudos
patones1
Collaborator
‎2024-05-14 06:32 AM
In response to Juan_Brion_Garc
Jump to solution

Hello Juan,

It is normal that it doesn't work. I tested in my lab by creating a group with the the local and remote subnets of the VPN tunnel; and adding the group to the VPN domain of the "RemoteAccess "community. It was OK but it wasn't enough.

In order to make it work, I had to add the Office Mode subnet (CP_default_Office ...) to the local VPN domain because I was getting the following log :

'Encryption Failure: according to the policy the packet should not have been decrypted'

So I created a group with the local subnet and the Office Mode subnet to be added to the VPN domain of the local site:

Net_interne_and_Office_mode.JPG  
Local_VPN_Domain.JPG

 

Then, I had to authorize the Office Mode subnet, on the remote gateway because the packets finished in the cleanup rule of the remote gateway.

Office_mode_subnet_authorization.JPG

This way from the remote client (on remote access), I was able to access to a PC on the remote site through the VPN tunnel

I hope this will help

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events