mohammed1987
Participant

Remote Access VPN with Seven Links

Hi,

My customer has this topology:

Smart-1 700s running R82

Two SGW 9100 in a ClusterXL HA deployment running R81.20.

Well, he has 7 WAN links with private IPs behind broadband routers (those routers are configured with a PPPoE session to the ISP).

The first two WANs are used for browsing and for publishing some internet services, such as a website and mail.

I have deactivated the Mobile Access blade due to a port 443 conflict on some devices, such as the ISP broadband routers, which have closed firmware.

I have configured Link Selection in SmartConsole and also in GuiDBedit, but I am still facing some issues and instability. When I looked at Wireshark, the PC with the E88 client shows that it is connected to the SGW and then moves on to another attempt with the private SGW main IP address.

With Capsule on Android, I have no problem, except that when I change the SGW IP address it doesn't want to bring up the tunnel.

Is there any solution to meet the customer's requirement to share the seven WANs among all VPN users?

6 Replies
PhoneBoy
Admin

Since you responded to a very old thread, I decided to create a new thread for your question.
I also removed your attachment as it's not clear how it relates to the problem you've described and it appears to contain potentially sensitive information.

"PC witch E88 client shows That it is connected to sgw and move on to look for another attempt with private sgw main ip address." how precisely are you doing this?
Also what precise version of client?

"When I change the sgw IP address" what precisely are you doing here?

Not sure you can "load balance" remote access over multiple WANs as it has to terminate on the gateway itself. 

mohammed1987
Participant

Hi, 

Well, I'm running E88.30 build 986105506.

On the client side, the server name filled in is MyIP:18544, let's say 196.195.194.193:18443.

SGW 9100 in a ClusterXL HA configuration with R81.20

Smart-1 700s with R82

In SmartConsole:

The IPsec VPN blade is activated.

Visitor Mode is listening on 18443.

I have configured Link Selection for Remote Access only, as described in the R82 Remote Access VPN Administration Guide, with probing (load sharing).

When I activate the VPN client and do a Wireshark capture, I see that the client re-initiates the tunnel to the SGW using its main IP address, which is internal.

Hope it is clear.

PhoneBoy
Admin

Sounds like you didn't follow all the steps in: https://support.checkpoint.com/results/sk/sk32229 
You may need to delete and re-add the site after applying these changes.

Rodrigo_Silva
Contributor

Hi everyone,

We're seeing the same issue and have already identified the root cause: asymmetric routing.

During the Remote Access connection process, the SYN packet comes in through the VPN interface, while the SYN-ACK is routed out via the default internet interface.

We are currently working with support, but haven't been able to resolve it yet.

Applying sk32229 does not address this issue.

If anyone manages to resolve it, please update this case.

Good luck.

Rodrigo_Silva
Contributor

When the default route points to the Remote Access VPN interface, the connection works normally.

RS_Daniel
Advisor

Hi,

I think this is the expected behavior. Traffic from the gateway to the user's public IP address will always use the routing table to decide the outgoing interface, so using the default route interface for Remote Access VPN is mandatory. In this post someone created a script which automatically creates static routes for VPN clients using the secondary internet connection, and every night the script deletes the routes.

How to configure VPN Remote Access on non-default ... - Check Point CheckMates

Regards

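The two posts above describe the same mechanism: the gateway picks the outgoing interface for its reply from the routing table, so a SYN that arrived on a secondary WAN gets its SYN-ACK sent out the default route unless a more specific route for the client's public IP exists. The script below is an added example of that workaround, written for this thread; it is not the script referenced in the linked CheckMates post and not Check Point's own code. It assumes a Gaia gateway where `clish -c` is available, a secondary WAN whose next hop (the broadband router's LAN address) is 192.0.2.1, and a list of connected clients' public addresses supplied by the operator; the sample client list is constructed. On a ClusterXL HA pair the routes are per-member configuration, so the script would have to run on both members.

```shell
#!/bin/bash
# Added example for the thread above (not the referenced script, not Check Point code).
# Pins each Remote Access client's public IP to the secondary WAN with a /32 host
# route so the gateway's replies leave via the interface the SYN arrived on,
# and generates the matching "off" commands for the nightly cleanup.

set -eu

# Assumption: next hop of the secondary WAN (the broadband router's LAN address).
WAN2_NEXTHOP="${WAN2_NEXTHOP:-192.0.2.1}"

# Gaia clish command that adds a host route for one client via the secondary WAN.
route_add_cmd() {
    printf 'set static-route %s/32 nexthop gateway address %s on\n' "$1" "$WAN2_NEXTHOP"
}

# Gaia clish command that removes that host route again (nightly cleanup).
route_del_cmd() {
    printf 'set static-route %s/32 off\n' "$1"
}

# Accept only a plain dotted quad so nothing unexpected is passed to clish.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    local IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
}

# Emit clish commands for a newline-separated client list; mode is "add" or "del".
# Invalid entries are reported on stderr and skipped rather than aborting the run.
emit_routes() {
    local mode="$1" list="$2" ip
    printf '%s\n' "$list" | while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        is_ipv4 "$ip" || { printf 'skipping invalid address: %s\n' "$ip" >&2; continue; }
        case "$mode" in
            add) route_add_cmd "$ip" ;;
            del) route_del_cmd "$ip" ;;
            *)   printf 'unknown mode: %s\n' "$mode" >&2; return 1 ;;
        esac
    done
}

# Apply on the gateway: feed each generated command to clish, then persist.
# Run with mode "add" while clients are connected and "del" from a nightly cron job.
apply_routes() {
    emit_routes "$1" "$2" | while IFS= read -r cmd; do clish -c "$cmd"; done
    clish -c "save config"
}

# Constructed sample: public addresses of two connected clients plus one bad entry.
SAMPLE_CLIENTS="$(printf '198.51.100.23\n203.0.113.77\nnot-an-ip')"

# Dry run when invoked directly: show the add commands, then the cleanup commands.
if [ "${1:-}" = "--dry-run" ]; then
    emit_routes add "$SAMPLE_CLIENTS"
    emit_routes del "$SAMPLE_CLIENTS"
fi
```

Run it with `--dry-run` first to review the generated clish lines; `apply_routes add "$list"` then installs them and `apply_routes del "$list"` is what the nightly job would call. The host routes only help for the client addresses you know about, so the list has to be refreshed as clients connect, which is the reason the referenced script recreates them rather than leaving them in place.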
