This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kryten
Collaborator
‎2022-07-12 05:50 AM
Jump to solution

Client VPN connections from same IP as Site to SIte VPN?

Hello all!

 

Is it possible to have Remote access Clients connect from the same public IP to our Gateway that is already configured for a Site to Site VPN?

A customer recently set up a Site to Site VPN with a peer address that is already used by some RA-Clients to connect to the same Gateway. Now we see rejects in the log, stating that IKEv1 is not supported (we use v2 for the Tunnel) and so we think that this comes from those RA Clients (still waiting for confirmation from those that they cannot connect anymore).

We would have the option to use a second ISP line for this, but that would mean that we have to switch all RA-Clients to this, which is a bit of an overkill to make this one Client work I think.

The customer suggested to try the beta Endpoint Client, which should support IKEv2, but I do not think that this would solve the problem.

Is it somehow possible to have these working while coming from the same public IP? I thought that it should be no problem, but it seems I was wrong here. Any suggestions are very welcome!

 

 

Regards,
Alex

0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
Legend Legend
Legend
‎2022-07-12 07:04 AM
Jump to solution

This is not possible - also, why should remote access clients have the IP of a GW ? If the one client is hidden behind the VPN peer GW, he can use the VPN tunnel to directly connect to the remote site instead of RA VPN...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

4 Replies
G_W_Albrecht
Legend Legend
Legend
‎2022-07-12 07:04 AM
Jump to solution

This is not possible - also, why should remote access clients have the IP of a GW ? If the one client is hidden behind the VPN peer GW, he can use the VPN tunnel to directly connect to the remote site instead of RA VPN...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Kryten
Collaborator
‎2022-07-13 01:51 AM
In response to G_W_Albrecht
Jump to solution

Thanks for the confirmation that it is not possible.
From my point of view there is also no reason for a client connection when there is a site to site connection available, but if the customer assures me that it is indeed needed separately I can not do much besides disagreeing. They routed the client traffic now through the tunnel as a "workaround" 🙂

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-07-14 01:10 AM
In response to Kryten
Jump to solution

Routing the client traffic thru the tunnel is the solution - encrypting already encrypted traffic again is the customers decision 😎

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
StackCap43382
Collaborator
Collaborator
‎2023-08-23 07:22 AM
In response to G_W_Albrecht
Jump to solution

Just in case anyone else comes across this when searching. 

If a user has the IPSEC RA VPN with Always Connect enabled and is behind a vpn device with a S2S VPN to the same IP as its Remote Access Termination point it will result in issues.

The Check Point gateway terminating the RA and S2S VPN will see two IPSEC connections from the same peer IP.

This results in annoying popups. 

Still need to review VPNd.elg but i expect it will treat the RA IPSEC as S2s matching on the peer IP and the encryption setting wont match. 

CCSME, CCTE, CCME, CCVS
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events