Kryten
Collaborator

Client VPN connections from same IP as Site to Site VPN?

Hello all!


Is it possible to have Remote access Clients connect from the same public IP to our Gateway that is already configured for a Site to Site VPN?

A customer recently set up a Site to Site VPN with a peer address that is already used by some RA-Clients to connect to the same Gateway. Now we see rejects in the log, stating that IKEv1 is not supported (we use v2 for the Tunnel) and so we think that this comes from those RA Clients (still waiting for confirmation from those that they cannot connect anymore).

We would have the option to use a second ISP line for this, but that would mean that we have to switch all RA-Clients to this, which is a bit of an overkill to make this one Client work I think.

The customer suggested trying the beta Endpoint Client, which should support IKEv2, but I do not think that this would solve the problem.

Is it somehow possible to have these working while coming from the same public IP? I thought that it should be no problem, but it seems I was wrong here. Any suggestions are very welcome!


Regards,
Alex

0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
Legend

This is not possible - also, why should remote access clients have the IP of a GW? If the one client is hidden behind the VPN peer GW, he can use the VPN tunnel to directly connect to the remote site instead of RA VPN...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist


4 Replies
Kryten
Collaborator

Thanks for the confirmation that it is not possible.
From my point of view there is also no reason for a client connection when there is a site to site connection available, but if the customer assures me that it is indeed needed separately I cannot do much besides disagreeing. They routed the client traffic now through the tunnel as a "workaround" 🙂

0 Kudos
G_W_Albrecht
Legend

Routing the client traffic through the tunnel is the solution - encrypting already encrypted traffic again is the customer's decision 😎

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
StackCap43382
Collaborator

Just in case anyone else comes across this when searching. 

If a user has the IPSEC RA VPN with Always Connect enabled and is behind a VPN device with a S2S VPN to the same IP as its Remote Access termination point, it will result in issues.

The Check Point gateway terminating the RA and S2S VPN will see two IPSEC connections from the same peer IP.

This results in annoying popups. 

Still need to review VPNd.elg, but I expect it will treat the RA IPSEC as S2S, matching on the peer IP, and the encryption settings won't match.

CCSME, CCTE, CCME, CCVS
0 Kudos
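A quick way to confirm the diagnosis discussed in this thread (IKE rejects coming from an address that is also a configured site-to-site peer) is to correlate the reject lines against the S2S peer list. This is an added example, not code from this thread or from Check Point; the log lines, the regex and the peer table are constructed samples and do not reproduce the real vpnd.elg format.

```python
"""Flag IKEv1 rejections whose source IP is already a configured S2S peer.

All log lines and peer entries here are CONSTRUCTED samples for the demo;
adapt REJECT_RE to the actual wording of your gateway's log before use.
"""
import re
from collections import defaultdict

# Constructed sample: public addresses configured as site-to-site (IKEv2) peers.
S2S_PEERS = {"203.0.113.10": "branch-office"}

# Constructed sample log: two IKEv1 rejects from the S2S peer address (the RA
# clients behind it), one normal RA negotiation from elsewhere, one IKEv2 SA.
SAMPLE_LOG = """\
[vpnd] 10:01:02 IKE: peer 203.0.113.10: IKEv1 not supported, rejecting
[vpnd] 10:01:05 IKE: peer 198.51.100.7: IKEv1 Main Mode completed
[vpnd] 10:01:09 IKE: peer 203.0.113.10: IKEv1 not supported, rejecting
[vpnd] 10:01:12 IKE: peer 203.0.113.10: IKEv2 SA established
"""

# Matches the constructed reject wording; capture group 1 is the source IP.
REJECT_RE = re.compile(r"peer (\d{1,3}(?:\.\d{1,3}){3}): IKEv1 not supported")


def count_ikev1_rejects(log_text):
    """Return {source_ip: number_of_IKEv1_reject_lines}."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        match = REJECT_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return dict(counts)


def find_peer_collisions(log_text, s2s_peers):
    """Return [(ip, peer_name, reject_count)] for every rejected source IP
    that is also a configured S2S peer address, sorted by IP."""
    rejects = count_ikev1_rejects(log_text)
    return sorted((ip, s2s_peers[ip], n)
                  for ip, n in rejects.items() if ip in s2s_peers)


if __name__ == "__main__":
    for ip, name, n in find_peer_collisions(SAMPLE_LOG, S2S_PEERS):
        print(f"{ip} ({name}): {n} IKEv1 rejects from a configured S2S peer "
              "address; likely remote-access clients behind that peer")
```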
