This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Andrey_Gl
Explorer
Explorer
‎2022-02-24 09:04 AM

VPN Exlude network (VSX r80.40)

Hello. We need your advice:
There is vpn community s2s where 10.0.0.0/8 is our domain and 192.168.0.0/16 is remote peer's domain. There also remote access on this gateway and users get ip from 10.10.10.0/24 network. We have server 192.168.15.10 and it's available locally. Other users connect to this host through another gateway (without vpn) . This host is specified on remote peer but it's not working now and we need requests from 10.10.10.0/24 go to local network but s2s vpn. As i understand for traffic to get to vpn tunnel src ip must get in domain behind our gateway and dst ip get in remote peer domain. This i made exceptions group in our domain: network 10.0.0.0/8 (except 10.10.10.0/24) but it doesn't work

Labels
0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2022-02-27 04:15 PM

So you have 192.168.15.10 in use locally as well as via the remote peer's domain?
VPN Routing is probably going to route that across to the S2S VPN unless you can exclude that IP from the remote peer's domain.
You might be able to do this with just the RemoteAccess encryption domain.

0 Kudos
Andrey_Gl
Explorer
Explorer
‎2022-02-28 02:58 AM
In response to PhoneBoy

Hello!

Tnank you for your response.
1) so to get inito the tunnel dest ip is significant? and the fact that src is not in our domain of this community doesnt matter?
2) i didnt understand that sentence - if i remove address  192.168.15.10 from remoteaccess then traffic won't flow to the gateway. i need traffic to flow to gateway to the local network but not to s2s

0 Kudos
PhoneBoy
Admin
Admin
‎2022-02-28 06:58 AM
In response to Andrey_Gl

The fundamental issue is you are using the same IP on both ends of your S2S VPN.
The best way to fix it is to ensure only unique IPs are used on both ends of the VPN.

The gateway can only route an IP to one location.
Right now, the encryption domain for your S2S VPN includes that IP and VPN Routing takes precedence over any OS routes.
Short of changing the IP that is being accessed by your Remote Access clients, you will need to remove that IP from the S2S VPN Encryption Domain and include that IP in your Remote Access encryption domain.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events