Hey guys,
I honestly was not even going to post this, but had to, just for my own sanity :-). Though I'm 99.99% sure this is NOT possible, but since customer asked me, figured would pick y'all brains. So, here is their question... is there ANY way to configure CP firewall (either via link selection or any other way) to use, say, external IP for specific VPN tunnels and then use a different IP for other tunnels?
Cheers.
In the past this was possible via an entry in user.def, see "Controlling which IP address VPN traffic passes through". But I think there's no support for this in the newer releases.
With link selection you can achieve this if the remote VPN gateways are available via different interfaces. You can route tunnel A via interface A and tunnel B via interface B; it depends on routing configuration. Source IP will be the interface IP of the outgoing interface. "How to create VPN tunnels to a 3rd party peer using a specific ISP"
Thanks @Wolfgang ! Never seen that sk before, but good to know, though I believe you are right, probably not supported in new versions. For your 2nd point, customer has only 1 external interface, so not sure that might be feasible. What about below setting, would this work possibly?
Thoughts?
@the_rock the settings shown are for the IP addresses that will be probed from the remote gateway to the local gateway (see the description at the top). Additionally, you have to configure the IP address of the outgoing packets, the second part of the screen you showed. But I think what you need does not work if all tunnel packets are going through the same interface.
Thanks mate, I think what you gave is the closest to what they need, so I greatly appreciate it 🙌🙌
You can configure Remote Access and Site-to-Site VPN tunnels with a different "Link Selection" IP.
However, you cannot configure "per peer" Link Selection, which is what it sounds like your customer wants.
Though sk31102 does seem like it would support that (if it works on current versions).
FYI, in R82, I believe we are overhauling the whole "Link Selection" mechanism.
Fair enough, thank you. It's weird how this client has route based tunnels configured (never seen that in 15 years with CP), so makes it a bit tricky to do all this, but you guys gave me excellent choice, so I will give this to them, probably tomorrow or some time next week. They understand the situation, so really this is the best they can get, whether they like it or not 😊
Thanks a lot as always @PhoneBoy and @Wolfgang !
Hey @PhoneBoy ...I assume you were referring to visitor mode setting for remote access where it lets you select the interface?
No, I'm referring to: https://support.checkpoint.com/results/sk/sk32229
Ah, right... I remember seeing this sk a couple of years ago.