Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Remi_Richer
Explorer

Mobile Access on separate external interface

Hello Checkmates,

I need some help with a new VPN setup we're trying to implement. I need to be using a second external interface leading to a second distinct ISP (eth1). We're trying to set Mobile Access on that interface for bandwidth reasons. My issue currently is that when we try to reach the portal, traffic comes in on eth1 but the http responses are going outbound on the other external interface/ISP (eth4) because of the default route and makes it impossible to access remotely (the portal works fine when accessing from internal networks).

Is there a way to get around this? So far I've looked at the documentation on ISP-Redundancy which doesn't seem to apply at all for my scenario. I also looked into Policy-Based-Routing but couldn't make it work; I think it's just not meant for what I'm trying to do, unless I'm implementing it wrong.

Any help is greatly appreciated.

0 Kudos
5 Replies
Chris_Atkinson
Employee Employee
Employee

Do you have the Support connectivity enhancement for gateways with multiple external interfaces option set?

VSX may also be an option depending on your intended use cases for the second ISP link.

Another would be to implement an external router for handling that element.

CCSM R77/R80/ELITE
0 Kudos
Remi_Richer
Explorer

Hi Chris, thanks for the reply.
We do have the 'Support connectivity enhancement for gateways with multiple external interfaces' option checked but the issue still remains.
Could you elaborate a little on how I could handle this with an external router?
The use case is quite simple, we want the 'Mobile Access' tunneled traffic to be on the second ISP link, to liberate some bandwidth on the main ISP connection where we're already at maximum capacity. There wouldn't be anything other than that VPN traffic on that link.
0 Kudos
PhoneBoy
Admin
Admin

I'm guessing this is how to solve the issue.
In the Gateway Object, go to IPSec VPN > Link Selection, hit the Setup button under Outgoing Route Selection and select Reply from Same Interface.
Install policy.

Screen Shot 2020-03-16 at 6.40.12 PM.png

0 Kudos
Cesar_Santos
Explorer

Hi,

 

I'm having the exact same issue.

 

Tried your suggestion, but did not worked.

 

Also, I thing is important to mention sk in https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut.... Also tried that, but no luck.

 

Anymore ideas?

 

Regards,

César Sant 

0 Kudos
Remi_Richer
Explorer

That didn't work for me, unfortunately. We are using the SSL network Extender currently so I don't think IPSec Link Selection impacts anything here. Maybe that could work with one of the VPN clients (so far I tried 'Endpoint Security VPN' but it's the same issue, it couldn't even create the site; 'site is not responding). We'll probably deploy a 2200 gateway we have lying around and handle this ISP separately with it. I can't find any built-in settings to make this work otherwise.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events