vpn-1 and home network

[grandfinalemike]

I work with a large enterprise and have setup vpn-1 with nokia appliances. Our setup works perfectly the way we need it to. We recently though, have found a need to allow users on a home network to be connected to the firewalls, BUT also be able to route through their home network as well. The end goal of our need is to be able to be securely connected to our enterprise network, and be allowed to print via the home network as well. I have been working with Checkpoint on finding a solution within their lab environment, but so far, they haven't been able to resolve our issue. I was hoping some of the real world people in this community have had the need for this operation as well. I am hoping that I am posting this thread in the right forum. I will also post in a couple others that it might effect. Thanks for reading.

our net setup and goal

192.168 ----> (internet) -----> vpn-1 <-----> vpn-1 <--------> corp

our goal:
192.168 <-----> (internet) -----> vpn-1 <-----> vpn-1 <-----> corp

Mike

[dantro]

In one sentence: you want to connect remotely from a home office and need to connect from your company to the internal hosts of the home office?

Where is your problem? That is what everyone here does every day. Just create a Site-to-Site VPN community and put a UTM-1 Edge appliance or something at your home office. Done.

[grandfinalemike]

no, what I need to do, is:
connect FROM my home office to the company. But, what happens is that I lose routing of my home network once I connect to the vpn. We have configured office mode/visitor mode on our secure client on the pc. We lose any home office routing once connected.

Thanks

[mcnallym]

I would suggest that you have Hub Mode enabled on the corporate gateway.

When you use Hub Mode then it routes all traffic down the VPN tunnel.

Turn off Hub Mode, and this will then only send traffic for the corporate network down the VPN tunnel. You will need to update the local client with the new topology after this is done.

[grandfinalemike]

Thanks for the reply, unfortunately, we can't turn hub mode off because it won't route from the vpn, it will route only from the client. Am I missing something on the vpn configuration to get this working?

As i quickly diagrammed
(bgn)
home ---- internet ---- vpn1 ---- vpn1 ---- secure network
\
\
Corp network

with hub mode off, we don't get internal routing

[mcnallym]

If you can't turn off Hub Mode then whenever you connect to the VPN then all of the traffic from the client is sent down the VPN Tunnel. This is exactly what Hub Mode is supposed to do.

If you want to be able to connect to resources inside your corporate network and outside at the same time, then you will have too turn off Hub Mode.

If you are running NGX software on the gateway then you can define a seperate Remote Access Encryption Domain to the Site-to-Site. This is what I did for a customer who wanted what you want.

The Remote Access Enc Dom covered the local networks and also the networks behind other site-to-site VPN tunnels along with anywhere connected via corporate network, ie MPLS, lease lines etc.

Hub Mode can then be turned off and providing your home net and corporate network don't have the same IP range then can access your home net and corporate network at the same time.

[vijayant]

Use an additional NATing device in the home network, NAT the printer to some IP that doesnot fall in the VPN domain. IF there is no way out you may try that.