| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| Hello, I am having a configuration problem with my CheckPoint device to use VPN. Basically, now I can use SecureClient to connect to the CheckPoint and access the local network behind the CheckPoint. However, the problem is that I would like to force all traffic from the VPN client to go through the gateway, but I could not. Below are the configurations I did: * in Global Properties: route all traffic when connected * in the Checkpoint object: Enable Hub mode (Allow Secure Client to route traffic through this gateway); set up Office mode to the group with all users. The error I got when I tried to connect from SecureClient was: - User xyz authenticated by FireWall-1 authentication. - Gateway not responding - Connection failed. Could anyone tell me which problem I am having? Note that without selecting the option "Route all traffic to gateway" at the SecureClient, I can still connect to the Checkpoint. Thank you. Last edited by henryvu; 2009-06-01 at 21:39. |
| |||
| It seems that now I can make it work. In particular, I can connect SecureClient with the option "route all traffic through gateway" on. The problem, however, is that when turning it on, I cannot connect to the Internet. Could anyone help me? |
| |||
| What about your SecureClient users though? When they're connected, and trying to get to the Internet, take a look at your logs, see if the logs show their traffic passing, and see if it is being natted. |
| |||
| I tested the following two cases at SecureClient on Windows Vista: 1. Chose both Office mode and Hub mode. In this case, I saw a lot of dropping messages with the error "encryption fail reason: Packet is from physical IP address but Office Mode is active". According to sk30481, this error may be caused because the IP address of the client is overlapping with the external or internal IP address of the Checkpoint. (Actually, the testing machine I used is in the same network with the Checkpoint.) 2. Chose only Hub mode (without using Office mode). In this case, I got a different error: "encryption fail reason: Received a cleartext packet within an encrypted connection". The suggestion to fix this problem is to use Office mode. Thus, I do not know what to do. Actually, I also tried to connect with SecureClient from a different network (at home). But, at home, I could not connect with Hub mode. Could you let me know whether there are some specific configuration steps that are necessary and that I may have missed? Actually, the purpose of my setting is quite simple. I just want to set up and collect "encrypted" traffic from VPN users when they access the Internet, and analyze that traffic for research purposes. This is the reason why I need to configure VPN to run in Hub mode (to get all incoming and outgoing traffic of VPN users encrypted). |
| |||
| Hello, I was having the same problem, even with all the NAT & allow rules in place. In the Gateway properties in SmartDashboard, Remote Access tab, you need to tick the box under Hub Mode Configuration, "Allow SecureClient to route traffic through this gateway". Double check your NAT & Allow rules just in case. Make sure that the Gateway in your Primary Network knows how to get to the remote clients, i.e. through the firewall interface. |