CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: ISP Redundancy remote access VPN

  1. #1
    Join Date
    2006-03-11
    Posts
    61
    Rep Power
    14

    ISP Redundancy remote access VPN

    Has anyone had experience with ISP Redundancy and remote access VPNs? I am doing testing, trying to replicate an issue in production. This made me think of an obvious question I'm hoping someone can answer. If I am connected to the remote access VPN via the primary ISP in an HA ISP Redundancy connection and the primary ISP fails, do I have to manually reconnect my VPN, or "should" it automatically reconnect to the second IP? Also, how does the SecureRemote client know about the second IP address? I assume it's updated in the topology updates etc., but it would be great if anyone can point me towards something that documents this.

    Thanks.

  2. #2
    Join Date
    2007-06-04
    Posts
    3,303
    Rep Power
    17

    Re: ISP Redundancy remote access VPN

    It has been some time since I had to do this, and I don't believe it has changed, looking at the SecureClient Feature Support in Endpoint Security VPN R75/E75.x (SecureClient Next Generation), sk56580:

    Link Selection: Multiple interface support with redundancy

    Only static Link Selection is supported. This means that if (Gateway Properties > VPN > Link Selection > "Use a probing method") is selected, then the setting that will actually apply is (Gateway Properties > VPN > Link Selection > "Always use this IP address" > "Main address").

    Workaround: None

    Comments: Roadmap

    As such, I believe that you still have to cross your fingers that your primary link doesn't fail. I am not sure if you could try a second site definition on the client with the secondary link and see if the Secondary Connect feature would work; however, it doesn't seem to be a recognised workaround, so I'm not sure if it would work.

    Other features refer to E75.30, which indicates that the sk is aware of the E75.30 remote access client.

    The one customer that had the ISP Redundancy and Remote Access no longer uses Check Point for Remote Access.

  3. #3
    Join Date
    2006-03-11
    Posts
    61
    Rep Power
    14

    Re: ISP Redundancy remote access VPN

    Thanks, I assume this probably goes for R65 SecureClient as well then.

  4. #4
    Join Date
    2007-06-04
    Posts
    3,303
    Rep Power
    17

    Re: ISP Redundancy remote access VPN

    Never tried it with the R60 SecureClient series, as it was out of support by the time I was implementing the gateways. The document, however, is only related to the E75 series of software; I believe that the older R60 series actually did work, however. When you say R65 SecureClient, I presume that you mean the R60 HFA3 client.
