CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: route between Remote Access VPN and lan to lan vpn tunnel - R77 4400

  1. #1
    Join Date
    2014-10-27
    Posts
    150
    Rep Power
    5

    Default route between Remote Access VPN and lan to lan vpn tunnel - R77 4400

    Hi Experts

    I have a LAN to LAN between office A and office B. A remote access is configured terminating at the Office A firewall. I want the remote access users to be able to access the office A LAN and the office B LAN.

    I have added the remote access pool to the encryption domain and VPN tunnel policy in the office A firewall. The remote access is configured as office mode and hub mode.

    The policy for remote access has office A LAN and office B LAN in destination. So when I connect via remote access (Endpoint Security VPN), I get the routes for office A LAN and office B LAN.

    But I have access only to office A LAN, where my remote access terminates.

    Please help.

    Thanks
    Bhav

  2. #2
    Join Date
    2014-10-27
    Posts
    150
    Rep Power
    5

    Default Re: route between Remote Access VPN and lan to lan vpn tunnel - R77 4400

    Have tried this: sk101239, but no luck.

  3. #3
    Join Date
    2007-06-04
    Posts
    3,303
    Rep Power
    17

    Default Re: route between Remote Access VPN and lan to lan vpn tunnel - R77 4400

    I am presuming here that the VPN for Office A to Office B is also between Check Point Gateways and the Site to Site terminates on Gateway A.

    This is what you need:

    Gateway A - Enable Hub Mode, configure Office Mode Network, Specify Encryption Domain as the Office Mode Network & the Networks at Office A. Then specify a separate Remote Access Community Encryption Domain that consists of the Office A and Office B Networks but NOT the Office Mode Networks.

    Gateway B - Encryption Domain = Office B Networks

    This way Gateway A sees its Site to Site VPN Encryption Domain as Office A and the Office Mode Network. Gateway B also sees the Gateway A Enc Domain including the Office Mode, so it knows to encrypt the traffic back to Gateway A for the Office Mode.

    Remote Access Clients, however, see the Gateway A Enc Dom as the Office A and Office B Networks.

    I cannot see in your information that you specified the separate Enc Dom for Remote Access on Gateway A, so Gateway A won't provide details of the Office B Networks in its Topology that is sent to the VPN Client.

  4. #4
    Join Date
    2014-10-27
    Posts
    150
    Rep Power
    5

    Default Re: route between Remote Access VPN and lan to lan vpn tunnel - R77 4400

    Mcnallym, you are a legend... guess what, Check Point had a look at this and went away to investigate.

    They set the automatic_mep default value to true and that's it.

    I have done what you requested: configured separate encryption domains for remote access and for the VPN tunnel encryption domain.

    The only issue is, as both office A and office B firewalls are managed by the same management server, I get the below error during policy pushes:


    "Gateways A and B have partial overlapping encryption domainds. Therefore Endpoint connect users will not support MEP configuration. Securemote/Secureclient users will not be able to create site. if any of the GWs should not be exported to SR/SC, please remove it from the remote access community or uncheck the exportable for SR box. the overlapping domains contain $%"%%"%%"

    Also, I am using the Endpoint Security VPN client and not SecuRemote/SecureClient. I see your explanation in sk36510, but I ignored it as I am using only the Endpoint Security VPN client.
    Last edited by bhavinjbhatt; 2015-02-04 at 12:50.

  5. #5
    Join Date
    2007-06-04
    Posts
    3,303
    Rep Power
    17

    Default Re: route between Remote Access VPN and lan to lan vpn tunnel - R77 4400

    I take it then that Gateway B is also part of the Remote Access Community (you simply said that Remote Access terminated at Gateway A). If it is, then ALL Gateways will need the same Remote Access Encryption Domain, ie fully overlap. This will need to include ALL Networks behind ALL Gateways that are part of the Remote Access Encryption Domain. It should also include the Gateways themselves. Or they should not overlap at all, which is what you had before, whereas now the Remote Access partially overlaps (Gateway B is part of the EncDom for Gateway B as it is not using an explicit Remote Access EncDom, whereas Gateway A is Network A and Network B only, so there is a partial overlap (Network B), which is what it is reporting).

    As you didn't mention that Gateway B was also part of the Remote Access Community, I went with the way I suggested, where you centralise the Remote Access Entry Point and then communicate across the Site to Site VPNs to the other offices. You only have 1 Gateway in the Remote Access Community with my solution, so it isn't an issue.

    What you need to determine is what you want your Remote Access Solution to do:

    1) Centralise Access via Gateway A and then across the Site to Site VPN
    2) Secondary Connect where Access Network A using Gateway A and Network B using Gateway B
    3) Multiple Entry Point where using Gateway A can access Network A and B, and also use Gateway B to access Network A and Network B.

    Each One requires a different configuration, and you need to be clear which one you require.

    From what Check Point suggested, it sounds like your discussion with them was for Multiple Entry Point, however that isn't what you asked for here.

    Pick which you want and we can help you from there

  6. #6
    Join Date
    2014-10-27
    Posts
    150
    Rep Power
    5

    Default Re: route between Remote Access VPN and lan to lan vpn tunnel - R77 4400

    Hi Bud,

    The client keeps changing requirements :-(

    Hence the change in my post.

    We now want to achieve option 3, which is remote access to either gateway A or gateway B and be able to access both networks A and B.

    Also, do I need to leave hub mode checked, or uncheck it?

    Your help is very very much appreciated.

    Thanks
    Bhav
    Last edited by bhavinjbhatt; 2015-02-05 at 10:10.

  7. #7
    Join Date
    2007-06-04
    Posts
    3,303
    Rep Power
    17

    Default Re: route between Remote Access VPN and lan to lan vpn tunnel - R77 4400

    For Option 3:

    Gateway A - Enc Domain = Office Mode A, Network A
    Gateway B - Enc Domain = Office Mode B, Network B

    Remote Access Enc Domain = Gateway A, Gateway B, Network A and Network B - Set this on both Gateway A and Gateway B

    Enable the trac_client_1.ttm file so that the automatic_mep_topology is set to true.

    You only need to create one site on the Client and will then be able to use the first gateway that responds to access Network A and Network B, or from memory you should be able to select the gateway you want to connect to.

    As an alternative to the implicit MEP, you can use sk75221 to configure it manually to meet the client's specific requirements, ie primary/backup, load sharing etc.
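    The encryption-domain rules from post #5 (members of one Remote Access community must have either identical or fully disjoint Remote Access encryption domains, otherwise policy install reports partial overlap) and from post #3 (a hub gateway must carry its Office Mode pool in the site-to-site encryption domain but keep it out of the Remote Access encryption domain) can be checked mechanically before a policy push. The following Python script is an added example written for this thread; it is not code from the thread, from the poster, or from Check Point, and all prefixes (Network A/B, Office Mode pools, gateway addresses) are constructed sample values, since the thread gives none.

    ```python
    from ipaddress import ip_network, collapse_addresses

    # Constructed sample addressing for the thread's Office A / Office B layout.
    # These are assumed values; the thread does not give real prefixes.
    NETWORK_A = ip_network("10.1.0.0/24")
    NETWORK_B = ip_network("10.2.0.0/24")
    OFFICE_MODE_A = ip_network("172.16.10.0/24")
    OFFICE_MODE_B = ip_network("172.16.20.0/24")
    GW_A = ip_network("203.0.113.1/32")
    GW_B = ip_network("203.0.113.2/32")


    def covered(domain):
        """Collapse an encryption domain (iterable of networks) to its minimal
        address-space set so two differently written domains compare equal."""
        return frozenset(collapse_addresses(domain))


    def overlapping(dom1, dom2):
        """Networks of dom1 that overlap at least one network of dom2."""
        return sorted({n1 for n1 in dom1 for n2 in dom2 if n1.overlaps(n2)})


    def classify_overlap(dom1, dom2):
        """'full' if both domains cover the same address space, 'none' if they are
        disjoint, otherwise 'partial' (the case post #5 says policy install rejects)."""
        if covered(dom1) == covered(dom2):
            return "full"
        if not overlapping(dom1, dom2):
            return "none"
        return "partial"


    def check_ra_community(ra_domains):
        """ra_domains maps gateway name -> Remote Access encryption domain.
        Returns (gw1, gw2, overlapping networks) for every pair whose domains
        partially overlap, i.e. every pair that would trip the
        'partial overlapping encryption domains' error quoted in post #4."""
        findings = []
        names = sorted(ra_domains)
        for i, g1 in enumerate(names):
            for g2 in names[i + 1:]:
                if classify_overlap(ra_domains[g1], ra_domains[g2]) == "partial":
                    findings.append((g1, g2, overlapping(ra_domains[g1], ra_domains[g2])))
        return findings


    def check_hub_gateway(s2s_domain, ra_domain, office_mode):
        """Post #3 rules for a Hub Mode gateway that terminates Remote Access and
        forwards it over site-to-site VPN: the Office Mode pool must sit in the
        site-to-site encryption domain (so the peer encrypts return traffic back
        to the hub) and must NOT sit in the Remote Access encryption domain."""
        problems = []
        if not any(office_mode.subnet_of(n) for n in s2s_domain):
            problems.append("office mode network missing from site-to-site encryption domain")
        if any(office_mode.overlaps(n) for n in ra_domain):
            problems.append("office mode network must not be in the Remote Access encryption domain")
        return problems


    # Post #4 situation: Gateway A has an explicit RA domain {A, B}; Gateway B has
    # no explicit RA domain, so its VPN domain {B} is exported. Partial overlap on B.
    POST4_RA = {"Gateway A": [NETWORK_A, NETWORK_B], "Gateway B": [NETWORK_B]}

    # Option 3 from post #7: the same RA domain on both gateways -> full overlap.
    OPTION3_RA = {
        "Gateway A": [GW_A, GW_B, NETWORK_A, NETWORK_B],
        "Gateway B": [GW_A, GW_B, NETWORK_A, NETWORK_B],
    }

    if __name__ == "__main__":
        for label, ra in (("post #4", POST4_RA), ("option 3", OPTION3_RA)):
            print(label, check_ra_community(ra) or "no partial overlap")
        # Centralised (post #3) hub: Office Mode A in the S2S domain, not in the RA domain.
        print("hub A", check_hub_gateway([OFFICE_MODE_A, NETWORK_A],
                                         [NETWORK_A, NETWORK_B], OFFICE_MODE_A) or "ok")
    ```

    Running it reports the post #4 pair as partially overlapping on Network B and the option 3 pair as clean, which matches the behaviour described in the thread: identical Remote Access domains on every community member avoid the MEP error, while mixing an explicit domain on one gateway with an implicit one on another produces it.
    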

  8. #8
    Join Date
    2014-10-27
    Posts
    150
    Rep Power
    5

    Default Re: route between Remote Access VPN and lan to lan vpn tunnel - R77 4400

    Quote Originally Posted by mcnallym View Post
    For Option 3:

    Gateway A - Enc Domain = Office Mode A, Network A
    Gateway B - Enc Domain = Office Mode B, Network B

    Remote Access Enc Domain = Gateway A, Gateway B, Network A and Network B - Set this on both Gateway A and Gateway B

    Enable the trac_client_1.ttm file so that the automatic_mep_topology is set to true.

    You only need to create one site on the Client and will then be able to use the first gateway that responds to access Network A and Network B, or from memory you should be able to select the gateway you want to connect to.

    As an alternative to the implicit MEP, you can use sk75221 to configure it manually to meet the client's specific requirements, ie primary/backup, load sharing etc.
    Hi Mcnallym,

    Thanks for that, I have just come to the forum after the last post.

    In the meantime, the whole scenario has been changed by the client. I will shed light on the scenario, and what I have configured to get the requirement working.

    Three gateways in mesh vpn community.

    Gateway A - with network A behind it
    Gateway B - with network B behind it
    Gateway C - with network C behind it

    Different endpoint security clients will connect to any of the gateways, based on their location, and should be able to access networks A, B and C all the time.

    Here is how I have got it working.

    The remote access encryption domain on all three gateways contains networks A, B and C.

    The VPN Encryption domains on the gateways are as follows.

    Gateway A - Enc Domain Network A
    Gateway B - Enc Domain Network B
    Gateway C - Enc Domain Network C

    On all the firewall objects, hub mode is disabled and sk78180 was followed.

    I am not sure whether this is a correct implementation, but now I don't get MEP errors during policy push, and everything seems to be working as the client wants it to.


    Thanks
    Bhav
    Last edited by bhavinjbhatt; 2015-02-05 at 18:29.

  9. #9
    Join Date
    2014-10-27
    Posts
    150
    Rep Power
    5

    Default Re: route between Remote Access VPN and lan to lan vpn tunnel - R77 4400

    Hello experts, after implementing the above mentioned scenario, I am having an issue where the client keeps disconnecting every 5-10 minutes. Any idea why this could be happening and how I can stop that?

    Thanks
    Bhav

  10. #10
    Join Date
    2007-06-04
    Posts
    3,303
    Rep Power
    17

    Default Re: route between Remote Access VPN and lan to lan vpn tunnel - R77 4400

    You have disabled MEP following the sk78180 article (sk78180, Disabling MEP for Endpoint VPN Client), so of course you won't get MEP errors when installing policy.

    You have disabled Hub Mode, so you won't be able to route through the gateways to get to the other Networks across the Site to Site VPNs. You have removed the Office Mode from the Gateways Enc Domain so even if you could route through then the traffic wouldn't route back.

    As such, why would Gateway A have Network B and Network C in its remote access enc domain, as you cannot get to those networks based on your configuration and the information supplied?

    I don't see how you can say that your configuration is doing what the customer asked for, unless you are leaving out other information.

    Are you not looking to use the Site to Site VPNs anymore to get between the Offices for the Remote Access (you disabled Hub Mode)? If not, then how is the traffic to get from Gateway A to Network B and C? Is there some internal Network connection?

    Based upon your customer's latest requirements, which are the same as before but simply add a 3rd site and Network, you can extend my 2 site solution just to include a 3rd site, unless there is now internal Network connectivity between the offices that doesn't route through the Firewalls.
