CPUG: The Check Point User Group


Thread: Can't reach resources via static IPsec over remote VPN

  1. #1

    Can't reach resources via static IPsec over remote VPN

    Hi!

    Please note that this is a locally managed Check Point GW. It is configured and managed via embedded Gaia (WebUI) and not via SmartDashboard!

    I have set up a Check Point 790 with a static IPsec VPN between the GW and a datacenter. It's working fine to access resources "on the other side" when you are at the office.
    But when we connect to the office LAN over remote VPN using the Check Point Endpoint Security VPN software, we get connected and get access to all servers etc. on the office LAN, but we can't reach the stuff on the other side of the IPsec VPN.

    I don't manage the datacenter, but I have told the personnel that they need to allow traffic from the 172.16.10.0/24 network (that's the IP range you are given when you connect with VPN), and they have told me that they have done this.
    But it doesn't work. I have set up rules in the policy to allow the remote VPN to get access through the static IPsec.

    Is there anything I have missed?

    Thanks!

  2. #2

    Re: Can't reach resources via static IPsec over remote VPN

    Does the SMB code allow VPN Routing, as in Pass Traffic between VPN Tunnels?

    I know that on regular gateways you can enable Hub Mode, which allows Remote Access clients to route traffic through the gateway. Is there an equivalent setting on the locally managed SMB appliances?

    You also then end up having the separate encryption domain for Remote Access, without your Office Mode IP network, and the regular encryption domain that does include your Office Mode IP.

    I am not certain that is even possible with the SMB appliances that are locally managed. For centrally managed ones you can do this.

    Someone else with more experience with the SMB boxes may be able to confirm this for you.

  3. #3

    Re: Can't reach resources via static IPsec over remote VPN

    I'm pretty sure it works. You just need to add the Office Mode subnet to the local encryption domain. I'm planning on spinning up a point-to-point VPN later today. I'll report back findings.

  4. #4

    Re: Can't reach resources via static IPsec over remote VPN

    Quote Originally Posted by mcnallym:

        Does the SMB code allow VPN Routing, as in Pass Traffic between VPN Tunnels?

        I know that on regular gateways you can enable Hub Mode, which allows Remote Access clients to route traffic through the gateway. Is there an equivalent setting on the locally managed SMB appliances?

        You also then end up having the separate encryption domain for Remote Access, without your Office Mode IP network, and the regular encryption domain that does include your Office Mode IP.

        I am not certain that is even possible with the SMB appliances that are locally managed. For centrally managed ones you can do this.

        Someone else with more experience with the SMB boxes may be able to confirm this for you.

    Thanks for your answer.

    If I go to Advanced Settings in the Remote Access menu, I can check a box that says "Route internet traffic from connected clients through this gateway", and below that it says "Local encryption domain is defined automatically according to topology".

    If I press the link "Automatically according to topology", I am given the choice of "Automatically determine local network topology" or "Define local network topology manually". I can then either create a new network object or choose one that is already created.

    Is that something that could help me?

    Thanks in advance!

    BR
    Eric

  5. #5

    Re: Can't reach resources via static IPsec over remote VPN

    Quote Originally Posted by jflemingeds:

        I'm pretty sure it works. You just need to add the Office Mode subnet to the local encryption domain. I'm planning on spinning up a point-to-point VPN later today. I'll report back findings.

    Did you manage to test?

    So I should add their LAN subnet to the encryption domain? Not the subnet the Remote VPN client gets or the subnet on the other side of the IPsec tunnel?

    Thanks for your help!

    BR
    Eric

  6. #6

    Re: Can't reach resources via static IPsec over remote VPN

    I found this in the administration guide:

    "To manually configure a local encryption domain for remote access users only:
    The local encryption domains are the internal networks accessible by encrypted traffic from
    remote access VPN users. By default, the local encryption domain is determined automatically by
    the appliance. Networks behind LAN interfaces and trusted wireless networks are part of the local
    encryption domain.
    Optionally, you can manually create a local encryption domain to be used by remote access users
    only instead. It is possible to configure a different manual local encryption domain for VPN remote
    access and VPN site to site. See VPN > Site to Site Blade Control page.
    1. Click on the local encryption domain link: automatically according to topology or manually.
    The link shown is a reflection of what is currently configured.
    2. Select Define local network topology manually.
    3. Click Select to show the full list of available networks and choose the relevant checkboxes.
    4. Click New if the existing list does not contain the networks you need. For information on
    creating a new network object, see the Users & Objects > Network Objects page.
    5. Click Apply.
    The Remote Access Local Encryption Domain window opens and shows the services you
    selected."

    I did add the LAN subnet that is located on the other side of the static IPsec but it did not work.

    It has to be possible to reach the other network over VPN?

    BR
    Eric
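The thread turns on which subnets each side's site-to-site encryption domain covers: a packet sourced from the Office Mode pool only enters the static IPsec tunnel if that pool is part of the local domain, and the datacenter peer must accept the pool as a source. The following added example (not from the thread or from Check Point) models the three configurations discussed above; only the Office Mode pool 172.16.10.0/24 comes from the thread, the other subnets are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology. Only the Office Mode pool 172.16.10.0/24 is
# taken from the thread; the other subnets are assumptions for illustration.
OFFICE_LAN = ip_network("192.168.1.0/24")        # assumed: office LAN behind the 790
OFFICE_MODE_POOL = ip_network("172.16.10.0/24")  # from the thread: remote access pool
DATACENTER_LAN = ip_network("10.50.0.0/16")      # assumed: LAN behind the peer gateway


def in_domain(addr, domain):
    """True if addr falls inside any network of an encryption domain (list of networks)."""
    a = ip_address(addr)
    return any(a in net for net in domain)


def s2s_verdict(src, dst, local_domain, peer_domain, peer_accepts_from):
    """Decide what happens to a packet src->dst that the gateway forwards toward the
    site-to-site tunnel. Both ends must agree: our selector must cover src and dst,
    and the peer's policy must accept src. Returns a short verdict string."""
    if not in_domain(src, local_domain):
        return "not-tunnelled: source not in local S2S encryption domain"
    if not in_domain(dst, peer_domain):
        return "not-tunnelled: destination not in peer encryption domain"
    if not in_domain(src, peer_accepts_from):
        return "dropped-by-peer: datacenter does not accept this source subnet"
    return "ok: traffic traverses the site-to-site tunnel"


def compare_configs(client_ip="172.16.10.5", dc_host="10.50.0.10"):
    """Walk the three local-domain configurations discussed in the thread."""
    peer_domain = [DATACENTER_LAN]
    peer_accepts = [OFFICE_LAN, OFFICE_MODE_POOL]  # datacenter says it allowed the pool
    configs = {
        # automatic topology: only networks behind LAN interfaces form the local domain
        "automatic": [OFFICE_LAN],
        # post #6: adding the datacenter's LAN to the *local* domain
        "plus-datacenter-lan": [OFFICE_LAN, DATACENTER_LAN],
        # post #3: adding the Office Mode pool to the local domain
        "plus-office-mode-pool": [OFFICE_LAN, OFFICE_MODE_POOL],
    }
    return {name: s2s_verdict(client_ip, dc_host, dom, peer_domain, peer_accepts)
            for name, dom in configs.items()}


if __name__ == "__main__":
    for name, verdict in compare_configs().items():
        print(f"{name:>22}: {verdict}")
```

The last call in the test below also shows the mirror-image failure: the pool is in the local domain, but the datacenter never added it, so the peer drops the traffic even though the local gateway encrypts it.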
