CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Can't Access Local VMs when on VPN

  1. #1

    When I am on VPN on my laptop, I can't access my local VM on my PC; that's because the VPN is set for Full Tunnel.

    I don't want to configure split tunnel on the security gateway. I was wondering how I can exclude my subnet from the full tunnel setup. Are there any options?
    Last edited by jessica; 2018-05-10 at 16:40.

  2. #2

    Quote: Originally Posted by jessica
    When I am on VPN on my laptop, I can't access my local VM on my PC; that's because the VPN is set for Full Tunnel.

    I don't want to configure split tunnel on the security gateway. I was wondering how I can exclude my subnet from the full tunnel setup. Are there any options?

    I tried to search on the forum but couldn't find anyone with a similar scenario, and can't find anything in the Check Point support documentation.

  3. #3

    Jessica,

    You are using what they call Hub mode, so looking for that on the knowledgebase I found sk121766 for you:
    In Endpoint Security VPN Client E80.70 or higher, it is possible to exclude local networks from the Hub Mode.
    Find the following line in the $FWDIR/conf/trac_client_1.ttm file on the CMA: exclude_local_networks_in_hub_mode and update the value to true.
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.

  4. #4

    Quote: Originally Posted by msjouw
    Jessica,

    You are using what they call Hub mode, so looking for that on the knowledgebase I found sk121766 for you:
    In Endpoint Security VPN Client E80.70 or higher, it is possible to exclude local networks from the Hub Mode.
    Find the following line in the $FWDIR/conf/trac_client_1.ttm file on the CMA: exclude_local_networks_in_hub_mode and update the value to true.

    Thanks Maarten

    I am getting that this needs to be done on the Security Gateway, not on the client machine (my laptop), right? And if we have to do this on the SG (FW), will this open up a split tunnel for all the other users or just me?

  5. #5

    All settings that you do to trac_client_1.ttm on the gateway will be applied to all clients. There are some options that you can set to Client_Decide, but I don't know if this holds true for this one.

    The file will be collected from the gateway on a regular basis. In some cases you want this file distributed from the CMA to all gateways (when you use multiple gateways with secondary connect) and there is an SK to force that as well.
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.

  6. #6

    Quote: Originally Posted by msjouw
    All settings that you do to trac_client_1.ttm on the gateway will be applied to all clients. There are some options that you can set to Client_Decide, but I don't know if this holds true for this one.

    The file will be collected from the gateway on a regular basis. In some cases you want this file distributed from the CMA to all gateways (when you use multiple gateways with secondary connect) and there is an SK to force that as well.

    Thanks, do you have an option to exclude a certain subnet only from the VPN and have everything else full tunnel?

  7. #7

    Not to my knowledge.
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.

  8. #8

    The reason you use hub mode might be relevant. Do you only want to force clients' Internet traffic through your central firewalls, or do you also want to prevent clients from talking to local printers, for example?

    If all you care about is Internet access, you can always turn off hub mode and throw the whole public IP space into your remote access encryption domain. This is a little unwieldy, but you shouldn't need to mess with it often. You then include exact private networks you want to be covered, and all other private networks don't go through the tunnel.
    Zimmie
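
The encryption-domain layout described in the post above, as an added example that is not part of the original post: it generates the CIDR blocks covering all IPv4 space outside the RFC 1918 private ranges, adds back the exact private networks that should be tunnelled, and checks where a destination would go. The corporate network 10.20.0.0/16 and the local VM subnet 192.168.56.0/24 are constructed values, and the helper names are hypothetical.

```python
import ipaddress

# RFC 1918 private ranges, left out of the tunnel unless explicitly added back.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def subtract(space, holes):
    """Return the CIDR blocks of `space` that lie outside every network in `holes`."""
    remaining = [space]
    for hole in holes:
        kept = []
        for net in remaining:
            if hole.subnet_of(net):
                # Split `net` around the hole; yields nothing when they are equal.
                kept.extend(net.address_exclude(hole))
            elif not net.subnet_of(hole):
                kept.append(net)  # disjoint from the hole, keep as-is
        remaining = kept
    return sorted(remaining)

def encryption_domain(corporate_private):
    """Public IPv4 space plus the exact private networks that must be tunnelled."""
    public = subtract(ipaddress.ip_network("0.0.0.0/0"), RFC1918)
    corporate = [ipaddress.ip_network(n) for n in corporate_private]
    return list(ipaddress.collapse_addresses(public + corporate))

def is_tunnelled(dest, domain):
    """True if `dest` falls inside the encryption domain (goes through the VPN)."""
    addr = ipaddress.ip_address(dest)
    return any(addr in net for net in domain)

if __name__ == "__main__":
    domain = encryption_domain(["10.20.0.0/16"])   # constructed corporate network
    for net in domain:
        print(net)
    # Constructed destinations: Internet host, corporate host, local VM.
    for dest in ("8.8.8.8", "10.20.5.9", "192.168.56.10"):
        print(dest, "tunnel" if is_tunnelled(dest, domain) else "local")
```

The printed list is what would be entered as network objects in the remote access encryption domain; any RFC 1918 destination not added back stays off the tunnel.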

  9. #9

    Quote: Originally Posted by Bob_Zimmerman
    The reason you use hub mode might be relevant. Do you only want to force clients' Internet traffic through your central firewalls, or do you also want to prevent clients from talking to local printers, for example?

    If all you care about is Internet access, you can always turn off hub mode and throw the whole public IP space into your remote access encryption domain. This is a little unwieldy, but you shouldn't need to mess with it often. You then include exact private networks you want to be covered, and all other private networks don't go through the tunnel.

    Thanks Zimmerman.

    We want all client Internet traffic to go through central firewalls, but the client should be able to access their local VM on their local machine.

    I don't know if sk121766 will work in this case?

  10. #10

    Hiya

    I have done everything as per sk121766.

    But still, when I try to access the local network, the traffic seems to be going to the security gateway.

    I don't know how I can change this behaviour and access my local VMs on my VMware Workstation when I am connected to VPN.

    Any suggestions would be greatly appreciated. I am preparing for my Check Point exam and need to access my EVE-NG VM, which I use for my Check Point lab, but because of this silly Check Point VPN client I am not able to access it on VPN.

  11. #11

    Have you tried to create a local static route? That should override the client behavior.
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.

  12. #12

    Quote: Originally Posted by msjouw
    Have you tried to create a local static route? That should override the client behavior.

    Thanks, I will try to get the static route added.

    But I thought following sk121766 should have done the work and didn't require the static route on the host PC.

    Is there any other option, other than sk121766, to exclude the local subnet from going through security gateways which are configured for Hub mode?
    Last edited by jessica; 2018-05-23 at 03:30.
