CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Simultaneous SSLVPN & IPSEC VPN

  1. #1
    Join Date
    2018-05-13
    Posts
    7
    Rep Power
    0

    Simultaneous SSLVPN & IPSEC VPN

    Hello,

    On our Check Point we have set up a site2site VPN with a remote site which uses a Cisco router (interoperable device).
    Is it possible for the employees of the remote site to have simultaneous SSLVPN access as well?
    I am asking because, whenever an IPSEC session is established between Check Point and Cisco, an employee cannot access https://external_checkpoint_ip/sslvpn.

    Regards.

  2. #2
    Join Date
    2007-06-04
    Posts
    3,278
    Rep Power
    16

    Re: Simultaneous SSLVPN & IPSEC VPN

    Short answer is that if a Check Point has a Site to Site VPN with an IP then it cannot establish a Remote Access from it.

    Basic idea is that if you have a Site to Site then why not just use that.

    The fix is to hide traffic leaving the Cisco behind a second IP so that the SSL VPN is seen coming from a different IP address.

  3. #3
    Join Date
    2006-09-26
    Posts
    3,171
    Rep Power
    16

    Re: Simultaneous SSLVPN & IPSEC VPN

    Originally posted by mcnallym:
        Short answer is that if a Check Point has a Site to Site VPN with an IP then it cannot establish a Remote Access from it.

        Basic idea is that if you have a Site to Site then why not just use that.

        The fix is to hide traffic leaving the Cisco behind a second IP so that the SSL VPN is seen coming from a different IP address.

    The answer is yes IF you set up the site-to-site VPN in "traditional mode" instead of "simplified mode" (aka VPN community). In traditional mode, Check Point does not see the Cisco VPN peer as part of the encryption domain. Haven't used CP VPN in a while so I am not sure if "traditional mode" is even available in R77.30 or R80.x.

  4. #4
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,488
    Rep Power
    16

    Re: Simultaneous SSLVPN & IPSEC VPN

    Originally posted by cciesec2006:
        Haven't used CP VPN in a while so I am not sure if "traditional mode" is even available in R77.30 or R80.x

    Simplified Mode was introduced in NG FP3 and has been the recommended configuration since then.
    Traditional Mode is formally deprecated in R80.x.

    http://phoneboy.org
    Unless otherwise noted, views expressed are my own
