• Status: Solved

Check Point VPN Problem

Hi
In our company we have Check Point NG FP2 with VPN.
When someone tries to connect from outside, everything is OK.
Our internal LAN has a few subnets (192.168.0.*, 192.168.1.*, 192.168.2.*, 192.168.254.*).

The problem is: when someone on business travel tries to connect from the hotel, the hotel LAN address is usually 192.168.0.* or 192.168.1.*, and in this case it is not possible to connect to the VPN (usually the Check Point SecuRemote hangs).

Thanks for any help
Idan
Asked: idana2

foad Commented:
Check Point is operating as it's supposed to. When the remote user tries to connect with the same LAN IP as your LAN, it treats it as a spoof attempt to hack your network. I'll see if I can find a workaround from Check Point for you...

foad Commented:
Here is what I found so far...

Product: SecureClient
Version: NG AI
Last Modified: 01-Feb-2006

 Symptoms
 
 Failure to connect with SecureClient to a Security Gateway, when on a network with a private IP range that is also in the VPN Domain
 
Cause
 
The SecureClient is located at a remote site, which uses the same IP address range as the internal interface of the Gateway to which the client wishes to connect. The dynamic-resolution feature of SecureClient sees the "closest possible interface" of the remote Gateway as the private IP range address, because the client sees that network as local to the client.
 
Solution
 
The suggested and (in most cases) only solution is to use Office Mode. The suggested solution is only helpful when the statically determined Gateway IP address belongs to the remote client's local LAN.

Configure the Gateway to use "Dynamic interface resolving":

In SmartDashboard:
Open Policy > Global Properties > Remote Access.
Select "VPN Advanced", and change the setting for the resolving mechanism from Static to Dynamic.
Edit all firewalled objects, and select VPN > VPN Advanced.
Click "Dynamic interface resolving configuration", and enable option "Enable dynamic resolution for SecuRemote/SecureClient".

Install the Security Policy. SecureClient users must update the site to get the new information.

At this point, the clients will resolve the interface with an RDP mechanism, before connecting or choosing the address of the interface to which they wish to connect. This occurs by sending an RDP packet to determine if the address is reachable.  
 
Applies To:

VPN-1/FireWall-1 NG with Application Intelligence R55
VPN-1 SecureClient NG with Application Intelligence R56
Dynamic interface resolving
VPN Domain
Hotel IP address

It's tricky, so do a backup beforehand, just in case...
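
The address collision described in the "Cause" section above can be checked before a trip or during a support call. The following is an added example, not part of the original thread and not Check Point code: it takes the VPN domain subnets from the question, a list of gateway interface addresses, and the client's local address, and reports which VPN domain subnets the client would treat as directly attached and which gateway interfaces would look "closest". The gateway addresses (`203.0.113.10`, `192.168.1.1`) and the client addresses are constructed for illustration.

```python
import ipaddress

def to_net(spec):
    """Accept the question's '192.168.0.*' wildcard notation or plain CIDR."""
    if spec.endswith(".*"):
        spec = spec[:-2] + ".0/24"
    return ipaddress.ip_network(spec, strict=False)

def diagnose(vpn_domain, gateway_ips, client_iface):
    """Report how the client's local LAN collides with the VPN domain.

    vpn_domain   -- subnets behind the gateway (wildcard or CIDR strings)
    gateway_ips  -- addresses of the gateway's interfaces
    client_iface -- client's address with prefix, e.g. '192.168.1.57/24'
    """
    local = ipaddress.ip_interface(client_iface).network
    # VPN domain subnets the client routes locally instead of into the tunnel.
    shadowed = [str(n) for n in map(to_net, vpn_domain) if n.overlaps(local)]
    # Gateway interfaces that fall inside the client's own LAN and therefore
    # appear to be the "closest possible interface" to the client.
    looks_local = [ip for ip in gateway_ips
                   if ipaddress.ip_address(ip) in local]
    return {
        "client_lan": str(local),
        "shadowed_domain": shadowed,
        "gateway_ips_seen_as_local": looks_local,
    }

# VPN domain as listed in the question.
VPN_DOMAIN = ["192.168.0.*", "192.168.1.*", "192.168.2.*", "192.168.254.*"]
# Constructed gateway interfaces: one external, one internal (assumptions).
GATEWAY_IPS = ["203.0.113.10", "192.168.1.1"]

if __name__ == "__main__":
    # Constructed client addresses: two hotel LANs and one non-colliding LAN.
    for client in ("192.168.1.57/24", "192.168.5.20/16", "10.20.30.40/16"):
        print(client, diagnose(VPN_DOMAIN, GATEWAY_IPS, client))
```

A non-empty `gateway_ips_seen_as_local` is the case the quoted article addresses with dynamic interface resolving; a non-empty `shadowed_domain` with no local-looking gateway address is the case it says calls for Office Mode.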