Check Point VPN Problem

Hi
We have Check Point NG FP2 with VPN in our company.
When someone tries to connect from outside, everything is OK.
Our internal LAN has a few subnets (192.168.0.*, 192.168.1.*, 192.168.2.*, 192.168.254.*).

The problem is: when someone on business travel tries to connect from a hotel, the hotel LAN address is usually 192.168.0.* or 192.168.1.*, and in this case it is not possible to connect to the VPN (usually the Check Point SecureRemote hangs).

Thanks for any help
Idan
idana2 asked:
foad commented:
Here is what I found so far...

Product: SecureClient
Version: NG AI
Last Modified: 01-Feb-2006

Symptoms

Failure to connect with SecureClient to a Security Gateway, when on a network with a private IP range that is also in the VPN Domain
 
Cause
 
The SecureClient is located at a remote site, which uses the same IP address range as the internal interface of the Gateway to which the client wishes to connect. The dynamic-resolution feature of SecureClient sees the "closest possible interface" of the remote Gateway as the private IP range address, because the client sees that network as local to the client.
 
Solution
 
The suggested and (in most cases) only solution is to use Office Mode. The suggested solution is only helpful when the statically determined Gateway IP address belongs to the remote client's local LAN.

Configure the Gateway to use "Dynamic interface resolving":

In SmartDashboard:
Open Policy > Global Properties > Remote Access.
Select "VPN Advanced", and change the setting for the resolving mechanism from Static to Dynamic.
Edit all firewalled objects, and select VPN > VPN Advanced.
Click "Dynamic interface resolving configuration", and enable option "Enable dynamic resolution for SecuRemote/SecureClient".

Install the Security Policy. SecureClient users must update the site to get the new information.

At this point, the clients will resolve the interface with an RDP mechanism, before connecting or choosing the address of the interface to which they wish to connect. This occurs by sending an RDP packet to determine if the address is reachable.  
 
Applies To:

VPN-1/FireWall-1 NG with Application Intelligence R55
VPN-1 SecureClient NG with Application Intelligence R56
Dynamic interface resolving
VPN Domain
Hotel IP address

It's tricky, so do a backup beforehand, just in case...
 
0
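A way to confirm the condition described under "Cause" before changing any gateway settings, as an added example that is not part of the original thread or of Check Point's tooling: it compares a client's local interface with the VPN domain subnets from the question. The function name, the hotel addresses and the gateway addresses are constructed sample values.

```python
import ipaddress

# VPN domain subnets taken from the question.
VPN_DOMAIN = ["192.168.0.0/24", "192.168.1.0/24",
              "192.168.2.0/24", "192.168.254.0/24"]

# Constructed sample gateway interfaces: one internal, one external
# (203.0.113.0/24 is a documentation range).
GATEWAY_ADDRS = ["192.168.1.1", "203.0.113.10"]


def find_conflicts(client_ifaces, vpn_domain, gateway_addrs):
    """Return (overlaps, on_link) for a remote client.

    client_ifaces: 'address/prefix' strings for the client's local interfaces.
    vpn_domain:    CIDR strings of the networks behind the gateway.
    gateway_addrs: gateway interface addresses the client could resolve.

    overlaps: (local_net, domain_net) pairs that share addresses.
    on_link:  gateway addresses that fall inside a client-local network,
              i.e. the ones the client would treat as local.
    """
    local_nets = [ipaddress.ip_interface(i).network for i in client_ifaces]
    domain = [ipaddress.ip_network(n) for n in vpn_domain]
    overlaps = sorted({(str(l), str(d))
                       for l in local_nets for d in domain if l.overlaps(d)})
    on_link = sorted(a for a in gateway_addrs
                     if any(ipaddress.ip_address(a) in l for l in local_nets))
    return overlaps, on_link


if __name__ == "__main__":
    # Constructed hotel LAN addresses for three different cases.
    for iface in ["192.168.1.57/24", "10.20.30.40/24", "192.168.5.9/16"]:
        overlaps, on_link = find_conflicts([iface], VPN_DOMAIN, GATEWAY_ADDRS)
        status = "CONFLICT" if overlaps else "ok"
        print(f"{iface:18} {status:8} overlaps={len(overlaps)} "
              f"gateway-seen-as-local={on_link}")
```

A hotel network with a wider mask (the `/16` case) collides with every subnet in the domain even though its own address is not in any of them.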
 
foad commented:
Check Point is operating as it's supposed to. When the remote user tries to connect with the same LAN IP as your LAN, it treats it as a spoof attempt to hack your network. I'll see if I can find a workaround from Check Point for you...

0
Question has a verified solution.
