Check Point VPN Problem

Hi
We have Check Point NG FP2 with VPN in our company.
When someone tries to connect from outside, everything is OK.
Our internal LAN has a few subnets (192.168.0.*, 192.168.1.*, 192.168.2.*, 192.168.254.*).

The problem is: when someone on business travel tries to connect from a hotel, the hotel LAN address is usually 192.168.0.* or 192.168.1.*, and in this case it is not possible to connect to the VPN (usually the Check Point SecureRemote hangs).

Thanks for any help
Idan
idana2Asked:

foadCommented:
Check Point is operating as it's supposed to. When the remote user tries to connect with the same LAN IP as your LAN, it treats it as a spoof attempt to hack your network. I'll see if I can find a workaround from Check Point for you...

foadCommented:
Here is what I found so far...

Product: SecureClient
Version: NG AI
Last Modified: 01-Feb-2006

Symptoms

Failure to connect with SecureClient to a Security Gateway, when on a network with a private IP range that is also in the VPN Domain
 
Cause
 
The SecureClient is located at a remote site, which uses the same IP address range as the internal interface of the Gateway to which the client wishes to connect. The dynamic-resolution feature of SecureClient sees the "closest possible interface" of the remote Gateway as the private IP range address, because the client sees that network as local to the client.
 
Solution
 
The suggested and (in most cases) only solution is to use Office Mode. The suggested solution is only helpful when the statically determined Gateway IP address belongs to the remote client's local LAN.

Configure the Gateway to use "Dynamic interface resolving":

In SmartDashboard:
Open Policy > Global Properties > Remote Access.
Select "VPN Advanced", and change the setting for the resolving mechanism from Static to Dynamic.
Edit all firewalled objects, and select VPN > VPN Advanced.
Click "Dynamic interface resolving configuration", and enable option "Enable dynamic resolution for SecuRemote/SecureClient".

Install the Security Policy. SecureClient users must update the site to get the new information.

At this point, the clients will resolve the interface with an RDP mechanism, before connecting or choosing the address of the interface to which they wish to connect. This occurs by sending an RDP packet to determine if the address is reachable.  
 
Applies To:

VPN-1/FireWall-1 NG with Application Intelligence R55
VPN-1 SecureClient NG with Application Intelligence R56
Dynamic interface resolving
VPN Domain
Hotel IP address

It's tricky, so do a backup beforehand, just in case...
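
The following is an added example, not part of the original posts or of Check Point's article: a small diagnostic that checks whether a remote client's local LAN overlaps the VPN domain subnets listed in the question, and whether a gateway interface address would look local to that client, which is the condition the quoted article gives as the cause. The `192.168.x.*` ranges are assumed to be /24 networks, and the gateway interface addresses are constructed sample values.

```python
import ipaddress

# Subnets from the question; "192.168.x.*" is assumed to mean a /24.
VPN_DOMAIN = ["192.168.0.0/24", "192.168.1.0/24",
              "192.168.2.0/24", "192.168.254.0/24"]

# Constructed sample gateway interfaces (not from the page).
GATEWAY_INTERFACES = {"internal": "192.168.0.1", "external": "203.0.113.10"}


def check_client_network(client_cidr, vpn_domain=VPN_DOMAIN,
                         gw_ifaces=GATEWAY_INTERFACES):
    """Describe how a remote client's local LAN collides with the VPN setup.

    client_cidr may be a host address with prefix, e.g. "192.168.1.37/24".
    """
    client_net = ipaddress.ip_network(client_cidr, strict=False)

    # VPN-domain subnets the client already believes are on its own LAN.
    overlapping = [s for s in vpn_domain
                   if ipaddress.ip_network(s).overlaps(client_net)]

    # Gateway interfaces whose address falls inside the client's LAN: the
    # client would try to reach these directly on the hotel network.
    on_link = sorted(name for name, addr in gw_ifaces.items()
                     if ipaddress.ip_address(addr) in client_net)
    routed = sorted(name for name in gw_ifaces if name not in on_link)

    return {
        "client_network": str(client_net),
        "overlapping_subnets": overlapping,
        "on_link_gateway_ifaces": on_link,
        "routed_gateway_ifaces": routed,
        "conflict": bool(overlapping or on_link),
    }


if __name__ == "__main__":
    # Constructed client addresses: two hotel LANs and one non-overlapping LAN.
    for cidr in ("192.168.0.55/24", "192.168.1.37/24", "10.20.30.40/24"):
        r = check_client_network(cidr)
        print(f"{r['client_network']}: conflict={r['conflict']}, "
              f"overlaps={r['overlapping_subnets']}, "
              f"gateway seen as local={r['on_link_gateway_ifaces']}")
```
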
 
