jonnyIT
asked on
How does Checkpoint SecuRemote know which traffic to send down the VPN?
Moving from a perfectly-functioning Cisco VPN on which DNS and everything 'just worked' we are now trying to remotely connect to the office via a Checkpoint Edge UTM and SecuRemote-based solution.
There are some instances where we'd like traffic to go down the VPN when it seems to just look out to the internet instead. How does Checkpoint work out what traffic goes down the VPN tunnel and what is dealt with as normal non-VPN traffic? We can get it to force everything down the VPN but this causes other problems.
Any ideas Experts?
Cheers,
Jonny
ASKER
Ah ok. Is that something that should be configurable on our Checkpoint UTM-1 Edge device, or on the main Checkpoint servers at our parent company?
Regards,
Jonny
Jonny,
Yes, this is configured in SmartDashboard on the firewall object -> Topology -> VPN Domain.
Lars
ASKER
Just to clarify: We can't configure this on our device and we have to ask our parent company?
Is the Edge device also configured by the parent company?
ASKER
I can log into the my.firewall interface and there is a Topology view in Reports/Tunnels/VPN Topology but I can't see where to change the settings though. We have control over NAT and routing rules etc and have created the VPN settings to allow remote computers to connect in, but the box is also connected via a site-to-site VPN at our parent company, so I don't know what power they hold over us!
Cheers for the comments so far,
Jonny
Jonny,
Go to VPN / VPN Sites and edit your vpn site config. It will start a wizard that will have your current settings. After a few steps you will come to "VPN Network Configuration" where you can specify manually what networks you want to push through the vpn instead of loading this config automatically.
Lars
Attachments: vpn-site-wizard.jpg, sbox-vpn-topology.jpg
ASKER
This doesn't seem to be the right way round. It seems like these settings are for configuring the Checkpoint Edge device to connect to another network whereas I want to configure the VPN server settings so that I affect what happens when people connect remotely to our Edge device using the SecuRemote software client.
Ok, I guess I misunderstood your question a bit then.
It's not the site-to-site VPN that is the problem, but the client VPN where people use SecuRemote to connect to your Edge box.
By default, the standard topology provided by the Edge device would be all of its internal networks, and I'm not sure if you can change this on the Edge boxes.
Lars
ASKER
In this case, is there a way I can manually edit the userc.C file so that traffic to the 192.168.66.x network goes down the tunnel?
Cheers,
Jonny
ASKER CERTIFIED SOLUTION
ASKER
Just for information's sake then, would I add a section like the code below into the topology section?
:topology (
	: (
		:name (##.44.##.##.##.44.##.##)
		:type (network)
		:ipaddr (192.168.66.0)
		:ipmask (255.255.255.0)
	)
)
In the directory where you've installed SecuRemote there is a file database\userc.C
This is a text file where all the VPN settings are defined. For your VPN there is a field called "topology" that describes for which networks it should send the traffic down the VPN pipe when the VPN is active.
These topology definitions are normally retrieved automatically from the gateway when you first set up the VPN.
Lars
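The two posts above (the asker's proposed :topology snippet and Lars's explanation of the "topology" field in database\userc.C) describe the same mechanism: the client keeps a list of networks (the encryption domain) and a destination goes down the tunnel only if it falls inside one of them. The following is an added example, not Check Point's code and not from this thread: a small parser for the parenthesised userc.C-style format shown above, which extracts the topology networks and answers "would this destination be tunnelled?" The sample text, the gateway name example-edge-gw and the 10.10.0.0/16 entry are constructed for the example.

```python
import ipaddress
import re

# Constructed sample in the userc.C style seen in the thread; gateway name
# and the 10.10.0.0 network are made up for the example.
SAMPLE_USERC = """
(
  :gws (
    : (
      :name (example-edge-gw)
      :ipaddr (203.0.113.10)
      :topology (
        : (
          :name (office-lan)
          :type (network)
          :ipaddr (192.168.66.0)
          :ipmask (255.255.255.0)
        )
        : (
          :name (servers)
          :type (network)
          :ipaddr (10.10.0.0)
          :ipmask (255.255.0.0)
        )
      )
    )
  )
)
"""

# Tokens: '(' , ')' , a ':key' (possibly a bare ':' for anonymous entries), or a value word.
TOKEN_RE = re.compile(r"\(|\)|:[A-Za-z0-9_]*|[^\s()]+")


def tokenize(text):
    return TOKEN_RE.findall(text)


def parse(tokens, pos=0):
    """Parse one '( ... )' group starting at tokens[pos].

    Returns (items, next_pos); items is a list of (key, value) pairs where
    value is a string for a leaf such as ':ipaddr (192.168.66.0)' and a
    nested item list for a group such as ':topology ( ... )'.
    """
    if tokens[pos] != "(":
        raise ValueError(f"expected '(' at token {pos}, got {tokens[pos]!r}")
    pos += 1
    items = []
    while tokens[pos] != ")":
        key = tokens[pos]
        if not key.startswith(":"):
            raise ValueError(f"expected ':key' at token {pos}, got {key!r}")
        key = key[1:]  # '' for an anonymous ': (' entry
        pos += 1
        if tokens[pos] != "(":
            raise ValueError(f"expected '(' after key {key!r}")
        if tokens[pos + 1].startswith(":"):
            # nested group: the value itself is a list of ':key (...)' items
            value, pos = parse(tokens, pos)
        else:
            # leaf: collect value words up to the closing ')'
            pos += 1
            parts = []
            while tokens[pos] != ")":
                parts.append(tokens[pos])
                pos += 1
            value = " ".join(parts)
            pos += 1
        items.append((key, value))
    return items, pos + 1


def encryption_domain(tree):
    """Collect every ':type (network)' entry found under any ':topology' group."""
    nets = []

    def walk(items):
        for key, value in items:
            if key == "topology" and isinstance(value, list):
                for _, entry in value:
                    fields = dict(entry) if isinstance(entry, list) else {}
                    if fields.get("type") == "network":
                        # ip_network accepts the dotted-netmask form used in the file
                        nets.append(ipaddress.ip_network(f"{fields['ipaddr']}/{fields['ipmask']}"))
            elif isinstance(value, list):
                walk(value)

    walk(tree)
    return nets


def goes_down_tunnel(destination, domain):
    """True if the destination address lies inside any network of the encryption domain."""
    addr = ipaddress.ip_address(destination)
    return any(addr in net for net in domain)


def load_domain(text=SAMPLE_USERC):
    tree, _ = parse(tokenize(text))
    return encryption_domain(tree)


if __name__ == "__main__":
    domain = load_domain()
    for dest in ("192.168.66.25", "10.10.3.4", "8.8.8.8", "192.168.67.1"):
        print(dest, "-> VPN" if goes_down_tunnel(dest, domain) else "-> clear")
```

Pointing load_domain() at a real database\userc.C shows exactly which networks the client currently believes belong to the gateway, which is the first thing to check when traffic that should be tunnelled is going out to the internet instead: if 192.168.66.0/255.255.255.0 is not in the list, the client has no reason to send it down the VPN. Because the thread says the topology is refreshed from the gateway, the lasting fix is the VPN Domain on the gateway object rather than a hand edit that a later topology update could replace.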