Solved

How does Checkpoint SecuRemote know which traffic to send down the VPN?

Posted on 2008-06-09
12
1,023 Views
Last Modified: 2013-11-16
Moving from a perfectly-functioning Cisco VPN on which DNS and everything 'just worked' we are now trying to remotely connect to the office via a Checkpoint Edge UTM and SecuRemote-based solution.
There are some instances where we'd like traffic to go down the VPN when it seems to just look out to the internet instead. How does Checkpoint work out what traffic goes down the VPN tunnel and what is dealt with as normal non-VPN traffic? We can get it to force everything down the VPN but this causes other problems.

Any ideas Experts?
Cheers,
Jonny
0
Question by:jonnyIT
12 Comments
 
LVL 18

Expert Comment

by:larstr
Jonny,
In the directory where you've installed SecuRemote there is a file database\userc.C

This is a text file where all the vpn settings are defined. For your vpn there is a field called "topology" that describes for what networks it should send the traffic down the vpn pipe when the vpn is active.

These topology definitions are normally retrieved automatically from the gateway when you first setup the vpn.

Lars
0
 

Author Comment

by:jonnyIT
Ah, OK. Is that something that should be configurable on our Checkpoint UTM-1 Edge device, or on the main Checkpoint servers at our parent company?
Regards,
Jonny
0
 
LVL 18

Expert Comment

by:larstr
Jonny,
Yes, this is configured in SmartDashboard on the firewall object -> Topology -> VPN Domain.

Lars
0
 

Author Comment

by:jonnyIT
Just to clarify: We can't configure this on our device and we have to ask our parent company?
0
 
LVL 18

Expert Comment

by:larstr
Is the Edge device also configured by the parent company?
0
 

Author Comment

by:jonnyIT
I can log into the my.firewall interface and there is a Topology view in Reports/Tunnels/VPN Topology, but I can't see where to change the settings. We have control over NAT and routing rules etc. and have created the VPN settings to allow remote computers to connect in, but the box is also connected via a site-to-site VPN at our parent company, so I don't know what power they hold over us!
Cheers for the comments so far,
Jonny
0
 
LVL 18

Expert Comment

by:larstr
Jonny,
Go to VPN / VPN Sites and edit your vpn site config. It will start a wizard that will have your current settings. After a few steps you will come to "VPN Network Configuration" where you can specify manually what networks you want to push through the vpn instead of loading this config automatically.

Lars
vpn-site-wizard.jpg
sbox-vpn-topology.jpg
0
 

Author Comment

by:jonnyIT
This doesn't seem to be the right way round. It seems like these settings are for configuring the Checkpoint Edge device to connect to another network whereas I want to configure the VPN server settings so that I affect what happens when people connect remotely to our Edge device using the SecuRemote software client.
0
 
LVL 18

Expert Comment

by:larstr
OK, I guess I misunderstood your question a bit then.

It's not the site-to-site vpn that is the problem, but the client vpn where people use SecuRemote to connect to your Edge box.

By default, the standard topology provided by the Edge device would be all of its internal networks, and I'm not sure if you can change this on the Edge boxes.

Lars
0
 

Author Comment

by:jonnyIT
In this case, is there a way I can manually edit the userc.C file so that traffic to the 192.168.66.x network goes down the tunnel?
Cheers,
Jonny
0
 
LVL 18

Accepted Solution

by: larstr earned 250 total points
Jonny,
Editing userc.C will probably work, but I'm not sure if it's a permanent fix to the problem. In the full Check Point firewall there is a setting for automatic topology updates. This setting is AFAIK not present in the SofaWare line of products, but if it's enabled it will overwrite your changes to the userc.C file.

I guess you just have to test this and see how it turns out.

Lars
0
 

Author Comment

by:jonnyIT
Just for information's sake then, would I add a section like the code below into the topology section?
:topology (
	: (
		:name (##.44.##.##.##.44.##.##)
		:type (network)
		:ipaddr (192.168.66.0)
		:ipmask (255.255.255.0)
	)
)

0
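The thread's answer to the original question is that SecuRemote compares each destination address against the networks listed under :topology in userc.C (the encryption domain pushed by the gateway) and only tunnels traffic that falls inside one of them; anything else, such as Jonny's 192.168.66.x hosts before they were added, goes out to the internet in the clear. The following added example is not Check Point's code and not part of the thread: it is a small Python reader for the nested ":key (value)" notation quoted in the last comment, a split-tunnel decision function over the parsed networks, and a helper that emits a network entry in the same notation so the effect of adding one can be checked before touching the real file. The sample userc.C fragment, the object names and the addresses other than 192.168.66.0/24 are constructed for the example; the parser only looks at :ipaddr and :ipmask and ignores the many other fields a real file carries.

```python
import ipaddress
import re

# Constructed sample in the userc.C ":key (value)" notation quoted in the thread.
# Names and addresses are made up for this example; a real file carries many more fields.
SAMPLE_USERC = """
:topology (
    : (
        :name (office-lan)
        :type (network)
        :ipaddr (192.168.66.0)
        :ipmask (255.255.255.0)
    )
    : (
        :name (mgmt-host)
        :type (host)
        :ipaddr (10.1.2.3)
    )
)
"""

# Tokens: parentheses, ":key" labels (":" alone for anonymous entries), and bare values.
TOKEN_RE = re.compile(r"\(|\)|:[\w.-]*|[^\s()]+")


def parse_block(tokens, i):
    """Parse the parenthesised block starting at tokens[i] == '('.

    Returns (value, next_index). A block of ":key (...)" items becomes a list of
    (key, value) pairs; a block holding one bare token becomes that string; an
    empty block becomes None.
    """
    assert tokens[i] == "(", "expected '(' at token %d" % i
    i += 1
    items, scalar = [], None
    while tokens[i] != ")":
        tok = tokens[i]
        if tok.startswith(":"):
            key = tok[1:]  # empty string for the anonymous ": (" entries
            value, i = parse_block(tokens, i + 1)
            items.append((key, value))
        else:
            scalar, i = tok, i + 1
    return (items if items else scalar), i + 1


def parse_userc(text):
    """Parse a whole userc.C-style document into top-level (key, value) pairs."""
    tokens = TOKEN_RE.findall(text)
    items, i = [], 0
    while i < len(tokens):
        key = tokens[i][1:]
        value, i = parse_block(tokens, i + 1)
        items.append((key, value))
    return items


def encryption_domain(items):
    """Collect the networks declared under :topology as ip_network objects.

    Entries without :ipmask (type host) are treated as single addresses.
    """
    nets = []
    for key, value in items:
        if key != "topology" or not isinstance(value, list):
            continue
        for _, entry in value:
            fields = dict(entry) if isinstance(entry, list) else {}
            addr = fields.get("ipaddr")
            if not isinstance(addr, str):
                continue
            mask = fields.get("ipmask", "255.255.255.255")
            nets.append(ipaddress.ip_network("%s/%s" % (addr, mask), strict=False))
    return nets


def goes_through_vpn(destination, nets):
    """Split-tunnel decision: tunnel only destinations inside the encryption domain."""
    ip = ipaddress.ip_address(destination)
    return any(ip in net for net in nets)


def classify(text, destinations):
    """Map each destination to True (tunnelled) or False (sent directly to the internet)."""
    nets = encryption_domain(parse_userc(text))
    return {d: goes_through_vpn(d, nets) for d in destinations}


def render_network_entry(name, ipaddr, ipmask):
    """Emit a network entry in the same notation as the thread's last comment."""
    return (
        "\t: (\n"
        "\t\t:name (%s)\n"
        "\t\t:type (network)\n"
        "\t\t:ipaddr (%s)\n"
        "\t\t:ipmask (%s)\n"
        "\t)\n" % (name, ipaddr, ipmask)
    )


if __name__ == "__main__":
    for dst, tunnelled in classify(SAMPLE_USERC, ["192.168.66.10", "10.1.2.3", "8.8.8.8"]).items():
        print("%-15s -> %s" % (dst, "VPN" if tunnelled else "direct"))
```

Run against a copy of the real userc.C, this shows at a glance which destinations the client will tunnel; as larstr notes, a gateway with automatic topology updates enabled will overwrite hand edits, so re-checking the parsed domain after the next connection is the way to confirm whether a manual entry survived.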
