asked on

How does Checkpoint SecuRemote know which traffic to send down the VPN?

Moving from a perfectly-functioning Cisco VPN on which DNS and everything 'just worked' we are now trying to remotely connect to the office via a Checkpoint Edge UTM and SecuRemote-based solution.
There are some instances where we'd like traffic to go down the VPN when it seems to just look out to the internet instead. How does Checkpoint work out what traffic goes down the VPN tunnel and what is dealt with as normal non-VPN traffic? We can get it to force everything down the VPN but this causes other problems.

Any ideas Experts?
Cheers,
Jonny

larstr

Jonny,
In the directory where you've installed SecuRemote there is a file database\userc.C

This is a text file where all the vpn settings are defined. For your vpn there is a field called "topology" that describes for what networks it should send the traffic down the vpn pipe when the vpn is active.

These topology definitions are normally retrieved automatically from the gateway when you first setup the vpn.

Lars

jonnyIT

ASKER

Ah ok. Is that something that should be configurable on our Checkpoint UTM-1 Edge device, or on the main Checkpoint servers at our parent company?
Regards,
Jonny

larstr

Jonny,
Yes, this is configured in SmartDashboard on the firewall object -> Topology -> VPN Domain.

Lars

jonnyIT

ASKER

Just to clarify: We can't configure this on our device and we have to ask our parent company?

larstr

Is the Edge device also configured by the parent company?

jonnyIT

ASKER

I can log into the my.firewall interface and there is a Topology view in Reports/Tunnels/VPN Topology but I can't see where to change the settings though. We have control over NAT and routing rules etc and have created the VPN settings to allow remote computers to connect in, but the box is also connected via a site-to-site VPN at our parent company, so I don't know what power they hold over us!
Cheers for the comments so far,
Jonny

larstr

Jonny,
Go to VPN / VPN Sites and edit your vpn site config. It will start a wizard that will have your current settings. After a few steps you will come to "VPN Network Configuration" where you can specify manually what networks you want to push through the vpn instead of loading this config automatically.

Lars
vpn-site-wizard.jpg
sbox-vpn-topology.jpg

jonnyIT

ASKER

This doesn't seem to be the right way round. It seems like these settings are for configuring the Checkpoint Edge device to connect to another network whereas I want to configure the VPN server settings so that I affect what happens when people connect remotely to our Edge device using the SecuRemote software client.

larstr

ok.. I guess I misunderstood your question a bit then..

It's not the site-to-site vpn that is the problem, but the client vpn where people use SecuRemote to connect to your Edge box.

By default, the standard topology provided by the edge device would be all of it's internal networks, and I'm not sure if you can change this on the Edge boxes.

Lars

jonnyIT

ASKER

In this case, is there a way I can manually edit the usersc.c file so that traffic to the 192.168.66.x network goes down the tunnel?
Cheers,
Jonny

ASKER CERTIFIED SOLUTION

larstr

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

jonnyIT

ASKER

Just for information's sake then, would I add a section like the code below into the topology section?

:topology (
	: (
		:name (##.44.##.##.##.44.##.##)
		:type (network)
		:ipaddr (192.168.66.0)
		:ipmask (255.255.255.0)

Open in new window