Endpoint Security vs. Mobile Access vs. SecuRemote
This is the first and foremost headache you’ll run in to. Mac only supports Endpoint Security, but Windows clients will have 3 options. The descriptions are pretty silly as “Enterprise Grade” is just a marketing term that doesn’t help anyone make a decision.
- CheckPoint Mobile uses the Mobile access blade and thus licensing
- Checkpoint Endpoint Security requires endpoint security on management server
- SecuRemote does not require a license, but does not support Office Mode
So they key take-away on Endpoint Security VPN vs. Check Point Mobile are fundamentally the same feature-wise, but work on different licensing models.
The main benefit of Office Mode is it mitigates IP conflict between a user’s home network and the VPN domain. For example, the user’s home network is 10.10.10.0/24 and 10.10.0.0/16 is to be routed via the VPN. Since the client will simply show up as 10.10.10.100 or whatever for the CheckPoint, this will clash with the topology and the client will be disconnected after a few seconds.
VPN Client IP address pool
By default, VPN client IP are controlled by this object:
CP_default_Office_Mode_addresses_pool = 172.16.10.0/24
An automatic NAT rule to hide behind the gateway will be enabled as well, so it’s usually OK to leave this as is. But, it can be changed at the gateway level under VPN Clients -> Office Mode
Split Tunnel network list
CheckPoint calls this the VPN domain. By default, it’s generated via the topology. It can instead be manually set on the gateway under Network Management -> VPN Domain.
Common VPN Client Problems
Uninstalling Endpoint Security version 81.10 on Windows 10 horks all network adapters
Workaround is to install/uninstall and older client version such as 80.89
Can’t install client on Windows 10 version 1803
Installation fails with ugly error message “An error occurred during the installation of assembly “Microsoft.VC80.ATL, type=”win32”, version “8.0.50727.42”
This is a known issue. Newer versions like 81.10 or 80.96 may work, but I didn’t have any luck with these either.
Can’t uninstall Mac Client
Simply dragging to the trash won’t fully un-install the client. Instead, Re-open the .dmg file and Ctrl + click the black and green Uninstaller icon, then Select Open
Clients connect to the gateway’s Internal IP address
This is usually because the gateway is behind NAT, referenced by internal IP address in SmartConsole, and Link selection is using the main IP address, which is the default.
The fix is under IPSec VPN -> Link selection. Put the public IP address as the statically NAT’d IP and the clients will then stay connected to the public IP address.
Clients connect, but can’t access anything, then drop a few second later
In my case this this was due to giving the VPN clients a 10.X.X.X address but having a route to 10.0.0.0/8 via the internal interface, which triggered anti-spoofing rules:
@;2251823;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=1 10.135.200.81:2048 -> 10.135.202.161:33536 dropped by fw_antispoof_log Reason: Address spoofing; @;2251849;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=17 10.135.200.81:18011 -> 10.135.202.199:18234 dropped by fw_antispoof_log Reason: Address spoofing; @;2251849;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=17 10.135.200.81:18012 -> 10.135.202.199:18234 dropped by fw_antispoof_log Reason: Address spoofing
The simple solution is disable spoofing on the external interface.
An alternate work-around is choose IP address for the VPN clients that are outside the internal interface’s topology. I used 198.51.100.0/24
Common Gateway/SmartConsole problems not related to VPN
Can’t SSH to gateway after hooking in to SmartConsole
Unlike the Web Admin access, which is implicit, SSH has to be explicitly allowed in the policy.