Have you considered writing a new manual for CheckPoint? Theirs is horrid and impossible to decipher.
I also run a CheckPoint DHCP system (Meta IP). The way it works is you bind the Scope to the gateway (Router typically) that the request is coming through. (See Cisco Helper statements). In our example, if a system in the 10.1.33.0 network requests an IP Address, the router relays that request to the DHCP server using a helper IP Address in the Cisco config. The DHCP server needs to know which scopes should go to which routers, so it has us "Bind" the scope to the router interface.
I suppose then, in your example, we would create a DHCP scope outside of the IP Range used by the VPN Gateway itself. As an example, the VPN gateway exists in the 10.1.1.0/24 subnet at 10.1.1.21 and the Meta IP Server in the 10.1.4.0/24 network at 10.1.4.15. We'd define on Meta IP a DHCP scope of 10.1.254.0/24 with the range of 10.1.254.1 - 10.1.254.253 keeping 10.1.254.254 excluded, and Bind the scope to 10.1.254.254 and set up the Virtual IP for DHCP replies on the VPN gateway as that 10.1.254.254 address.
Your definition makes a lot more sense to me now.
Thank you,
Layne Meier
Atlanta Newspapers
On Thursday, July 3, 2003, at 09:00 AM, Sid Van den Heede wrote:
On Tue, 1 Jul 2003, Layne Meier wrote:
When trying to configure Office Mode, it says that I need to define a Virtual IP Address for DHCP server replies. Should I not use the IP Address of the LAN interface of the Enforcement Module?
No. Read on.
I have defined a DHCP scope on our DHCP server in the same subnet as the VPN Server resides in.
You'll need to define a scope that is outside the subnet. Read on.
I have two Cisco 6513 routers within that subnet as well. Here is a pseudo breakdown of that subnet:
10.1.1.0 / 255.255.255.0
Cisco#1 10.1.1.2
Cisco#2 10.1.1.3
Virtual Router (HSRP) 10.1.1.1
VPN Gateway 10.1.1.21
DHCP Server 10.1.4.15
Ok, so let's assume that you have uniformly subnetted 10 with 24-bit subnet masks. Your VPN Gateway is on the 10.1.1.0/24 network. Your DHCP server is on a separate network (10.1.4.0/24), but that's not important right now.
I've defined the scope, and bound it to these interfaces 10.1.1.1, 10.1.1.2, 10.1.1.3 and 10.1.1.21.
No idea why you've bound the scope to anything. The DHCP server could be configured to listen on specific subinterfaces on the machine it is running on, but that's not important here, unless, of course, it's not listening on an appropriate subinterface.
Shouldn't DHCP replies simply go back to the VPN Gateway?
That's a routing question. Not relevant to this topic.
Why would I have to define a "Virtual IP Address".
Ok, here's where we get to the real issue.
Pretend you are doing dhcp relay through your firewall. That means you have a DHCP server on one side of the firewall providing addresses for a network that is on another side of the firewall (read "side" = "network interface").
When a machine on the client network sends a DHCP request, it sends a broadcast on that network. Since the firewall is running dhcp relay, it picks up the request and forwards it to a real DHCP server. How does the DHCP server know that this request is from another side of the firewall instead of from the network on which the DHCP server is located? The request has a "gateway" entry, that specifies an address on the client network. Usually that is the primary address of the firewall's interface on that client network. When the server sees such a gateway entry, it picks an available address from the scope for that network and offers it to the firewall, who in turn offers it to the client.
Office Mode works by emulating this behaviour. It pretends that there is another side from which DHCP requests are initiated. Like a real dhcp relay, it needs to send a "gateway" address to the DHCP server so that the server knows which scope to pick an address from. That "gateway" address is what you put in for the "virtual IP address for DHCP server replies". (Much of the confusion comes from this caption. It's very misleading.) Just pick an IP address that is in the subnet that you want to use for Office Mode, and omit that address from the scope on the DHCP server. When the server sees that "gateway" address, it knows to offer an address from the scope that you have defined for the office mode subnet.
Let's say you use 10.2.0.0/24 for your Office Mode subnet. You could set the "virtual IP address for DHCP server replies" (NG FP3 caption, might vary in NG AI) to 10.2.0.1, and define the scope to be 10.2.0.2 - 10.2.0.254. When a SecureClient client requests an office mode address, the firewall will send a request to the DHCP server (at 10.1.4.15, which you define in "Use specific DHCP server"), with the "gateway" address set to 10.2.0.1. The DHCP server will then pick an address from the 10.2.0.2 - 10.2.0.254 range and offer that to the firewall for this client.
This, of course, will be the only time the address 10.2.0.1 will be used for anything.
Note that your routers on the 10.1.1.0/24 and the 10.1.4.0/24 networks will need to route traffic destined for 10.2.0.0/24 to the firewall.
Does that mean I'd have to create a virtual address on the primary interface on the VPN gateway?
No. The only place the virtual address appears is in the "Virtual IP address for DHCP server replies" box.
I'm running VPN on a Sun SunFire V480, dual 900MHz CPUs, 4Gb of RAM and dual 40Gb hard drives. It's running Sun Solaris 2.8 and CheckPoint FireWall-1/VPN-1 NG with Application Intelligence.
Thank you,
Layne Meier
Atlanta Newspapers
------------------------------------------------------------------
Sid Van den Heede
Open Text Corporation
------------------------------------------------------------------
Join us in Orlando for LiveLinkUp 2003!
Open Text Conference
Orlando, Florida, USA
November 3-6, 2003
Find out how we're helping sixteen million great minds work together to improve efficiencies and save money.
www.opentext.com/livelinkup/2003-orlando
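The mechanism Sid describes (a relayed request carries a "gateway" address, the server picks the scope whose network contains that address, and the gateway address itself stays out of the pool) is the same thing Layne's Meta IP "bind the scope to the router" setup expresses. The following is an added example written for this thread, not CheckPoint, Meta IP or Cisco code: a small Python model of a DHCP server's scope selection over real RFC 2131 packet bytes. The BOOTP/DHCP fixed header layout and the giaddr field are from RFC 2131; the scopes, addresses and client hardware addresses are constructed to mirror the thread's numbers; and the allocation is a simplification (DISCOVER/OFFER only, no lease timers, no DHCPREQUEST/ACK).

```python
"""Model of DHCP scope selection by the relay 'gateway' (giaddr) address.

Added example for the Office Mode thread. Packet layout follows RFC 2131;
scopes and addresses are constructed to match the thread's example network.
"""
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"              # DHCP magic cookie (RFC 2131)
BOOTREQUEST = 1
DHCPDISCOVER = 1
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
# chaddr(16), sname(64), file(128): 236 bytes of fixed BOOTP header.
HEADER_FMT = "!4BIHH4s4s4s4s16s64s128s"
ZERO = ipaddress.IPv4Address("0.0.0.0")


class Scope:
    """One address pool. Addresses in `exclude` (e.g. the relay/virtual IP)
    are never handed out even if they fall inside first..last."""

    def __init__(self, network, first, last, exclude=()):
        self.network = ipaddress.ip_network(network)
        self.pool = [ipaddress.IPv4Address(i)
                     for i in range(int(ipaddress.IPv4Address(first)),
                                    int(ipaddress.IPv4Address(last)) + 1)]
        self.exclude = {ipaddress.IPv4Address(a) for a in exclude}
        self.leases = {}                 # client hardware address -> IPv4Address

    def allocate(self, chaddr):
        """Return the client's existing lease or the first free pool address."""
        if chaddr in self.leases:
            return self.leases[chaddr]
        taken = set(self.leases.values()) | self.exclude
        for addr in self.pool:
            if addr not in taken:
                self.leases[chaddr] = addr
                return addr
        return None                      # pool exhausted


def build_discover(xid, chaddr, giaddr="0.0.0.0"):
    """Build a minimal DHCPDISCOVER. A relay (or Office Mode emulating one)
    fills giaddr with the address the server should use to choose a scope."""
    header = struct.pack(HEADER_FMT,
                         BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         ipaddress.IPv4Address(giaddr).packed,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, DHCPDISCOVER, 255])   # option 53 = message type, 255 = end
    return header + MAGIC + options


def parse_request(packet):
    """Return (xid, chaddr, giaddr) from a BOOTREQUEST; reject anything else."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    (op, _htype, hlen, _hops, xid, _secs, _flags,
     _ciaddr, _yiaddr, _siaddr, giaddr, chaddr, _sname, _file) = \
        struct.unpack(HEADER_FMT, packet[:236])
    if op != BOOTREQUEST:
        raise ValueError("not a BOOTREQUEST")
    return xid, chaddr[:hlen], ipaddress.IPv4Address(giaddr)


def select_scope(scopes, giaddr, server_addr):
    """giaddr == 0.0.0.0 means the client is on the server's own segment,
    so the server's interface address picks the scope; otherwise the relay
    address does. This is the whole point of the 'virtual IP' setting."""
    key = server_addr if giaddr == ZERO else giaddr
    for scope in scopes:
        if key in scope.network:
            return scope
    return None


def offer(scopes, packet, server_addr):
    """Server side of DISCOVER -> OFFER: pick a scope, allocate an address."""
    _xid, chaddr, giaddr = parse_request(packet)
    scope = select_scope(scopes, giaddr, ipaddress.IPv4Address(server_addr))
    return None if scope is None else scope.allocate(chaddr)


def make_scopes():
    """Scopes matching the thread: LAN, DHCP server's own network, and the
    Office Mode subnet 10.2.0.0/24 whose pool omits the virtual IP 10.2.0.1."""
    return [
        Scope("10.1.1.0/24", "10.1.1.100", "10.1.1.200"),
        Scope("10.1.4.0/24", "10.1.4.100", "10.1.4.200"),
        Scope("10.2.0.0/24", "10.2.0.2", "10.2.0.254", exclude=["10.2.0.1"]),
    ]


if __name__ == "__main__":
    scopes = make_scopes()
    # Office Mode request: the firewall sets giaddr to the virtual IP 10.2.0.1.
    print(offer(scopes, build_discover(1, b"\x00\x11\x22\x33\x44\x55", "10.2.0.1"), "10.1.4.15"))
    # Using the gateway's real LAN address instead lands the client in the LAN scope.
    print(offer(scopes, build_discover(2, b"\xaa\xbb\xcc\xdd\xee\xff", "10.1.1.21"), "10.1.4.15"))
```

Running it shows the consequence of the original question: with giaddr 10.2.0.1 the client gets 10.2.0.2, while a request tagged with the gateway's own LAN address 10.1.1.21 would be answered from the 10.1.1.0/24 scope, which is exactly why the virtual IP has to live in a separate subnet that routes back to the firewall.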
