>> IP Pools works with SecuRemote to assign an internal address, too
Yes and no. You do not assign an IP address as such, you NAT on the VPN-1
gateway.
With OfficeMode, the IP address is used on a "shim" interface on the client,
and thus as the source for all packets to be encrypted. It's essentially the
same thing the Cisco VPN client's been doing for the past few years, should you
be more familiar with Cisco gear.
With IP Pool, the source IP of traffic to be encrypted is the physical IP of
the interface the traffic is routed through on the client, and that gets NATed
on the gateway.
IP Pool will therefore resolve the "I have a client with an IP address that my
servers don't route correctly to" issue, but it won't resolve the "I have N
clients with default 192.168.0.2 addresses that all conflict with each other"
issue.
Why's that so? The NAT table is a one-to-one mapping between original source IP
and NATed IP. Two or more clients with the same source IP spells trouble.
In today's environment with mini-routers on about every broadband connection,
and employees coming in from hotel LANs and WLANs, there's no way around
OfficeMode for most installations.
And just because: some packets, showing IP only, as the port stuff is pretty
much uninteresting for this discussion:
IP Pool NAT: client 192.168.0.1, behind router 4.1.1.1, IP Pool NAT address
10.1.1.1

  packet before encryption
    src 192.168.0.1 dst server
  packet after encryption (encrypted stuff in brackets), being sent to gateway
    src 192.168.0.1 dst gateway | ( src 192.168.0.1 dst server )
  packet after NAT by router (encrypted stuff in brackets)
    src 4.1.1.1 dst gateway | ( src 192.168.0.1 dst server )
  packet after decryption on gateway, before IP Pool NAT
    src 192.168.0.1 dst server   <-- several clients will have 192.168.0.1 at
                                     this point, causing conflicts
  packet after IP Pool NAT, being sent to server
    src 10.1.1.1 dst server

Office Mode: client 192.168.0.1, behind router 4.1.1.1, Office Mode address
10.1.1.1

  packet before encryption
    src 10.1.1.1 dst server   <-- source address of packet is the address of
                                  the Office Mode shim interface
  packet after encryption (encrypted stuff in brackets), being sent to gateway
    src 192.168.0.1 dst gateway | ( src 10.1.1.1 dst server )
  packet after NAT by router (encrypted stuff in brackets)
    src 4.1.1.1 dst gateway | ( src 10.1.1.1 dst server )
  packet after decryption on gateway, being sent to server
    src 10.1.1.1 dst server   <-- each client has a unique address from the
                                  Office Mode pool, no conflicts
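The two walkthroughs above, as an added Python model (not Check Point code and not from the original post): one gateway with a single address pool, two clients that both sit at 192.168.0.1 behind different broadband routers, and the one-to-one NAT table that makes IP Pool collide while Office Mode does not. The client names, the pool addresses and the second router's address 4.1.1.2 are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Gateway:
    """Gateway with one address pool, usable in either mode (constructed model, not Check Point code)."""
    pool: List[str]
    nat_table: Dict[str, str] = field(default_factory=dict)  # IP Pool: original src IP -> pool address
    owners: Dict[str, str] = field(default_factory=dict)     # pool address -> client holding it

    def _next_free(self, client: str) -> str:
        for addr in self.pool:
            if addr not in self.owners:
                self.owners[addr] = client
                return addr
        raise RuntimeError("pool exhausted")

    def ip_pool_nat(self, client: str, src: str) -> str:
        # The decrypted packet still carries the client's physical IP, and the
        # one-to-one table keys on it: a second client with the same IP collides.
        mapped = self.nat_table.get(src)
        if mapped is None:
            mapped = self.nat_table[src] = self._next_free(client)
        elif self.owners[mapped] != client:
            raise ValueError(f"IP Pool conflict: {src} already mapped to {mapped} for {self.owners[mapped]}")
        return mapped

    def office_mode_connect(self, client: str) -> str:
        # Office Mode hands the client its own pool address for its shim interface.
        return self._next_free(client)

def trace(gw: Gateway, mode: str, client: str, phys_ip: str, router_ip: str) -> List[Tuple[str, str, str]]:
    """(stage, outer src, inner src) at each hop of the post's walkthrough; dst is always the server."""
    inner_src = gw.office_mode_connect(client) if mode == "office_mode" else phys_ip
    hops = [("before encryption", "-", inner_src),
            ("encrypted, leaving client", phys_ip, inner_src),
            ("after router NAT", router_ip, inner_src)]
    to_server = gw.ip_pool_nat(client, inner_src) if mode == "ip_pool" else inner_src
    return hops + [("decrypted, sent to server", "-", to_server)]

def run_scenario(mode: str) -> Dict[str, str]:
    """Two clients that both have 192.168.0.1 behind different broadband routers (constructed)."""
    gw = Gateway(pool=["10.1.1.1", "10.1.1.2"])
    seen_by_server = {}
    for client, router in (("alice", "4.1.1.1"), ("bob", "4.1.1.2")):
        try:
            seen_by_server[client] = trace(gw, mode, client, "192.168.0.1", router)[-1][2]
        except ValueError as err:
            seen_by_server[client] = str(err)
    return seen_by_server
```

Running `run_scenario("ip_pool")` gives the server 10.1.1.1 for the first client and a conflict for the second, while `run_scenario("office_mode")` gives 10.1.1.1 and 10.1.1.2.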