Hey, Thorsten -
Thanks very much for your explanation, but I'm not clear on one point... we've been using IP pools with SR for a while now for selected users without any problems... there are only 5 IP addresses allocated, and AFAIK, we've never run out, so there aren't that many concurrent users, so our experience doesn't prove anything. BUT, I don't recall any caveats from Checkpoint about IP pools having the problem you describe, as that would make IP Pools essentially useless. Since we didn't pay for SecureClient, we have to use SecuRemote, and since we have wrapped internal servers which limit access by IP address range, we have to use IP Pools. It's been a couple of years, but I thought we discussed SR & IP Pools in the Checkpoint Management II class, and I don't recall any caveats like you describe.
The part I'm unclear about, is when the Checkpoint VPN gateway handles the packet before the IP Pool NAT-ing:
> packet after decryption on gateway, before IP Pool NAT > src 192.168.0.1 dst server <-- several clients will have 192.168.0.1 at this point, causing conflicts >
-- the gateway has to "remember" that the packet came from the routable IP address (your example is 4.1.1.1) so it can get sent back where it came from -- isn't Checkpoint smart enough to keep all these VPN separate? And, I'm not an expert on TCP/IP, but I seem to recall that the NAT process uses session numbers to keep track of which packet goes to which non-routable private IP address... I think that would enable the gateway to figure out which packet goes where.
Sounds like you know more about this than I do, or at least have thought about it a LOT more, so I appreciate your efforts to explain this to me, and any other list readers who are interested. Thanks. -- David Strom
Thorsten Behrens wrote:
IP Pools works with SecuRemote to assign an internal address, too
Yes and no. You do not assign an IP address as such, you NAT on the VPN-1 gateway.
With OfficeMode, the IP address is used on a "shim" interface on the client, and thus as the source for all packets to be encrypted. It's essentially the same thing the Cisco VPN client's been doing for the past few years, should you be more familiar with Cisco gear.
With IP Pool, the source IP of traffic to be encrypted is the physical IP of the interface the traffic is routed through on the client, and that gets NATed on the gateway.
IP Pool will therefore resolve the "I have a client with an IP address that my servers don't route correctly to" issue, but it won't resolve the "I have N clients with default 192.168.0.2 addresses that all conflict with each other".
Why's that so? The NAT table is a one-to-one between original source IP and NATed IP. Two or more clients with the same source IP spells trouble.
In today's environment with mini-routers on about every broadband connection, and employees coming in from hotel LANs and WLANs, there's no way around OfficeMode for most installations.
And just because, some packets, showing IP only as the port stuff is pretty much uninteresting for this discussion:
IP Pool NAT, client 192.168.0.1, behind router 4.1.1.1, IP Pool NAT address 10.1.1.1
packet before encryption src 192.168.0.1 dst server
packet after encryption - encrypted stuff in brackets - being sent to gateway src 192.168.0.1 dst gateway | ( src 192.168.0.1 dst server)
packet after NAT by router - encrypted stuff in brackets src 4.1.1.1 dst gateway | ( src 192.168.0.1 dst server)
packet after decryption on gateway, before IP Pool NAT src 192.168.0.1 dst server <-- several clients will have 192.168.0.1 at this point, causing conflicts
packet after IP Pool NAT, being sent to server src 10.1.1.1 dst server
Office Mode, client 192.168.0.1, behind router 4.1.1.1, Office Mode address 10.1.1.1
packet before encryption src 10.1.1.1 dst server <- source address of packet is address of Office Mode shim interface
packet after encryption - encrypted stuff in brackets - being sent to gateway src 192.168.0.1 dst gateway | ( src 10.1.1.1 dst server)
packet after NAT by router - encrypted stuff in brackets src 4.1.1.1 dst gateway | ( src 10.1.1.1 dst server)
packet after decryption on gateway, being sent to server src 10.1.1.1 dst server <-- each client has a unique address from the Office Mode pool, no conflicts
Please note that:
1. This e-mail may constitute privileged information. If you are not the intended recipient, you have received this confidential email and any attachments transmitted with it in error and you must not disclose, copy, circulate or in any other way use or rely on this information. 2. E-mails to and from the company are monitored for operational reasons and in accordance with lawful business practices. 3. The contents of this email are those of the individual and do not necessarily represent the views of the company. 4. The company does not conclude contracts by email and all negotiations are subject to contract. 5. The company accepts no responsibility once an e-mail and any attachments is sent.
http://www.integralis.com
================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
