All in glorious detail my exchange with the bright minds at CheckPoint...

My response to "it works this way"...
The functionality of the VPN server should not require me to monitor my end
users' connectivity setup.  If they come from a hotel/motel that has a
private NAT, these could collide with each other, and I have no control over
the remote installation of NAT.

I need a procedure for allowing multiple users coming from different VPN
peers which may have the same source IP to get a separate IP on the SR NAT.
Or to not be DENIED access on the VPN because their point of origin has a
certain router subnet defined.

The tracker logs record the connection as the following, so the gateway is
logging everything particular to the state of the connection, so it should be
able to translate each session as an individual tunnel.  Even though userx and
usery have the same source IP, they still have different VPN peers, which
can distinguish them.

VPN Peer
Source IP
Destination IP
Source Port
Destination Port
Xlate src

Their response...
I have spoken to the escalation team and there is nothing that can be
changed.  SecuRemote encrypts the packet at the client with the client's IP
address, not the IP address of the NAT device.  When the packet is decrypted
it is decrypted with the source IP.  Just as you can't have two devices on
your network with the same IP addresses, you can't have two VPN clients with
the same IP address.  This is a limitation of TCP/IP, not CheckPoint.  We
developed Office Mode to overcome this limitation.  The NAT device is part
of the VPN.  You can have SecuRemote clients connecting from behind the
same NAT device because each client has a unique source IP.

My response...
Can you put in a feature request to add an extra field to the state table
such that when a packet is decrypted from a certain VPN peer, it is
translated to a unique NAT IP.  When this IP is then returned to the
gateway, it is then encrypted and sent to the proper VPN peer.

Their response...
You can submit an RFE at the following link

https://www.checkpoint.com/jsp/rfeLogin/login.jsp

The problem with your proposed solution is that the encryption takes place
at the client.  The peer is the client, it is not the NAT device.  The NAT
device is not part of the VPN.

My response...
Actually the VPN peer is the public address of the NAT device.  I can submit
logs to show that my enforcement point is already aware of this.

I have VPN peer - Public IP
I have src IP - client's private nat address

So you have all the information necessary to differentiate these
connections; it's just that this would require major code revisions to take this
into account, and since you have a product that we can spend $50000 or more
on, it's not in CheckPoint's best interest.

If I could utilize office mode in securemote then I would :(

The other major players in this market allow this functionality for free,
just disappointed that something that's a major problem has not been
addressed.

Derek O'Flynn
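As an added illustration of the state-table argument in the exchange above (this is example code, not anything from the original post, from CheckPoint Support, or from the FW-1/SecuRemote product), the following Python model compares an IP Pool NAT table keyed on the decrypted source IP alone with one keyed on (VPN peer, source IP), the extra field the feature request asks for. The peer addresses, the pool range, the destination server and the clients' shared private address 192.168.1.100 are all made up for the demonstration.

```python
"""Model of gateway-side IP Pool NAT applied to decrypted SecuRemote traffic.

Constructed scenario: userx and usery sit behind different home NAT routers
but both have the private address 192.168.1.100.  All addresses here are
invented for illustration; this is not FW-1 code or its real data model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    vpn_peer: str   # public address of the client's NAT device (tunnel endpoint)
    src: str        # inner source IP, as seen once the gateway decrypts the packet
    dst: str
    sport: int
    dport: int


class IpPoolNat:
    """Allocates one pool address per client.

    key_on_peer=False models a table keyed on the decrypted source IP only
    (the behaviour the thread describes).  key_on_peer=True models the
    proposed extra state-table field: key on (VPN peer, source IP).
    """

    def __init__(self, pool, key_on_peer):
        self.free = list(pool)
        self.key_on_peer = key_on_peer
        self.xlate_of = {}   # key -> pool address handed out
        self.peer_of = {}    # pool address -> VPN peer the reply is encrypted to
        self.src_of = {}     # pool address -> inner client address for the reply

    def _key(self, pkt):
        return (pkt.vpn_peer, pkt.src) if self.key_on_peer else pkt.src

    def outbound(self, pkt):
        """Translate a decrypted client packet; returns the pool address used."""
        key = self._key(pkt)
        xlate = self.xlate_of.get(key)
        if xlate is None:
            if not self.free:
                raise RuntimeError("IP pool exhausted")
            xlate = self.free.pop(0)
            self.xlate_of[key] = xlate
        # With a source-IP-only key, a second client with the same private
        # address lands on the same entry and overwrites the return peer.
        self.peer_of[xlate] = pkt.vpn_peer
        self.src_of[xlate] = pkt.src
        return xlate

    def inbound(self, xlate_dst):
        """Reverse-translate a reply; returns (peer to encrypt to, inner dst)."""
        return self.peer_of[xlate_dst], self.src_of[xlate_dst]


def simulate(key_on_peer):
    """Two clients with identical private IPs connect at the same time."""
    nat = IpPoolNat(["10.250.0.1", "10.250.0.2"], key_on_peer)
    user_x = Packet("203.0.113.10", "192.168.1.100", "10.1.1.5", 40001, 80)
    user_y = Packet("198.51.100.20", "192.168.1.100", "10.1.1.5", 40002, 80)
    x_xlate = nat.outbound(user_x)
    y_xlate = nat.outbound(user_y)
    # The internal server answers userx's translated address.
    reply_peer, _ = nat.inbound(x_xlate)
    return {
        "x_xlate": x_xlate,
        "y_xlate": y_xlate,
        "x_reply_goes_to": reply_peer,
        "x_reply_correct": reply_peer == user_x.vpn_peer,
    }


if __name__ == "__main__":
    for mode in (False, True):
        label = "keyed on (peer, src)" if mode else "keyed on src only"
        print(label, simulate(mode))
```

In the source-only mode both users are handed the same pool address and userx's reply is tunnelled to usery's peer, which is the "connectivity issues" the thread reports; once the peer is part of the key each client gets its own pool address and replies return to the right tunnel.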


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of David Strom
Sent: Wednesday, June 08, 2005 3:09 PM
To: [email protected]
Subject: Re: [FW-1] VPN ip pool

Did Checkpoint say *why* they did this "by design"?  If it was a 
mistake, then a big one, if not, then they're punishing those of us 
using SecuRemote.   And, Office Mode/Secure Client doesn't seem to 
permit exactly the same type of configuration (range of IPs within the 
local, vpn-ed to subnet).

Maybe they messed up, & decided it was a good thing to force SR users to 
pay for SC, so they decided it's a "design feature".

--
David Strom

O'Flynn, Derek wrote:

> Just a note on this, if you use IP Pool NAT this does nothing to help
> endpoints that have the same source IP.  For instance, two users behind
> routers at their house with 192.168.1.1 as their IP address.  If they both
> connect at the same time, you will notice connectivity issues.  I just
> recently worked with CheckPoint Support on this and they confirmed the issue
> with me and verified it is by design, and to resolve it I'll need to upgrade
> to SecureClient or have one of the end users change their router subnet.
> 
> Derek O'Flynn
> 
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf Of Neil Kemp
> Sent: Sunday, June 05, 2005 2:46 AM
> To: [email protected]
> Subject: Re: [FW-1] VPN ip pool
> 
> You can use IP Pools where you create an address range (has to be outside of
> your Internal Network) and assign it.
> 
> Works OK, done this a couple of times.
> 
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf Of Cem Akbas
> Sent: Saturday, June 04, 2005 8:31 AM
> To: [email protected]
> Subject: [FW-1] VPN ip pool
> 
> Using VPN-1 - SecuRemote, how can I assign IP addresses to clients?  Or
> is it possible only for SecureClient?
> 
> Thanks
> 
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
> 
> 
> 
> 


