May anyone please give me the steps to configure Office Mode-IP POOL on SecureClient R55?

I tried to follow the steps described in the VPN-1 guide but I still have problems (my SecureClient cannot communicate with the policy server)!

My architecture consists of the following:
- some hosts on the LAN.
- a SmartCenter server that lies on the LAN
- a VPN-1 Pro gateway that has two interfaces: an external one and a local one (connected to the LAN)
- a remote access client (the SecureClient) whose default gateway is set to the VPN-1 Pro gateway.

I actually have no router.

As David suggested, my VPN domain is actually a Group with exclusions. It is the LAN except the Office Mode IP POOL subnetwork addresses.

I noticed that the tunnel test succeeds when I activate both Office Mode and Hub mode. But the tunnel test fails when I only activate Office mode. Communication with the policy server always fails.

Kind regards

--- "David S. Barker" <[EMAIL PROTECTED]> wrote:

> I've been reading this thread and now I'm confused.
>
> Not on how this is supposed to work but how the terminology is being used, seems like POOL is being used to describe the encryption domain.
>
> When someone says POOL in reference to Check Point I'm thinking one of two things, IP POOL NAT or OFFICE MODE IP POOL. In the case of IP POOL NAT these can be used for Gateway to Gateway or for Remote Access. These are allowed as a global property (NAT) and then assigned on gateways, encrypted connections are translated to these ip addresses to help eliminate asynchronous routing.
>
> The only other mention of POOL has to do with Office mode IP POOL.
>
> Now, with Office Mode it is important that these networks are NOT part of your Remote access encryption domain. These addresses are assigned to your clients on the client side, so think of them as the Remote encryption domain.
> Also, if you want to use a subset of your existing internal address space for your Office Mode addresses then you need to also make sure that the topology for all of the internal interfaces does NOT include these networks. You can do this by using Groups with Exclusions. The exclusions will be the Office Mode networks.
>
> Finally, you'll have to make sure that if you use any generalized routes like 10/8 points to a router inside, and your office mode is 10.10.10.0/24, you'll have to specifically add a route on your gateways to not point 10.10.10.0/24 to the inside router. It doesn't really matter where you point the route as long as it's being reflected externally, in general I point this to the default gateway.
>
> As a general practice I use different Office Mode networks from my local networks/encryption domain networks so that I don't have to do this. With larger networks I had to use the Group with exclusions frequently.
>
> Also note if you're using both Office Mode and IP POOL NAT, by default the Office Mode addresses will be NATted to the IP POOL NAT addresses too. You can prevent this by creating a No NAT rule for the Office Mode Network, or by setting the om_prevent_ippool_nat_for_users property to true in the objects_5_0.C on the management server.
>
> Compuquip TECHNOLOGIES
> "Providing Solutions Since 1980"
>
> David Barker
> Senior Security Engineer
> Internet Security Division
>
> Phone: 305.436.7272 X 1364
> Fax: 305.436.9149
> email: [EMAIL PROTECTED]
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of cp user
> Sent: Saturday, October 08, 2005 5:46 PM
> To: [email protected]
> Subject: Re: [FW-1] Office Mode & SecureClient
>
> Hi Bill,
>
> This means that the "POOL" network object (internal addresses that will be affected to remote clients) is located in a group that is defined as VPN domain.
>
> > --- Bill Smith <[EMAIL PROTECTED]> wrote:
> >
> > > Hi there,
> > >
> > > what do you mean by network pool BEHIND YOUR VPN DOMAIN.
> > > Could you please expand a bit?
> > >
> > > Thx,
> > >
> > > Bill
> > >
> > > cp user <[EMAIL PROTECTED]> wrote:
> > > > Be sure to put your SecureClient NETWORK POOL behind your VPN Domain.
> > > > As Mike says it's probably "address spoofing".
> >
> > I set the SecureClient network pool behind my VPN domain but the problem is still here!! what may I do please?
> >
> > > -----Original Message-----
> > > From: Sahli, Mike [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, 06 October 2005 07:42 a.m.
> > > To: [email protected]
> > > Subject: Re: [FW-1] Office Mode & SecureClient
> > >
> > > Your problem is probably "address spoofing"; check your logs for all traffic coming in from a known client that is failing.
> > >
> > > Michael D Sahli
> > > Sr. Network Engineer
> > > Lockheed Martin IT @ SMECO
> > >
> > > -----Original Message-----
> > > From: cp user [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, October 06, 2005 7:54 AM
> > > To: [email protected]
> > > Subject: [FW-1] Office Mode & SecureClient
> > >
> > > Hi list,
> > >
> > > I configured Office Mode with IP Pool on the gateway side.
> > > Once I check "Support Office Mode" on my SecureClient, it can no longer logon to the policy server and download policy. The "Connect" returns:
> > > Connecting to gateway...
> > > Negociation succeeded, tunnel test failed
> > > Connected to gateway: MyGW
> > > Login on to policy server MyServer...
> > > Logon to policy server failed.
> > > Connection succeeded.
> > >
> > > I try again to logon to the policy server. But this fails with the following message: "SecureClient failed to communicate with policy server MyServer at site MySite".
> > >
> > > Logs return:
> > > Connecting to site MySite using profile MySite
> > > Interface change: VPN-1 SecureClient Adapter - Miniport d'ordonnancement de paquets interface added, current ip: 192.168.34.65
> > > Default Desktop Security Policy Loaded
> > > SecureClient failed to communicate with Policy Server MyServer at site MySite
> > > Successfully connected to site
> > >
> > > Any idea is welcome!
> > >
> > > Many thanks
> > >
=== message truncated ===

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
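As an added example, not written by any of the posters and not Check Point code, the check below models David's two rules in Python: build the encryption domain as a Group with Exclusions, then verify that the Office Mode pool is neither still inside that domain nor swallowed by a generalized inside route such as 10/8. All addresses and next hops are constructed placeholders.

```python
"""Consistency check for the Office Mode layout described above.
Added example, not from any poster in this thread. Models a Check Point
style Group with Exclusions as the encryption domain plus a longest-prefix
route lookup, on constructed sample addresses (10/8 internal space,
10.10.10.0/24 Office Mode pool)."""
from ipaddress import ip_network

# Constructed sample values (assumptions, not from the thread).
INTERNAL = ["10.0.0.0/8"]
POOL = "10.10.10.0/24"
INSIDE_ROUTER = "192.0.2.1"    # next hop of the generalized 10/8 route
DEFAULT_GW = "203.0.113.1"     # where David points the pool route instead
BAD_ROUTES = {"10.0.0.0/8": INSIDE_ROUTER}
GOOD_ROUTES = {"10.0.0.0/8": INSIDE_ROUTER, POOL: DEFAULT_GW}

def group_with_exclusions(members, exclusions):
    """Flatten `members` minus `exclusions` into a list of networks."""
    pieces = [ip_network(m) for m in members]
    for excl in map(ip_network, exclusions):
        kept = []
        for piece in pieces:
            if piece.subnet_of(excl):
                continue                    # wholly excluded
            if excl.subnet_of(piece):
                kept.extend(piece.address_exclude(excl))
            else:
                kept.append(piece)          # disjoint, keep as is
        pieces = kept
    return pieces

def most_specific_route(routes, dest):
    """Longest-prefix match of `dest` in a {prefix: next_hop} table."""
    dest, best = ip_network(dest), None
    for prefix, next_hop in routes.items():
        prefix = ip_network(prefix)
        if dest.subnet_of(prefix) and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best

def check_office_mode(internal, exclusions, pool, routes, inside_router):
    """Return findings; an empty list means the layout is consistent."""
    findings, pool_net = [], ip_network(pool)
    for net in group_with_exclusions(internal, exclusions):
        if net.overlaps(pool_net):
            findings.append(f"encryption domain {net} still overlaps pool {pool}")
    route = most_specific_route(routes, pool)
    if route and route[1] == inside_router:
        findings.append(f"pool {pool} follows {route[0]} to the inside router")
    return findings
```

Run check_office_mode with the gateway's real topology and routing table in place of the constructed values; a non-empty result points at exactly the misconfiguration David describes.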
