Does your firewall object have the external IP or the internal IP? It has to
be the external IP.
If it works with hub mode, that tells me it's a routing issue. SecureClient
doesn't know how to find the policy server until it's already inside the
firewall.
Ray
From: cp user <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: Re: [FW-1] Office Mode & SecureClient
Date: Tue, 11 Oct 2005 11:45:06 +0200
May anyone please give me the steps to configure
Office Mode-IP POOL on SecureClient R55?
I tried to follow steps described on VPN-1 guide but I
still have problems (my SecureClient cannot
communicate with policy server)!
My architecture consists of the following:
- some hosts on the LAN.
- a SmartCenter server that lies on the LAN
- a VPN-1 Pro gateway that has two interfaces: an
external one and a local one (connected to the LAN)
- a remote access client (the SecureClient) whose
default gateway is set to the VPN-1 Pro gateway. I
actually have no router.
As David suggested, my VPN domain is actually a Group
with exclusions. It is the LAN except the Office Mode IP
POOL subnetwork addresses.
I noticed that tunnel test succeeds when I activate
both Office Mode and Hub mode. But the tunnel test
fails when I only activate Office mode. Communication
with policy server always fails.
Kind regards
--- "David S. Barker" <[EMAIL PROTECTED]> wrote:
> I've been reading this thread and now I'm confused.
>
> Not on how this is supposed to work but how the
> terminology is being used, seems like POOL is being
> used to describe the encryption domain.
>
> When someone says POOL in reference to Check Point
> I'm thinking one of two things, IP POOL NAT or
> OFFICE MODE IP POOL. In the case of IP POOL NAT
> these can be used for Gateway to Gateway or for
> Remote Access. These are allowed as a global
> property (NAT) and then assigned on gateways,
> encrypted connections are translated to these ip
> addresses to help eliminate asynchronous routing.
>
> The only other mention of POOL has to do with Office
> mode IP POOL.
>
> Now, with Office Mode it is important that these
> networks are NOT part of your Remote access
> encryption domain. These addresses are assigned to
> your clients on the client side, so think of them as
> the Remote encryption domain. Also, if you want to
> use a subset of your existing internal address space
> for your Office Mode addresses then you need to also
> make sure that the topology for all of the internal
> interfaces does NOT include these networks. You can do
> this by using Groups with Exclusions. The
> exclusions will be the Office Mode networks.
> Finally, you'll have to make sure that if you use
> any generalized routes like 10/8 points to a router
> inside, and your office mode is 10.10.10.0/24,
> you'll have to specifically add a route on your
> gateways to not point 10.10.10.0/24 to the inside
> router. It doesn't really matter where you point
> the route as long as it's being reflected
> externally, in general I point this to the default
> gateway.
>
> As a general practice I use different Office Mode
> networks from my local networks/encryption domain
> networks so that I don't have to do this. With
> larger networks I had to use the Group with
> exclusions frequently.
>
> Also note if you're using both Office Mode and IP
> POOL NAT, by default the Office Mode addresses will
> be NATted to the IP POOL NAT addresses too. You can
> prevent this by creating a No NAT rule for the
> Office Mode Network, or by setting the
> om_prevent_ippool_nat_for_users property to true in
> the objects_5_0.C on the management server.
>
>
>
> Compuquip TECHNOLOGIES
> "Providing Solutions Since 1980"
>
> David Barker
> Senior Security Engineer
> Internet Security Division
>
> Phone: 305.436.7272 X 1364
> Fax: 305.436.9149
> email:[EMAIL PROTECTED]
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED]
> On Behalf Of cp user
> Sent: Saturday, October 08, 2005 5:46 PM
> To: [email protected]
> Subject: Re: [FW-1] Office Mode & SecureClient
>
> Hi Bill,
>
> This means that the "POOL" network object (internal
> addresses that will be assigned to remote clients)
> is located in a group that is defined as the VPN domain.
>
> --- Bill Smith <[EMAIL PROTECTED]> wrote:
>
> > Hi there,
> >
> > What do you mean by network pool BEHIND YOUR VPN
> > DOMAIN? Could you please expand a bit?
> >
> > Thx,
> >
> > Bill
> >
> > cp user <[EMAIL PROTECTED]> wrote:
> > > Be sure to put your SecureClient NETWORK POOL
> > behind
> > > your VPN Domain.
> > > As Mike says it's probably "address spoofing".
> >
> > I set the SecureClient network pool behind my VPN
> > domain but the problem is still here!! What may I do,
> > please?
> >
> > >
> > > -----Original Message-----
> > > From: Sahli, Mike [mailto:[EMAIL PROTECTED]
> > > Sent: Jueves, 06 de Octubre de 2005 07:42 a.m.
> > > To: [email protected]
> > > Subject: Re: [FW-1] Office Mode & SecureClient
> > >
> > > Your problem is probably "address spoofing".
> > > Check your logs for all traffic coming in from a
> > > known client that is failing.
> > >
> > > Michael D Sahli
> > > Sr. Network Engineer
> > > Lockheed Martin IT @ SMECO
> > >
> > >
> > > -----Original Message-----
> > > From: cp user [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, October 06, 2005 7:54 AM
> > > To: [email protected]
> > > Subject: [FW-1] Office Mode & SecureClient
> > >
> > > Hi list,
> > >
> > > I configured Office Mode with IP Pool on the
> > > gateway side.
> > > Once I check "Support Office Mode" on my
> > > SecureClient, it can no longer log on to the policy
> > > server and download the policy. The "Connect"
> > > returns:
> > > Connecting to gateway...
> > > Negotiation succeeded, tunnel test failed
> > > Connected to gateway: MyGW
> > > Logging on to policy server MyServer...
> > > Logon to policy server failed.
> > > Connection succeeded.
> > >
> > > I try again to log on to the policy server. But this
> > > fails with the following message: "SecureClient
> > > failed to communicate with policy server MyServer
> > > at site MySite".
> > >
> > > Logs return:
> > > Connecting to site MySite using profile MySite
> > > Interface change: VPN-1 SecureClient Adapter -
> > > Packet Scheduler Miniport interface added,
> > > current ip: 192.168.34.65
> > > Default Desktop Security Policy Loaded
> > > SecureClient failed to communicate with Policy
> > > Server MyServer at site MySite
> > > Successfully connected to site
> > >
> > > Any idea is welcome!
> > >
> > > Many thanks
> > >
=== message truncated ===
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
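The two conditions David's post sets out (the Office Mode pool must be carved out of the internal interface topology / remote-access encryption domain with a group with exclusions, and a generalized route such as 10/8 to an inside router must not capture the pool) can be checked offline before pushing a policy. The script below is an added example and is not code from the thread or from Check Point; it models the 10/8 LAN and 10.10.10.0/24 pool David uses as his illustration, and the inside-router address (10.0.0.254) and outside next hop (203.0.113.1) are constructed for the example. It only reasons about address ranges and a route table you type in; it does not read gateway objects or routing tables itself.

```python
"""Offline sanity checks for a Check Point Office Mode pool.

Added example (not part of the mailing-list thread or of any Check Point
product). Networks, next hops and names below are constructed for illustration.
"""
from ipaddress import ip_network

# Constructed input: internal interface topology / remote-access encryption
# domain, the Office Mode pool taken from inside that LAN, and a route table
# with a generalized 10/8 route to an inside router (the case David describes).
LAN_NETWORKS = [ip_network("10.0.0.0/8")]
OFFICE_MODE_POOL = ip_network("10.10.10.0/24")
INSIDE_ROUTERS = {"10.0.0.254"}            # constructed inside router address
OUTSIDE_NEXT_HOP = "203.0.113.1"           # constructed default gateway
ROUTES = [                                  # (destination, next hop)
    (ip_network("0.0.0.0/0"), OUTSIDE_NEXT_HOP),
    (ip_network("10.0.0.0/8"), "10.0.0.254"),
]


def pool_overlaps(pool, networks):
    """Networks in the topology/encryption domain that overlap the pool.
    Any hit means the pool is being treated as an internal network."""
    return [n for n in networks if n.overlaps(pool)]


def exclude_pool(networks, pool):
    """Model the 'group with exclusions': the networks minus the pool,
    expressed as the remaining CIDR blocks."""
    result = []
    for n in networks:
        if n.supernet_of(pool):          # pool sits inside n: carve it out
            result.extend(n.address_exclude(pool))
        elif pool.supernet_of(n):        # n lies entirely inside the pool: drop
            continue
        else:                            # CIDR blocks either nest or are disjoint
            result.append(n)
    return sorted(result)


def longest_match(routes, dest):
    """Longest-prefix match for a whole destination network."""
    best = None
    for net, next_hop in routes:
        if net.supernet_of(dest):
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, next_hop)
    return best


def route_leaks_pool(routes, pool, inside_routers):
    """True when return traffic for Office Mode clients would be sent to an
    inside router instead of back out through the gateway."""
    match = longest_match(routes, pool)
    return match is not None and match[1] in inside_routers


def fix_routes(routes, pool, next_hop):
    """Add the specific route David recommends (pool -> default gateway),
    which wins over the generalized route by prefix length."""
    return routes + [(pool, next_hop)]


def findings(lan, pool, routes, inside_routers):
    """Human-readable list of problems; empty means both checks passed."""
    out = []
    hit = pool_overlaps(pool, lan)
    if hit:
        out.append(f"pool {pool} overlaps {', '.join(map(str, hit))}: "
                   f"exclude it from the topology/encryption domain")
    if route_leaks_pool(routes, pool, inside_routers):
        out.append(f"longest-match route for {pool} points at an inside "
                   f"router: add a specific route for {pool}")
    return out


if __name__ == "__main__":
    for line in findings(LAN_NETWORKS, OFFICE_MODE_POOL, ROUTES, INSIDE_ROUTERS):
        print("PROBLEM:", line)
    print("encryption domain after exclusion:",
          [str(n) for n in exclude_pool(LAN_NETWORKS, OFFICE_MODE_POOL)])
    fixed = fix_routes(ROUTES, OFFICE_MODE_POOL, OUTSIDE_NEXT_HOP)
    print("route for pool after fix:", longest_match(fixed, OFFICE_MODE_POOL))
```

Run as-is it reports both problems for the constructed input; after `fix_routes` the pool's longest match is the /24 pointing outside, and `exclude_pool` returns the sixteen blocks that make up 10/8 without 10.10.10.0/24. Picking an Office Mode range that is not part of any internal network, as David does in practice, makes both checks pass trivially.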