[melipla]

Your post prompted me to run some tests on ipassignment.conf (its been on my list of things to try for a while). I'm using R60 HFA3 for managmenet server and my two cluster members. I was able to get it working by setting up the ipassignment on each cluster member, using the cluster object's name as the gateway. My secure client had previously been assigned an OM IP address & it's lease hadn't expired yet, so I had to remove that address from my secure client machine before I was assigned my new address--it sounds like this is what you need. In order to do this, I stopped my Secure Client, opened regedit and remove the following registry folder:

My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Se cuRemote\5.0\OM\

The OM folder contains entries for each gateway & what IP address it assigned to you last. Everytime you reconnect (seemingly even if the lease period has expired) secure client will try to assign that IP address to you.

Also, changes to the ipassignment.conf file are not active until the policy is pushed.

Once you set up the ipassignemnt.conf, verify it's config with this splat command: vpn ipafile_check ipassignment.conf detail

There is a note in the R60 VPN-1 documentation stating that "However, when the Office Mode per Site
feature is in use, the IP-per-user feature cannot be implemented.". The ipassignment.conf is the "IP-per-user" feature referenced. Why you can't do this with OM per Site I don't know....

HTH