[RayPesek]

"2) If you set it to allocate IP's from a defined network (note you can't specify a range on an existing network!) and then change that network range it will still allocate to the address range before it was changed!"

Correct. There is an SK article on this that says you have to reboot the enforcement module if you change the defined network for Office Mode.

"Correct" as in "that's the way it works." Not necessarily the most user-friendly behavior, though.

We use certificates for authentication and noticed that the virtual SecureClient MAC address is somehow tied to all of this. If I have two certificates on my computer, one in ipassignment.,conf and one not, and I connect with the "not" one, I have to wait fifteen minutes to connect with the ipassignment.conf one. If I try to connect earlier, SmartCenter shows the IP address is already in use in the log.

On R55, you have to push the policy to get changes to ipassignment.conf to work.

DO NOT set the lease time longer than fifteen minutes! This setting is tied to other things somehow and setting it longer than the default messes up other stuff, although I can't remember what. There is now an SK article on this as well. I had reset it to one day and caused all kinds of problems (on R55).

If you get no erriors with "vpn ipafile_check", you should be good to go. Note that this file MUST be copied to the enforcement module; you cannot modify the one on the SmartCenter and have it pushed out. (I saw you did this; the comment is for future readers).

HTH,

Ray