CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi All,

We have an R62 install of Check Point on 3 gateways, with a management server behind one of them. We're using VPN-1 Edge ADSL-W devices to connect our branch offices, which is working beautifully (using them in site-to-site gateway VPN config in a mesh). In order to provide our CTO with network access from home (he never comes into the office) I set him up also as another subnet, in site-to-site mode in a mesh, partly as this was a config I knew and partly because I could be sure his IP phone would work. Our technical architect is not so happy about this as it's generating AD errors (I never added that subnet as a site as it has no DC and it seemed pointless). He is convinced I can assign a block of private addresses (he needs more than one for his IP phone + 2 laptops) and connect the Edge device in Remote Access client mode. I can find precious little documentation on how to do this, how to assign these private addresses (except for the occasional mention of Office Mode). Can anyone point me in the right direction? I am being hounded on this as we have 4 or 5 other people who need to home-work permanently, and this seems a much more elegant and secure solution than a software VPN client.

Looking forward to any response!

Cheers, Jim
Same as you would a Site-to-Site, but set as a Remote Access VPN on the gateway object. You can then go to the Remote Access VPN and select the VPN-1 Embedded Devices defined as Remote Access for users. In the security policy you can then specify the VPN-1 Embedded Devices as users in the User Access column under Source. The gateway doesn't appear as a gateway that can be added to normal VPN configurations, only to the Remote Access one. If you set Office Mode to all users then I believe it will get an Office Mode IP; however, all of the devices behind the gateway will get a single IP address. You will not get a block of IP addresses allocated. You will also need to configure the VPN Routing to allow Remote Access Clients to talk to each other, or the phones will only be able to talk to the other phones at other VPN-1 Edge sites. If all that is bothering the technical architect is the AD warnings then just add the subnets to the AD, as it will be far easier.
One last thing: so I presume if I am assigning addresses via ipassignment.conf, I use the name of the VPN1_Edge device as the user name? Is this a correct assumption? I would also understand it to mean that the .conf file is edited on the SmartCenter and would then be distributed to the gateways when the policy is pushed? Is that correct? Or do they need editing per gateway? Thanks again!
Just to clear up on this one: VPN-1 Edge (Safe@Office boxes too, for that matter) will not receive an Office Mode IP address. Office Mode is part of the SecureClient functionality and utilises a virtual adapter (see ipconfig /all) to assign the Office Mode IP address. As the Edge devices don't use the virtual adapter, this will not work on the Edge devices. IP Pool NAT might be an alternative as this is implemented at the firewall and should function regardless of the peer device :)

Stu
Although... this will only give you 1 IP address per peer gateway, not one per device behind the gateway. The best way for this is a site-to-site VPN with no NAT occurring on the community (non-Remote Access gateway too). We've used this before and it works perfectly with domain settings / VoIP phones etc. (so long as you use the DHCP on the Edge device to dish out the DNS of your INTERNAL DNS server as primary and the ISP DNS as secondary). Then it will literally be an extension of your local network. If it's simply a home worker without any other IP devices then take a look into SecureClient with Office Mode (possibly even SecuRemote, which you get a number of licences for free with a FW-1 gateway, I believe?).