CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1  2006-10-24
tolu60 (Junior Member, joined 2006-10-24, 4 posts)

VPN (SecureClient) problem

I am experiencing problems when trying to establish a VPN tunnel using SecureClient. My configuration is this:
Running ClusterXL on SecurePlatform.
6 interfaces on each member: 2 Internet, 2 DMZ, 1 internal LAN and a sync interface.
IP configuration (identical on both):
eth0: 192.168.50.x (cluster 192.168.50.x) - LAN
eth1: 10.10.1.x (cluster 192.168.255.x) - DMZ
eth2: 10.10.2.x (cluster x.x.x.x) - ISP A
eth3: 10.10.3.x (cluster x.x.x.x) - ISP B
eth4: 10.10.4.x (cluster 192.168.254.x) - 2nd DMZ
eth5: x.x.x.x (synchronisation interface)

ISP redundancy and cluster failover work perfectly. I am just not able to connect using SecureClient from the Internet. I am, however, able to establish a VPN when connecting from the internal LAN (via the 192.168.50.x subnet).
Has anyone come across a similar configuration or have any suggestions as to what I may be doing wrong?
#2  2006-10-24
northlandboy (Senior Member, New Zealand, joined 2006-07-28, 857 posts)

Re: VPN (SecureClient) problem

What topology do you have configured for SecureClient? Manual/automatic?

Is your encryption domain meant to be just the DMZ interfaces?

When you try to create a tunnel remotely, what happens?

I suspect you may have some issues going on with link selection - you've probably got the 192.168.50.x cluster IP as the primary IP of the cluster object, which is why the internal system can connect, but not the remote one.
#3  2006-10-24
tolu60 (Junior Member, joined 2006-10-24, 4 posts)

Re: VPN (SecureClient) problem

The encryption domain should include all networks available via the internal eth interface. My internal network is on 192.168.x.x accessible via 192.168.50.x (Firewall cluster IP and cluster member internal interfaces).
When trying to connect, SecureClient times out with a timeout error message: no response from gateway.
I'm not sure what you mean by manual/automatic topology on SecureClient?
The strange thing is that I am able to add the site in the first place, and it can definitely communicate with the gateway. When I check the logs, it appears that the connection is trying to talk to the cluster IP of the internal LAN (192.168.50.x), and I can't understand why, if I'm connecting from outside.
The cluster IP on the internal LAN is my gateway when accessing the internet (from internally), and the associated interfaces have been configured as the management interfaces on the cluster members.
#4  2006-10-24
northlandboy (Senior Member, New Zealand, joined 2006-07-28, 857 posts)

Re: VPN (SecureClient) problem

There's your problem.

When you add a new site with SecureClient, it connects to the IP address you give it, and uses that to download topology. That's why you can successfully add the site either internally or externally.

Once it's downloaded topology, it uses the information in the users.C file to connect. It will use whatever you have put as the cluster object IP in SmartDashboard to try and establish a VPN.

Since you've set up that cluster object with the internal IP, that's why it works when you connect internally, and not externally.

Do you want to be able to establish a tunnel both from your LAN and the Internet? If you do, you'll need to look into NGX link selection, assuming you're using NGX.

If you only want to establish a tunnel from the Internet, then you'll need to change the cluster object IP to use the external cluster address.
#5  2006-10-24
tolu60 (Junior Member, joined 2006-10-24, 4 posts)

Re: VPN (SecureClient) problem

I'm not sure what you mean by changing the cluster IP object to use the internal IP instead of the external one. I don't need to be able to establish a tunnel internally, just externally from the Internet.
What I meant earlier about the management interface has to do with managing the cluster members... I had to select the internal one in order to be able to manage them from the internal LAN rather than the external.
I am using NGX R60 on SecurePlatform with the management console on a Windows 2003 box.
#6  2006-10-24
northlandboy (Senior Member, New Zealand, joined 2006-07-28, 857 posts)

Re: VPN (SecureClient) problem

Go into SmartDashboard.

Open up the cluster object you have representing your gateway.

On the first tab, "General", there will be a field for the cluster object IP. Right now you have probably got the internal cluster address. Change it to the external address. Save that.

Reinstall policy.

Update topology on your client. You will then be able to connect from the Internet.
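As an added example (not code from the thread, and not Check Point's own tooling), the following Python script reproduces the diagnosis given in posts #4 and #6 in a form you can run offline: it parses a small, constructed topology fragment written in Check Point's parenthesised ".C" object format, reads the main `:ipaddr` of each gateway object (the address the client dials once it has downloaded topology), and flags any gateway whose main address is RFC 1918 while the client is on the Internet, listing the public interface it should be changed to. The sample text, the key names in it (`:gateways`, `:ipaddr`, `:topology`, `:ipmask`) and the function names are assumptions for illustration; the real client-side topology file is laid out differently, but the rule it demonstrates is the one in the thread.

```python
# Added example, not code from the thread or from Check Point. The sample
# topology, its key names and the function names are assumptions.
import ipaddress
import re

# Constructed sample in the style of a downloaded topology. 'fw-cluster' mirrors
# the thread: its main IP is the internal cluster VIP although it also owns a
# public interface. 'fw-branch' is a correctly configured gateway for contrast.
SAMPLE_TOPOLOGY = r"""
(
    :gateways (
        : (fw-cluster
            :type (cluster)
            :ipaddr (192.168.50.1)
            :topology (
                : (:ipaddr (192.168.50.1) :ipmask (255.255.255.0))
                : (:ipaddr (198.51.100.10) :ipmask (255.255.255.248))
            )
        )
        : (fw-branch
            :type (gateway)
            :ipaddr (203.0.113.7)
        )
    )
)
"""

# Tokens: parentheses, ':key' (a bare ':' introduces an unnamed member),
# double-quoted strings, and bare words such as IP addresses.
_TOKEN = re.compile(r'\(|\)|:[A-Za-z0-9_.-]*|"[^"]*"|[^\s()":]+')

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_c(text):
    """Parse the parenthesised '.C' format into dicts, lists and strings.
    A group holding ':key (...)' entries becomes a dict (a leading bare word, as
    in ': (name :key (v))', goes under '_name'); one holding only unnamed
    ': (...)' members becomes a list; one wrapping a single value, a string."""
    tokens = _TOKEN.findall(text)
    pos = 0

    def group():
        nonlocal pos
        if tokens[pos] != "(":
            raise ValueError(f"expected '(' at token {pos}, got {tokens[pos]!r}")
        pos += 1
        named, unnamed, scalars = {}, [], []
        while tokens[pos] != ")":          # IndexError here means unbalanced input
            tok = tokens[pos]
            if tok.startswith(":"):
                pos += 1
                value = group()
                if tok == ":":
                    unnamed.append(value)
                else:
                    named[tok[1:]] = value
            else:
                scalars.append(tok.strip('"'))
                pos += 1
        pos += 1  # consume ')'
        if named:
            if scalars:
                named["_name"] = scalars[0]
            return named
        if unnamed:
            return unnamed
        return scalars[0] if len(scalars) == 1 else scalars

    return group()


def gateway_reachability(topology_text, client_on_internet=True):
    """Return {gateway name: verdict} from each gateway's main ':ipaddr'.
    The client dials the object's main address after a topology update, not the
    interface facing it, so an RFC 1918 main address is a dead end from the
    Internet even when the cluster also owns a public interface."""
    verdicts = {}
    for gw in parse_c(topology_text)["gateways"]:
        main_ip = gw["ipaddr"]
        public = [t["ipaddr"] for t in gw.get("topology", [])
                  if not is_rfc1918(t["ipaddr"])]
        if client_on_internet and is_rfc1918(main_ip):
            msg = f"unreachable: main IP {main_ip} is RFC 1918"
            if public:
                msg += "; set the object's main IP to one of: " + ", ".join(public)
            verdicts[gw["_name"]] = msg
        else:
            verdicts[gw["_name"]] = f"ok: client dials {main_ip}"
    return verdicts


if __name__ == "__main__":
    for name, verdict in gateway_reachability(SAMPLE_TOPOLOGY).items():
        print(f"{name}: {verdict}")
```

Run as-is, the script reports `fw-cluster` as unreachable from the Internet and points at 198.51.100.10 as the address the cluster object's main IP should carry, while `fw-branch` passes; with `client_on_internet=False` the same cluster passes, which is exactly the internal-works/external-fails symptom described above. The public-interface check uses only the RFC 1918 ranges rather than Python's `is_global`, so the documentation addresses in the sample are treated as public.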