On Tue, 1 Jul 2003, Layne Meier wrote:
> When trying to configure Office Mode, it says that I need to define a Virtual IP Address for DHCP server replies. Should I not use the IP Address of the LAN interface of the Enforcement Module?
No. Read on.
> I have defined a DHCP scope on our DHCP server in the same subnet as the VPN Server resides in.
You'll need to define a scope that is outside the subnet. Read on.
> I have two Cisco 6513 routers within that subnet as well. Here is a pseudo breakdown of that subnet:
>
> 10.1.1.0 / 255.255.255.0
> Cisco#1 10.1.1.2
> Cisco#2 10.1.1.3
> Virtual Router (HSRP) 10.1.1.1
> VPN Gateway 10.1.1.21
> DHCP Server 10.1.4.15
Ok, so let's assume that you have uniformly subnetted 10 with 24-bit subnet masks. Your VPN Gateway is on the 10.1.1.0/24 network. Your DHCP server is on a separate network (10.1.4.0/24), but that's not important right now.
> I've defined the scope, and bound it to these interfaces 10.1.1.1, 10.1.1.2, 10.1.1.3 and 10.1.1.21.
No idea why you've bound the scope to anything. The DHCP server could be configured to listen on specific subinterfaces on the machine it is running on, but that's not important here, unless, of course, it's not listening on an appropriate subinterface.
> Shouldn't DHCP replies simply go back to the VPN Gateway?
That's a routing question. Not relevant to this topic.
> Why would I have to define a "Virtual IP Address"?
Ok, here's where we get to the real issue.
Pretend you are doing dhcp relay through your firewall. That means you have a DHCP server on one side of the firewall providing addresses for a network that is on another side of the firewall (read "side" = "network interface").

When a machine on the client network sends a DHCP request, it sends a broadcast on that network. Since the firewall is running dhcp relay, it picks up the request and forwards it to a real DHCP server. How does the DHCP server know that this request is from another side of the firewall instead of from the network on which the DHCP server is located? The request has a "gateway" entry, that specifies an address on the client network. Usually that is the primary address of the firewall's interface on that client network. When the server sees such a gateway entry, it picks an available address from the scope for that network and offers it to the firewall, who in turn offers it to the client.
Office Mode works by emulating this behaviour. It pretends that there is another side from which DHCP requests are initiated. Like a real dhcp relay, it needs to send a "gateway" address to the DHCP server so that the server knows which scope to pick an address from. That "gateway" address is what you put in for the "virtual IP address for DHCP server replies". (Much of the confusion comes from this caption. It's very misleading.) Just pick an IP address that is in the subnet that you want to use for Office Mode, and omit that address from the scope on the DHCP server. When the server sees that "gateway" address, it knows to offer an address from the scope that you have defined for the office mode subnet.
Let's say you use 10.2.0.0/24 for your Office Mode subnet. You could set the "virtual IP address for DHCP server replies" (NG FP3 caption, might vary in NG AI) to 10.2.0.1, and define the scope to be 10.2.0.2 - 10.2.0.254. When a SecureClient client requests an office mode address, the firewall will send a request to the DHCP server (at 10.1.4.15, which you define in "Use specific DHCP server"), with the "gateway" address set to 10.2.0.1. The DHCP server will then pick an address from the 10.2.0.2 - 10.2.0.254 range and offer that to the firewall for this client.

This, of course, will be the only time the address 10.2.0.1 will be used for anything.

Note that your routers on the 10.1.1.0/24 and the 10.1.4.0/24 networks will need to route traffic destined for 10.2.0.0/24 to the firewall.
> Does that mean I'd have to create a virtual address on the primary interface on the VPN gateway?
No. The only place the virtual address appears is in the "Virtual IP address for DHCP server replies" box.
> I'm running VPN on a Sun SunFire V480, dual 900MHz CPUs, 4Gb of RAM and dual 40Gb hard drives. It's running Sun Solaris 2.8 and CheckPoint FireWall-1/VPN-1 NG with Application Intelligence.
>
> Thank you,
> Layne Meier
> Atlanta Newspapers
------------------------------------------------------------------
Sid Van den Heede Open Text Corporation
------------------------------------------------------------------
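To make the "gateway" entry in the explanation above concrete: it is the giaddr field of the DHCP header (RFC 2131). The Python below is an added example, not code from this thread or from Check Point; it builds the relayed DISCOVER the gateway would send with giaddr 10.2.0.1 and simulates the server choosing the 10.2.0.2 - 10.2.0.254 scope from it. The 10.1.4.0/24 scope range, the MAC address and the xid are constructed values.

```python
from __future__ import annotations
import ipaddress
import struct

# Constructed scopes keyed by the network they serve. The Office Mode scope
# deliberately omits 10.2.0.1, the "virtual IP address for DHCP server
# replies" that the gateway places in giaddr.
SCOPES = {
    ipaddress.ip_network("10.1.4.0/24"): ("10.1.4.100", "10.1.4.200"),
    ipaddress.ip_network("10.2.0.0/24"): ("10.2.0.2", "10.2.0.254"),
}

def build_relayed_discover(giaddr: str, chaddr: bytes, xid: int = 0x3903F326) -> bytes:
    """Fixed-length DHCP header plus a minimal option list for a DISCOVER that a
    relay agent forwards. ciaddr/yiaddr/siaddr are zero; giaddr carries the
    relay address the server uses to pick a scope."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)  # op, htype, hlen, hops, xid, secs, flags
    hdr += bytes(4) * 3                                         # ciaddr, yiaddr, siaddr
    hdr += ipaddress.ip_address(giaddr).packed                  # giaddr (bytes 24..27)
    hdr += chaddr.ljust(16, b"\x00")                            # chaddr padded to 16 bytes
    hdr += bytes(192)                                           # sname + file, unused here
    hdr += b"\x63\x82\x53\x63"                                  # DHCP magic cookie
    hdr += bytes([53, 1, 1, 255])                               # option 53 = DHCPDISCOVER, end
    return hdr

def parse_giaddr(packet: bytes) -> str:
    return str(ipaddress.ip_address(packet[24:28]))

def select_scope(packet: bytes, server_ip: str, leased: set) -> str | None:
    """Server side: choose the scope from giaddr, or from the server's own subnet
    when giaddr is 0.0.0.0 (a non-relayed request on the local network), and
    lease the first free address in it. Returns None when no scope matches
    (the server ignores the request) or the scope is exhausted."""
    giaddr = parse_giaddr(packet)
    key = ipaddress.ip_address(server_ip if giaddr == "0.0.0.0" else giaddr)
    for net, (lo, hi) in SCOPES.items():
        if key in net:
            for i in range(int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi)) + 1):
                cand = str(ipaddress.ip_address(i))
                if cand not in leased:
                    leased.add(cand)
                    return cand
            return None
    return None
```

A request carrying a giaddr that no scope covers gets no offer, which is the failure you see when the "virtual IP address" is not inside the subnet defined on the DHCP server.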