
Monday, August 16, 2010

Routing for Office Mode IPs in Checkpoint

When configuring Remote Access VPNs in Check Point, Office Mode is used very often. With Office Mode, we allocate a network range to be handed out to the Remote Access VPN clients: when a client connects, it receives a private IP address from that pool. This comes in handy when we want to write rules that allow internal users/devices to reach the remotely connected clients.
Normally we don't create an explicit route for the Office Mode range, because traffic to it is simply routed via the default gateway. But there are instances where you should create a route for the Office Mode range. Consider the following example.
The firewall's internal network is 192.168.x.0/24, and behind the internal router there are branch networks (around 20) in 192.168.w.0/24. You assign the Office Mode IPs from 192.168.y.0/24 (choose y so the pool does not overlap any internal or branch subnet). Since there are many networks behind the internal router, the easiest way to configure the routing is to have a summary route 192.168.0.0/16 pointed at the internal router.
With this kind of routing configuration, the remote VPN clients won't get any return packets. In simple words, they cannot access any resource they are intended to access, even though the VPN tunnel gets established. This is because return traffic destined to 192.168.y.0/24 matches the 192.168.0.0/16 summary route we inserted (the most specific match, longer than the /0 default) and is sent to the internal router instead of back out the external interface. To overcome this, you have to add a more specific route for the Office Mode range, so that longest-prefix matching favours it over the summary. The route should be as follows.
192.168.y.0/24 via the default gateway (the same next hop as the default route, on the external interface).
Say the Office Mode IPs are assigned from the 192.168.23.0/24 network and the external interface is eth2. Go to sysconfig, choose 6 for Routing configuration, then select 1 to Add a Network Route:
Network IP: 192.168.23.0
Subnet mask: 255.255.255.0
Gateway: the IP address of your default gateway (the next hop reachable on eth2)

This makes replies to the Office Mode clients leave through eth2, where they are encrypted into the VPN tunnel, rather than being forwarded to the internal router. Traffic for the branch networks is unaffected, since it still matches only the 192.168.0.0/16 summary. You can confirm the result in the gateway's routing table: the 192.168.23.0/24 entry must point at the default gateway, not at the internal router.
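The failure described above is plain longest-prefix matching: the firewall has no entry for the Office Mode pool, so the /16 summary toward the internal router is the most specific match and beats the /0 default. The following Python model is added here as an example (it is not code from the original post or from Check Point): it resolves destinations the way a forwarding table does and checks whether every address of the pool would egress via the external interface, so the broken and fixed tables can be compared offline. The interface names eth1/eth2 and the 192.168.23.0/24 pool follow the post; the internal router address 192.168.1.1 and the ISP next hop 203.0.113.1 are constructed placeholders.

```python
"""Longest-prefix-match model of the Office Mode routing problem.

Added example, not code from the original post or from Check Point. The
routing table is a list of (prefix, next hop, interface) entries; lookup()
picks the route a packet would take, and misrouted() reports which entries
would swallow return traffic for the Office Mode pool. All addresses except
the 192.168.23.0/24 pool named in the post are constructed.
"""
import ipaddress
from typing import Iterable, List, NamedTuple, Optional, Set


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: str       # next-hop IP, or "connected" for a directly attached subnet
    interface: str


def lookup(routes: Iterable[Route], dst) -> Optional[Route]:
    """Return the route a packet to dst takes: the longest matching prefix wins."""
    ip = ipaddress.IPv4Address(str(dst))
    matches = [r for r in routes if ip in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def misrouted(routes: Iterable[Route], pool: str, external_if: str) -> Set[Optional[Route]]:
    """Routes that would carry return traffic for some address in the Office
    Mode pool anywhere other than the external (VPN-facing) interface.

    An empty set means the whole pool egresses via external_if. Every address
    is checked individually so partial shadowing (e.g. a /25 carved out of the
    pool) is caught too; for a /24 that is 256 lookups. None in the result
    means some address has no route at all.
    """
    table: List[Route] = list(routes)
    bad: Set[Optional[Route]] = set()
    for addr in ipaddress.IPv4Network(pool):
        r = lookup(table, addr)
        if r is None or r.interface != external_if:
            bad.add(r)
    return bad


def route(prefix: str, next_hop: str, interface: str) -> Route:
    return Route(ipaddress.IPv4Network(prefix), next_hop, interface)


# Constructed scenario following the post: inside interface eth1, external eth2.
INTERNAL_ROUTER = "192.168.1.1"      # assumed inside router address (constructed)
DEFAULT_GW = "203.0.113.1"           # assumed ISP next hop on eth2 (constructed)
OFFICE_MODE_POOL = "192.168.23.0/24" # pool named in the post
EXTERNAL_IF = "eth2"

# Table as described in the post: default route out eth2, one summary route to
# the internal router for the ~20 branch /24s, no entry for the Office Mode pool.
SUMMARY_ONLY = [
    route("0.0.0.0/0", DEFAULT_GW, EXTERNAL_IF),
    route("192.168.1.0/24", "connected", "eth1"),      # firewall's own inside network
    route("192.168.0.0/16", INTERNAL_ROUTER, "eth1"),  # summary for the branch networks
]

# The fix: a more specific /24 for the pool pointing at the default gateway.
WITH_POOL_ROUTE = SUMMARY_ONLY + [route(OFFICE_MODE_POOL, DEFAULT_GW, EXTERNAL_IF)]

if __name__ == "__main__":
    for name, table in (("summary only", SUMMARY_ONLY), ("with pool route", WITH_POOL_ROUTE)):
        r = lookup(table, "192.168.23.10")
        print(f"{name}: 192.168.23.10 -> {r.prefix} via {r.next_hop} on {r.interface}")
        bad = misrouted(table, OFFICE_MODE_POOL, EXTERNAL_IF)
        print(f"{name}: routes eating Office Mode return traffic: "
              f"{sorted(str(x.prefix) if x else 'no route' for x in bad)}")
    branch = lookup(WITH_POOL_ROUTE, "192.168.50.7")
    print(f"branch host 192.168.50.7 still -> {branch.prefix} on {branch.interface}")
```

Run stand-alone it prints the two tables side by side: with only the summary route, 192.168.23.10 resolves to 192.168.0.0/16 on eth1, and `misrouted()` names that summary as the offending entry; with the /24 added, the pool resolves to eth2 and the set is empty while branch hosts still follow the summary. The same check is worth doing against `netstat -rn` output whenever an Office Mode pool and a summary route share the same RFC 1918 block.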
