topic Remote Access VPN multiple pools and IP assignment in SASE and Remote Access

Remote Access VPN multiple pools and IP assignment

Cisco59 — Mon, 03 Aug 2020 10:42:06 GMT

Dear All,

I actually have a R80.20 cluster with 2 gateways.

All employees are allowed to have a remote access using Checkpoint Mobile.

When they do so, they get a 172.16.10.0/23 address.

First problem :

I wanted to allocate few IP addresses in this range. I did it by modifying the ipassignment.conf file .

In the beginning it was working fine. But, I then realized the IP address was given to another employee who has connected earlier in the day...how is it possible to overwrite the reservation like that ?

Second problem :

I decide to allocate static IP address for the concerned users in another subnet (let's say 10.x.x.x/24), so that I'm not bothered by the first problem.

The problem is, as soon I'm connected by VPN with the new IP address I set, I get disconnected 30 seconds later .

In the logs, I can see that my traffic links with the external interfaces but all the packets get dropped with "Address spoofing" error message. In fact, my traffic isn't listed as "VPN" feature.

How could I fixe one or both problems ?

Thanks in advance,

Re: Remote Access VPN multiple pools and IP assignment

PhoneBoy — Wed, 05 Aug 2020 03:20:39 GMT

If you want to assign a specific user a specific IP, it cannot be in your general Office Mode range, at least as I understand it.

Re: Remote Access VPN multiple pools and IP assignment

MartinTzvetanov — Fri, 07 Aug 2020 12:26:10 GMT

First problem:

Networks in ipassignment.conf must be different than the Office mode network.

Second problem:

You have to add the network that you give for VPN users in the SmartConsole->GW options->Network Management->your external interface, facing VPN users->Modify topology->Don't check packets from, or just disable anti-spoofing on the external interface (not so secure).