Geomix7
Collaborator
IP POOL - STATIC IP

Is it possible to assign a static IP address from the VPN pool (Office Mode) on R80.20?

8 Replies
HeikoAnkenbrand
Champion

Remote Access VPN clients are assigned their static IP addresses configured in $FWDIR/conf/ipassignment.conf file.

More read here:

sk33422: Office Mode IP and ipassignment.conf file

➜ CCSM Elite, CCME, CCTE
Geomix7
Collaborator
Thanks a lot. Do you know whether I have to create an object on the firewall for every user that will have a static IP?
Geomix7
Collaborator
We have some more questions because it is not clear in the SK. Do we have to create a specific LDAP group for the login users? Do we have to create an object for each assigned static IP? These questions have been raised by the note that says "Objects referenced within the ipassignment.conf MUST exist within SmartConsole."
G_W_Albrecht
Legend
Legend

The user has to be present in Dashboard, either as local or LDAP user. The SK gives reference to the following detailed explanations and examples: https://sc1.checkpoint.com/documents/R80.10_andhigher/WebAdminGuides/EN/CP_RemoteAccessVPN_AdminGuid...

CCSE CCTE CCSM SMB Specialist
Albert_Wilkes
Collaborator

Fun fact: it seems you can't "reserve" an IP from the Office Mode pool, at least not in R80.30 JHF 196, and I couldn't find this documented in either the SK or the VPN guide, but I asked for the SK to be amended. We found out the hard way; see these vpnd.elg logs:
[vpnd 11166 4092880800]@FW1[6 Jul 16:34:44] registerAssignedIP: registering non-protected IP c0a8f80b to user user2 for 900 seconds in kernel instance 0
[vpnd 11166 4092880800]@FW1[6 Jul 16:34:44] registerAssignedIP: IP c0a8f80b already belongs to user user1. User user2 registration must fail.

CP support confirmed that the assigned IP should be outside the pool.

Kaloyan_Kirchev
Contributor

Can we assign IP based on source and based on user?

Or just one.

$FWDIR\conf\user.def keeps giving me syntax errors.

Any help? I want to specify just a single source public IP and assign exactly one Office mode IP.

_Val_
Admin

According to sk30919, you can do that per range. 

Albert_Wilkes
Collaborator

Correction: I mentioned the above based on first hand information from the logs and a chat with support. Fortunately the guys from the SK team are very thorough when working on SK documentation and they imply that this is actually a bug and that using IPs from the pool SHOULD be possible.

Thank you for providing your feedback to SecureKnowledge on sk33422, titled "Office Mode IP and ipassignment.conf file". 


Your feedback was:

------------------
Neither of the documentation mentions the fact that the IP used in ipassignment.conf MUST NOT be part of the pool. We found out the hard way, see these logs:
[vpnd 11166 4092880800]@FW1[6 Jul 16:34:44] registerAssignedIP: registering non-protected IP c0a8f80b to user user2 for 900 seconds in kernel instance 0
[vpnd 11166 4092880800]@FW1[6 Jul 16:34:44] registerAssignedIP: IP c0a8f80b already belongs to user user1. User user2 registration must fail.
------------------

After checking with RnD, they verified in the code that upon policy install the ipassignment.conf file is parsed and the specified OMs are saved in a local hash table, and during the negotiations there is a check whether the OM is already in the om_assigned_ips kernel table.

There might be a limitation in the code, however to investigate this we will need the vpnd logs from the time of the issue.

If the issue happens again, please open a new service request with the logs.

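Added example (mine, not part of the thread and not Check Point code): a small Python check for the two failure modes described in this and the earlier post, an ipassignment.conf entry that lies inside the Office Mode pool and the same fixed IP bound to two names, plus a decoder for the registerAssignedIP conflict lines from vpnd.elg. The column layout assumed for ipassignment.conf (gateway, type addr/range/net, IP, name, with # comments), the sample file and the pool 192.168.248.0/24 are my assumptions and constructed input; the two vpnd.elg lines are the ones quoted above, with the eight hex digits read as a big-endian IPv4 address (also an assumption). Whether an in-pool entry is a hard error or a bug is what the thread leaves open, so the script only reports it as a finding.

```python
"""Sanity-check an ipassignment.conf against the Office Mode pool and
decode vpnd.elg registerAssignedIP conflicts. Added example, not Check Point code.

Assumed file format (not taken from the thread):
    Gateway   Type(addr|range|net)   IP            Name
    '#' starts a comment; Gateway may be '*'.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample config; pool assumed to be 192.168.248.0/24.
SAMPLE_CONF = """\
# Gateway   Type    IP Address                          Name
*           addr    192.168.248.11                      user1
*           addr    192.168.248.11                      user2
*           addr    10.20.30.5                          user3
*           range   192.168.248.100-192.168.248.110     Finance
FW1         net     10.20.31.0/28                       Marketing
"""

# The two vpnd.elg lines quoted in the thread.
SAMPLE_ELG = """\
[vpnd 11166 4092880800]@FW1[6 Jul 16:34:44] registerAssignedIP: registering non-protected IP c0a8f80b to user user2 for 900 seconds in kernel instance 0
[vpnd 11166 4092880800]@FW1[6 Jul 16:34:44] registerAssignedIP: IP c0a8f80b already belongs to user user1. User user2 registration must fail.
"""


def parse_ipassignment(text):
    """Return a list of (gateway, kind, obj, name); obj is an ip_address,
    a (lo, hi) tuple for ranges, or an ip_network for nets."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 columns, got {len(parts)}")
        gw, kind, addr, name = parts
        if kind == "addr":
            # An optional /mask suffix does not change which host is assigned.
            obj = ipaddress.ip_address(addr.split("/", 1)[0])
        elif kind == "range":
            lo, hi = addr.split("/", 1)[0].split("-", 1)
            obj = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif kind == "net":
            obj = ipaddress.ip_network(addr, strict=False)
        else:
            raise ValueError(f"line {lineno}: unknown type {kind!r}")
        entries.append((gw, kind, obj, name))
    return entries


def overlaps_pool(kind, obj, pool):
    """True if the entry shares at least one address with the pool."""
    if kind == "addr":
        return obj in pool
    if kind == "range":
        lo, hi = obj
        return lo <= pool.broadcast_address and hi >= pool.network_address
    return obj.overlaps(pool)


def fmt(kind, obj):
    return f"{obj[0]}-{obj[1]}" if kind == "range" else str(obj)


def check_assignments(text, pool_cidr):
    """Return human-readable findings: pool overlaps and duplicate fixed IPs."""
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    findings = []
    owners = defaultdict(set)
    for _gw, kind, obj, name in parse_ipassignment(text):
        if overlaps_pool(kind, obj, pool):
            findings.append(f"{name}: {kind} {fmt(kind, obj)} overlaps Office Mode pool {pool}")
        if kind == "addr":
            owners[obj].add(name)
    for ip, names in sorted(owners.items()):
        if len(names) > 1:
            findings.append(f"{ip} assigned to more than one name: {', '.join(sorted(names))}")
    return findings


ELG_RE = re.compile(
    r"registerAssignedIP: IP (?P<hex>[0-9a-f]{8}) already belongs to user "
    r"(?P<owner>[^\s.]+)\. User (?P<loser>\S+) registration must fail"
)


def hex_ip(h):
    """vpnd.elg prints the address as 8 hex digits; assumed big-endian IPv4."""
    return str(ipaddress.ip_address(int(h, 16)))


def elg_conflicts(text):
    """Return (ip, current owner, rejected user) for each conflict line."""
    return [(hex_ip(m["hex"]), m["owner"], m["loser"]) for m in ELG_RE.finditer(text)]


if __name__ == "__main__":
    for f in check_assignments(SAMPLE_CONF, "192.168.248.0/24"):
        print("WARN", f)
    for ip, owner, loser in elg_conflicts(SAMPLE_ELG):
        print(f"vpnd: {ip} held by {owner}; {loser} denied")
```

Run it against your own file with the real pool CIDR before a policy install; a duplicate fixed IP in the file is the exact condition the "already belongs to user" line reports at negotiation time, and an overlap with the pool is the case support told the poster to avoid.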
