IP POOL - STATIC IP
Do we have the possibility to assign some static IP address from VPN pool (office mode) R80.20?
Accepted Solutions
Remote Access VPN clients are assigned their static IP addresses configured in $FWDIR/conf/ipassignment.conf file.
Read more here:
sk33422: Office Mode IP and ipassignment.conf file
The user has to be present in Dashboard, either as local or LDAP user. The SK gives reference to the following detailed explanations and examples: https://sc1.checkpoint.com/documents/R80.10_andhigher/WebAdminGuides/EN/CP_RemoteAccessVPN_AdminGuid...
Fun fact: it seems you can't "reserve" an IP from the OfficeMode pool, at least not in R80.30 JHF 196. I couldn't find this documented in either the SK or the VPN guide, but I asked for the SK to be amended. We found out the hard way; see these vpnd.elg logs:
[vpnd 11166 4092880800]@FW1[6 Jul 16:34:44] registerAssignedIP: registering non-protected IP c0a8f80b to user user2 for 900 seconds in kernel instance 0
[vpnd 11166 4092880800]@FW1[6 Jul 16:34:44] registerAssignedIP: IP c0a8f80b already belongs to user user1. User user2 registration must fail.
CP support confirmed that the assigned IP should be outside the pool.
Can we assign IP based on source and based on user?
Or just one.
$Fwdir\conf\user.def keeps giving me syntax errors.
Any help? I want to specify just a single source public IP and assign exactly one Office mode IP.
According to sk30919, you can do that per range.
Correction: I mentioned the above based on first-hand information from the logs and a chat with support. Fortunately, the guys from the SK team are very thorough when working on SK documentation, and they imply that this is actually a bug and that using IPs from the pool SHOULD be possible.
Thank you for providing your feedback to SecureKnowledge on sk33422, titled "Office Mode IP and ipassignment.conf file".
Your feedback was:
------------------
Neither of the documentation mentions the fact that the IP used in ipassignment.conf MUST NOT be part of the pool. We found out the hard way, see these logs:
[vpnd 11166 4092880800]@FW1[6 Jul 16:34:44] registerAssignedIP: registering non-protected IP c0a8f80b to user user2 for 900 seconds in kernel instance 0
[vpnd 11166 4092880800]@FW1[6 Jul 16:34:44] registerAssignedIP: IP c0a8f80b already belongs to user user1. User user2 registration must fail.
------------------
After checking with RnD, they verified in the code that upon Policy install, the ipassignment.conf file is parsed and the specified OMs are saved in a local hash table, and during the negotiations there is a check whether the OM is already in the on_assigned_ips kernel table.
There might be a limitation in the code; however, to investigate this we will need the vpnd logs from the time of the issue.
If the issue happens again, please open a new service request with the logs.
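To collect the evidence support asks for, the following added example (not part of the thread and not Check Point code) scans vpnd.elg lines for the `registerAssignedIP` conflict message quoted above, decodes the hex address, and reports whether it falls inside the Office Mode pool. The pool `192.168.248.0/24` and the function names are assumptions; the thread does not state the real pool.

```python
import ipaddress
import re

# Shape of the conflict message quoted in the thread.
CONFLICT = re.compile(
    r"\[(?P<time>\d+ \w{3} \d\d:\d\d:\d\d)\] registerAssignedIP: "
    r"IP (?P<ip>[0-9a-fA-F]{8}) already belongs to user (?P<holder>\S+?)\. "
    r"User (?P<rejected>\S+) registration must fail"
)

def hex_to_ip(hex_ip):
    """vpnd.elg prints IPv4 addresses as 8 hex digits, e.g. c0a8f80b."""
    return str(ipaddress.IPv4Address(int(hex_ip, 16)))

def find_conflicts(lines, pool_cidr):
    """Return one record per failed Office Mode registration found in the log."""
    pool = ipaddress.ip_network(pool_cidr)
    conflicts = []
    for line in lines:
        m = CONFLICT.search(line)
        if not m:
            continue
        ip = hex_to_ip(m.group("ip"))
        conflicts.append({
            "time": m.group("time"),
            "ip": ip,
            "holder": m.group("holder"),      # user that currently owns the IP
            "rejected": m.group("rejected"),  # user whose registration failed
            "in_pool": ipaddress.ip_address(ip) in pool,
        })
    return conflicts

# The two vpnd.elg lines quoted in the thread.
SAMPLE_LOG = [
    "[vpnd 11166 4092880800]@FW1[6 Jul 16:34:44] registerAssignedIP: registering "
    "non-protected IP c0a8f80b to user user2 for 900 seconds in kernel instance 0",
    "[vpnd 11166 4092880800]@FW1[6 Jul 16:34:44] registerAssignedIP: IP c0a8f80b "
    "already belongs to user user1. User user2 registration must fail.",
]
ASSUMED_POOL = "192.168.248.0/24"  # assumption: the real pool is not given in the thread

if __name__ == "__main__":
    for c in find_conflicts(SAMPLE_LOG, ASSUMED_POOL):
        where = "inside" if c["in_pool"] else "outside"
        print(f'{c["time"]}: {c["ip"]} ({where} {ASSUMED_POOL}) held by '
              f'{c["holder"]}, registration of {c["rejected"]} failed')
```
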
