Good Day All,
We have a challenge whereby re-authentication fails for our RA VPN clients.
Background:
Our VPN gateways (R81.20 T99 / SMS T105) are NAT'd behind perimeter gateways, so the VPN gateway "public" IPs are actually RFC1918 IPs (10.x.x.x). Furthermore, when connecting to the "internal" LAN you'll need to connect via VPN to access any resources, so external clients resolve vpn.domain.com to a public IP, and internal clients will resolve vpn.domain.com to an internal IP (external cluster interface on VPN gateways).
Both internal and external clients can log into the VPN just fine - as per the SAML login process clients get redirected to https://vpn.domain.com/saml-vpn on either the NAT'd public IP of the perimeter gateways or the internal IP of the VPN gateway, depending on whether the RA client is inside or out.
Clients complete authentication and life is good.
The problem
The problem comes when their authentication expires (ours is set to 8h). The VPN client will attempt to re-auth by hitting https://vpn.domain.com/saml-vpn which now resolves to the internal (10.x.x.x) cluster IP. This is where we run into issues.
Even though our encryption domain includes the entire subnet in which the VPN cluster's physical and cluster interface sit, clients only get offered the physical interfaces via the encryption domain (confirmed via RA client routing table). For example, I can traceroute to the VPN gateway's physical interfaces fine, but the cluster interface breaks out via the client's local gateway.
The checkbox to "Exclude gateway's external IP address from VPN domain" is NOT selected. The VPN domain is User defined, but as mentioned includes the entire subnet on which the VPN gateways external interfaces sit.
Would appreciate any and all ideas on how we can get our RA clients to hit the external IP / SAML portal WHILST connected via VPN.
Thanks,
Ruan
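As an added example (not from the post or from Check Point), a small Python check that reproduces the diagnosis described above against the client's routing table: a longest-prefix match decides where the SAML portal's internal address is sent, and that result is compared with what the encryption domain is configured to cover. All addresses, routes and the DNS answer are constructed.

```python
import ipaddress

# Constructed sample data: routes a split-tunnel RA client might hold, as seen in
# its routing table. "tunnel" routes point at the VPN adapter, "local" at the
# client's own default gateway.
CLIENT_ROUTES = [
    ("0.0.0.0/0", "local"),        # default route via the client's local gateway
    ("10.1.1.1/32", "tunnel"),     # VPN gateway member A, physical interface
    ("10.1.1.2/32", "tunnel"),     # VPN gateway member B, physical interface
    ("10.20.0.0/16", "tunnel"),    # an internal LAN range in the encryption domain
]

# Constructed: what the encryption domain is meant to cover on the gateway side.
ENCRYPTION_DOMAIN = ["10.1.1.0/24", "10.20.0.0/16"]

# Constructed: split-DNS answer for the SAML portal hostname from inside the tunnel
# (the cluster virtual IP, not a member's physical IP).
INTERNAL_DNS = {"vpn.domain.com": "10.1.1.3"}


def next_hop(ip: str, routes=CLIENT_ROUTES) -> str:
    """Longest-prefix match, the same decision the client's IP stack makes."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else "unreachable"


def in_encryption_domain(ip: str, domain=ENCRYPTION_DOMAIN) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in domain)


def check_portal(hostname: str) -> dict:
    """Compare the gateway's intent (encryption domain) with the client's actual
    routing decision for the SAML portal address."""
    ip = INTERNAL_DNS[hostname]
    hop = next_hop(ip)
    covered = in_encryption_domain(ip)
    # The symptom in the post: covered by the domain, yet no route via the tunnel,
    # so re-authentication traffic breaks out through the local gateway.
    return {"ip": ip, "in_encryption_domain": covered,
            "client_next_hop": hop, "mismatch": covered and hop != "tunnel"}


if __name__ == "__main__":
    for target in ["10.1.1.1", "10.1.1.3", "10.20.5.5"]:
        print(target, "->", next_hop(target))
    print(check_portal("vpn.domain.com"))
```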
So does this ONLY happen when they try to re-authenticate?
Andy
No - I can reproduce this anytime they're connected to the VPN - see my comments regarding the routes on the client.
Gotcha...let me do some testing in the lab later to check.
Andy
Just did some tests in my R82 lab, no issues. I have the same option about the external interface unchecked as you do, I simply made sure the external interface IP is included in the RA VPN domain, that's it.
Andy