the_rock
Legend

R82 DHCP office mode setup

Hey guys,

I'm attaching a doc I put together with a bunch of screenshots/troubleshooting steps I had taken so far to try to make DHCP office mode work in an R82 lab. I feel I'm getting close, but hopefully once I have another TAC remote session, we will finally get it going.

This is related to my post below.

https://community.checkpoint.com/t5/Remote-Access-VPN/Office-mode-DHCP-method-failure/td-p/240525/ju...

I will update the doc as I go along.

Lab details:

R82 standalone - 172.16.10.253, R82 jumbo 10

DHCP server - windows server 2022 - 172.16.10.199 (latest windows update installed, windows fw turned off)

dhcp scope - 10.20.30.1-10.20.30.254

exclusion - vip address 10.20.30.1

allow list on dhcp server - whatever mac address is listed by running vpn macutil andy (that's my local vpn user) and tcpdump from the gateway, filtering for dhcp server ip and ports 67 and 68

Best,

Andy

5 Replies
the_rock
Legend

Have not tried same in R81.20, but will try that if I can get R82 working first.

0 Kudos
the_rock
Legend

Quick update... had a lengthy RS with a lady from Ottawa TAC and she was extremely nice AND helpful! We did a bunch of debugs and checked logs on the DHCP server, though now we keep seeing discover and offer, but no response or acknowledge for DHCP. She told me she would ask around to see how this can be solved in my R82 lab. I will keep updating the document and post it again once we find the solution.

Andy

0 Kudos
the_rock
Legend

Here is the fix in case anyone has this problem.

Andy

 

IMPORTANT, that was sadly missing.

Andy

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_RemoteAccessVPN_AdminGuide/Topics-...

 

  • In Virtual IP address for DHCP server replies, enter an IP address from the sub network of the IP addresses which are designated for Office Mode usage.

    Office Mode supports DHCP Relay method for IP assignment, so you can direct the DHCP server as to where to send its replies. The routing on the DHCP server and that of internal routers must be adjusted so that packets from the DHCP server to this address are routed through the Security Gateway.

the_rock
Legend

Another step that I feel is super IMPORTANT, because if the MAC address entries are not in the allowed list, I am unable to connect. If it's a local VPN user, you get this by running the command below with whatever the username is (my username is andy). The other MAC address is for a 2nd user I added as a test. The other 2 are the broadcast and universal MAC, but they are not needed, I just had them there from previous testing.

[Expert@R82:0]# vpn macutil andy
DA-41-BC-EF-F9-7B, "andy"
[Expert@R82:0]#

0 Kudos
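A pre-flight check for the two settings this thread turned on, written as an added example (not code from the posts or from Check Point): it verifies that the virtual IP sits in the Office Mode network and is excluded from the lease range, and that every MAC reported by `vpn macutil` is on the DHCP server's allow list. The /24 mask and all function names are assumptions; the addresses and the gateway output are the lab values posted above.

```python
import ipaddress
import re

# Matches a `vpn macutil <user>` result line such as: DA-41-BC-EF-F9-7B, "andy"
MACUTIL_LINE = re.compile(r'^\s*((?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})\s*,\s*"([^"]+)"')

def norm_mac(mac):
    """Normalise separators and case so both list formats compare equal."""
    return mac.strip().replace(":", "-").upper()

def parse_macutil(output):
    """Return {username: MAC} from pasted gateway output; prompt lines are skipped."""
    return {m.group(2): norm_mac(m.group(1))
            for m in map(MACUTIL_LINE.match, output.splitlines()) if m}

def check_office_mode(vip, office_net, scope, exclusions, macutil_output, allow_list):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    vip = ipaddress.ip_address(vip)
    first, last = (ipaddress.ip_address(a) for a in scope)
    if vip not in ipaddress.ip_network(office_net):
        findings.append(f"VIP {vip} is outside the Office Mode network {office_net}")
    excluded = {ipaddress.ip_address(a) for a in exclusions}
    if first <= vip <= last and vip not in excluded:
        findings.append(f"VIP {vip} is inside the scope but not excluded from leasing")
    allowed = {norm_mac(m) for m in allow_list}
    for user, mac in sorted(parse_macutil(macutil_output).items()):
        if mac not in allowed:
            findings.append(f"{mac} ({user}) is missing from the DHCP allow list")
    return findings

# Lab values from the thread; the /24 mask is an assumption (the post gives only the range).
LAB = dict(vip="10.20.30.1", office_net="10.20.30.0/24",
           scope=("10.20.30.1", "10.20.30.254"), exclusions=["10.20.30.1"])
# Gateway output as posted in the thread.
MACUTIL = '[Expert@R82:0]# vpn macutil andy\nDA-41-BC-EF-F9-7B, "andy"\n[Expert@R82:0]#'

if __name__ == "__main__":
    results = check_office_mode(**LAB, macutil_output=MACUTIL,
                                allow_list=["da:41:bc:ef:f9:7b"])
    for finding in results or ["all checks passed"]:
        print(finding)
```

The routing requirement (DHCP server replies to the virtual IP must go through the Security Gateway) is not covered here and still has to be confirmed on the DHCP server and internal routers.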
the_rock
Legend

LATEST UPDATED document... apologies for so many screenshots, but I feel it was needed.

Andy

0 Kudos
