Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Libor_Kovar
Contributor

SecureRemote site address rewriting

Hello,

could you comment on this strange behavior ?

When I create remote site, I can connect for the first time and it works fine.

When I try to connect second time, it is not possible, as the site's IP is rewritten with the internal IP of itself.

SecuRemote 80.90, gate cluster 80.10

Many thanks

6 Replies
PhoneBoy
Admin
Admin

Is the gateway behind NAT or is it picking, say, a different (non-external) IP on the gateway?

0 Kudos
Libor_Kovar
Contributor

Thanks for the reply and sorry for the delay (vacations)

The GW cluster public address is not   behind the NAT .

It is defined as usually, but the Securemote client  is picking the internal IP address of the cluster.

 Cluster address in „general properties“ is really the internal one.

 I hesitate to change it to public because of licenses, Site-to-site VPN and other stuff, as I don’t know the side effects.

Is there any other option to rectify this situation ? Hopefully, something what involves RAS VPN only ?

Many thanks

0 Kudos
Netanel_Cohen
Employee
Employee

This might happen due to wrong 'link selection' configurations.

The default configuration is to use the 'Main address' as the site's IP address for VPN connections.

The 'Main address' is the IP configured in the 'General Properties' tab of the GW\Cluster object.

In case the GW is behind NAT as Demeon suggested or in case the 'Main address' is not the external interface, you need to modify the 'Link Selection' configurations accordingly. 

Please note that by default the 'Link Selection' configurations take effect for both RA and Site-to-Site VPN connections.

0 Kudos
Libor_Kovar
Contributor

Thanks for the reply and sorry for the delay , too.

The GW cluster public address is not   behind the NAT .

It is defined as usually, but the SecuRemote client  is picking the internal IP address of the cluster.

 Cluster address in „general properties“ is really the internal one, but in IPSec VPN Link selection section is chosen to always use the "selected address from topology table" with the value of external cluster address, not the "Main address"

0 Kudos
Libor_Kovar
Contributor

Addendum: On the same page is following option ... link selection - source IP address Settings

Could it help if I change it accordingly as above, could it disturb the Site-toSite VPN's ?

Firewall is in production !

0 Kudos
PhoneBoy
Admin
Admin

Link Selection setting impacts Remote Access and Site-to-Site VPNs.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events