This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sunray
Explorer
‎2022-01-27 07:34 AM

VPN RA with two Office Mode pools

I would ask you how to resolve the below problem.

 

At the moment we use 6 Check Point gateways for our VPN Remote Access system.

Each gateway has dedicated Office Mode pool:

 

gw05                     Office Mode Pool             10.76.0.0/19 

gw01                     Office Mode Pool             10.76.32.0/19 

gw03                     Office Mode Pool             10.76.64.0/19 

gw06                     Office Mode Pool             10.76.128.0/19 

gw02                     Office Mode Pool             10.76.160.0/19 

gw04                     Office Mode Pool             10.76.192.0/19 

 

Despite that each pool has 8190 IP addresses it is not enough for us. We need to double each pool.

Of course we can change subnet mask to /18 but we don’t want do it. Instead of this we looking for solution where we will use two pools (each of them with subnet mask /19). When the first pool will be full IP address should be assigned from second pool

It should looks like this:

 

 

gw05                     Office Mode Pool             10.76.0.0/19                      and        10.77.0.0/19 

gw01                     Office Mode Pool             10.76.32.0/19                     and        10.77.32.0/19 

gw03                     Office Mode Pool             10.76.64.0/19                     and        10.77.64.0/19 

gw06                     Office Mode Pool             10.76.128.0/19                   and        10.77.128.0/19 

gw02                     Office Mode Pool             10.76.160.0/19                   and        10.77.160.0/19 

gw04                     Office Mode Pool             10.76.192.0/19                   and        10.77.192.0/19 

 

At the moment we use “Manual method” for Office Mode

 

Sunray_0-1643297586340.jpeg

 

 

 

In this method it is possible indicate only one pool / network so we decided to use ipassignment.conf file with content like this:

Sunray_1-1643297586344.png

 

 

 

Because this is new configuration for us, so we decided to test it in our lab.

Of course we hadn’t possibilities to conduct that test in that scale like in production environment, so ipassignment.conf file in our lab looked like below.

 

Sunray_2-1643297586345.png

 

 

 

 

The test was that 3 clients try to connect to VPN and the results was like below:

 

Client-1                get address        10.76.0.4

Client-2                get address        10.76.0.5

Client-3                didn’t get address (screen below)

 

Sunray_3-1643297586351.png

 

 

 

So my questions are:

  • could you confirm that is any method to use two pools (on one gateway) in Office Mode
  • if answer on above question is “YES” how should it be done

 

 

 

 

 

The software we used during the tests is:

Check Point R80.40 take 294 (HFA take 139)

Endpoint Security E85.40

 

 

 

Thanks in advance

 

0 Kudos
4 Replies
the_rock
Legend
Legend
‎2022-01-27 07:44 AM

Thats super interesting topic. Just wondering, have you actually followed below article? I would certainly confirm with TAC if this is officially supported, to use 2 subnets.

Andy

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...,

0 Kudos
Sunray
Explorer
‎2022-01-31 01:01 AM
In response to the_rock

Hello Andy,

 

I have already gone through this article, it will not work in this case.

 

Thanks 

Mayank

0 Kudos
the_rock
Legend
Legend
‎2022-01-31 08:19 AM
In response to Sunray

Yea, I hear you, I also went through it myself and logically, does not appear it would help. I would certainly open an official TAC case and see if they can assist you.

0 Kudos
G_W_Albrecht
Legend
Legend
‎2022-02-01 12:24 AM

Using two OM IP pools on the same GW is not supported - so you would have to double the number of pool addresses instead.

CCSE CCTE CCSM SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events