Link Selection for Remote Access Clients

Overview

Link Selection is a method used to determine which interface to use for incoming and outgoing VPN traffic and the best possible path for the traffic. Using Link Selection, you choose which IP addresses are used for VPN traffic on each Security Gateway.

Load Sharing and Service Based Link Selection are not supported when the peer is a Remote Access Client. If the Probing Redundancy mode configuration is Load Sharing and the peer is a remote access client, High Availability will be enforced for the client's tunnel.

For more information on Link Selection, see Link Selection.

Configuring Link Selection for Remote Access Only

Link selection is configured on each Security Gateway in the Security Gateway Properties > IPSec VPN > Link Selection window. The settings apply to

  • Security Gateway to Security Gateway connections, and to
  • remote access client to Security Gateway connections.

You can configure Link Selection for remote users separately. These settings override the settings configured on the Link Selection page. For more about Link Selection options, see Link Selection.

To configure separate Link Selection settings for remote access VPN:

  1. Using GuiDBedit, the Check Point Database Tool, select the Security Gateway object.
  2. Change the value apply_resolving_mechanism_to_SR to false on the Security Gateway object.
  3. Edit the ip_resolution_mechanism attribute to determine how remote access clients resolve the IP address of the local Security Gateway. Add one of the following:
    • mainIpVpn - Always use the main IP address specified in the IP Address field on the General Properties page of the Security Gateway.
    • singleIpVpn - The VPN tunnel is created with the Security Gateway using an IP address set in single_VPN_IP_RA.
    • singleNATIpVPN - The VPN tunnel is created using a NATed IP address set in single_VPN_IP_RA.
    • topologyCalc - Calculate the IP address used for the VPN tunnel by network topology, based on the location of the remote peer.
    • oneTimeProb - Use one-time probing to determine which link will be used.
    • ongoingProb - Use ongoing probing to determine which link will be used.
  4. If you are using ongoing or one-time probing, also edit these parameters:
    • interface_resolving_ha_primary_if - The primary IP address used for one-time / ongoing probing.
    • use_interface_IP - Set to true if all IP addresses defined in the topology tab should be probed. Set to false if the manual list of IP addresses should be probed.
    • available_VPN_IP_list - A list of IP addresses that should be probed. (This list is used only if the value of use_interface_IP is false.)
  5. Save changes.
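A consistency check for the attributes set in steps 2 to 4, useful when reviewing a gateway after the change. This is an added example, not Check Point code: the function name and the dict holding values copied from GuiDBedit are assumptions, and the sample addresses are constructed.

```python
import ipaddress

# Values and attribute names are those listed in steps 2-4 of the procedure.
MECHANISMS = {"mainIpVpn", "singleIpVpn", "singleNATIpVPN",
              "topologyCalc", "oneTimeProb", "ongoingProb"}
PROBING = {"oneTimeProb", "ongoingProb"}
SINGLE_IP = {"singleIpVpn", "singleNATIpVPN"}

def _is_ip(value):
    try:
        ipaddress.ip_address(str(value))
        return True
    except ValueError:
        return False

def check_ra_link_selection(attrs):
    """Return findings for one gateway; attrs is a hand-built dict (assumed format)."""
    findings = []
    if str(attrs.get("apply_resolving_mechanism_to_SR", "")).lower() != "false":
        findings.append("apply_resolving_mechanism_to_SR is not false (step 2)")
    mech = attrs.get("ip_resolution_mechanism")
    if mech not in MECHANISMS:
        findings.append(f"ip_resolution_mechanism {mech!r} is not a value from step 3")
        return findings
    if mech in SINGLE_IP and not _is_ip(attrs.get("single_VPN_IP_RA", "")):
        findings.append(f"{mech} needs an IP address in single_VPN_IP_RA")
    if mech in PROBING:
        if not _is_ip(attrs.get("interface_resolving_ha_primary_if", "")):
            findings.append("probing needs interface_resolving_ha_primary_if set to an IP")
        if str(attrs.get("use_interface_IP", "")).lower() == "false":
            ips = attrs.get("available_VPN_IP_list") or []
            bad = [ip for ip in ips if not _is_ip(ip)]
            if not ips:
                findings.append("use_interface_IP is false but available_VPN_IP_list is empty")
            elif bad:
                findings.append(f"available_VPN_IP_list has invalid entries: {bad}")
    return findings

# Constructed sample attribute sets (documentation-range addresses).
GOOD = {"apply_resolving_mechanism_to_SR": "false",
        "ip_resolution_mechanism": "ongoingProb",
        "interface_resolving_ha_primary_if": "192.0.2.1",
        "use_interface_IP": "false",
        "available_VPN_IP_list": ["192.0.2.1", "198.51.100.1"]}
BAD = {"apply_resolving_mechanism_to_SR": "true",
       "ip_resolution_mechanism": "singleIpVpn", "single_VPN_IP_RA": ""}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_ra_link_selection(cfg) or "consistent")
```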
 
©2013 Check Point Software Technologies Ltd. All rights reserved.