Link Selection for Remote Access Clients

In This Section:

Overview

Configuring Link Selection for Remote Access Only

Overview

Link Selection is a method used to determine which interface to use for incoming and outgoing VPN traffic and the best possible path for the traffic. Using Link Selection, you choose which IP addresses are used for VPN traffic on each Security Gateway.

Load Sharing and Service Based Link Selection are not supported when the peer is a Remote Access Client. If the Probing Redundancy mode configuration is Load Sharing and the peer is a remote access client, High Availability will be enforced for the client's tunnel.

For more information on Link Selection, see Link Selection.

Configuring Link Selection for Remote Access Only

Link selection is configured on each Security Gateway in the Security Gateway Properties > IPSec VPN > Link Selection window. The settings apply to

You can configure Link Selection for remote users separately. These settings override the settings configured on the Link Selection page.

To configure separate Link Selection settings for remote access VPN:

  1. Connect with GuiDBedit Tool (see sk13009) to the Security Management Server.
  2. In the top left pane, go to Network Objects > network_objects.
  3. In the top right pane, select the Security Gateway / cluster object.
  4. In the bottom pane, change the value of apply_resolving_mechanism_to_SR to false.
  5. In the bottom pane, edit the ip_resolution_mechanism attribute to determine how remote access clients resolve the IP address of the local Security Gateway. Add one of the following:
    • mainIpVpn - Always use the main IP address specified in the IP Address field on the General Properties page of the Security Gateway.
    • singleIpVpn - The VPN tunnel is created with the Security Gateway using an IP address set in single_VPN_IP_RA.
    • singleNATIpVPN - The VPN tunnel is created using a NATed IP address set in single_VPN_IP_RA.
    • topologyCalc - Calculate the IP address used for the VPN tunnel by network topology based on the location of the remote peer.
    • oneTimeProb - Use one time probing to determine which link will be used.
    • ongoingProb - Use ongoing probing to determine which link will be used.
  6. In the bottom pane, edit these parameters if you are using ongoing or one time probing:
    • interface_resolving_ha_primary_if - The primary IP address used for one-time / ongoing probing.
    • use_interface_IP - Set to true if all IP addresses defined in the Topology tab should be probed. Set to false if the manual list of IP addresses should be probed.
    • available_VPN_IP_list - A list of IP addresses that should be probed. (This list is used only if the value of use_interface_IP is false.)
  7. Save changes (File menu > Save All).
  8. Close the GuiDBedit Tool.
  9. In SmartDashboard, install policy on the Security Gateway / cluster object.
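
The attribute dependencies in steps 4 to 6 can be checked before policy is installed. The following is an added example, not Check Point code: it assumes the gateway's attribute values have been copied by hand into a Python dict with string values (a hypothetical layout, not a GuiDBedit export format), and the function name and sample addresses are constructed.

```python
import ipaddress

# Values of ip_resolution_mechanism listed in step 5.
MECHANISMS = {"mainIpVpn", "singleIpVpn", "singleNATIpVPN",
              "topologyCalc", "oneTimeProb", "ongoingProb"}
PROBING = {"oneTimeProb", "ongoingProb"}
SINGLE_IP = {"singleIpVpn", "singleNATIpVPN"}

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except (ValueError, TypeError):
        return False

def check_ra_link_selection(attrs):
    """Return findings for one gateway's attribute dict (assumed layout)."""
    findings = []
    # Step 4: separate remote access settings need this set to false.
    if attrs.get("apply_resolving_mechanism_to_SR") != "false":
        findings.append("apply_resolving_mechanism_to_SR must be false (step 4)")
    mech = attrs.get("ip_resolution_mechanism")
    if mech not in MECHANISMS:
        findings.append(f"ip_resolution_mechanism {mech!r} is not a listed value")
        return findings
    # singleIpVpn / singleNATIpVPN take their address from single_VPN_IP_RA.
    if mech in SINGLE_IP and not _is_ip(attrs.get("single_VPN_IP_RA")):
        findings.append(f"{mech} needs a valid IP in single_VPN_IP_RA")
    if mech in PROBING:
        primary = attrs.get("interface_resolving_ha_primary_if")
        if primary is not None and not _is_ip(primary):
            findings.append("interface_resolving_ha_primary_if is not an IP")
        # The manual list is used only when use_interface_IP is false.
        if attrs.get("use_interface_IP") == "false":
            ips = attrs.get("available_VPN_IP_list") or []
            if not ips:
                findings.append("use_interface_IP is false but "
                                "available_VPN_IP_list is empty")
            bad = [ip for ip in ips if not _is_ip(ip)]
            if bad:
                findings.append(f"invalid available_VPN_IP_list entries: {bad}")
    return findings

# Constructed sample: ongoing probing over a manual list (documentation IPs).
SAMPLE = {"apply_resolving_mechanism_to_SR": "false",
          "ip_resolution_mechanism": "ongoingProb",
          "interface_resolving_ha_primary_if": "192.0.2.1",
          "use_interface_IP": "false",
          "available_VPN_IP_list": ["192.0.2.1", "198.51.100.1"]}
```

An empty list from `check_ra_link_selection(SAMPLE)` means the values are consistent with the steps above; each finding names the attribute to revisit in GuiDBedit.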

To use multiple external links with remote access clients:

  1. Open SmartDashboard.
  2. Double-click the Security Gateway / cluster object.

    The gateway window opens and shows the General Properties page.

  3. From the navigation tree, click VPN Clients > Office Mode.
  4. In the Multiple Interfaces section, select Support connectivity enhancement for gateways with multiple external interfaces.
  5. Click OK.
  6. Install policy on the gateway / cluster object.