In This Section: |
As remote access to internal networks of organizations becomes widespread, it is essential that remote users are able to access as many of the internal resources of the organization as possible. Typically, when remote access is implemented, the client connects using an IP address locally assigned by, for example, an ISP. The client may even receive a non-routable IP which is then hidden behind a NATing device. Because of this, several problems may arise:
For example, if a client user receives an IP of 10.0.0.1 which is entered into the headers of the IPSec packet. The packet is NATed. The packet’s new source IP is 192.168.17.5. The Security Gateway decapsulates the NATed IP and decrypts the packet. The IP address is reverted to its original source IP of 10.0.0.1. If there is an internal host with the same IP, the packet will probably be dropped (if Anti-Spoofing is turned on). If there is no duplicate IP, and the packet is forwarded to some internal server, the server will then attempt to reply to a non-existent address.
Office Mode enables a Security Gateway to assign a remote client an IP address. The assignment takes place once the user connects and authenticates. The assignment lease is renewed as long as the user is connected. The address may be taken either from a general IP address pool, or from an IP address pool specified per user group. The address can be specified per user, or via a DHCP server, enabling the use of a name resolution service. With DNS name resolution, it is easier to access the client from within the corporate network.
It is possible to allow all your users to use Office Mode, or to enable the feature for a specific group of users. This can be used, for example, to allow privileged access to a certain group of users (e.g., administrators accessing the LAN from remote stations). It is also useful in early integration stages of Office Mode, allowing you time to "pilot" this feature on a specific group of users, while the rest of the users continue to work in the traditional way.
Office Mode is supported with the following:
When you connect to the organization, an IKE negotiation is initiated automatically to the Security Gateway. When using Office Mode, a special IKE mode called config mode is inserted between phase 1 and phase 2 of IKE. During config mode, the client requests an IP from the Security Gateway. Several other parameters are also configurable this way, such as a DNS server IP address, and a WINS server IP address.
After the Security Gateway allocates the IP address, the client assigns the IP to a Virtual Adapter on the Operating system. The routing of packets to the corporate LAN is modified to go through this adapter. Packets routed in this way bear the IP address assigned by the Security Gateway as their source IP address. Before exiting through the real adapter, the packets will be IPsec encapsulated using the external IP address (assigned to the real adapter) as the source address. In this way, non-routable IP addresses can be used with Office Mode; the Office Mode non-routable address is concealed within the IPsec packet.
For Office Mode to work, the IP address assigned by the Security Gateway needs to be routable to that Security Gateway from within the corporate LAN. This lets packets on the LAN being sent to the client to be routed back through the Security Gateway.
Note - A remote user with SecuRemote only is not supported in Office Mode. |
The following steps illustrate the process taking place when a remote user connected through Office Mode wishes to exchange some information with resources inside the organization:
The internal IP addresses assigned by the Security Gateway to the remote user can be allocated using one of the following methods:
The System Administrator designates a range of IP addresses to be utilized for remote client machines. Each client requesting to connect in Office Mode is provided with a unique IP address from the pool.
IP addresses from the IP pool may be reserved and assigned to remote users based on their source IP address. When a remote host connects to the Security Gateway, its IP address is compared to a predefined range of source IP addresses. If the IP address is found to be in that range, then it is assigned an Office Mode IP address from a range dedicated for that purpose.
The IP addresses from this reserved pool can be configured to offer a separate set of access permissions given to these remote users.
A Dynamic Host Configuration Protocol (DHCP) server can be used to allocate IP addresses for Office Mode clients. When a remote user connects to the Security Gateway using Office Mode, the Security Gateway requests the DHCP server to assign the user an IP address from a range of IP addresses designated for Office Mode users.
Security Gateway DHCP requests can contain various client attributes that allow DHCP clients to differentiate themselves. The attributes are pre-configured on the client side operating system, and can be used by different DHCP servers in the process of distributing IP addresses. Security Gateways DHCP request can contain the following attributes:
A RADIUS server can be used for authenticating remote users. When a remote user connects to a Security Gateway, the username and password are passed on to the RADIUS server, which checks that the information is correct, and authenticates the user. The RADIUS server can also be configured to allocate IP addresses.
Note - Authentication and IP assignment must be performed by the same RADIUS server. |
A flat network is one in which all stations can reach each other without going through a bridge or a router. One segment of a network is a "flat network". A static route is a route that is manually assigned by the system administrator (to a router) and needs to be manually updated to reflect changes in the network.
If the LAN is non-flat (stations reach each other via routers and bridges) then the OM address of the remote client must be statically assigned to the routers so that packets on the LAN, destined for the remote client, are correctly routed to the Security Gateway.
When a remote user's machine is assigned an Office mode IP address, that machine can use it for a certain amount of time. This time period is called the "IP address lease duration." The remote client automatically asks for a lease renewal after half of the IP lease duration period has elapsed. If the IP lease duration time is set to 60 minutes, a renewal request is sent after 30 minutes. If a renewal is given, the client will request a renewal again after 30 minutes. If the renewal fails, the client attempts again after half of the remaining time, for example, 15 minutes, then 7.5 minutes, and so on. If no renewal is given and the 60 minutes of the lease duration times out, the tunnel link terminates. To renew the connection the remote user must reconnect to the Security Gateway. Upon reconnection, an IKE renegotiation is initiated and a new tunnel created.
When the IP address is allocated from a predefined IP pool on the Security Gateway, the Security Gateway determines the IP lease duration period. The default is 15 minutes.
When using a DHCP server to assign IP addresses to users, the DHCP server's configuration determines the IP lease duration. When a user disconnects and reconnects to the Security Gateway within a short period of time, it is likely that the user will get the same IP address as before.
To facilitate access of a remote user to resources on the internal network, the administrator can specify WINS and DNS servers for the remote user. This information is sent to the remote user during IKE config mode along with the IP address allocation information, and is used by the remote user's operating system for name-to-IP resolution when the user is trying to access the organization's internal resources.
With Anti-Spoofing, a network administrator configures which IP addresses are expected on each interface of the Security Gateway. Anti-Spoofing ensures IP addresses are only received or transmitted in the context of their respective Security Gateway interfaces. Office Mode poses a problem to the Anti-Spoofing feature, since a client machine can connect and authenticate through several interfaces, e.g. the external interface to the Internet, or the wireless LAN interface; thus an Office Mode IP address may be encountered on more than one interface. Office Mode enhances Anti-Spoofing by making sure an encountered Office Mode IP address is indeed assigned to the user, authenticated on the source IP address on the IPsec encapsulating packet, i.e. the external IP.
Typically, routing is performed before encryption in VPN. In some complex scenarios of Office Mode, where the Security Gateway may have several external interfaces, this might cause a problem. In these scenarios, packets destined at a remote user's virtual IP address will be marked as packets that are supposed to be routed through one external interface of the Security Gateway. Only after the initial routing decision is made do the packets undergo IPsec encapsulation. After the encapsulation, the destination IP address of these packets is changed to the original IP address of the client. The routing path that should have been selected for the encapsulated packet might be through a different external interface than that of the original packet (since the destination IP address changed), in which case a routing error occurs. Office Mode has the ability to make sure that all Office Mode packets undergo routing after they are encapsulated.
After a remote user connects and receives an Office Mode IP address from a Security Gateway, every connection to that Security Gateways encryption domain will go out with the Office Mode IP as the internal source IP. The Office Mode IP is what hosts in the encryption domain will recognize as the remote user's IP address.
The Office Mode IP address assigned by a specific Security Gateway can be used in its own encryption domain and in neighboring encryption domains as well. The neighboring encryption domains should reside behind Security Gateways that are members of the same VPN community as the assigning Security Gateway. Since the remote hosts' connections are dependent on the Office Mode IP address it received, if the Security Gateway that issued the IP becomes unavailable, all the connections to the site will terminate.
In order for all Security Gateways on the site to recognize the remote users Office Mode IP addresses, the Office Mode IP range must be known by all of the Security Gateways and the IP ranges must be routable in all the networks. However, when the Office Mode per Site feature is in use, the IP-per-user feature cannot be implemented.
Note - When Office Mode per Site is activated, Office Mode Anti-Spoofing is not enforced. |
In this scenario:
In some configurations, a router or other device restricts access to portions of the network to specified IP addresses. A remote user connecting in Office Mode must be able to ensure that he or she is allocated an IP address which will allow the connection to pass through the router.
Note - If this feature is implemented, it is imperative to enable Anti-Spoofing for Office Mode. |
There are two ways to implement this feature, depending on whether IP addresses are allocated by a DHCP server or IP Pool.
There are two ways to implement this feature, depending on whether IP addresses are allocated by a DHCP server or IP Pool.
If Office Mode addresses are allocated by a DHCP server, proceed as follows:
vpn macutil <username>
The $FWDIR/conf/ipassignment.conf
file on the Security Gateway, is used to implement the IP-per-user feature. It lets the administrator to assign specific addresses to specific users or specific ranges to specific groups when they connect using Office Mode or L2TP clients.
Note - This file must be manually added to all Security Gateways. |
# This file is used to implement the IP-per-user feature. It allows the # administrator to assign specific addresses to specific users or specific # ranges to specific groups when they connect using Office Mode or L2TP. # # The format of this file is simple: Each line specifies the target # Security Gateway, the IP address (or addresses) we wish to assign and the user # (or group) name as in the following examples: # # Security Gateway Type IP Address User Name # ============= ===== =========================== # Paris-GW, 10.5.5.8, Jean # Brasilia, addr 10.6.5.8, Joao # comments are allowed # Miami, addr 10.7.5.8, CN=John,OU=users,O=cpmgmt.acme.com.gibeuu # Miami range 100.107.105.110-100.107.105.119/24 Finance # Miami net 10.7.5.32/28 Accounting # # Note that real records do not begin with a pound-sign (#), and the commas # are optional. Invalid lines are treated as comments. Also, the # user name may be followed by a pound-sign and a comment. # # The first item is the Security Gateway name. This could be a name, an IP # address or an asterisk (*) to signify all Security Gateways. A gateway will # only honor lines that refer to it. # # The second item is a descriptor. It can be 'addr', 'range' or 'net'. # 'addr' specifies one IP for one user. This prefix is optional. # 'range' and 'net' specify a range of addresses. These prefixes are # required. # # The third item is the IP address or addresses. In the case of a single # address, it is specified in standard dotted decimal format. # ranges can be specified either by the first and last IP address, or using # a net specification. In either case you need to also specify the subnet # mask length ('/24' means 255.255.255.0). With a range, this is the subnet # mask. With a net it is both the subnet mask and it also determines the # addresses in the range. # # The last item is the user name. This can be a common name if the # user authenticates with some username/password method (like hybrid # or MD5-Challenge) or a DN if the user authenticates with a # certificate.
|
The question of whether IP addresses should be assigned by the Firewall (using IP pools) or by a DHCP server is a network administration and financial issue. Some network administrators may prefer to manage all of their dynamic IP addresses from the same location. For them, a central DHCP server might be preferable. Moreover, DHCP allows a cluster to assign all the addresses from a single pool, rather than have a different pool per cluster member as you have to with Firewall IP pools. On the other hand, purchasing a DHCP server can be viewed by some as an unnecessary financial burden, in which case the IP pool option might be preferred.
IP addresses, assigned by Office Mode need to be routed by the internal LAN routers to the Security Gateway (or Security Gateway cluster) that assigned the address. This is to make sure packets, destined to remote access Office Mode users, reach the Security Gateway in order to be encapsulated and returned to the client machine. This may require changes to the organization's routing tables.
Enabling this feature instructs Office Mode to perform routing decisions after the packets are encapsulated using IPsec, and prevents possible routing problems. This feature adds new checks and changes to the routing of packets through the Security Gateway, and has an impact on performance. As a result, we recommend that you use this feature only when these conditions are met:
Before configuring Office Mode the assumption is that standard VPN Remote Access has already been configured.
Before starting the Office Mode configuration, you must select an internal address space designated for remote users using Office Mode. This can be any IP address space, as long as the addresses in this space do not conflict with addresses used within the enterprise domain. It is possible to choose address spaces which are not routable on the Internet, such as 10.x.x.x.
The basic configuration of Office Mode is using IP pools. You can also configure Office Mode using DHCP for address allocation.
To deploy the basic Office Mode (using IP pools):
It is possible to specify which WINS and DNS servers Office Mode users should use. To specify WINS and/or DNS servers, continue to step 3. Otherwise skip to step 6.
Note - WINS and DNS servers should be set on the Security Management Server machine only when IP pool is the selected method. |
In addition to the steps mentioned for the Security Gateway side configuration, a few configuration steps have to be performed on the client side in order to connect to the Security Gateway in Office Mode.
Configure the settings of the IP Assignment Based on Source IP Address feature in the $FWDIR/conf/user.def
file. This file is located on the Security Management Server, which manages the gateways used for remote access.
You must define a range of source IP addresses and a range of Office Mode addresses. The $FWDIR/conf/user.def
file can contain multiple definitions for multiple gateways.
The first range defined in each line is the source IP address range. The second range in the line is the Office Mode IP address range.
For example:
all@module1 om_per_src_range={<10.10.5.0, 10.10.5.129; 1.1.1.5, 1.1.1.87>,
<10.10.9.0, 10.10.9.255; 1.1.1.88, 1.1.1.95>};
all@module2 om_per_src_range={<70.70.70.4, 70.70.70.90; 8.8.8.6,8.8.8.86>};
In this scenario:
For example: A user with a source IP address between 10.10.10.5.0 and 10.10.5.129, will receive an Office Mode address between 1.1.1.5 and 1.1.1.87.
To enable IP Assignment Based on Source IP Address:
In the $FWDIR/conf/user.def
file add: om_use_ip_per_src_range (
<value>)
Where valid values are:
You can over-ride the Office Mode settings created on Security Management server. Edit the plain text file called ipassignment.conf
in $FWDIR/conf
on the Check Point Security Gateway. The gateway uses these Office Mode settings and not those defined for the object in Security Management server.
ipassignment.conf
can specify:
You cannot use the ipassignment.conf file to assign a subnet mask to a single user. If using IP pools, the mask is taken from the network object, or defaults to 255.255.255.0 if using DHCP.
The syntax of the ipassignment file can be checked using the command ipafile_check.
From a shell prompt run: vpn ipafile_check ipassignment.conf
The two parameters are:
For example:
[user@Checkpoint conf]# vpn ipafile_check ipassignment.conf warn Reading file records... Invalid IP address specification in line 0057 Invalid IP address specification in line 0058 Invalid subnet in line 0060
[user @Checkpoint conf]# vpn ipafile_check ipassignment.conf detail Reading file records...
Line 0051 is a comment (starts with #) Line 0052 is a comment (starts with #) Line 0053 is a comment (starts with #) Line 0054 is a comment (starts with #) Line 0055 is a comment (starts with #) Line 0056 ignored because it is empty Invalid IP address specification in line 0057 Invalid IP address specification in line 0058 line 0059 is OK. User="paul" Invalid subnet in line 0060 line 0061 is OK. Group="dns=1.1.1.1 Line 0062 ignored because it is empty Line 0063 ignored because it is empty Could not read line 64 in conf file - maybe EOF [user@Checkpoint conf]#
|
In the Network Properties — General tab, set the DHCP address range as follows:
In addition to the steps mentioned for the Security Gateway side configuration, a few configuration steps have to be performed on the client side in order to connect to the Security Gateway in Office mode.
Note - Office Mode is supported only in Connect Mode. |
To configure the RADIUS server to allocate IP addresses:
The RADIUS Server Properties window appears.
To configure the RADIUS server to perform authentication for remote users:
On the client's machine the following steps should be performed in order to connect to the Security Gateway using Office mode:
The administrator can simplify configuration, by configuring a profile in advance and providing it to the user.
The VPN - Advanced page shows the office Mode Settings.