If the Security Gateway has multiple external interfaces, there may be a routing problem for a packet whose destination address is a client running Office Mode. The destination IP address is replaced when the packet is encapsulated. Previous routing information thus becomes irrelevant.
You can resolve this problem by configuring the Gateway to support connectivity enhancement for Gateways with multiple external interfaces.
As an example, use the following SecureClient setup topology:

Internet ---- Router A ----\
                            VPN-1 Gateway 192.168.1.1/24 ----- Internal Network 192.168.1.0/24
Internet ---- Router B ----/
In this sample configuration, the VPN-1 Gateway allocates Office Mode IP addresses to the SecureClients from the Office Mode IP pool 172.16.1.0/24.
As a result:
- SecureClient A (with real IP address 220.127.116.11/24) uses Office Mode IP address 172.16.1.1.
- SecureClient B (with real IP address 18.104.22.168/24) uses Office Mode IP address 172.16.1.2.
As shown in this topology, the VPN-1 Gateway has two external interfaces, 22.214.171.124/24 and 126.96.36.199/24.
Because the SecureClient users are using Office Mode, the VPN-1 Gateway routes the reply packets of a SecureClient VPN connection based on their destination IP address, which is the Office Mode IP address allocated to that specific SecureClient.
At the same time, the VPN-1 Gateway has two external interfaces, and SecureClient users establish the VPN with the VPN-1 Gateway on both of them.
The routing issue with this topology is that, under normal circumstances, the VPN-1 Gateway cannot determine to which external interface the packets returning to the Office Mode IP addresses should be forwarded.
In this case the VPN-1 Gateway has a single routing entry for the Office Mode IP pool (172.16.1.0/24), pointing either to the Router A (188.8.131.52/24) IP address or to the Router B (184.108.40.206/24) IP address. Because there is only one routing entry for the Office Mode IP addresses, every reply packet returning to an Office Mode IP address is routed either to the Router A (220.127.116.11/24) IP address or to the Router B (18.104.22.168/24) IP address, depending on how that routing entry was set, regardless of which external interface the SecureClient's connection arrived on.
In some cases, only certain protocols will be affected while others will work as expected.
The VPN-1 Gateway therefore needs a routing mechanism that, when it has two external interfaces, routes packets returned to the Office Mode IP addresses to the appropriate external router, based on the VPN-1 Gateway external IP address on which the SecureClient Office Mode connection arrived.
The option "Support connectivity enhancement for gateways with multiple external interfaces" addresses this specific need.
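The following is an added example, not Check Point code, that models the routing decision described above. It uses the article's Office Mode pool and client addresses; the router labels, the interface bookkeeping and the single default route are assumptions. The plain lookup shows why one pool route sends every reply to the same router, and the stateful lookup shows the behaviour the enhancement provides: remembering, per Office Mode address, where the client's connection arrived and sending replies back the same way.

```python
import ipaddress

# Constructed sample topology. The Office Mode pool and the two client Office
# Mode addresses come from the article; router labels are assumptions.
OFFICE_MODE_POOL = ipaddress.ip_network("172.16.1.0/24")
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Static routing table of the gateway: (prefix, next hop). There is exactly
# one entry for the Office Mode pool, so it can point at only one router.
STATIC_ROUTES = [
    (INTERNAL_NET, "internal"),
    (OFFICE_MODE_POOL, "Router A"),            # single entry for the whole pool
    (ipaddress.ip_network("0.0.0.0/0"), "Router A"),
]


def longest_prefix_match(routes, dst):
    """Return the next hop of the most specific route covering dst, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best[1] if best else None


def route_reply_static(om_ip, routes=STATIC_ROUTES):
    """Plain routing: a reply to an Office Mode address is forwarded using
    only its destination address, i.e. the single pool route."""
    return longest_prefix_match(routes, om_ip)


class OfficeModeRouter:
    """Model of the connectivity enhancement (assumed behaviour): remember,
    per Office Mode address, the router behind the external interface the
    client's VPN connection arrived on, and send replies back that way."""

    def __init__(self, routes=STATIC_ROUTES):
        self.routes = routes
        self.client_ingress = {}   # Office Mode IP -> next hop for replies

    def client_connected(self, om_ip, arrived_via):
        """Record where this client's tunnel came in when it was assigned om_ip."""
        self.client_ingress[ipaddress.ip_address(om_ip)] = arrived_via

    def client_disconnected(self, om_ip):
        """Forget the client's ingress; the address may be reallocated later."""
        self.client_ingress.pop(ipaddress.ip_address(om_ip), None)

    def route_reply(self, om_ip):
        """Use the recorded ingress for an active Office Mode client; fall back
        to the routing table for everything else, including pool addresses
        that currently have no connected client."""
        dst = ipaddress.ip_address(om_ip)
        if dst in OFFICE_MODE_POOL and dst in self.client_ingress:
            return self.client_ingress[dst]
        return longest_prefix_match(self.routes, dst)


if __name__ == "__main__":
    # SecureClient A connected through Router A, SecureClient B through Router B.
    gw = OfficeModeRouter()
    gw.client_connected("172.16.1.1", "Router A")
    gw.client_connected("172.16.1.2", "Router B")
    for om in ("172.16.1.1", "172.16.1.2"):
        print(om, "static:", route_reply_static(om), "enhanced:", gw.route_reply(om))
```

With only the static table, replies to both 172.16.1.1 and 172.16.1.2 leave via Router A, so SecureClient B's tunnel on the second external interface never sees its return traffic; with the per-client ingress record, each reply goes back through the router its connection arrived on.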
To enable this mechanism:
- Select "Manage > Network Objects".
- In the Network Objects dialog box, select the VPN-1 Gateway object.
- Click "Edit".
- In the Check Point Gateway dialog box, select the "Remote Access > Office Mode" branch in the left pane.
- In the Office Mode page, in the Multiple Interfaces section, select the "Support connectivity enhancement for gateways with multiple external interfaces" checkbox.
- Click "OK" in the Check Point Gateway dialog box.
- Click "Close" in the Network Objects dialog box.
- Install the Security Policy.