Firewall-1

Re: [FW-1] Office Mode IP assignment (ipassignment.conf)

Subject: Re: [FW-1] Office Mode IP assignment (ipassignment.conf)
From: Ray <sixsigma44 AT HOTMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Thu, 31 Mar 2005 18:48:39 -0500
Yeah, I had something similar happen. I had another person's certificate on
my computer (I get an address by ipassignment.conf, they don't) because they
forgot their password. I eventually figured it out and got connected using
their certificate.

I disconnected and reconnected using my certificate, but couldn't get
connected. No error messages that I could see in SecureClient.

SmartView Tracker showed I could not get my Office Mode ipassignment.conf
address because it was assigned to the other certificate, which should only
get an IP Pool address! It cleared itself after a while, so I figure that
FW-1 must keep a table of what SecureClient Virtual MAC address is assigned
to a user specified in the ipassignment.conf file.

I know that if you image a PC and it already had SecureClient installed,
then you must delete the registry key that holds the Virtual MAC address or
you will have Office Mode problems.

Ray

From: Gerson Levitz <glevitz AT GMAIL DOT COM>
Reply-To: Mailing list for discussion of Firewall-1
<FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Office Mode IP assignment (ipassignment.conf)
Date: Thu, 31 Mar 2005 09:56:38 +0200

Hi all,

I have office mode working with manual assignment which is working fine.

I recently had the need to provide a small group of users with
addresses from a different range.

I modified the ipassignment.conf file as required. (At first the range
for the group only had two addresses.)

When I tested it first with user1 I got the first address in the range,
then I tested it with user2 and got the second address. (user2 is the
actual user who will be connecting.)

I then called the actual end user who is half way around the world and
when he tried with user2 he got an address from the pool of addresses
configured in Smart Dashboard and not from the range of addresses
configured in the ipassignment.conf file.

After some time the user got the address from the ipassignment.conf file.

My questions are:

1. It appears that the FW Module assigns the IP addresses not only
based upon user name but also based upon some other piece of
information. Does anyone know what this other information is?
(external IP address, external mac address, cookie on the client, etc)

2. Once an address has been assigned to a user from the
ipassignment.conf, how long does it keep that address reserved for
that user/machine combination even after the user has disconnected
from the VPN?

3. Is there any way to see what addresses are in use or still being
reserved on the FW Module?

4. Is there a command to clear the existing addresses that are not
currently being used but are still reserved?

Thanks

Gers(h)on

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
