Checkpoint VPN-1 NG FP3, Pocket PC 2003 iPAQ 6315 running latest SecureClient from Checkpoint downloads

The PDA has an okay WiFi connection to the internet; this is tested and confirmed working.

I cannot successfully get my site configured or get any access to/through my firewall.

I have tried creating a certificate and using this for authentication, but I either get 'connection refused' or, since I added IKE over TCP in the users.c file, I now get 'incorrect certificate, check clock'; the clock is correct, as is the timezone.

I can't find any troubleshooting documentation (the firewall is a Nokia IP120 with FW-1/VPN-1 NG FP3).

I guess I need some step-by-step notes, if anyone is familiar with this setup/version of FW-1/VPN-1.

500 points for a successful solution, as I need this functionality up and running ASAP.

MANY thanks in advance.

Chris
Asked by Chris-Moore

Tim Holman commented (accepted solution):
That should be OK. Note that you will be able to support multiple simultaneous VPN protocols anyway, so just ticking the box and enabling it will not affect existing IPSEC users or cause any problems.
I would imagine there may be a bit of tinkering around to get the Windows L2TP client working directly with Check Point NG.

There's an older thread here that may help: http://oldfaq.phoneboy.com/gurus/200302/msg00009.html

Plus the L2TP doc at Check Point should help:

http://secureknowledge.checkpoint.com/pub/sk/docs/public/vpn1/ng/pdf/L2TP_2K.pdf

Tim Holman commented:
Does SecuRemote work?
What do your Check Point log files say?

Chris-Moore (author) commented:
Is there a SecuRemote for PDA?

I have SecureClient on my XP laptop and can log in with my Check Point username and password account.

I tried setting it up like the suggested topology account, using a certificate so I can get the site information downloaded/sync'd on the PDA, but no go.

I cannot configure my SecureClient (XP) in the same way as the Pocket PC client; I get an error "cannot connect/contact the Internal CA". This is the same certificate I generated on the Management station and then sync'd to my PDA.

I don't understand why the PDA client has to be special?!?!?!

HELP!

Tim Holman commented:
The 6315 isn't on the supported list yet:

http://www.checkpoint.com/techsupport/downloads/docs/securemote/4_1/ce_b0131/SecureClient_for_Pocket_PC_2003.pdf

Also, only PKCS#12 certs are supported, so make sure you are using these.

Chris-Moore (author) commented:
Well, I managed to create an account using a certificate, and this allowed me to add the site and authenticate. I left the firewall overnight, came in and tested it, and it worked okay. Now I have the site added to the PDA. I can now authenticate with the policy server but do not seem to get a client connection to my LAN; there does not seem to be a way to connect and start up a VPN connection?!? I saw that the 6315 is not supported specifically, but it runs on all the other iPAQs and seems to operate okay now that I have authentication working... I can now use the same credentials as I use for SecureClient in XP and get a successful response back, but no evidence of a tunnel.

Have you used this client at all, and how should it operate? What should I expect to see/do? There are no user instructions/manual as such, just the release notes, which are patchy to say the least when I am trying to configure my firewall and am not an expert by any means!!!!!

Thanks again for your help!

Tim Holman commented:
If you're using SecureClient, then you need to set up a Desktop Policy for it using the management server.
If SecuRemote, then as long as you have set up rules, and the SecuRemote address pool (e.g. the iPAQ once it has its tunnel up) is routable to from your LAN, then things should be fine.
I've used both clients, but never with an iPAQ. I would follow the generic instructions to set up SecuRemote first, then once that's working, set up SecureClient.

Chris-Moore (author) commented:
If I have a working SecureClient connection on my laptop running XP using my credentials, and if I have managed to get the site updated via the 'topology' user, should using my credentials from the XP machine allow me to get a tunnel up and running to my site? It seems not to be the case, or I am doing something wrong, and I guess this is where I need some guidance??

Where can I get SecuRemote for the Pocket PC to try as you suggest? I can only find SecureClient.

Thanks for your patience, Tim.

Chris

Tim Holman commented:
The SecuRemote and SecureClient installation packages are the same; however, you select either SecuRemote or SecureClient during the installation process.
Can you go to the advanced tab, enable logging, and send me the logfiles (tim_holman@hotmail.com)?

Chris-Moore (author) commented:
Hi Tim,

I have it cracked, I think... it's not 100%, BUT this is what I am able to do now:

When I restart SecureClient on the iPAQ I can authenticate via GPRS and access one server via IP only; I am not getting DNS or gateway from VPN-1 like I do from an XP client.

It seems I cannot route over the WiFi card, so I think this is an incompatibility; I have tried rebinding all adapters but this does not help.

It seems I am stuck with GPRS for access to at least one of my servers. WiFi would be nice as it incurs no roaming charges when travelling, but I guess this is a PDA and there are more limits than I thought there would be!

I might have to resort to implementing RRAS and setting up a PPTP VPN tunnel across my server to use a Microsoft solution across the board, unless I can implement something similar and MS-compatible through VPN-1, i.e. more secure!

Thanks for your help, Tim. Let me know if you can give me any more pointers; if not, I'll send the points on to you for your great assistance!

Tim Holman commented:
Not sure what to do next really, unless you want to buy me an iPAQ so I can troubleshoot this further?? ;)

Chris-Moore (author) commented:
Ha ha!!! Good call!

I guess my last question before throwing the points your way is: can I define a VPN tunnel on my FW-1/VPN-1 box that I can access via the PPTP client on a Windows PDA, thus not having to use the SecureClient software that will not bind to my WiFi adapter on the iPAQ?

Tim Holman commented:
No... Check Point doesn't support PPTP...
Although, isn't there an IPSEC client you can use for Windows PDA instead?

Chris-Moore (author) commented:
You can use IPsec with L2TP, as I found here:

IPsec is generally regarded to be more secure than PPTP. There is a catch though: the IPsec client included with PPC 2003 can only be used in combination with another protocol called L2TP. With the built-in client it is probably not possible to use 'plain' IPsec without L2TP. If you really need plain IPsec (for instance when your VPN server does not support L2TP/IPsec) or when your platform does not support L2TP/IPsec, then you should buy a third-party IPsec client.

Does VPN-1 support this config of L2TP and IPsec?

Chris-Moore (author) commented:
OK, so it supports L2TP; thanks for the link to the docs. As I already have all my users running via SecureClient, Office Mode, etc. already configured, can I simply add the L2TP support via the tickbox in VPN / Remote Access and then authenticate with a different user using a created and exported certificate?

Thanks

Chris-Moore (author) commented:
Thanks, Tim. I have not made this work, but it's probably a tinkering thing, so thanks for all the info; I'll try out the FAQs and take it from there.

Thanks for your help and useful info!  Points coming your way!

psimonov commented:
I have the exact same problem that you do, and we even worked with a consultant who represents Check Point, and here is what they say.
Because our firewall is NG, and the only SecureClient that is available for PDA is 4.1. According to Check Point, there is no SecureClient for NG for at least another year. The existing client is good enough as long as your WiFi access point has TCP/UDP 500 and TCP 2746 open. If you are lucky enough and the hotspot where you establish the connection is configured this way, you have no problem getting a VPN.
As a solution they recommended any third-party alternative, but then you have to pay again.

Chris-Moore (author) commented:
Thanks psimonov, I guess that proves at least I am not going mad!!

Going to try the L2TP way to see if I have any luck, but from reading, this is painful also, as you cannot get the certificates imported without a whole load of utilities/faffing around.

You're probably right though: until Check Point get their butts in gear and provide an NG-workable client, we have to pay to find some other software or get support from consultants.

Less than happy Checkpoint customer here.

psimonov commented:
Tell me if you succeed with L2TP and how you are going to configure it on the PDA.

Chris-Moore (author) commented:
OK, will do.