Solved

Checkpoint VPN-1 NG FP3, Pocket PC 2003 iPAQ 6315 running latest SecureClient from Checkpoint downloads

Posted on 2004-09-14
21,582 Views
Last Modified: 2013-11-16
The PDA has an okay WIFI connection to the internet; this is tested and confirmed working.

I cannot successfully get my site configured or any access to/through my firewall.  

I have tried creating a certificate and using this for authentication but either get 'connection refused' or, when I added IKE over TCP in the users.c file, I now get 'incorrect certificate, check clock'. The clock is correct, as is the timezone.

I can't find any troubleshooting documentation (Firewall is a Nokia IP120 with FW-1, VPN-1 NG, FP3)

I guess I need some step by step notes if anyone is familiar with this setup/version of FW-1/VPN-1.

500 points for a successful solution as I need this functionality up and running ASAP

MANY thanks in advance

Chris
Question by:Chris-Moore
20 Comments

Expert Comment

by:Tim Holman
Does SecuRemote work ?
What do your Check Point log files say ?

Author Comment

by:Chris-Moore
Is there a SecureRemote for PDA?  

I have SecureClient on my XP laptop and can log in with my Checkpoint username and password account

I tried setting it up like the suggested topology account using a certificate so I can get the site information downloaded/sync'd on the PDA but no go.

I cannot configure my SecureClient (XP) in the same way as the Pocket PC client; I get an error "cannot connect/contact the Internal CA". This is the same certificate I generated on the Management station and then sync'd to my PDA.

I don't understand why the PDA client has to be special?!?!?!

HELP!

Expert Comment

by:Tim Holman
The 6315 isn't on the supported list yet -

http://www.checkpoint.com/techsupport/downloads/docs/securemote/4_1/ce_b0131/SecureClient_for_Pocket_PC_2003.pdf

Also, only PKCS#12 certs are supported, so make sure you are using these.


Author Comment

by:Chris-Moore
Well, I managed to create an account using a certificate and this allowed me to add the site and authenticate. I left the firewall overnight, came in and tested it, and it worked okay. Now I have the site added to the PDA. I can now authenticate with the policy server but do not seem to get a client connection to my LAN; there does not seem to be a way to Connect and start up a VPN connection?!? I saw that the 6315 is not supported specifically, but it runs on all the other iPAQs and seems to operate okay now that I have authentication working. I can now use the same credentials as I use for SecureClient in XP and get a successful response back... but no evidence of a tunnel.

Have you used this client at all, and how should it operate? What should I expect to see/do? There are no user instructions/manual as such, just the release notes, which are patchy to say the least when I am trying to configure my firewall and am not an expert by any means!!!!!

Thanks again for your help!

Expert Comment

by:Tim Holman
If you're using SecureClient, then you need to set up a Desktop Policy for it using the management server.
If SecuRemote, then as long as you have set up rules, and the SecuRemote address pool (e.g. the iPAQ once it has its tunnel up) is routable to from your LAN, then things should be fine.
I've used both clients, but never with an iPAQ. I would follow the generic instructions to set up SecuRemote first, then once that's working, set up SecureClient.

Author Comment

by:Chris-Moore
If I have a working SecureClient connection on my laptop running XP using my credentials, and if I have managed to get the site updated via the 'topology' user, should using my credentials from the XP machine allow me to get a tunnel up and running to my site? It seems not to be the case, or I am doing something wrong, and I guess this is where I need some guidance??

Where can I get SecureRemote for the Pocket PC to try as you suggest? I can only find SecureClient.

Thanks for your patience Tim


Chris

Expert Comment

by:Tim Holman
The SecuRemote and SecureClient installation packages are the same - however, you select either SecuRemote or SecureClient during the installation process.
Can you go to the advanced tab, enable logging, and send me the logfiles - tim_holman@hotmail.com ?

Author Comment

by:Chris-Moore
Hi Tim

I have it cracked, I think... it's not 100%, BUT this is what I am able to do now:

When I restart SecureClient on the iPAQ I can authenticate via GPRS and access one server via IP only; I am not getting DNS or gateway from VPN-1 like I do from an XP client.

I cannot, it seems, route over the WIFI card, so I think this is an incompatibility. I have tried rebinding all adapters but this does not help.

Seems I am stuck with GPRS for access to at least one of my servers, WIFI would be nice as it incurs no roaming charges when travelling but I guess this is a PDA and there are more limits than I thought there would be!

I might have to resort to implementing RRAS and setting up a VPN PPTP tunnel across my server to use a Microsoft solution across the board, unless I can implement something similar MS compatible through VPN-1 i.e. more secure!

Thanks for your help Tim, let me know if you can give me any more pointers, if not I'll send you on the points for your great assistance!

Expert Comment

by:Tim Holman
Not sure what to do next really, unless you want to buy me an iPAQ so I can troubleshoot this further ??  ;)

Author Comment

by:Chris-Moore
Ha ha!!! Good call!

I guess my last question before throwing the points your way is: can I define a VPN tunnel on my FW-1/VPN-1 box that I can access via the PPTP client on a Windows PDA, thus not having to use the SecureClient software that will not bind to my WIFI adapter on the iPAQ?

Expert Comment

by:Tim Holman
No...  Check Point doesn't support PPTP...
Although isn't there an IPSEC client you can use for Windows PDA instead ?

Author Comment

by:Chris-Moore
You can use IPSEC with L2TP as I found here:

IPsec is generally regarded to be more secure than PPTP. There is a catch though: the IPsec client included with PPC 2003 can only be used in combination with another protocol called L2TP. With the built-in client it is probably not possible to use 'plain' IPsec without L2TP. If you really need plain IPsec (for instance when your VPN server does not support L2TP/IPsec) or when your platform does not support L2TP/IPsec, then you should buy a third-party IPsec client.

Does VPN-1 support this config of L2TP and IPSEC?



Expert Comment

by:Tim Holman

Author Comment

by:Chris-Moore
OK, so it supports L2TP; thanks for the link to the docs. As I already have all my users running via SecureClient, Office Mode, etc. already configured, can I simply add the L2TP support via the tickbox in VPN > Remote Access and then authenticate with a different user using a created and exported certificate?

Thanks

Accepted Solution

by:
Tim Holman earned 500 total points
That should be OK. Note that you will be able to support multiple simultaneous VPN protocols anyway, so just ticking the box and enabling it will not affect existing IPSEC users or cause any problems.
I would imagine there may be a bit of tinkering around to get the Windows L2TP client working directly with Check Point NG.

There's an older thread here that may help - http://oldfaq.phoneboy.com/gurus/200302/msg00009.html

Plus the L2TP doc @ Check Point should help -

http://secureknowledge.checkpoint.com/pub/sk/docs/public/vpn1/ng/pdf/L2TP_2K.pdf

Author Comment

by:Chris-Moore
Thanks Tim, I have not made this work, but it's probably a tinkering thing, so thanks for all the info. I'll try out the FAQs and take it from there.

Thanks for your help and useful info!  Points coming your way!

Expert Comment

by:psimonov
I have the exact same problem that you have, and we have even worked with consultants who represent Check Point, and here is what they say.
Our firewall is NG, and the only SecureClient that is available for PDA is 4.1. According to Check Point, there will be no SecureClient for NG for at least another year. The existing client is good enough as long as your WiFi access point has TCP/UDP 500 and TCP 2746 open. If you are lucky enough that the hotspot where you establish the connection is configured this way, you have no problem getting a VPN.
As a solution they recommended any third-party alternative, but here you have to pay again.

Author Comment

by:Chris-Moore
Thanks psimonov, guess that proves at least I am not going mad!!

Going to try the L2TP way to see if I have any luck, but from reading this is painful also, as you cannot get the certificates imported without a whole load of utilities/faffing around.

You're probably right though: until Checkpoint get their butts in gear and provide an NG workable client, we have to pay to find some other software or get support from consultants.

Less than happy Checkpoint customer here.

Expert Comment

by:psimonov
Tell me if you succeed with L2TP and how you are going to configure it on the PDA.

Author Comment

by:Chris-Moore
OK, will do.