Solved

Checkpoint VPN-1 NG FP3, Pocket PC 2003 iPAQ 6315 running latest SecureClient from Checkpoint downloads

Posted on 2004-09-14
21,595 Views
Last Modified: 2013-11-16
PDA has an okay WIFI connection to the internet; this is tested and confirmed working.

I cannot successfully get my site configured or get any access to/through my firewall.

I have tried creating a certificate and using this for authentication, but I either get 'connection refused' or, when I added IKE over TCP in the users.c file, I now get 'incorrect certificate, check clock'; the clock is correct, as is the timezone.

I can't find any troubleshooting documentation (the firewall is a Nokia IP120 with FW-1, VPN-1 NG, FP3).

I guess I need some step by step notes if anyone is familiar with this setup/version of FW-1/VPN-1.

500 points for a successful solution as I need this functionality up and running ASAP

MANY thanks in advance

Chris
0
Question by: Chris-Moore
20 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12062643
Does SecuRemote work ?
What do your Check Point log files say ?
0
 

Author Comment

by:Chris-Moore
ID: 12064362
Is there a SecuRemote for PDA?

I have SecureClient on my XP laptop and can log in with my Checkpoint username and password account.

I tried setting it up like the suggested topology account, using a certificate so I can get the site information downloaded/sync'd on the PDA, but no go.

I cannot configure my SecureClient (XP) in the same way as the Pocket PC client; I get an error that it cannot connect/contact the Internal CA. This is the same certificate I generated on the Management station and then sync'd to my PDA.

I don't understand why the PDA client has to be special?!?!?!

HELP!
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12072363
The 6315 isn't on the supported list yet -

http://www.checkpoint.com/techsupport/downloads/docs/securemote/4_1/ce_b0131/SecureClient_for_Pocket_PC_2003.pdf

Also, only PKCS#12 certs are supported, so make sure you are using these.

0
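Both points in Tim's comment (the client only takes PKCS#12, and a certificate error that tells you to check the clock is a validity-window complaint: the device time falls outside the certificate's notBefore/notAfter range) can be checked on a desktop before the bundle ever reaches the PDA. The script below is an added example, not code from the thread or from Check Point. It assumes the Python `cryptography` package, builds a constructed self-signed test identity as a stand-in for one exported from the management server's internal CA, and reports how a clock-sensitive client would judge that bundle at a given device time.

```python
"""Judge a PKCS#12 client bundle the way a clock-sensitive VPN client would.

Added example for the thread above; the `cryptography` package is assumed.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def validity_window(cert):
    """Return (not_before, not_after) as timezone-aware UTC datetimes.

    Newer cryptography releases expose *_utc properties; older ones return
    naive datetimes that are documented to be UTC.
    """
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is not None:
        return nb, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=timezone.utc),
            cert.not_valid_after.replace(tzinfo=timezone.utc))


def check_p12(p12_bytes, password, device_time, skew=timedelta(minutes=5)):
    """Classify a client bundle at the moment `device_time` (the PDA clock).

    Returns one of: "not_pkcs12" (wrong container or wrong password),
    "no_certificate", "no_private_key", "not_yet_valid", "expired", "ok".
    `skew` is the tolerance allowed between the CA clock and the device clock.
    """
    try:
        key, cert, _chain = pkcs12.load_key_and_certificates(p12_bytes, password)
    except ValueError:
        return "not_pkcs12"
    if cert is None:
        return "no_certificate"
    if key is None:
        return "no_private_key"
    not_before, not_after = validity_window(cert)
    if device_time + skew < not_before:
        return "not_yet_valid"
    if device_time - skew > not_after:
        return "expired"
    return "ok"


def make_test_bundle(issued_at, lifetime=timedelta(days=365), password=b"pda-test"):
    """Build a throwaway self-signed identity and pack it as PKCS#12.

    Constructed test data: stands in for a certificate issued by the
    management server's internal CA and exported for the client.
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "pda-user")])
    nb = issued_at.astimezone(timezone.utc).replace(tzinfo=None)  # builder wants naive UTC
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(nb)
        .not_valid_after(nb + lifetime)
        .sign(key, hashes.SHA256())
    )
    return pkcs12.serialize_key_and_certificates(
        b"pda-user", key, cert, None,
        serialization.BestAvailableEncryption(password),
    )


if __name__ == "__main__":
    issued = datetime.now(timezone.utc)
    bundle = make_test_bundle(issued)
    # A device whose clock is an hour behind the CA sees a certificate from the future.
    for label, clock in (("device 1h behind CA", issued - timedelta(hours=1)),
                         ("device in sync", issued),
                         ("device 2y ahead", issued + timedelta(days=730))):
        print(f"{label}: {check_p12(bundle, b'pda-test', clock)}")
```

The first case is the one worth remembering: a certificate minted moments ago on a management station whose clock runs ahead of the PDA's is "not yet valid" on the device until the device's clock passes notBefore, so a freshly exported bundle can fail today and work tomorrow even though both clocks look right to the eye. Checking the window against the actual device time, rather than the desktop's, is the test.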
 

Author Comment

by:Chris-Moore
ID: 12075975
Well, I managed to create an account using a certificate and this allowed me to add the site and authenticate. I left the firewall overnight, came in and tested it, and it worked okay. Now I have the site added to the PDA. I can now authenticate with the policy server but do not seem to get a client connection to my LAN; there does not seem to be a way to Connect and start up a VPN connection?!? I saw that the 6315 is not supported specifically, but it runs on all the other iPAQs and seems to operate okay now that I have authentication working... I can now use the same credentials as I use for SecureClient in XP and get a successful response back, but no evidence of a tunnel.

Have you used this client at all, and how should it operate; what should I expect to see/do? There are no user instructions/manual as such, just the release notes, which are patchy to say the least when I am trying to configure my firewall and am not an expert by any means!!!!!

Thanks again for your help!
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12089403
If you're using SecureClient, then you need to setup a Desktop Policy for it using the management server.
If SecuRemote, then as long as you have set up rules, and the SecuRemote address pool (e.g. the iPAQ once it has its tunnel up) is routable from your LAN, then things should be fine.
I've used both clients, but never with an IPAQ.  I would follow the generic instructions to setup SecuRemote first, then once that's working, setup SecureClient.
0
 

Author Comment

by:Chris-Moore
ID: 12104409
If I have a working SecureClient connection on my laptop running XP using my credentials, and if I have managed to get the site updated via the 'topology' user, should using my credentials from the XP machine allow me to get a tunnel up and running to my site? It seems not to be the case, or I am doing something wrong, and I guess this is where I need some guidance??

Where can I get SecuRemote for the Pocket PC to try as you suggest? I can only find SecureClient.

Thanks for your patience Tim


Chris
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12142824
The SecuRemote and SecureClient installation packages are the same - however, you select either SecuRemote or SecureClient during the installation process.
Can you go to the advanced tab, enable logging, and send me the logfiles - tim_holman@hotmail.com ?
0
 

Author Comment

by:Chris-Moore
ID: 12143046
Hi Tim

I have it cracked, I think... it's not 100%, BUT this is what I am able to do now:

When I restart SecureClient on the iPAQ I can authenticate via GPRS and access one server via IP only; I am not getting DNS or gateway from VPN-1 like I do from an XP client.

I cannot, it seems, route over the WIFI card, so I think this is an incompatibility; I have tried rebinding all adapters but this does not help.

Seems I am stuck with GPRS for access to at least one of my servers. WIFI would be nice as it incurs no roaming charges when travelling, but I guess this is a PDA and there are more limits than I thought there would be!

I might have to resort to implementing RRAS and setting up a VPN PPTP tunnel across my server to use a Microsoft solution across the board, unless I can implement something similar and MS-compatible through VPN-1, i.e. more secure!

Thanks for your help Tim, let me know if you can give me any more pointers, if not I'll send you on the points for your great assistance!
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12144626
Not sure what to do next really, unless you want to buy me an iPAQ so I can troubleshoot this further ??  ;)
0
 

Author Comment

by:Chris-Moore
ID: 12144660
Ha ha!!! Good call!

I guess my last question before throwing the points your way is: can I define a VPN tunnel on my FW-1/VPN-1 box that I can access via the PPTP client on a Windows PDA, thus not having to use the SecureClient software that will not bind to my WIFI adapter on the iPAQ?
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12146005
No...  Check Point doesn't support PPTP...
Although isn't there an IPSEC client you can use for Windows PDA instead ?
0
 

Author Comment

by:Chris-Moore
ID: 12146046
You can use IPSEC with L2TP, as I found here:

IPsec is generally regarded to be more secure than PPTP. There is a catch though: the IPsec client included with PPC 2003 can only be used in combination with another protocol called L2TP. With the built-in client it is probably not possible to use 'plain' IPsec without L2TP. If you really need plain IPsec (for instance when your VPN server does not support L2TP/IPsec) or when your platform does not support L2TP/IPsec, then you should buy a third-party IPsec client.

Does VPN-1 support this config of L2TP and IPSEC?


0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12150072
0
 

Author Comment

by:Chris-Moore
ID: 12160287
Ok, so it supports L2TP; thanks for the link to the docs. As I already have all my users running via SecureClient, Office Mode, etc. already configured, can I simply add the L2TP support via the tickbox in VPN > Remote Access and then authenticate with a different user using a created and exported certificate?

Thanks
0
 
LVL 23

Accepted Solution

by: Tim Holman (earned 500 total points)
ID: 12200029
That should be OK. Note that you will be able to support multiple simultaneous VPN protocols anyway, so just ticking the box and enabling it will not affect existing IPSEC users or cause any problems.
I would imagine there may be a bit of tinkering around to get the Windows L2TP client working directly with Check Point NG.

There's an older thread here that may help - http://oldfaq.phoneboy.com/gurus/200302/msg00009.html

Plus the L2TP doc @ Check Point should help -

http://secureknowledge.checkpoint.com/pub/sk/docs/public/vpn1/ng/pdf/L2TP_2K.pdf
0
 

Author Comment

by:Chris-Moore
ID: 12200068
Thanks Tim, I have not made this work, but it's probably a tinkering thing, so thanks for all the info; I'll try out the FAQs and take it from there.

Thanks for your help and useful info!  Points coming your way!
0
 

Expert Comment

by:psimonov
ID: 12202388
I have exactly the same problem that you have, and we even worked with a consultant who represents Check Point, and here is what they say.
Because our firewall is NG, and the only SecureClient that is available for PDA is 4.1. According to Check Point, there will be no SecureClient for NG for at least another year. The existing client is good enough as long as your WiFi access point has TCP/UDP 500 and TCP 2746 open. If you are lucky enough and the hotspot where you establish the connection is configured this way, you have no problem having VPN.
As a solution they recommended any third-party alternative, but here you have to pay again.
0
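psimonov's point is that the hotspot, not the PDA, often decides whether the 4.1 client can reach the gateway at all. The script below is an added example, not from the thread or from Check Point, for testing a hotspot's egress before blaming the client. It assumes a Check Point NG gateway on a public address you supply. It probes IKE on UDP 500 with a well-formed IKEv1 Main Mode first message (so a gateway that rejects the proposal still answers with a notification), IKE over TCP on TCP 500, and the topology-download service on TCP 264, and it deliberately leaves out what cannot be tested from an unprivileged socket: ESP (IP protocol 50) and Check Point's UDP 2746 encapsulation only flow once IKE has completed, so their reachability needs a real tunnel attempt.

```python
"""Probe a hotspot's egress for the ports Check Point's remote-access clients need.

Added example (not from the thread). Usage:  python probe.py <gateway-ip>
"""
import argparse
import os
import socket
import struct

# Transports the NG-era clients use; the gateway's public address is assumed.
# ESP (IP protocol 50) and UDP 2746 encapsulation only appear after IKE
# completes, so they cannot be probed from an unprivileged socket.
PROBES = (
    ("IKE, UDP 500", "udp", 500),
    ("IKE over TCP, TCP 500", "tcp", 500),
    ("topology download (FW1_topo), TCP 264", "tcp", 264),
)


def build_main_mode_sa(initiator_cookie):
    """Build a minimal, well-formed IKEv1 Main Mode message 1 (RFC 2408/2409).

    One proposal: 3DES / SHA-1 / pre-shared key / DH group 2 / 28800 s.
    A gateway that dislikes the proposal still answers (NO-PROPOSAL-CHOSEN),
    which is all a reachability probe needs.
    """
    attrs = b"".join(struct.pack("!HH", 0x8000 | t, v) for t, v in (
        (1, 5),       # encryption algorithm: 3DES-CBC
        (2, 2),       # hash algorithm: SHA-1
        (3, 1),       # authentication method: pre-shared key
        (4, 2),       # DH group 2 (1024-bit MODP)
        (11, 1),      # life type: seconds
        (12, 28800),  # life duration
    ))
    transform_body = struct.pack("!BBH", 1, 1, 0) + attrs          # transform #1, id KEY_IKE
    transform = struct.pack("!BBH", 0, 0, 4 + len(transform_body)) + transform_body
    proposal_body = struct.pack("!BBBB", 1, 1, 0, 1) + transform   # proposal #1, ISAKMP, no SPI, 1 transform
    proposal = struct.pack("!BBH", 0, 0, 4 + len(proposal_body)) + proposal_body
    sa_body = struct.pack("!II", 1, 1) + proposal                  # DOI IPsec, SIT_IDENTITY_ONLY
    sa = struct.pack("!BBH", 0, 0, 4 + len(sa_body)) + sa_body
    header = (initiator_cookie + bytes(8)                          # responder cookie still zero
              + struct.pack("!BBBBII", 1, 0x10, 2, 0, 0, 28 + len(sa)))  # next=SA, v1.0, Main Mode
    return header + sa


def probe_tcp(host, port, timeout=3.0):
    """True if a TCP handshake completes; False on refusal, filtering or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_udp_ike(host, port, timeout=3.0):
    """Send an IKE Main Mode message and wait for any reply echoing our cookie.

    True proves the UDP path is open in both directions; False is inconclusive
    (the hotspot may drop it, or the gateway may silently ignore unknown peers).
    """
    cookie = os.urandom(8)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_main_mode_sa(cookie), (host, port))
            data, _peer = s.recvfrom(4096)
        except OSError:  # socket.timeout, ICMP unreachable, ...
            return False
    return len(data) >= 28 and data[:8] == cookie


def check_hotspot(gateway, timeout=3.0):
    """Run every probe against the gateway; returns {label: True/False}."""
    results = {}
    for label, proto, port in PROBES:
        probe = probe_tcp if proto == "tcp" else probe_udp_ike
        results[label] = probe(gateway, port, timeout)
    return results


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description=__doc__)
    ap.add_argument("gateway", help="public address of the VPN-1 gateway (assumed)")
    ap.add_argument("--timeout", type=float, default=3.0)
    args = ap.parse_args()
    for label, ok in check_hotspot(args.gateway, args.timeout).items():
        print(f"{'open' if ok else 'BLOCKED/no reply':17} {label}")
```

Read the results asymmetrically: a True on UDP 500 proves that hotspot passes IKE both ways, while a False only says nothing came back within the timeout. If UDP 500 is blocked but TCP 500 and TCP 264 answer, the client's IKE-over-TCP setting is the one to try from that hotspot; if all three fail, no client setting will help and GPRS is the fallback the thread ends up with.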
 

Author Comment

by:Chris-Moore
ID: 12202430
Thanks psimonov, guess that proves at least I am not going mad!!

Going to try the L2TP way to see if I have any luck, but from reading this is painful also, as you cannot get the certificates imported without a whole load of utilities/faffing around.

You're probably right though; until Checkpoint get their butts in gear and provide an NG-workable client, we have to pay to find some other software or get support from consultants.

Less than happy Checkpoint customer here.
0
 

Expert Comment

by:psimonov
ID: 12202912
Tell me if you succeed with L2TP and how you're going to configure it on the PDA.
0
 

Author Comment

by:Chris-Moore
ID: 12202951
ok, will do
0
