

Setting up VPN with SecuRemote on Check Point firewall

Posted on 2005-04-18
Medium Priority
Last Modified: 2013-11-16
I have a Checkpoint firewall up and running and have been asked to add a VPN with 6 remote roaming clients. I guess SecuRemote will do the job, but I am quoted 3 days consultancy to set up the VPN - seems a lot to me.
We have the SecuRemote server licences as part of the Checkpoint NG system - where can I get the software, which is free, and can anyone help me with setup and configuration details for this VPN?
Question by:richwj
LVL 30

Expert Comment

by:Duncan Meyers
ID: 13811327

You need to set the Remote Access properties in the Gateway Object
You'll need to set up split-brain DNS
You'll need to set up authentication. Simplest (and cheapest) is to use the firewall as a Certificate Authority. Integrating with Active Directory is quite straightforward, but requires an additional (and expensive I'm told) license.

And you'll need to set up SecuRemote. You can roll it up as a package if you like - it makes rolling it out much simpler.

Yep. Three days is about right. I've recently gone through this exact same exercise so I can help you with problem solving and shortcuts.

Author Comment

ID: 13814036
On the Checkpoint firewall - is it a case of setting up another VPN policy or do I have to install additional software, before, behind or next to the firewall? I have downloaded the SecuRemote client software but have not found any server side software to download, any pointers?

Author Comment

ID: 13816173
Checkpoint tell me that I do not need any additional software, but have to configure the server - I guess as you have outlined above. I have no experience on this so would appreciate as much assistance as you can offer.

LVL 30

Accepted Solution

Duncan Meyers earned 2000 total points
ID: 13840366
Open SmartDashboard, select Policies -> Global Properties
In the left-hand pane, open up Remote Access.
Under Remote Access, select: Update topology every xxx hours
select On SecuRemote/SecureClient startup
Authentication timeout is default
Encrypt DNS traffic
Remainder leave as default (unless you have backup policy servers etc)

Under VPN-Basic
Select: Pre-Shared Secret
Gateways Support IKE over TCP
Enable IP compression for SecureClient
Remaining boxes are unticked.

Under VPN - Advanced:
Encryption Algorithm: 3DES
Data Integrity SHA1
Tick Enforce Encryption Alg. and Data Integ...
Support Diffie-Hellman Groups: Group 2
Use Diffie-Hellman groups: Group 2
When disconnected, traffic to encrypted domain will be sent in clear.

Under Certificates:
Tick Client will verify gateway's certificate against revocation list
Tick Renew users internal CA Certificates

Under Secure Configuration Verification
Untick: Gateway Secure Config Options/Apply Secure Config Verification etc
Upon Verification failure; Accept and log client's connection
Basic Config verification on client's machine
tick Policy is installed on all interfaces
tick Only Tcp/IP protocols are used
Config Violation Notification:
Tick Generate log
tick Notify the user

Smart Directory (LDAP) - untick unless you have the necessary licenses (useful for using Windows 2003 AD as a Certificate Authority)

OK to all that.

Open the Checkpoint GATEWAY properties:
Under General Properties, tick Firewall and VPN.

In the left-hand pane, select VPN.
In the right-hand pane, click on Add and select RemoteAccess (this is a default object)

Under VPN Advanced,
tick Support key exchange for subnets
tick Perform an organized shutdown etc

Under Remote Access
Tick Support L2TP etc
Authentication method: Smart Card or other Certificate
Use this Certificate: will be blank until you create a new user
NAT Traversal
Tick Support NAT Traversal etc
Allocated port: VPN1_IPSEC_encapsulation (defaults to this from memory)
Tick Support Visitor mode
Allocated port: https
Allocated IP address: all IPs

Under Office Mode (not necessary to configure this unless you are using SecureClient.)
Allow Office Mode to all users
Office Mode method: Manual
Allocate IP from Network: VPN Users (you must create this network as an object)

Under Authentication
Select the Authentication scheme you wish to use. If you intend to use the firewall-1 as a CA, don't select any of these.
Tick Enable wait mode for Client etc

OK to all that

Select the VPN manager tab
Right-click on the RemoteAccess object and select Properties

Under Participating Gateways, click add and select your Checkpoint Firewall
Under Participant User Groups, click on New and create a User group.

Ok to all that.

Click on the Users tab (if you squint, the icon looks a little bit like a user...)

Right-click Templates and add a new template. This isn't strictly necessary, it just makes your life easier when you need to add a VPN user.
Important tabs are:
Groups: add your user group to Belongs to Group
Authentication: Undefined (we are using internal CA)
Encryption: tick IKE, click Edit and tick Pre-shared key

That'll keep you busy for a while. :-)

Post when you're ready for the next bit (creating users, split-brain DNS so clients resolve LAN DNS names)...  

I'd also strongly recommend that you spend some time at www.checkpoint.com and pull down and read the user manuals. You really will need them.
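
The crypto and client-behaviour choices in the answer above (3DES, SHA1, Diffie-Hellman Group 2, traffic sent in the clear when disconnected, SCV failures accepted and logged) were ordinary defaults for a 2005 NG deployment, but 3DES and 1024-bit DH are now disallowed by NIST SP 800-131A and the "send in clear" behaviour silently exposes encryption-domain traffic whenever the tunnel drops. The following is an added example, not Check Point's code or anything from the original answer: it transcribes the answer's settings into a dict (the keys are my own labels), puts an assumed hardened profile beside it, and lints both. The severity thresholds and the hardened values are assumptions, not recommendations from the thread.

```python
"""Lint a Check Point remote-access (SecuRemote) settings profile against a hardening baseline.

Added example, not Check Point's code. The dict keys are my own labels for the
SmartDashboard settings named in the answer; the thresholds below are assumptions
drawn from current guidance, not from the original post.
"""
from __future__ import annotations

from dataclasses import dataclass

# Transcription of the Global Properties -> Remote Access choices recommended above.
ANSWER_2005 = {
    "encryption": "3DES",
    "integrity": "SHA1",
    "enforce_algorithms": True,          # "Enforce Encryption Alg. and Data Integ..."
    "dh_groups_supported": ["Group 2"],  # 1024-bit MODP
    "dh_group_used": "Group 2",
    "clear_when_disconnected": True,     # traffic to the encryption domain sent in clear
    "verify_gateway_crl": True,
    "scv_enforced": False,               # Secure Configuration Verification unticked
    "scv_on_failure": "accept_and_log",
    "ike_authentication": "pre_shared_secret",
}

# The same profile with the weak choices swapped out (assumed values, for contrast).
HARDENED = {
    "encryption": "AES-256",
    "integrity": "SHA-256",
    "enforce_algorithms": True,
    "dh_groups_supported": ["Group 14"],  # 2048-bit MODP
    "dh_group_used": "Group 14",
    "clear_when_disconnected": False,
    "verify_gateway_crl": True,
    "scv_enforced": True,
    "scv_on_failure": "block",
    "ike_authentication": "certificate",
}

WEAK_CIPHERS = {"DES", "3DES", "CAST"}              # 64-bit block ciphers (Sweet32) or short keys
WEAK_INTEGRITY = {"MD5", "SHA1"}
WEAK_DH_GROUPS = {"Group 1", "Group 2", "Group 5"}  # MODP 768/1024/1536, all below 2048 bits
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    setting: str
    severity: str
    detail: str


def lint_remote_access(cfg: dict) -> list[Finding]:
    """Return hardening findings for one profile, highest severity first."""
    findings: list[Finding] = []

    if cfg["encryption"].upper() in WEAK_CIPHERS:
        findings.append(Finding("encryption", "high",
                                f"{cfg['encryption']} is deprecated; offer AES-128 or AES-256 only"))
    if cfg["integrity"].upper().replace("-", "") in WEAK_INTEGRITY:
        findings.append(Finding("integrity", "medium",
                                f"{cfg['integrity']} data integrity; prefer SHA-256 or stronger"))

    weak_offered = sorted(set(cfg["dh_groups_supported"]) & WEAK_DH_GROUPS)
    if weak_offered or cfg["dh_group_used"] in WEAK_DH_GROUPS:
        findings.append(Finding("dh_group", "high",
                                f"Diffie-Hellman below 2048-bit MODP in use: {weak_offered or [cfg['dh_group_used']]}"))
    if not cfg["enforce_algorithms"]:
        findings.append(Finding("enforce_algorithms", "medium",
                                "clients may negotiate down to weaker proposals"))
    if cfg["clear_when_disconnected"]:
        findings.append(Finding("clear_when_disconnected", "high",
                                "packets for the encryption domain leave the client unencrypted while the tunnel is down"))
    if not cfg["verify_gateway_crl"]:
        findings.append(Finding("verify_gateway_crl", "medium",
                                "a revoked gateway certificate would still be accepted"))
    if not cfg["scv_enforced"] or cfg["scv_on_failure"] != "block":
        findings.append(Finding("scv", "medium",
                                "endpoint posture is logged but not enforced; non-compliant clients are admitted"))
    if cfg["ike_authentication"] == "pre_shared_secret":
        findings.append(Finding("ike_authentication", "medium",
                                "one shared secret cannot be revoked per user; prefer per-user certificates"))

    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.setting))


if __name__ == "__main__":
    for name, profile in (("answer (2005)", ANSWER_2005), ("hardened", HARDENED)):
        found = lint_remote_access(profile)
        print(f"== {name}: {len(found)} finding(s)")
        for f in found:
            print(f"  [{f.severity}] {f.setting}: {f.detail}")
```

Run against the transcribed answer it reports six findings (three high, three medium) and none against the hardened profile. The "clear when disconnected" item deserves the most attention in a roaming-client setup: it is not a crypto-strength question but a failure mode, since a client whose tunnel silently dropped on hotel Wi-Fi keeps sending LAN-bound traffic onto the local network.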
LVL 30

Expert Comment

by:Duncan Meyers
ID: 13840367
Do consultants suddenly look an attractive option?


Author Comment

ID: 13859904
I appreciate the instructions. I will look at it tomorrow and let you know how I get on...

Author Comment

ID: 13867569
Well, that's taken me a few hours to get into it and I am not sure how far I have got.....
I have a few users as part of a group called Remote_User all participating in a Community Remote_Users_Access

As the firewall is active and working with a VPN already configured from another office router, a lot of the options were set for me. I tried to add a rule just under a working rule for the remote office VPN link which is working - Rule 9
I duplicated everything and then right-clicked on the source and changed from Any to my Remote_User group
now if I install the policy it comes up with 3 errors....
Security Policy Verification Warnings
Rule 9 - User Groups are allowed only on Authentication Rules
Failed to generate Security Policy script for rulebase

so does the source want an object defined - this seems to insist on me setting a fixed IP and I do not want to do that...
whatever object option I select for the source wants a fixed IP except a dynamic object which I can't seem to link to my remote users group. What do I do now?

LVL 12

Expert Comment

ID: 13881842
This error is not because of the object field..rather you might have not defined the value of "Action"...You need to modify this to "User Auth", which will fix the issue..

Author Comment

ID: 13935557
I will be back on this tomorrow pm, where do I look for the "Action"? Not that familiar with it.
LVL 12

Expert Comment

ID: 13941836
When you open CP you can see the columns "no;source;destination;service;Action;track"...
I am referring to the field "action"...when you right-click there you can select user auth..
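
The verification warning the author hit ("User Groups are allowed only on Authentication Rules") and the fix suggested above (change the rule's Action to User Auth) can be modelled as a small check over the rulebase columns just listed. What follows is an added example, not Check Point code: it parses a constructed semicolon-separated rulebase with those column names, raises the same warning for any rule whose Source is a user group (the Group@Location form, e.g. Remote_User@Any, is Check Point's own notation) but whose Action is not an authentication action, and applies the fix. The set of actions it accepts as "authentication rules" (User Auth, Client Auth, Session Auth) is an assumption matching the legacy NG actions.

```python
"""Reproduce the policy-verification warning quoted in the thread and the fix proposed above.

Added example, not Check Point code. The rulebase is a constructed text table using
the column names listed in the comment above (no;source;destination;service;action;track).
The 'Group@Location' form of a user-group source is Check Point's own notation; the
set of actions treated as authentication rules is an assumption (the legacy
User Auth / Client Auth / Session Auth actions).
"""
from __future__ import annotations

from dataclasses import dataclass, replace

AUTH_ACTIONS = {"User Auth", "Client Auth", "Session Auth"}
USER_GROUP_WARNING = "Rule {no} - User Groups are allowed only on Authentication Rules"


@dataclass(frozen=True)
class Rule:
    no: int
    source: str
    destination: str
    service: str
    action: str
    track: str

    @property
    def source_is_user_group(self) -> bool:
        # A user group in the Source column appears as Group@Location, e.g. Remote_User@Any
        return "@" in self.source


def parse_rulebase(text: str) -> list[Rule]:
    """Parse a semicolon-separated rulebase dump; the first line is the header."""
    rules: list[Rule] = []
    for raw in text.strip().splitlines():
        cells = [c.strip() for c in raw.split(";")]
        if len(cells) != 6:
            raise ValueError(f"expected 6 columns, got {len(cells)}: {raw!r}")
        if cells[0].lower() == "no":
            continue  # header row
        no, src, dst, svc, act, trk = cells
        rules.append(Rule(int(no), src, dst, svc, act, trk))
    return rules


def verify_policy(rules: list[Rule]) -> list[str]:
    """Return the verification warnings raised for user-group sources on non-auth rules."""
    return [USER_GROUP_WARNING.format(no=r.no)
            for r in rules
            if r.source_is_user_group and r.action not in AUTH_ACTIONS]


def fix_user_group_rules(rules: list[Rule], action: str = "User Auth") -> list[Rule]:
    """Apply the fix from the thread: keep the rule, change its Action to an auth action."""
    if action not in AUTH_ACTIONS:
        raise ValueError(f"{action!r} is not an authentication action")
    return [replace(r, action=action) if r.source_is_user_group and r.action not in AUTH_ACTIONS else r
            for r in rules]


# Constructed rulebase: rule 8 stands in for the working site-to-site rule the author
# copied; rule 9 is the copy with Source changed from Any to the Remote_User group.
SAMPLE_RULEBASE = """
no;source;destination;service;action;track
8;Branch_Office_Net;LAN_Net;Any;Accept;Log
9;Remote_User@Any;LAN_Net;Any;Accept;Log
10;Any;Any;Any;Drop;Log
"""

if __name__ == "__main__":
    rules = parse_rulebase(SAMPLE_RULEBASE)
    for w in verify_policy(rules):
        print("Security Policy Verification Warning:", w)
    fixed = fix_user_group_rules(rules)
    print("after fix:", verify_policy(fixed) or "no warnings")
```

The check models only the one warning quoted in the thread, not Check Point's full policy verifier. Note that User Auth is one of the gateway's in-line authentication actions (it prompts the user through the security servers for telnet, FTP, HTTP and rlogin); whether that is the right action for a SecuRemote rule, as opposed to a remote-access VPN rule, is outside what this check decides.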

Author Comment

ID: 13997333
I set action to user auth and the rule was accepted.. I still cannot connect and have some problems with authentication or certification. I have tried to remove the internal certificate and add a new one, the current one seems to be busted. It will not allow me to remove the internal certificate??
LVL 12

Expert Comment

ID: 14000628
hmm..First ..what does the "checkpoint log" show when you attempt to connect?
Second ...for the internal certificate you are saying which Certificate.....normally no need to remove it...if you are talking about the Certificate that CP generates then no issues..

Author Comment

ID: 14077740
The internal_ca certificate seems a problem
I can't view it - it comes up with an error reading the CP database
I can't add another one and I can't delete this to reset it??

Author Comment

ID: 14079559
I created a new firewall gateway object and created a new certificate associated to it.
setting the internal and external parameters of the WAN/LAN on this object and replacing the old gateway - not as simple as it sounds..... 4 hrs later, lots of aggro with licences and authentication.

I had to make sure I replaced every instance of the new gateway with the old and bingo - the SecuRemote connection worked.

LVL 30

Expert Comment

by:Duncan Meyers
ID: 14082957
Well done! It's a bit of a marathon, isn't it?

And the Checkpoint documentation is just soooooooo good...
LVL 12

Expert Comment

ID: 14091482
Hmm..Went out for a while..couldn't follow up..CP doc and licensing is designed in such a way that only CP guys can understand it.....
Never mind, finally we need to solve the issue..that's all what we are for and of course for our pay checks as well..;)

Author Comment

ID: 14318296
Sorry it took so long to clear this one, had to do a lot of work on the firewall to get it sorted, but all that you gave me was very useful, so thanks for your help
LVL 30

Expert Comment

by:Duncan Meyers
ID: 14325040
No worries!
