richwj asked:

Setting up VPN with Securemote on checkpoint firewall

I have a Check Point firewall up and running and have been asked to add a VPN with 6 remote roaming clients. I guess SecuRemote will do the job, but I am quoted 3 days' consultancy to set up the VPN - seems a lot to me.
We have the SecuRemote server licences as part of the Check Point NG system - where can I get the software, which is free, and can anyone help me with setup and configuration details for this VPN?
Duncan Meyers:

www.checkpoint.com.

You need to set the Remote Access properties in the Gateway Object.
You'll need to set up split-brain DNS.
You'll need to set up authentication. Simplest (and cheapest) is to use the firewall as a Certificate Authority. Integrating with Active Directory is quite straightforward, but requires an additional (and expensive, I'm told) license.

And you'll need to set up SecuRemote. You can roll it up as a package if you like - it makes rolling it out much simpler.

Yep. Three days is about right. I've recently gone through this exact same exercise so I can help you with problem solving and shortcuts.
richwj (asker):

On the Check Point firewall - is it a case of setting up another VPN policy, or do I have to install additional software before, behind or next to the firewall? I have downloaded the SecuRemote client software but have not found any server-side software to download. Any pointers?
richwj (asker):

meyersd,
Check Point tell me that I do not need any additional software, but have to configure the server - I guess as you have outlined above. I have no experience of this so would appreciate as much assistance as you can offer.
ASKER CERTIFIED SOLUTION
Duncan Meyers:

Do consultants suddenly look an attractive option?

:-)
richwj (asker):

I appreciate the instructions. I will look at it tomorrow and let you know how I get on...
richwj (asker):

Well, that's taken me a few hours to get into it and I am not sure how far I have got.....
I have a few users as part of a group called Remote_User, all participating in a Community Remote_Users_Access.

As the firewall is active and working with a VPN already configured from another office router, a lot of the options were set for me. I tried to add a rule just under a working rule for the remote office VPN link, which is working - Rule 9.
I duplicated everything, then right-clicked on the source and changed it from Any to my Remote_User group.
Now if I install the policy it comes up with 3 errors....
Security Policy Verification Warnings
Rule 9 - User Groups are allowed only on Authentication Rules
Failed to generate Security Policy script for rulebase

So does the source want an object defined? This seems to insist on me setting a fixed IP and I do not want to do that...
Whatever object option I select for the source wants a fixed IP, except a dynamic object, which I can't seem to link to my remote users group. What do I do now?


This error is not because of the object field; rather, you might not have defined the value of "Action". You need to modify this to "User Auth", which will fix the issue.
richwj (asker):

I will be back on this tomorrow pm. Where do I look for the "Action"? Not that familiar with it.
When you open CP you can see the columns "no; source; destination; service; Action; track"...
I am referring to the field "Action"... when you right-click there you can select User Auth.
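As an added illustration (not from this thread, and not Check Point's own tooling), the small Python lint below reproduces the policy verification check behind the warning quoted above: a rule whose source contains a user group is flagged unless its Action is an authentication action, and a helper shows the fix suggested here, setting the Action to User Auth. The rulebase layout, object names and helper names are assumptions; only User Auth is named in the thread, the other two authentication actions are Check Point's Client Auth and Session Auth.

```python
"""Pre-install rulebase lint for the warning
"User Groups are allowed only on Authentication Rules".

The Rule layout and the sample rulebase are constructed for this example;
they are not Check Point's export format."""
from dataclasses import dataclass, replace

# Check Point's authentication actions; the thread only mentions "User Auth".
AUTH_ACTIONS = {"User Auth", "Client Auth", "Session Auth"}


@dataclass(frozen=True)
class Rule:
    number: int
    source: tuple       # network objects or user-group names
    destination: tuple
    service: tuple
    action: str


def verify_rulebase(rules, user_groups):
    """Return one warning string per rule that puts a user group in the
    source column without an authentication action, mimicking the
    SmartDashboard verification output."""
    warnings = []
    for r in rules:
        uses_group = any(s in user_groups for s in r.source)
        if uses_group and r.action not in AUTH_ACTIONS:
            warnings.append(
                f"Rule {r.number} - User Groups are allowed only on Authentication Rules")
    return warnings


def make_auth_rule(rule, action="User Auth"):
    """Return a copy of the rule with its Action switched to an authentication
    action (the fix suggested in the thread)."""
    return replace(rule, action=action)


# Constructed rulebase resembling the thread: rule 8 is the working
# office-to-office VPN rule, rule 9 its copy with source changed to the group.
USER_GROUPS = {"Remote_User"}
SAMPLE_RULES = (
    Rule(8, ("Any",), ("Internal_Net",), ("Any",), "Accept"),
    Rule(9, ("Remote_User",), ("Internal_Net",), ("Any",), "Accept"),
)

if __name__ == "__main__":
    for line in verify_rulebase(SAMPLE_RULES, USER_GROUPS):
        print(line)
    fixed = [make_auth_rule(r) if r.number == 9 else r for r in SAMPLE_RULES]
    print("after fix:", verify_rulebase(fixed, USER_GROUPS))
```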
richwj (asker):

I set Action to User Auth and the rule was accepted. I still cannot connect and have some problems with authentication or certification. I have tried to remove the internal certificate and add a new one; the current one seems to be busted. It will not allow me to remove the internal certificate??
Hmm.. First, what does the Check Point log show when you attempt to connect?
Second, for the internal certificate, which certificate are you referring to? Normally there is no need to remove it... if you are talking about the certificate that CP generates, then no issues.
richwj (asker):

The internal_ca certificate seems a problem.
I can't view it - it comes up with an error reading the CP database.
I can't add another one and I can't delete this one to reset it??
richwj (asker):

I created a new firewall gateway object and created a new certificate associated with it.
Setting the internal and external parameters of the WAN/LAN on this object and replacing the old gateway - not as simple as it sounds..... 4 hrs later, lots of aggro with licences and authentication.

I had to make sure I replaced every instance of the new gateway with the old and bingo - the securemote connection worked.

Well done! It's a bit of a marathon, isn't it?

And the Checkpoint documentation is just soooooooo good...
Hmm.. Went out for a while, couldn't follow up. CP docs and licensing are designed in such a way that only CP guys can understand them.....
Never mind, finally we needed to solve the issue. That's all we are here for, and of course for our pay checks as well ;)
richwj (asker):

Sorry it took so long to clear this one. I had to do a lot of work on the firewall to get it sorted, but all that you gave me was very useful, so thanks for your help.
No worries!