topic Re: Allow older clients to connect to this gateway disabling L2TP+IPSec mode in General Topics

Allow older clients to connect to this gateway disabling L2TP+IPSec mode

NikolayNikolay — Thu, 30 Oct 2025 09:16:02 GMT

Check Point R81.20
Good afternoon, when you uncheck the box "Allow older clients to connect to this gateway" in the cluster settings in section VPN Clients, L2TP + IPSec is disabled.
The question is, is it possible to somehow limit the standard authentication profile to connect, for example, only local checkpoint users?
Or is there any way to uncheck this box and still have L2TP+IPSec working?

The idea is to leave only the authentication methods we created for connecting via Check Point Endpoint Security VPN, or to limit the standard authentication method to local Check Point users (not domain ones) and to have the ability to connect via L2TP + IPSec

Thanks in advance

Re: Allow older clients to connect to this gateway disabling L2TP+IPSec mode

the_rock — Thu, 30 Oct 2025 12:14:56 GMT

Yes, you can control which users authenticate by:

Authentication Method: L2TP/IPsec supports username/password (PAP/EAP-MD5) or certificates. You can configure the gateway to use only the Internal User Database for these credentials.
In SmartConsole, go to:
- Gateway Properties → VPN Clients → Authentication
- Set the authentication scheme to Internal User Database (or create a dedicated group for L2TP users).
This way, domain users (LDAP/RADIUS) won’t be accepted for L2TP/IPsec

***************************

Is there any workaround to uncheck the box and still have L2TP/IPsec?

Unfortunately, no documented workaround exists. The “Allow older clients” flag is tied to enabling legacy protocols like L2TP/IPsec. If you disable it, the gateway enforces modern VPN clients only (Harmony Endpoint / Check Point Mobile)

Re: Allow older clients to connect to this gateway disabling L2TP+IPSec mode

NikolayNikolay — Thu, 30 Oct 2025 12:26:00 GMT

My situation is that I need L2TP + IPsec, but I also need to disable the standard authentication method, or limit the standard authentication method to local users only. In my case, there is no need to restrict L2TP+IPSec to local users only; this is more a question for the standard authentication method.

Re: Allow older clients to connect to this gateway disabling L2TP+IPSec mode

the_rock — Thu, 30 Oct 2025 12:46:51 GMT

Auth itself can be controlled from the screen I attached, which Im sure you have configured?

Re: Allow older clients to connect to this gateway disabling L2TP+IPSec mode

NikolayNikolay — Thu, 30 Oct 2025 12:49:20 GMT

Yes, I have 3 custom profiles, and users can only connect through them, but at the moment, since this checkbox "Allow older clients to connect to this gateway" is checked, they can choose the standard method and log in using their username and password (without 2FA)

Re: Allow older clients to connect to this gateway disabling L2TP+IPSec mode

the_rock — Thu, 30 Oct 2025 13:06:20 GMT

Ok...and if you uncheck that option, then works as expected?

Re: Allow older clients to connect to this gateway disabling L2TP+IPSec mode

NikolayNikolay — Thu, 30 Oct 2025 13:44:57 GMT

Yes, it is impossible to connect using the standard authentication method, but L2TP+IPSec, which I need, also doesn’t work.

Re: Allow older clients to connect to this gateway disabling L2TP+IPSec mode

the_rock — Thu, 30 Oct 2025 13:46:43 GMT

Wait, just to make sure Im not missing anything...are you saying IF that setting is on to allow older clients to connect, user/pass auth does not work?

Re: Allow older clients to connect to this gateway disabling L2TP+IPSec mode

NikolayNikolay — Thu, 30 Oct 2025 13:48:53 GMT

No, this checkbox works as it should in terms of limiting the default authentication method, I just want to understand if it is possible to limit this default authentication method to connections from local users only.

Re: Allow older clients to connect to this gateway disabling L2TP+IPSec mode

the_rock — Thu, 30 Oct 2025 13:50:37 GMT

I dont believe you can, but I could be mistaken...maybe best to confirm with TAC.

Re: Allow older clients to connect to this gateway disabling L2TP+IPSec mode

NikolayNikolay — Thu, 30 Oct 2025 14:07:00 GMT

OK, thank you for help!!!

Re: Allow older clients to connect to this gateway disabling L2TP+IPSec mode

the_rock — Thu, 30 Oct 2025 14:07:56 GMT

No problem!

Re: Allow older clients to connect to this gateway disabling L2TP+IPSec mode

PhoneBoy — Thu, 30 Oct 2025 14:31:22 GMT

Considering L2TP + IPsec support goes back to the days of SecuRemote, I suspect it's considered an "older client" and would be disabled by that option.
Also of note that L2TP requires the use of Legacy Authentication, as noted in the documentation: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/Content/Topics-VPNRG/L2TP-Clients.htm

I suspect what you're trying to do is an RFE.