topic Re: Bypassing MFA when authenticating with vpn certificates in SASE and Remote Access

Bypassing MFA when authenticating with vpn certificates

mistercinux — Fri, 28 Feb 2025 08:18:06 GMT

Hello team,

We recently found that using strongswan with vpn certificate and MFA enabled, we can bypass MFA.

Is there a way to prevent connections with strongswan clients ?

All versions are concerned.

Best regards,

Chris

Re: Bypassing MFA when authenticating with vpn certificates

G_W_Albrecht — Fri, 28 Feb 2025 08:20:05 GMT

Do not give them certificates and rewoke the ones already issued!

Re: Bypassing MFA when authenticating with vpn certificates

mistercinux — Fri, 28 Feb 2025 08:28:35 GMT

Hello G_W_Albrecht

All our users were using certificate authentication, and since we are implementing additional MFA, we configured the gateway to do a push after certificate authentication. if we revoke all certificates we just cut the vpn access of all the remote users.

What we are looking for is a way to prevent non checkpoint clients to connect to the security gateway.

What are the best practices authenticating users for remote access ? I always thought that certificate auth was the best.

Will the usage of CAPI prevent such 3rd party vpn clients to authenticate ?

Re: Bypassing MFA when authenticating with vpn certificates

G_W_Albrecht — Fri, 28 Feb 2025 11:02:47 GMT

Hi,

sorry, maybe i did mix up something - with our CheckPoint deployment, each user gets his own certificate, so what i mentioned above was based on that configuration. Here https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/Content/Topics-VPNRG/strongSwan-Client-Support.htm?Highlight=swan you find what has to be enabled on CP GW to enable StrongSwan access, so you can disable access by disabling these - e.g. if StrongSwan connects using aes256-sha1-modp1024 you can disable it on GW.

I would suggest to open SR# with CP TAC to get suggestios how to achieve this in a simple way !

Re: Bypassing MFA when authenticating with vpn certificates

the_rock — Fri, 28 Feb 2025 15:19:51 GMT

I know last time I worked with customer for cert auth for vpn clients, we ended up working with TAC. Its probably your best bet at this point.

Andy

Re: Bypassing MFA when authenticating with vpn certificates

mistercinux — Fri, 28 Feb 2025 15:25:47 GMT

Hi the_Rock,

Thank you for your feedback.
We already worked with tac and they said that it's working as designed.
We'll may stop working with certificats if we do not find a way to prevent strongswan clients to bypass mfa :-(.

Chris

Re: Bypassing MFA when authenticating with vpn certificates

the_rock — Fri, 28 Feb 2025 15:30:28 GMT

I cant say for sure if its expected or not, but I have a gut feeling there must be some way to make this work. We can connect offline if you are allowed to do remote and check it out.

Andy

Re: Bypassing MFA when authenticating with vpn certificates

mistercinux — Fri, 28 Feb 2025 15:48:23 GMT

Hi,

Thanks for your answer. We'll try it and update the case.

Chris

Re: Bypassing MFA when authenticating with vpn certificates

PhoneBoy — Mon, 03 Mar 2025 16:08:07 GMT

There's an option to allow only certain VPN clients to connect in SmartConsole (specifically in Global Properties), but not sure how Strongswan is treated here as it is not explicitly listed.

In any case, you can configure SCV to do some Windows-specific checks.
See: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...
If you need to support Mac clients, you will need to enable macOS support and configure a specific policy with: https://support.checkpoint.com/results/sk/sk182226
If you require SCV, clients that don't support it (like Strongswan) will fail unless you've enabled the option to allow clients without SCV support.

Re: Bypassing MFA when authenticating with vpn certificates

mistercinux — Mon, 03 Mar 2025 16:23:12 GMT

Hi,

Thank you. We'll test this configuration and update this post as soon as we have the results.