RyanJohnson
Explorer

Creating a simple VPN connection (Having a nightmare)

Hi everyone,

I have a Check Point 3000 appliance running R80.10 software.

I have been attempting to create a simple VPN setup for the last few weeks and failing miserably.

What I want to achieve:

I want to be able to have clients use the Check Point VPN client software to connect to my Check Point appliance and access the local LAN.

I have followed a number of guides to no avail; I'm hoping someone has set this up on their appliance and can point me in the right direction.

Cheers

Accepted Solution
HeikoAnkenbrand
Champion

Hi @RyanJohnson,

I think the GAIA portal on port 443 is active on the management server. This means that the site information cannot be loaded over port 443.

More on the ports used by Check Point, read here: R80.x Ports Used for Communication by Various Check Point Modules

[Screenshot: Screenshot_20190912-073536_Edge.jpg]

Solution:

Put the GAIA portal on a different port, for example 4434.

➜ CCSM Elite, CCME, CCTE

8 Replies
PhoneBoy
Admin
Let's start with some basic questions:

1. There are a couple of different ways to set up VPN. Which precise set(s) of instructions did you follow? Please provide relevant pointers.
2. What sort of clients are you trying to connect? This includes OS of client, version of VPN client you are using, etc.
3. When the client attempts to connect, what exactly happens, step by step? Screenshots would be helpful.
4. What messages do you see in the logs during all this?

The more information you can provide, the more help we can provide.
RyanJohnson
Explorer

Thanks for your reply.

The guide was as follows: Getting started with Remote Access

When I try to connect to the external IP that I have set in Link Selection on the Check Point IPsec VPN, it states that the target isn't responding.

I assume that I've set something up wrong somewhere, but from what I can see, I have followed the guide.

Steps that I have taken so far:

  1. Turned on IPsec VPN via Network Security on the Gateway
  2. Set a Statically NATed IP in Link Selection
  3. Turned on Office Mode for all users
  4. IP addresses are from a Pool configured on the Check Point device
  5. No users have been set up yet

With the above settings, I assumed I'd be able to establish a connection with my NAT IP and then fail on user login; however, I cannot connect to the Check Point from an external IP.

I get this error using the Check Point software to connect:

[Screenshot: checkpoint.PNG]

Any pointers would be great. Is there a different way I should be creating this, or is there another guide I can follow?

Check Point is super new to me!
PhoneBoy
Admin
Have you done any packet traces (tcpdump, etc) to validate packets from the client are actually reaching the gateway?
It's entirely possible the problem has nothing to do with the configuration steps you've followed.
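The packet-trace check suggested above, as an added example that is not part of the thread: it classifies tcpdump lines captured on the gateway's external interface by the remote-access ports that matter here (TCP 443, which the client uses to load the site information and which the accepted solution says collides with the GAIA portal, plus UDP 500 for IKE and UDP 4500 for NAT-T). The capture lines, the gateway address 198.51.100.5 and the client address 203.0.113.10 are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): decide from a tcpdump capture whether a
# remote-access client's traffic actually arrives at the gateway's external
# interface before debugging the VPN configuration itself.

# Constructed sample capture, as produced by e.g. `tcpdump -ni eth0 host <client>`.
# 198.51.100.5 = gateway's NATed external IP, 203.0.113.10 = remote client.
SAMPLE_CAPTURE='12:00:01.000001 IP 203.0.113.10.50012 > 198.51.100.5.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 198.51.100.5.443 > 203.0.113.10.50012: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:02.000001 IP 203.0.113.10.500 > 198.51.100.5.500: isakmp: phase 1 I ident
12:00:03.000001 IP 203.0.113.10.4500 > 198.51.100.5.4500: NONESP-encap: isakmp: phase 1 I ident
12:00:04.000001 IP 192.0.2.77.40000 > 198.51.100.5.22: Flags [S], seq 3, win 64240, length 0'

# classify_capture GATEWAY_IP CLIENT_IP  (capture on stdin)
# Counts packets from CLIENT to GATEWAY per remote-access service and prints
# one line: "https_443=N ike_udp500=N natt_udp4500=N other=N".
classify_capture() {
  local gw="$1" client="$2"
  awk -v gw="$gw" -v client="$client" '
    $2 == "IP" {
      src = $3; dst = $5; sub(/:$/, "", dst)
      # "a.b.c.d.port" -> split on dots, last field is the port
      n = split(src, s, "."); sport = s[n]; sip = s[1] "." s[2] "." s[3] "." s[4]
      m = split(dst, d, "."); dport = d[m]; dip = d[1] "." d[2] "." d[3] "." d[4]
      if (sip != client || dip != gw) next     # only client -> gateway direction
      if (dport == "443")       c["https_443"]++    # site creation / topology download
      else if (dport == "500")  c["ike_udp500"]++   # IKE
      else if (dport == "4500") c["natt_udp4500"]++ # IKE / ESP over NAT-T
      else                      c["other"]++
    }
    END {
      printf "https_443=%d ike_udp500=%d natt_udp4500=%d other=%d\n",
             c["https_443"], c["ike_udp500"], c["natt_udp4500"], c["other"]
    }'
}

# reachability_verdict GATEWAY_IP CLIENT_IP  (capture on stdin)
# "reached": the client's TCP/443 site-creation attempts arrive, so the problem
# is on the gateway (e.g. what answers on 443). "not_reached": nothing arrives,
# so look at the upstream NAT/forwarding device first.
reachability_verdict() {
  local summary
  summary=$(classify_capture "$1" "$2")
  case "$summary" in
    *"https_443=0"*) echo "not_reached" ;;
    *)               echo "reached" ;;
  esac
}
```

Run it against a live capture with `tcpdump -nni <ext-if> host <client-ip> | classify_capture <gw-ip> <client-ip>` after the client attempts site creation.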
Vladimir
Champion

1. Do you permit HTTPS connections from the Internet to the external interface of your Check Point appliance? If not, enable it.

2. Do you refer to the appliance by its name or IP address? If by name, is it publicly resolvable?

3. When you are connecting to the appliance, are you prompted to accept the self-signed certificate? If so and you are accepting it, please examine it to see what it is issued to and whether the connection properties on the client actually match those presented in the cert.

4. Since you mention manually specifying the "Statically NATed IP" in the link selection, this to me indicates that the CP device itself has RFC1918 addresses on its external interface. Do you have that interface defined as "External" in topology? Are you using "Zones" in your rulebase? Does the upstream device filter the inbound traffic at all (i.e. is it another firewall or a VPN-capable device)? If it does, have you configured it to forward IPsec-related traffic to the actual private IP of the CP's external interface?
G_W_Albrecht
Legend

For times when we see such a "Site creation failed!" error, we can look into sk128652: Troubleshooting "site is not responding" Issues

CCSE CCTE CCSM SMB Specialist
G_W_Albrecht
Legend

Did you follow the Remote Access VPN Administration Guide R80.10? Because usually it is rather an easy task (using internal users defined in Dashboard, do a Database install and emacs!)...

CCSE CCTE CCSM SMB Specialist
RyanJohnson
Explorer

Hiya,

I did, well I think I did. I must be missing something somewhere.

Check Point is rather new to me, but firewalls and VPN aren't, so I'm a tad baffled.