This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
RyanJohnson
Explorer
‎2019-09-10 04:03 AM
Jump to solution

Creating a simple VPN connection (Having a nightmare)

Hi everyone, 

 

I have a CheckPoint 3000 Application running  R80.10 software. 

 

I have been attempting to create a simple VPN setup for the last few weeks and failing miserably. 

 

What I want to achieve. 

I want to be able to have clients use the CheckPoint VPN client software, to connect to my CheckPoint appliance and access the local LAN. 

 

I have followed a number of guides to no avail, I'm hoping someone has set this up on their appliance and can point me in the right direction. 

 

Cheers

0 Kudos
1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion Champion
Champion
‎2019-09-11 10:30 PM
Jump to solution

Hi @RyanJohnson,

I think the GAIA portal on port 443 is active on the management server. This means that the site information cannot be loaded over port 443. 

More to used check Point ports read here: R80.x Ports Used for Communication by Various Check Point Modules

Screenshot_20190912-073536_Edge.jpg

Solution:

Put the GAIA portal to a different port for example 4434.

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

8 Replies
PhoneBoy
Admin
Admin
‎2019-09-10 04:32 PM
Jump to solution

Let's start with some basic questions:

1. There are a couple of different ways to set up VPN. Which precise set(s) of instructions did you follow? Please provide relevant pointers.
2. What sort of clients are you trying to connect? This includes OS of client, version of VPN client you are using, etc.
3. When the client attempts to connect, what exactly happens, step by step? Screenshots would be helpful.
4. What messages do you see in the logs during all this?

The more information you can provide, the more help we can provide.
0 Kudos
RyanJohnson
Explorer
‎2019-09-11 06:18 AM
In response to PhoneBoy
Jump to solution

Thanks for your reply.

 

The guide was as follows; This one (Getting started with Remote Access)

 

When I try to connect to the external IP that I have set on the Link Selection on the Checkpoint IpSecVPN, it states that the target isn't responding. 

I assume that I've set something up wrong somewhere, but from what I can see, I have followed the guide. 

 

Steps that I have taken so far; 

  1. Turned on IPSec VPN via Network Security on the Gateway
  2. Set a Statically NATed IP in Link Selection
  3. Turned on Office Mode to all users 
  4. IP addresses are from a Pool configured on the CheckPoint device 
  5. No users have been setup yet

With the above setting, I assumed I'd be able to establish a connection with my NAT IP and then fail on user login, however I cannot connect to the Checkpoint from an external IP.

 

I get this error using the Checkpoint software to connect;

checkpoint.PNG

 

Any pointers would be great, is there a different way I should be creating this, is there another guide I can follow. 

 

Checkpoint is super new to me!

0 Kudos
PhoneBoy
Admin
Admin
‎2019-09-11 05:15 PM
In response to RyanJohnson
Jump to solution

Have you done any packet traces (tcpdump, etc) to validate packets from the client are actually reaching the gateway?
It's entirely possible the problem has nothing to do with the configuration steps you've followed.
0 Kudos
Vladimir
Champion
Champion
‎2019-09-11 06:48 PM
In response to RyanJohnson
Jump to solution

1. Do you permit HTTPS connections from the Internet to the external interface of your Check Point appliance? If not, enable it.

2. Do you refer to the appliance by its name or IP address? if name, is it publicly resolvable?

3. When you are connecting to the appliance, are you prompted to accept the self-signed certificate? If so and you are accepting it, please examine it to see what it is issued to and if your connection properties on the client actually matching those presented in the cert.

4. Since you are mentioning manually specifying the "Statically NATed IP" in the link selection, this to me indicates that the CP device itself has RFC1918 addresses on its external interface. Do you have that interface defined as "External" in topology? Are you using "Zones" in your rulebase? Does the upstream device filtering the inbound traffic at all (i.e. it is another firewall or a VPN capable device)? If it does, have you configured it to forward IPSec related traffic to the actual private IP of the CP's external interface?

 

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2019-09-12 12:37 AM
In response to RyanJohnson
Jump to solution

For times when we see such Site creation failed ! error we can look into sk128652: Troubleshooting "site is not responding" Issues

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
G_W_Albrecht
Legend Legend
Legend
‎2019-09-11 04:22 AM
Jump to solution

Did you follow Remote Access VPN Administration Guide R80.10 ? Because usually it is rather an easy task (using internal users defined in Dashboard, do a Database install and emacs!)...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
RyanJohnson
Explorer
‎2019-09-11 06:23 AM
In response to G_W_Albrecht
Jump to solution

Hiya,

 

I did, well I think I did, I must be missing something somewhere. 

 

Checkpoint is rather new to me, but Firewalls and VPN aren't so I'm a tad baffled. 

 

 

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2019-09-11 10:30 PM
Jump to solution

Hi @RyanJohnson,

I think the GAIA portal on port 443 is active on the management server. This means that the site information cannot be loaded over port 443. 

More to used check Point ports read here: R80.x Ports Used for Communication by Various Check Point Modules

Screenshot_20190912-073536_Edge.jpg

Solution:

Put the GAIA portal to a different port for example 4434.

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events