NikolayNikolay
Explorer
Allow older clients to connect to this gateway disabling L2TP+IPSec mode

Check Point R81.20
Good afternoon, when you uncheck the box "Allow older clients to connect to this gateway" in the cluster settings in section VPN Clients, L2TP + IPSec is disabled.
The question is, is it possible to somehow limit the standard authentication profile to connect, for example, only local Check Point users?
Or is there any way to uncheck this box and still have L2TP+IPSec working?

The idea is to leave only the authentication methods we created for connecting via Check Point Endpoint Security VPN, or to limit the standard authentication method to local Check Point users (not domain ones) and to have the ability to connect via L2TP + IPSec.

Thanks in advance

12 Replies
the_rock
MVP Gold

Yes, you can control which users authenticate by:

  • Authentication Method: L2TP/IPsec supports username/password (PAP/EAP-MD5) or certificates. You can configure the gateway to use only the Internal User Database for these credentials.
  • In SmartConsole, go to:
    • Gateway Properties → VPN Clients → Authentication
    • Set the authentication scheme to Internal User Database (or create a dedicated group for L2TP users).
  • This way, domain users (LDAP/RADIUS) won't be accepted for L2TP/IPsec.

***************************

Is there any workaround to uncheck the box and still have L2TP/IPsec?

  • Unfortunately, no documented workaround exists. The "Allow older clients" flag is tied to enabling legacy protocols like L2TP/IPsec. If you disable it, the gateway enforces modern VPN clients only (Harmony Endpoint / Check Point Mobile).

Best,
Andy
NikolayNikolay
Explorer

My situation is that I need L2TP + IPsec, but I also need to disable the standard authentication method, or limit the standard authentication method to local users only. In my case, there is no need to restrict L2TP+IPSec to local users only; this is more a question for the standard authentication method.

the_rock
MVP Gold

Auth itself can be controlled from the screen I attached, which I'm sure you have configured?

Best,
Andy
NikolayNikolay
Explorer

Yes, I have 3 custom profiles, and users can only connect through them, but at the moment, since this checkbox "Allow older clients to connect to this gateway" is checked, they can choose the standard method and log in using their username and password (without 2FA).

the_rock
MVP Gold

Ok...and if you uncheck that option, then works as expected?

Best,
Andy
NikolayNikolay
Explorer

Yes, it is impossible to connect using the standard authentication method, but L2TP+IPSec, which I need, also doesn’t work.

the_rock
MVP Gold

Wait, just to make sure I'm not missing anything...are you saying IF that setting is on to allow older clients to connect, user/pass auth does not work?

Best,
Andy
NikolayNikolay
Explorer

No, this checkbox works as it should in terms of limiting the default authentication method. I just want to understand if it is possible to limit this default authentication method to connections from local users only.

the_rock
MVP Gold

I don't believe you can, but I could be mistaken...maybe best to confirm with TAC.

Best,
Andy
NikolayNikolay
Explorer

OK, thank you for your help!!!

the_rock
MVP Gold

No problem!

Best,
Andy
PhoneBoy
Admin

Considering L2TP + IPsec support goes back to the days of SecuRemote, I suspect it's considered an "older client" and would be disabled by that option.
Also of note: L2TP requires the use of Legacy Authentication, as noted in the documentation: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...

I suspect what you're trying to do is an RFE.
