Showing results for 
Search instead for 
Did you mean: 
Create a Post
Remote Access Solutions

The place to discuss all of Check Point's Remote Access VPN solutions, including Mobile Access Software Blade, Endpoint Remote Access VPN, SNX, Capsule Connect, and more!

titoabidan inside Remote Access Solutions Thursday
views 104 3

Routes distribution throught vpn ssl extender

Hi all,I'm not sure if this request has been already done,if so please let me know where I can find it.Well here is my situation, I've configured a VPN ssl extender and everything is working fine, endpoints are receiving the ip address that I've established but when I type a route print on the endpoint I see that they're receiving some network ranges from my checkpoint and those are the network ranges that the checkpoint has connected. With this said I have two questions:1- How can I avoid the checkpoint sends those networks to the endpoints?2- How can I propagate the ip address ranges needed to the endpoint's routing tables ? I've looking around and I've found nothing, I'm using the SmartConsole R80.20 to configure everything and my checkpoint is 5000 serie.Any help would be appreciated.
abiodun_ogunwal inside Remote Access Solutions Wednesday
views 139 1


Does R80.30 Mobile blade now support snx access?
GatM inside Remote Access Solutions Wednesday
views 198 5

IKE traffic not processed if source port is other than UDP 500

Since updating to R80.10 (from R77.30) we had stability issues with VPN tunnels to our branch offices where we use different vendor products (Bintec). Updating to R80.20 and R80.30 did not solve the problem. We went though all the basics and removed any inconsequences in configuration on both ends (which weren't an issue when peering with R77.30 or earlier) and tried different configurations with little result.Eventually we discovered the remote router uses different source ports (not UDP 500) when acting as a IKE initiator (or sending IKE sa delete messages). The Check Point ignored these IKE messages (though the rulebase did allow them to be delivered). This resulted in problems in the phase 2 rekeying procedure because IKE SA tables on both ends got out of sync.We fixed this matter by fixing/forcing the source port at the Bintec to UDP 500 with a fix provided by their (very reponsive and cooperative) support center. So you might think now: problem fixed, why raise the issue here?Well, I'm still curious about the  "not our problem, go to Bintec" statement we received from Check Point via our service provider when we raised this issue. I still believe Check Point should've fixed their part of the problem too.When our service provider raised the issue at Check Point the answer was that the sourceport should be 500 no matter what, if a NAT is present is should switch to UDP4500 as described in RFC 3947 chapter 4. End of story, no fix from Check Point.However, investigating the matter and reading RFC3947 I found out that it states the following in chapter 3: Recipients MUST reply back to the source address from the packet (see   [RFC3715], section 2.1, case d).  This means that when the original   responder is doing rekeying or sending notifications to the original   initiator, it MUST send the packets using the same set of port and IP   numbers used when the IKE SA was last used.   For example, when the initiator sends a packet with source and   destination port 500, the NAT may change it to a packet with source   port 12312 and destination port 500.  The responder must be able to   process the packet whose source port is 12312.  It must reply back   with a packet whose source port is 500 and destination port is 12312.   The NAT will then translate this packet to source port 500 and   destination port 500.Reading the above my conclusion is that if Check Point would be compliant with IKE standards it should have responded to the IKE messages coming from source ports other than 500 and the instability shouldn't have occured. It doesn't really matter what the reason is for chosing another sourceport, it should just reply to that port.Can someone please enlighten me why it does not behave in compliance with RFC3947 and will this behaviour be changed in future releases? For this matter I prefer to communicate directly with Check Point rather than through our service provider (they consider the case closed too). As I can imagine other customers may run into this problem when upgrading to R80 too I prefer to keep the answer in public, Thanks! 
Jonathan inside Remote Access Solutions Wednesday
views 107

Mobile Access authentication scheme restriction

Hi,We're using Mobile Access to let employees connect to the office. We use both Checkpoint mobile with certificate and SSL-VPN with a physical token.We implemented a new authentication scheme of Username Password (ldap) + DynamicID (sms) and it's working fine.However, we would like to only allow selected users to be able to use this auth scheme, based on groups from Active Directory.How can we accomplish that? Thanks  
MasterSomy inside Remote Access Solutions Wednesday
views 109

Choose the Machine Authentication Cetificate

Hi,We wanted to test the new Machine Authentication Feature of the Windows VPN Clients.we are currently facing the problem that we get one Certificate enrolled by default by our AD and we have the certificate to authenticate our Client. The Problem is the VPN Client tries to use the auto enrolled one, but it doesn't work. If we delete it is functioning.Is there a method to choose witch one will be used?
PhongNN inside Remote Access Solutions Monday
views 182 2

The issue with DynamicID

Hi everybodyI am trying to configure Remote Access with DynamicID on R80.10 GWI have a URL from SMS server Team to perform GET method to SMS server like this:http://x.x.x.x:8083/VPNOTP/http/sendmsg?api_id=$APIID&user=vpnotp&password=xxx&to=0901441294&text=TestVPNWhen i paste that link to a browser, i get an OTP code to my phone numberBut when I run curl_cli on GW, the SMS server return to 505 Internal ErrorI tried to capture packet, and I saw all field after "api_id=" was missing when run curl_cliIs it due to a link error or is it because I incorrectly executed the syntax?Thank you so much 
Rodrigo_Silva inside Remote Access Solutions Monday
views 2730 15 11

Checkpoint VPN with Microsoft 2-Factor Authentication

Hello everyoneI would like to share with you how I managed to get VPN users to use Microsoft Azure Multi-Factor Authentication.I saw in some posts that this was possible by using MFA Server, but Microsoft stopped offering MFA Server on July 1, 2019.What I needed to do:1 - Office 365 users with MFA enabled.2 - Dedicated NPS Server.All Radius requests made to this server will have MFA directed to Microsoft.3 - NPS extension for Azure MFAThis extension will direct your MFA requests to Microsoft.You can find the installation and download instructions at the link below. user can define which method will be used in the Microsoft portal.I tested the methods below on VPN Clients, Mobile Access and Capsule Workspace and they all worked perfectly.- Notification through mobile app- Verification code from mobile app- Text message to phoneI hope this post helps youGood luck
Soeren_Rothe inside Remote Access Solutions a week ago
views 1461 4 10

C2S - strongSwan (Roadwarrior) and R80.30 - working

******************************WORKING RELEASES:ReleasestrongSwan VersionFedora 315.7.2/K5.3.11-300.fc31      Mint Tumbleweed5.6.4******************************Before you begin, please make sure you have a working Remote Access environment using one of the Check Point Endpoint Clients (Windows / MacOS). This is a guide to connect a Linux VPN Client based on strongSwan to your Check Point environment, using certificates from the InternalCA.----------------------Attention:- You might adjust the MTU settings manually because this is not done by strongSwan- right=%defaultroute does not work for me, I need to enter my Client IP Address- if possible use Libreswan, it works better and easier to configure----------------------Gateway / SmartCenter The first step is to export the Check Point VPN Gateway Certificate from the SmartCenter. Also create a local User in SmartDashboard and export the User p12 Certificate.R80.30 Jumbo Take 76 - Standalone Firewall VPN Object: home-fwVPN Certificate: defaultCertEncryption Domain: 1)Export the Firewall p12 VPN Certificate (home-fw) from the SmartCenter. To check the Certificate name, open the FW object in SmartDashboard - IPSec VPN - Certificate Nickname  (usually defaultCert) Usage: export_p12 -obj <network object> -cert <certobj> -file <filename> -passwd <password> Mgmt# export_p12 -obj home-fw -cert defaultCert -f home-fw.p12 -passwd 123456 A file named "home-fw.p12" will be generated. Copy this over to the Linux VM.2)In the User object create a p12 certificate and copy the file over to the Linux VM. For example: soeren.p12Make sure that this user is part of the Remote Access community, you can check if the connections works with a Check Point VPN Client using Username / PW for example. openSUSE1) Install and configure strongSwan using yast  # sudo yast 2) Now it is time to convert the P12 to PEM files and place them in the correct folder 1) Convert User Certificate # openssl pkcs12 -in soeren.p12 -out soeren.pem -clcerts -nokeys 2) Extract private Key from User Certificate # openssl pkcs12 -in soeren.p12 -out soeren.key.pem -nocerts -nodes 3) Convert Firewall Certificate # openssl pkcs12 -in home-fw.p12 -out home-fw.pem -clcerts -nokeys 4) copy PEM files to /etc/ipsec.d # sudo cp soeren.pem /etc/ipsec.d/certs # sudo cp home-fw.pem /etc/ipsec.d/certs # sudo cp soeren.key.pem /etc/ipsec.d/private 3) enable and start strongSwan.  # systemctl enable strongswan # systemctl start strongswan # systemctl status strongswan # only status information 4) Edit the main configuration file /etc/ipsec.conf # sudo vi /etc/ipsec.conf  # ipsec.conf - strongSwan IPsec configuration file # basic configuration config setup # strictcrlpolicy=yes # uniqueids = no # charondebug=1 # Add connections here. conn home # Right side is stronSwan - RoadWarrior right= # Client IP Address or try %defaultroute rightcert=soeren.pem # Certificate filename of the user - from /etc/ipsec.d/certs # Left side is Check Point # put here your Gateway IP Address leftsubnet= # put here your company's network range or for any leftcert=home-fw.pem # Certificate filename of the FW - from /etc/ipsec.d/certs leftid= # Check Point responds with the Main IP Address from the FW Object # config type=tunnel keyingtries=3 authby=rsasig ike=aes256-sha1-modp1024 # check if IKE P1 parameters are allowed under Global Prop. - RA esp=aes128-sha1 # check if IKE P2 parameters are allowed ikelifetime=8h # IKE Lifetime 8h for IKE Phase P1 IMPORTANT lifetime=1h # SA Lifetime 1h for IKE Phase P2 IMPORTANT keyexchange=ikev1 # use IKEv1 auto=add ******************************Attention:You need to change "" to the IP Address which is configured as the Main IP Address of the Firewall Object in SmartDashboard. If the IP Address is not correct, the Logfile will show an error like this:received end entity cert "O=home-fw..22erwk, CN=home-fw VPN Certificate"IDir '' does not match to 'O=home-fw..22erwk, CN=home-fw VPN Certificate'deleting IKE_SA home[1] between[O=home-fw..22erwk, OU=users, CN=soeren][%any]sending DELETE for IKE_SA home[1]generating INFORMATIONAL_V1 request 2100344439 [ HASH D ]sending packet: from[4500] to[4500] (92 bytes)establishing connection 'home' failedThe meaning of the error: leftid must be "" in this example******************************5) Edit /etc/ipsec.secrets and add the private Key from your User # sudo vi /etc/ipsec.secrets  # # ipsec.secrets # # This file holds the RSA private keys or the PSK preshared secrets for # the IKE/IPsec authentication. See the ipsec.secrets(5) manual page. # : RSA /etc/ipsec.d/private/soeren.key.pem 6) restart strongSwan # sudo ipsec restart 7) Initiate the connection # sudo ipsec up home 8 ) For troubleshooting, always run this after modifying /etc/ipsec.conf # sudo ipsec restart # sudo ipsec up home 9) Troubleshooting command # sudo ipsec statusall 10) Logfile from working setup soeren@linux-4suj:~> sudo ipsec up home initiating Main Mode IKE_SA home[2] to generating ID_PROT request 0 [ SA V V V V V ] sending packet: from[500] to[500] (240 bytes) received packet: from[500] to[500] (124 bytes) parsed ID_PROT response 0 [ SA V V ] received FRAGMENTATION vendor ID received NAT-T (RFC 3947) vendor ID generating ID_PROT request 0 [ KE No NAT-D NAT-D ] sending packet: from[500] to[500] (244 bytes) received packet: from[500] to[500] (432 bytes) parsed ID_PROT response 0 [ KE No CERTREQ CERTREQ CERTREQ NAT-D NAT-D NAT-D ] received cert request for unknown ca 'O=home-fw..22erwk' ignoring certificate request without data local host is behind NAT, sending keep alives remote host is behind NAT authentication of 'O=home-fw..22erwk, OU=users, CN=soeren' (myself) successful sending end entity cert "O=home-fw..22erwk, OU=users, CN=soeren" generating ID_PROT request 0 [ ID CERT SIG N(INITIAL_CONTACT) ] sending packet: from[4500] to[4500] (988 bytes) received packet: from[4500] to[4500] (940 bytes) parsed ID_PROT response 0 [ ID CERT SIG V ] received DPD vendor ID received end entity cert "O=home-fw..22erwk, CN=home-fw VPN Certificate" no issuer certificate found for "O=home-fw..22erwk, CN=home-fw VPN Certificate" issuer is "O=home-fw..22erwk" using trusted certificate "O=home-fw..22erwk, CN=home-fw VPN Certificate" authentication of '' with RSA_EMSA_PKCS1_NULL successful IKE_SA home[2] established between[O=home-fw..22erwk, OU=users, CN=soeren][] scheduling reauthentication in 28150s maximum IKE_SA lifetime 28690s generating QUICK_MODE request 2852597160 [ HASH SA No ID ID ] sending packet: from[4500] to[4500] (204 bytes) received packet: from[4500] to[4500] (172 bytes) parsed QUICK_MODE response 2852597160 [ HASH SA No ID ID ] CHILD_SA home{2} established with SPIs c9f7a279_i dc7aff75_o and TS === generating QUICK_MODE request 2852597160 [ HASH ] sending packet: from[4500] to[4500] (60 bytes) connection 'home' established successfully *Note openSUSE*- perform a reboot if there is no output by running the "ipsec" commands.- after a reboot run "# sudo ipsec restart", otherwise an error show up like described belowFor example: soeren@linux-guki:~> sudo ipsec up home initiating Main Mode IKE_SA home[1] to no private key found for '' configuration uses unsupported authentication tried to checkin and delete nonexisting IKE_SA establishing connection 'home' failed soeren@linux-guki:~> sudo ipsec restart Stopping strongSwan IPsec... Starting strongSwan 5.6.0 IPsec [starter]... soeren@linux-guki:~> sudo ipsec up home initiating Main Mode IKE_SA home[1] to generating ID_PROT request 0 [ SA V V V V V ] sending packet: from[500] to[500] (240 bytes) received packet: from[500] to[500] (124 bytes) then it works...    MTU SIZEFind out the Interface Name and actual MTU size soeren@linux-4suj:/etc> ip link show | grep mtu 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000 Establish the VPN connection and find out the max MTU size soeren@linux-4suj:/etc> ping -c 3 -M do -s 1500 PING ( 1500(1528) bytes of data. ping: local error: message too long, mtu=1422 ping: local error: message too long, mtu=1422 ping: local error: message too long, mtu=1422 In this example the max MTU size is: 1394 (+28 = 1422) soeren@linux-4suj:/etc> sudo ip link set ens33 mtu 1394 Re-establish the VPN connection. # sudo ipsec restart # sudo ipesc up home 
peter_schumache inside Remote Access Solutions 2 weeks ago
views 192 2

Secure user access to out of band firewall

We have a 1550 firewall in front of some out of band switches. We want a secure access to these OOB equipment in case of a disater. Mobile access blade is NOT supported by the 1550 models, just the IPSec VPN.What szenarios would be possible here? I'm considering the following:Site-to-Site VPN to the azure cloud, which holds a jump host accessible from the InternetAccess rule for ssh and/or https with user authentication (2 factor)Some Windows 10 client which requires no mobile access license 
PhongNN inside Remote Access Solutions 2 weeks ago
views 187 3

How many tunnel for one user ?

Hi everybodyI have an issue like this:My VPN pool is i try to use Endpoint VPN to connect, the message is appear:"Connection Failed: You cannot receive an Office Mode IP address at this time. Try to connect again. If the problem persists, contact your administrator." I checked on Smartview Monitor, the concurrent users are 168, but the Log in Smartview Tracker is IP Pool fullCould anyone explain it to me ?Thank you so muchRegards
rajesh_s inside Remote Access Solutions 2 weeks ago
views 11469 9

Remote access vpn connecting issue

I configure remote access vpn on R77.30, When i try to connect to remote access vpn, ending up with error Site not responding, Any idea what could  be the issue?.
Jeff_Gao inside Remote Access Solutions 2 weeks ago
views 191 3

Connect Failed:Site is not responding

DearAs follow,I try to connect  vpn in computer,but failed. prompt "Connect Failed:Site is not responding"I try to renew certitication,but still no work,i try to with serveal computers,same the result.But it is working by mobile phone with capsule,pls help,thanks! 
Jeroen_Deckers inside Remote Access Solutions 2 weeks ago
views 165 2

Office mode ip after renegotiation when remote session expired

Hello,I have some remote users that are having issues with some applications after the renegotiation when the remote session is expired. They receive another office mode ip and this causes some issues with certain applications.Is there a setting/solution where they can keep the same office mode ip?
Tom_Hamburg inside Remote Access Solutions 2 weeks ago
views 168

Version update - authentification preferences

Hi community, we are planning to update Checkpoint Client Mobile from version 98.61.303 to 98.61.1404. This is done via central software management and will be sent out as a package via Matrix42. In our company we use hardware token as well as SMS token. So not to screw with the settings we will have to check each clients’ configuration and apply this to the update file we send out to the client. Site configuration is already done. Unfortunately we are not able to identify where the settings for the preferred authentication method are saved. We have the trac.config in mind. But having run a file watcher over the file and changing from SMS token to hardware token didn’t cause a change in the file. Can you please give us a hint on which value it is and where it is located? Many thanks in advance and best regards, Tom
TW inside Remote Access Solutions 2 weeks ago
views 154 3

Checkpoint 5200 VPN - connect to subnetwork of the network

5200 is the FW of network Anetwork B connects with network A and browses internet via network AWorkstations at local network A add a route to assess network BNow a remote workstation uses secure remote to connect with network ANo problem at all but how can the remote workstation connect with network Bsimply add a route at the remote workstation is not workedroute to network B has been added at FW5200