Re: 2FA and L2TP/IPSEC under Linux

ronzo · ‎2020-08-17

Is there any way to connect to an enterprise VPN using L2TP over IPSEC in combination with 2 factor authentication under a recent Linux Desktop Distribution like Ubuntu?

Ubuntu provides the package network-manager-l2tp-gnome that could work but I still do not manage to etablish a connection because there seems to be no 2FA handling.

Anyone has such a setup working?

_Val_ · ‎2020-08-17

We support use of strongSwan (Roadwarrier) and Libreswan 3.23, but not sure about 2FA

ronzo · ‎2020-08-17

Thanks for your quick reply. I do consider myself as capable of configuring Libreswan but I do need to know if there is a chance for the 2FA (SMS token) part.

PhoneBoy · ‎2020-08-17

You would need to be able to enter the password in one go (fixed password plus your MFA code) if it were to work at all.
There is no handling for multi-stage authentication that I'm aware of.
I would approach your local Check Point office with your precise requirements.

ronzo · ‎2020-08-17

What a pity. What we are using is multi-stage authentication as the token comes with a cell phone text message after having entered a password.

Are there any future plans for providing a CheckPoint Linux solution to cover this scenario? At least for Ubuntu and Fedora?

PhoneBoy · ‎2020-08-17

There are no plans to develop a native Linux VPN client.
Formal support for StrongSWAN is planned for R81 and I can’t say if it will include MFA support.
Recommend getting involved in the Production EA.

Existing formal support is limited to a customer release on R80.30.
The links Val provides above are community-developed instructions.

Soeren_Rothe · ‎2020-11-26

Using the Plugin L2TP with NetworkManager works also with 2FA. Make sure you use the latest Plugin version.

Configuration see here: https://community.checkpoint.com/t5/Remote-Access-VPN/L2TP-over-IPSec-Linux-VPN/m-p/48860#M1494

I just verified it, I have a FreeIPA Server connected to the Check Point using LDAPS. On the FreeIPA all users have a password and OTP (it is included in FreeIPA). It also works if you have RSA Token or any Radius Connection combined with Active Directory etc.

But it won't work with SMS, or if you get the SMS before you initiate the connection which is very unlikely.

ronzo · ‎2020-11-26

Unfortunately, we are using text messages (SMS) as the second factor. So this won't work for me.

We also try to use certificate based VPN connections with device certificates. The problem here is that our Checkpoint VPN teams knowledge is very limited when it comes to details.

There are many questions left such as:

General questions:

Do we use certificates for both? The VPN (ipsec) connection itself and L2TP?
Would the most recent Fedora release be sufficient to establish a VPN connection or does one of the components (Network Manager L2TP plugin, Strongswan, ???) lack something?
In order to debug would it not be better to use StrongSwan cli instead of l2tp-network-manager-gnome?
I read something about the VPN gateway certificate. That I need it whenever I do not use the official Checkpoint client. True?

L2TP Questions:

What is the Remote ID?
What the hell do i put in the phase 1 and phase 2 algorithm field?
Which lifetimes should I set?
Which checkboxes should be set?
Which L2TP-PPP options should be set?

Can I extract answers to these questions from the Windows or Android Checkpoint client? What do I need from our Checkpoint VPN team?

Soeren_Rothe · ‎2020-11-26

With L2TP over IPSec I don't use any Certificates at all.

General questions:

Do we use certificates for both? The VPN (ipsec) connection itself and L2TP?
- No Certificates at all.
Would the most recent Fedora release be sufficient to establish a VPN connection or does one of the components (Network Manager L2TP plugin, Strongswan, ???) lack something?
- Can you tell me the Network Manager L2TP Plugin Version? Should be greater than 1.7.2
- StrongSwan works too, but the documentation I wrote in Checkmates uses Libreswan and L2TP. Try Libreswan.
In order to debug would it not be better to use StrongSwan cli instead of l2tp-network-manager-gnome?
- Of course, but you can also check the logs. L2TP and IPSec is very complicated to run on cli. I don't recommend it, see here: https://community.checkpoint.com/t5/Remote-Access-VPN/C2S-L2TP-over-IPSEC-Linux-VPN-with-R80-30-work...
I read something about the VPN gateway certificate. That I need it whenever I do not use the official Checkpoint client. True?
- For L2TP over IPSec you don't need it.

L2TP Questions:

What is the Remote ID?
- This is the Main IP of the Gateway, this works for me
What the hell do i put in the phase 1 and phase 2 algorithm field?
- Make sure this is enabled on the GW. This is an example for Libreswan
  - Phase1: AES256-SHA256 and DH14
    - aes256-sha256-modp2048
  - Phase2: AES128-SHA256 (no PFS)
    - aes128-sha256
Which lifetimes should I set?
- Phase1: 8h (depends on the settings of the GW, see Global Properties - Remote Access - Endpoint Connect - Re-Authentication every: 720m)
- Phase2: 1h
Which checkboxes should be set?
- Disable PFS must be checked
Which L2TP-PPP options should be set?
- enable PAP,
- disable CHAP,MSCHAP, MSCHAPv2, EAP
- leave the rest

For the Check Point configuration you can check here:
https://community.checkpoint.com/t5/Remote-Access-VPN/C2S-L2TP-over-IPSEC-Linux-VPN-with-R80-30-work...

For L2TP Configuration with Network Manager, see here:

https://community.checkpoint.com/t5/Remote-Access-VPN/L2TP-over-IPSec-Linux-VPN/m-p/48860#M1494