This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ronzo
Explorer
‎2020-08-17 04:50 AM

2FA and L2TP/IPSEC under Linux

Is there any way to connect to an enterprise VPN using L2TP over IPSEC in combination with 2 factor authentication under a recent Linux Desktop Distribution like Ubuntu?

Ubuntu provides the package network-manager-l2tp-gnome that could work but I still do not manage to etablish a connection because there seems to be no 2FA handling.

Anyone has such a setup working?

0 Kudos
8 Replies
_Val_
Admin
Admin
‎2020-08-17 05:44 AM

We support use of strongSwan (Roadwarrier) and Libreswan 3.23, but not sure about 2FA

0 Kudos
ronzo
Explorer
‎2020-08-17 05:52 AM
In response to _Val_

Thanks for your quick reply. I do consider myself as capable of configuring Libreswan but I do need to know if there is a chance for the 2FA (SMS token) part.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-08-17 08:33 AM
In response to ronzo

You would need to be able to enter the password in one go (fixed password plus your MFA code) if it were to work at all.
There is no handling for multi-stage authentication that I'm aware of.
I would approach your local Check Point office with your precise requirements.

0 Kudos
ronzo
Explorer
‎2020-08-17 08:43 AM
In response to PhoneBoy

What a pity. What we are using is multi-stage authentication as the token comes with a cell phone text message after having entered a password.

Are there any future plans for providing a CheckPoint Linux solution to cover this scenario? At least for Ubuntu and Fedora?

0 Kudos
PhoneBoy
Admin
Admin
‎2020-08-17 11:29 AM
In response to ronzo

There are no plans to develop a native Linux VPN client.
Formal support for StrongSWAN is planned for R81 and I can’t say if it will include MFA support.
Recommend getting involved in the Production EA.

Existing formal support is limited to a customer release on R80.30.
The links Val provides above are community-developed instructions. 

0 Kudos
Soeren_Rothe
Collaborator
‎2020-11-26 05:21 AM

Using the Plugin L2TP with NetworkManager works also with 2FA. Make sure you use the latest Plugin version.

Configuration see here: https://community.checkpoint.com/t5/Remote-Access-VPN/L2TP-over-IPSec-Linux-VPN/m-p/48860#M1494

I just verified it, I have a FreeIPA Server connected to the Check Point using LDAPS. On the FreeIPA all users have a password and OTP (it is included in FreeIPA). It also works if you have RSA Token or any Radius Connection combined with Active Directory etc.

But it won't work with SMS, or if you get the SMS before you initiate the connection which is very unlikely.

0 Kudos
ronzo
Explorer
‎2020-11-26 05:53 AM
In response to Soeren_Rothe

Unfortunately, we are using text messages (SMS) as the second factor. So this won't work for me.

We also try to use certificate based VPN connections with device certificates. The problem here is that our Checkpoint VPN teams knowledge is very limited when it comes to details.

There are many questions left such as:

General questions:

  • Do we use certificates for both? The VPN (ipsec) connection itself and L2TP?
  • Would the most recent Fedora release be sufficient to establish a VPN connection or does one of the components (Network Manager L2TP plugin, Strongswan, ???) lack something?
  • In order to debug would it not be better to use StrongSwan cli instead of l2tp-network-manager-gnome?
  • I read something about the VPN gateway certificate. That I need it whenever I do not use the official Checkpoint client. True?

L2TP Questions:

  • What is the Remote ID?
  • What the hell do i put in the phase 1 and phase 2 algorithm field?
  • Which lifetimes should I set?
  • Which checkboxes should be set?
  • Which L2TP-PPP options should be set?

Can I extract answers to these questions from the Windows or Android Checkpoint client? What do I need from our Checkpoint VPN team?

Preview file
57 KB
Preview file
68 KB
Preview file
106 KB
0 Kudos
Soeren_Rothe
Collaborator
‎2020-11-26 06:19 AM
In response to ronzo

With L2TP over IPSec I don't use any Certificates at all. 

General questions:

  • Do we use certificates for both? The VPN (ipsec) connection itself and L2TP?
    • No Certificates at all.
  • Would the most recent Fedora release be sufficient to establish a VPN connection or does one of the components (Network Manager L2TP plugin, Strongswan, ???) lack something?
    • Can you tell me the Network Manager L2TP Plugin Version? Should be greater than 1.7.2
    • StrongSwan works too, but the documentation I wrote in Checkmates uses Libreswan and L2TP. Try Libreswan.
  • In order to debug would it not be better to use StrongSwan cli instead of l2tp-network-manager-gnome?
  • I read something about the VPN gateway certificate. That I need it whenever I do not use the official Checkpoint client. True?
    • For L2TP over IPSec you don't need it.

L2TP Questions:

  • What is the Remote ID?
    • This is the Main IP of the Gateway, this works for me
  • What the hell do i put in the phase 1 and phase 2 algorithm field?
    • Make sure this is enabled on the GW. This is an example for Libreswan
      • Phase1: AES256-SHA256 and DH14
        • aes256-sha256-modp2048
      • Phase2: AES128-SHA256 (no PFS)
        • aes128-sha256
  • Which lifetimes should I set?
    • Phase1: 8h (depends on the settings of the GW, see Global Properties - Remote Access - Endpoint Connect - Re-Authentication every: 720m)
    • Phase2: 1h
  • Which checkboxes should be set?
    • Disable PFS must be checked
  • Which L2TP-PPP options should be set?
    • enable PAP,
    • disable CHAP,MSCHAP, MSCHAPv2, EAP
    • leave the rest 

For the Check Point configuration you can check here:
https://community.checkpoint.com/t5/Remote-Access-VPN/C2S-L2TP-over-IPSEC-Linux-VPN-with-R80-30-work...

For L2TP Configuration with Network Manager, see here:

https://community.checkpoint.com/t5/Remote-Access-VPN/L2TP-over-IPSec-Linux-VPN/m-p/48860#M1494 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events