Hello G_W_Albrecht

All our users were using certificate authentication, and since we are implementing additional MFA, we configured the gateway to do a push after certificate authentication. if we revoke all certificates we just cut the vpn access of all the remote users. 

What we are looking for is a way to prevent non checkpoint clients to connect to the security gateway.

What are the best practices authenticating users for remote access ? I always thought that certificate auth was the best.

Will the usage of CAPI prevent such 3rd party vpn clients to authenticate ?

Hi,

sorry, maybe i did mix up something - with our CheckPoint deployment, each user gets his own certificate, so what i mentioned above was based on that configuration. Here https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C... you find what has to be enabled on CP GW to enable StrongSwan access, so you can disable access by disabling these - e.g. if StrongSwan connects using aes256-sha1-modp1024 you can disable it on GW.

I would suggest to open SR# with CP TAC to get suggestios how to achieve this in a simple way !

Hi, 

Thanks for your answer. We'll try it and update the case. 

Chris

Hi the_Rock,

Thank you for your feedback. 
We already worked with tac and they said that it's working as designed.
We'll may stop working with certificats if we do not find a way to prevent strongswan clients to bypass mfa :-(.

Chris

I cant say for sure if its expected or not, but I have a gut feeling there must be some way to make this work. We can connect offline if you are allowed to do remote and check it out.

Andy

Hi, 

Thank you. We'll test this configuration and update this post as soon as we have the results.