This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jan9358
Participant
‎2023-07-07 02:56 AM
Jump to solution

How to use IKE over TCP?

Hello everyone,

a few days ago, we changed our remote access authentication method from username/password to certificate+username/password.
For 95% of our users, everything is working fine. But some other users can't connect to the VPN anymore. The Endpoint Connect client asks the user for his certificate, and then runs in a timeout.

We were already able to find the problem: After asking for the certificate, the Endpoint Client sends a 7000 Byte IKE packet over UDP/4500 to the gateway. According to the MTU of 1500, the packet is fragmented into 5 pieces. 
In the packet captures, you can see that this packet never arrives at the VPN Gateway, because it gets lost on its way. 

The exact same issue is addressed in the R81 Remote Access VPN Administration Guide: 
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_RemoteAccessVPN_AdminGuide/Topics-...

The guide says, the solution in this case is IKE over TCP, so there are no fragmented UDP packets, but a regular TCP session instead.

My question here is: How can we use this feature? 

Until now, I couldn't find any article describing how to activate IKE over TCP. I just found some commands for 1500 embedded appliances, but not for regular Gaia R81.10. 


VPN Gateway is VSX R81.10 JHF T66.
Endpoint Connect Client is E87.20 on Windows 10.


Thank you in advance!

0 Kudos
1 Solution

Accepted Solutions
jan9358
Participant
‎2023-07-10 06:24 AM
Jump to solution

Thanks for your replys everyone!

The solution to our problem was somewhere in the middle:

Indeed, the checkbox for "Gateway supports IKE over TCP" in the Global Properties seems to be vanished in R81.10 and R81.20. The Visitor Mode was the solution here, but in a different kind than we expected. 

Enabling the Visitor Mode seems to change the complete authentication process when establishing the VPN connection. Before enabling the Visitor Mode, the authentication was completely done via UDP, and therefore resulted in multiple fragmented packets because of the ceritificate authentication.
After enabling Visitor Mode, the authentication/Main Mode is done via TCP/443, but the Quick Mode is then done via UDP again.

This was basically the same thing I was trying to accomplish by enabling IKE over TCP.

View solution in original post

6 Replies
Timothy_Hall
Champion Champion
Champion
‎2023-07-07 06:46 AM
Jump to solution

IKE over TCP 500 was originally introduced to permit VPN connectivity through crappy low-end router/firewall devices that did not properly track the state of UDP "connections" and would not allow IKE replies on UDP 500 back through them.  Pretty much all of these devices out there these days can track state for UDP sessions now.

If you'd like to use it, first you'll need to turn on support for it under Global Properties...Remote Access...VPN Authentication...Gateways Support IKE over TCP and reinstall policy; you may need to refresh the site for the VPN client as well.  However I believe if a Check Point VPN client senses that IKE UDP 500 connectivity is not working correctly, it will try the slightly newer Visitor Mode first which essentially tunnels IKE via TCP 443 which should always be allowed. 

You'll need to ensure that Support Visitor Mode is checked on the gateway object under VPN Clients...Remote Access; once again you may need to refresh the VPN site after installing policy to ensure the VPN client knows that this alternative connectivity mode is available.  Visitor Mode is probably the better solution here vs. IKE over TCP 500, as port 443 should always be allowed; can't recall exactly which alternative method the VPN client will prefer or if the VPN client can be influenced to use one or the other.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Tobias_Moritz
Advisor
‎2023-07-07 07:00 AM
Jump to solution

Have you checked, if the option is enabled in Global Properties?

SmartConsole -> Global Properties -> Remote Access -> VPN - Authentication -> IKE over TCP -> Gateways support IKE over TCP?

Back in the days when we used Check Point Remote Access, our solution for users behind some ISP or router who struggles with the udp/4500 datagrams but not blocking them totally (e.g tunnel gets interrupted after some minutes) was to force the VPN client to use visitor mode (which just uses tcp/443).

Because there was no option in client for that (not sure if this changed in recent versions), we ended up offering a small self-service tool which enables or disables a local client firewall rule which blocks udp/4500 to gateway. Quite a bad hack, but it was a rock solid solution for the affected users.

the_rock
Legend
Legend
‎2023-07-07 07:43 AM
In response to Tobias_Moritz
Jump to solution

I cant seem to find that option in global properties even in R81.20...

jan9358
Participant
‎2023-07-10 06:24 AM
Jump to solution

Thanks for your replys everyone!

The solution to our problem was somewhere in the middle:

Indeed, the checkbox for "Gateway supports IKE over TCP" in the Global Properties seems to be vanished in R81.10 and R81.20. The Visitor Mode was the solution here, but in a different kind than we expected. 

Enabling the Visitor Mode seems to change the complete authentication process when establishing the VPN connection. Before enabling the Visitor Mode, the authentication was completely done via UDP, and therefore resulted in multiple fragmented packets because of the ceritificate authentication.
After enabling Visitor Mode, the authentication/Main Mode is done via TCP/443, but the Quick Mode is then done via UDP again.

This was basically the same thing I was trying to accomplish by enabling IKE over TCP.

the_rock
Legend
Legend
‎2023-07-10 08:04 AM
In response to jan9358
Jump to solution

So all is good now?

Andy

0 Kudos
jan9358
Participant
‎2023-07-11 11:08 PM
In response to the_rock
Jump to solution

Yes, it seems so, at least there are no more complaints from our users. Most of the affected users already confirmed that they are now able to connect again.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events