Perry_McGrew
Contributor

R81.10 L2TP config

Need to vent a bit... 😉  We've grown pretty frustrated with CP's VPN clients.   The issues surrounding needing Local Admin to install or upgrade the SNX/SSL client or the Standalone Endpoint VPN client on corporate PCs that live OUTSIDE our internal LAN / Domain are really a PITA to manage.  We turned to using the Check Point Capsule VPN from the MS Store as it does not need Local Admin privileges to install and is pretty easy for our very non-technical healthcare providers to configure with just a phone call.   

We have run into issues with the Capsule Client -- it won't register in our DNS and Split Tunneling does not seem to work.   We want Internet traffic to go out the user's local Internet.   So I contacted TAC over all the VPN Client issues.   

I've read the SK about using MSIEXEC to install SNX/SSL.   This requires that we do this for every remote PC we have -- which is really not plausible.   And when we upgrade to R81.20, we can be sure that the SNX version will change.  Yes, I know how to modify the slim_ver and snx_ver files to suppress the upgrade.   However, I was just informed by TAC that SNX/SSL does NOT support Win 11 yet -- with no date yet for official support.   Well, that explained the install error "30" I was getting on my Win 11 laptop (I have Local Admin rights).  I asked if there was an SK on it and was pointed to the generic SK and told that if the OS is not specifically listed, it is not supported.  

The Endpoint Standalone VPN client.  Same general issues as SNX/SSL in that we'd have to reach out individually to install or update on the remote PCs.  It has a way to create a package with all the necessary settings for the user.  I have the manual but haven't quite gotten it figured out.   Even our old CP SE couldn't figure it out!   I miss the old method of using ORCA to modify the MSI's variables!  Plus it was inferred that this client may not officially support Win11. 

Back to the Capsule Client in the MS Store - which works on Win 11.   Yes, I gather it is a shell wrapped around native Windows IPsec connectivity support.  Regarding the issues mentioned above, we talked to Microsoft support; they say it's Check Point's responsibility.  Check Point TAC says talk to Microsoft.  I hate to side with Microsoft, but it is branded as a Check Point product - so Check Point TAC should be able to support it.  Would love to figure out a way to incorporate it into our corporate PC image.  

So we thought about trying L2TP, so I brought up sk63324.  The screenshots look nothing like what we see in R81.10.  I searched through all the VPN settings on our GW and the RemoteAccess Community.   I can't find anywhere where the L2TP PSK would be entered.  We do have RADIUS and DUO configured for 2FA for any VPN connection.  We use OfficeMode IPs.  So I am not sure if that suppresses some of the setting options shown in the SK.  It seems that the SK should at least be updated.

So I am looking for hints on the L2TP setup in hopes it fixes some of the above issues regarding split tunnel and client DNS registration.

Thanks for "listening"!

Perry

1 Solution

Accepted Solutions
Chris_Atkinson
Employee

Lots to unpack here, but I'll address some key points in the interest of timeliness. 

Also depending on your user experience objectives Harmony Connect Remote Access options (Application Access or VPNaaS) might be worth evaluating.

 

Windows 11

Win11 is supported from E85.40 (Endpoint Security VPN) and above, refer: sk115192 / sk175451

Split tunnel support was enhanced in E86.20 and above per sk167000 / sk176853

 

L2TP 

Note this isn't located in the Gateway properties - navigate as follows:

Menu > Global Properties > Remote Access > VPN - Authentication

[Screenshot: L2TP.png]

(Please be aware L2TP isn't generally recommended for security reasons).

CCSM R77/R80/ELITE


4 Replies
Perry_McGrew
Contributor

Chris,

Thanks for the answer ... and reading through my rant!  I found L2TP was set per the screenshot.   I knew we had tried it a long time ago.  I agree it is not deemed secure and I am not pushing to implement.   It was a request from my boss (CIO) due to the frustration(s) over CP's VPN client(s) issues.   He has now requested me to look into other vendors' client VPN solutions.   I have reached out to our CP SE and our VAR to see if there is a reasonable solution.   I had a look at and a demo of Harmony early on and it did not seem to address what we were looking for / needed, and the licensing model / cost was prohibitive for us.

0 Kudos
Bob_Zimmerman
Authority

What's the security argument against L2TP-over-IPSec?

0 Kudos
Chris_Atkinson
Employee

Yes, not to be confused with barebones L2TP of course; it's generalized and not specific to Check Point.

The SK itself cites historic client-side vulnerabilities with Android.

Many implementations are also talked about as having hard-coded or mass-distributed PSKs and/or fallback to weak alternatives in failure scenarios.

CCSM R77/R80/ELITE
0 Kudos
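The two weaknesses Chris lists (one shared PSK on every client, and protocol fallback) are visible settings on a native Windows VPN profile, which is also the layer the Capsule client wraps. The following is an added example, not code from the thread or from Check Point, that audits such profiles from the client side and reports the split-tunnel state Perry was after. It assumes the VpnClient module's Get-VpnConnection output shape (Name, TunnelType, L2tpIPsecAuth, EncryptionLevel, SplitTunneling), applies only to native rasphone-style profiles (a Store VPN plugin profile may not expose the same fields), and the three sample profiles are constructed so it runs on a machine with no VPN configured.

```powershell
# Added example (not from the thread): audit Windows VPN client profiles for the
# L2TP/IPsec weaknesses mentioned above (shared PSK, protocol fallback) and report
# the split-tunnel state. Property names follow Get-VpnConnection output; the
# sample profiles at the bottom are constructed for offline use.

function Test-VpnProfileHygiene {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-VpnConnection output.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject[]]$Profile
    )
    process {
        foreach ($p in $Profile) {
            $findings = [System.Collections.Generic.List[string]]::new()

            # 'Automatic' lets the client walk down the tunnel-type list after a
            # failed attempt, which is exactly the "fallback to weak alternatives"
            # pattern: a transient IKEv2/L2TP failure can land on PPTP.
            if ($p.TunnelType -eq 'Automatic') {
                $findings.Add('TunnelType Automatic allows fallback to weaker tunnel types')
            }

            # L2TP/IPsec with a PSK means one secret on every laptop; certificate
            # authentication is per-device and can be revoked individually.
            if ($p.TunnelType -eq 'L2tp' -and $p.L2tpIPsecAuth -eq 'Psk') {
                $findings.Add('L2TP/IPsec tunnel authenticated with a shared PSK')
            }

            # PPTP should not be in use at all.
            if ($p.TunnelType -eq 'Pptp') {
                $findings.Add('PPTP tunnel (obsolete)')
            }

            # Below 'Required' the PPP layer may negotiate no MPPE encryption;
            # for PPTP, or an Automatic fallback to it, MPPE is the only encryption.
            if ($p.EncryptionLevel -notin @('Required', 'Maximum')) {
                $findings.Add("EncryptionLevel '$($p.EncryptionLevel)' permits a weaker or unencrypted PPP link")
            }

            [pscustomobject]@{
                Name           = $p.Name
                TunnelType     = $p.TunnelType
                SplitTunneling = [bool]$p.SplitTunneling   # $true = Internet via local link
                Weak           = $findings.Count -gt 0
                Findings       = ($findings -join '; ')
            }
        }
    }
}

# Constructed sample profiles (hypothetical names, not real connections).
$sampleProfiles = @(
    [pscustomobject]@{ Name='Corp-L2TP-PSK'; TunnelType='L2tp';      L2tpIPsecAuth='Psk';         EncryptionLevel='Required'; SplitTunneling=$false }
    [pscustomobject]@{ Name='Corp-Auto';     TunnelType='Automatic'; L2tpIPsecAuth='Certificate'; EncryptionLevel='Optional'; SplitTunneling=$true  }
    [pscustomobject]@{ Name='Corp-IKEv2';    TunnelType='Ikev2';     L2tpIPsecAuth=$null;         EncryptionLevel='Maximum';  SplitTunneling=$true  }
)

$sampleProfiles | Test-VpnProfileHygiene | Format-Table -AutoSize

# On a real endpoint, audit the machine-wide and the current user's profiles:
#   Get-VpnConnection -AllUserConnection | Test-VpnProfileHygiene
#   Get-VpnConnection                    | Test-VpnProfileHygiene
# Split tunnelling (Internet traffic out the user's local link) is a per-profile
# flag on native profiles:
#   Set-VpnConnection -Name 'Corp-IKEv2' -SplitTunneling $true
```

Run against the constructed data, the first two profiles come back with Weak = True (shared PSK, and Automatic plus Optional encryption respectively) and only the IKEv2 profile is clean; the SplitTunneling column shows which profiles would already send Internet traffic out the local link. Pushing the corrected flags to every remote PC still needs a management channel, which is the distribution problem the thread is really about, but the check itself needs no elevated rights to read per-user profiles.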
