Kris_Jurka
Explorer

730 Remote Access VPN: Show/Configure Encryption

Is there a way to determine the settings used (or ideally configure them) for the remote access VPN in a 730 appliance?  That is, to see the encryption/authentication/dhgroup/pfs/.. settings at either the client end in endpoint security or on the server?

Right now it seems like it's completely a black box and I've gotten some questions about whether we are meeting certain standards and haven't found any way to answer.

5 Replies
PhoneBoy
Admin

There are a couple of settings you can change in the advanced settings:

When you create a Site-to-Site VPN you can see some other settings.

Which, even if you can't configure, should give you an idea of what's supported.

What exact settings are you interested in?

Kris_Jurka
Explorer

Well I want to know and potentially configure how clients are connecting.  Supposing I had a requirement not to use 3DES for encryption or MD5 for authentication for IPSEC remote access clients.  I don't see any way to verify that or configure that.  The options you've shown have some limited control over SSL, but I don't see any for IPSEC beyond IKEv1/v2.

PhoneBoy
Admin

Generally we'll offer all of the above and the client will connect with the strongest supported option between the two.

I believe you can use vpn tu on the CLI to see how clients are connected currently.

Will have to check and see if there's a way to configure what's offered.

Kris_Jurka
Explorer

"vpn tu" does not appear to show any of that information:

> vpn tu

**********     Select Option     **********

(1)             List all IKE SAs
(2)             List all IPsec SAs
(3)             List all IKE SAs for a given peer (GW) or user (Client)
(4)             List all IPsec SAs for a given peer (GW) or user (Client)
(5)             Delete all IPsec SAs for a given peer (GW)
(6)             Delete all IPsec SAs for a given User (Client)
(7)             Delete all IPsec+IKE SAs for a given peer (GW)
(8)             Delete all IPsec+IKE SAs for a given User (Client)
(9)             Delete all IPsec SAs for ALL peers and users
(0)             Delete all IPsec+IKE SAs for ALL peers and users

(Q)             Quit

*******************************************

1

Peer  172.16.10.132, user md5 4d1ec04c938f7451:

        1. IKE SA <f433b35763e193c9,ad88db390b67a16a>:

2

Peer  172.16.10.132, user md5 4d1ec04c938f7451:

        1. SPI's related to IKE SA <f433b35763e193c9,ad88db390b67a16a>:
        INBOUND:
                1. 0xd70c4ede
        OUTBOUND:
                1. 0x70b7338c

Trying "vpn shell" appears not to work:

> vpn shell tunnels/show/IPSec/all
 arrange_objects: Not supported

I also tried looking in the log files for both the appliance and the Endpoint Security product, but was unable to find anything informative in there either.  Is there a particular log file that would log what settings were used to establish the connection?
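As an added illustration (not code from this thread or from Check Point), the following script parses the `vpn tu` option 1 and 2 listings quoted above into a per-peer inventory of IKE SA cookie pairs and IPsec SPIs. It makes the limitation concrete: the output identifies active SAs per peer and user, but carries no field for the negotiated encryption, integrity or DH group, so nothing here can confirm whether 3DES or MD5 are in use. The sample text is constructed from the output shown above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the "vpn tu" option 1 and 2 output quoted above,
# trimmed to the SA listings. Not captured from a live appliance.
SAMPLE = """\
Peer  172.16.10.132, user md5 4d1ec04c938f7451:

        1. IKE SA <f433b35763e193c9,ad88db390b67a16a>:

Peer  172.16.10.132, user md5 4d1ec04c938f7451:

        1. SPI's related to IKE SA <f433b35763e193c9,ad88db390b67a16a>:
        INBOUND:
                1. 0xd70c4ede
        OUTBOUND:
                1. 0x70b7338c
"""

PEER_RE = re.compile(r"^Peer\s+(\S+),\s+user\s+(.+?):\s*$")
IKE_RE = re.compile(r"IKE SA <([0-9a-f]+),([0-9a-f]+)>")
SPI_RE = re.compile(r"^\s*\d+\.\s+(0x[0-9a-f]+)\s*$")


@dataclass
class PeerSAs:
    user: str
    ike_sas: set = field(default_factory=set)    # (initiator cookie, responder cookie)
    inbound: list = field(default_factory=list)  # inbound IPsec SPIs
    outbound: list = field(default_factory=list) # outbound IPsec SPIs


def parse_vpn_tu(text):
    """Parse 'vpn tu' SA listings into {peer_ip: PeerSAs}.

    Only SA identifiers are present in this output; the parser therefore
    records cookies and SPIs and nothing about negotiated algorithms.
    """
    peers = {}
    current = None
    direction = None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            # A "Peer" header starts (or resumes) a peer block.
            current = peers.setdefault(m.group(1), PeerSAs(user=m.group(2)))
            direction = None
            continue
        if current is None:
            continue
        m = IKE_RE.search(line)
        if m:
            # Both the option 1 line and the option 2 "SPI's related to" line
            # carry the same cookie pair; the set de-duplicates them.
            current.ike_sas.add((m.group(1), m.group(2)))
            continue
        stripped = line.strip()
        if stripped == "INBOUND:":
            direction = "inbound"
            continue
        if stripped == "OUTBOUND:":
            direction = "outbound"
            continue
        m = SPI_RE.match(line)
        if m and direction:
            getattr(current, direction).append(m.group(1))
    return peers


def summarize(peers):
    """Return (peer, user, ike_sa_count, inbound_spi_count, outbound_spi_count) rows."""
    return [
        (ip, p.user, len(p.ike_sas), len(p.inbound), len(p.outbound))
        for ip, p in sorted(peers.items())
    ]


if __name__ == "__main__":
    for row in summarize(parse_vpn_tu(SAMPLE)):
        print(row)
```

The inventory is still useful on its own: run against a saved `vpn tu` dump it gives a quick count of IKE and IPsec SAs per remote access user, which is a reasonable check when correlating a client session with gateway state. Answering the cipher question needs a source that records the negotiated transforms, which this output does not.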

PhoneBoy
Admin

This information can definitely be found in logs when managing the 1400 series appliances with central management.

I am checking with R&D on these locally managed appliances.
