I am using a Check Point 600 appliance and wish to override the built-in handling of L2TP traffic and forward it to an internal VPN server. Has anyone done this? I've set up forwarding rules, but they are overridden by the internal services for IKE and IKE traversal.
Thanks for any advice, Carl
Actually, the 600 has an L2TP endpoint on it that your clients can connect to; see sk101466.
Make sure the relevant options are disabled.
Thanks Dameon, but we want to do pass through as the Active Directory authentication doesn’t work with our OpenLDAP (though it does work on the internal destination).
Understood.
What I'm saying is if these options are enabled, it definitely won't work.
How are you attempting to configure L2TP passthrough?
Can you post screenshots of the rules you're attempting to use?
I can't screenshot at the moment as I'm not at work. The remote access VPN is disabled in the admin interface, and just to be doubly sure, I've run "vpn drv off" from clish.
The passthrough is attempted via an access policy forwarding udp ports 500,1701 and 4500 on to the internal destination.
Understood.
I will have to check with someone in R&D to see if this is possible or not.
Thanks. If the passthrough is not possible, I would also be content to use the UTM VPN endpoint if we could link to the users and groups we've already defined under our LDAP server, though sadly it seems just Active Directory is supported.
To disable the implied rules around L2TP, a code change may be required.
Please open a support ticket; support will be able to investigate with R&D.
Support may also be able to assist in getting the 600 to talk to a generic LDAP server instead of Active Directory.
Thanks Dameon, I appear to have to get support through the reseller, which is particularly onerous. I tinkered with the possibility of using the router's own endpoint and maintaining a temporary user database for those in need, but even the default office mode routing seems screwy. I suppose some additional configuration is required there. Naively I thought routing everything in the office mode default 172.16.10.0.x via the gateway at 172.16.0.1 would work, but no DNS was supplied to my test client and even reaching LAN resources by IP was not possible.
Hi Dameon,
Further bit of info: some of the IPsec IKE stuff is making it to the internal endpoint; it is the L2TP connection that fails. Reading up on some similar cases with other equipment, they have to add a nat-network entry of the form 0.0.0.0/0.
Now I just need to know where to add this in expert mode I think.
You don't create NAT rules in Expert mode, but you can create them through the CLI.
It wouldn't operate any differently than doing it through the WebUI.
In any case, "any" is equivalent to 0.0.0.0/0, or you might have to create a range object to cover 0.0.0.1-255.255.255.255.
I should also add the logs show that when attempting a connection in this scenario, I get entries referencing the VPN and also IKE and IKE traversal rather than any forwarding going on.
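To tell which legs of an L2TP/IPsec session actually reach the internal server (the "IKE arrives, L2TP fails" symptom above), a small classifier of the UDP datagrams seen on the server helps more than the gateway's own log. This is an added example, not code from the thread or from Check Point: the function names and the sample datagrams are constructed here, and only the wire markers from RFC 3948 (UDP 4500) and RFC 2661 (L2TPv2) are assumed.

```python
import struct
from collections import Counter

def classify_datagram(dst_port: int, payload: bytes) -> str:
    """Name the protocol leg a UDP datagram belongs to (IKE, NAT-T, L2TP).

    UDP 4500 (RFC 3948): four zero bytes = IKE behind NAT, a lone 0xff =
    keepalive, anything else = UDP-encapsulated ESP whose first 4 bytes are
    the SPI. UDP 1701 (RFC 2661): version in the low 4 bits, T bit = control.
    """
    if dst_port == 500:
        return "ike" if len(payload) >= 28 else "ike-truncated"   # 28 = ISAKMP header
    if dst_port == 4500:
        if payload == b"\xff":
            return "natt-keepalive"
        if len(payload) < 4:
            return "natt-truncated"
        return "natt-ike" if payload[:4] == b"\x00\x00\x00\x00" else "natt-esp"
    if dst_port == 1701:
        if len(payload) < 2:
            return "l2tp-truncated"
        flags_ver = struct.unpack("!H", payload[:2])[0]
        if flags_ver & 0x000F != 2:
            return "l2tp-unknown-version"
        return "l2tp-control" if flags_ver & 0x8000 else "l2tp-data"
    return "other"

def summarize(datagrams):
    """Count legs over (dst_port, payload) pairs, e.g. from a capture on the internal server."""
    return Counter(classify_datagram(port, data) for port, data in datagrams)

def diagnose(counts) -> str:
    """Map the counts to what the passthrough is (not) delivering."""
    ike = counts["ike"] + counts["natt-ike"]
    if not ike:
        return "no IKE reached the internal server: the gateway is most likely still terminating it"
    if not counts["natt-esp"]:
        return "IKE arrives but no ESP follows: no IPsec SA was built, so L2TP (carried inside the SA) never starts"
    if not (counts["l2tp-control"] or counts["l2tp-data"]):
        return "ESP arrives; L2TP is inside it and only visible after decryption on the internal server"
    return "IKE, ESP and L2TP all observed"

# Constructed sample datagrams (hypothetical, not captured from the thread's network).
ISAKMP_HDR = b"\x11" * 8 + b"\x00" * 8 + b"\x21\x20\x22\x08" + b"\x00" * 4 + b"\x00\x00\x00\x1c"
SAMPLE = [
    (500, ISAKMP_HDR),                                                  # cleartext IKE_SA_INIT
    (4500, b"\x00\x00\x00\x00" + ISAKMP_HDR),                           # IKE after NAT detection
    (4500, b"\xff"),                                                    # NAT-T keepalive
    (4500, b"\x00\x00\x12\x34" + b"\x00\x00\x00\x01" + b"\xaa" * 16),   # ESP, SPI 0x1234, seq 1
    (1701, b"\xc8\x02\x00\x0c" + b"\x00" * 8),                          # L2TP control, post-decryption
]
```

Running `diagnose(summarize(SAMPLE[:2]))` reproduces the thread's symptom (IKE seen, nothing after it), while the full sample shows every leg present.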