TOPIC: General VPN Setup Questions.


Status: Offline
Posts: 9
Date:

I've got a copy of Phoneboy's latest book for reference, Essential Check Point Firewall-1 NG.  I need to set up a Client to Site VPN so telecommuters can access a Windows 2000 network. I have a site to site VPN up and running, so I have a Gateway created.


Should I create a new gateway for the Client to Site VPN so I don't have to change any of the settings on the current Gateway?  Or should I stick with just one Gateway and modify it?  I want to keep things simple and I don't want to break what I have working.


How do you ensure your gateway object has the Policy Server package loaded and enabled?


How do you create a Desktop Security policy?





__________________


Status: Offline
Posts: 61
Date:

I suppose you want to use SecureRemote or SecureClient, so you have to create a user database and a SecureClient remote user group, and a rule to permit access from outside after the authentication procedure.


Create a user group, check for an SC/SR license (SR is free and you can create a license from www.checkpoint) and create 2 rules with:


First rule:

source: any
destination: firewall object
service: fw1_topo; ike udp; ike tcp
action: accept

Second rule:

source: secure-remote user group
destination: the servers (or network) you want to use/browse from outside
service: the services that the servers group needs in order to access them
action: client encrypt (both intersect with database)


In Global Properties, check Remote Access -> Encrypt DNS traffic.


After that, in VPN Basic check IKE over TCP and pre-shared secret if you want to use a password; I suggest certificates.


And in VPN Advanced, enforce the encryption algorithm for all users.


I hope this can help you.


Ciao


Raoul Ferro



__________________


Status: Offline
Posts: 9
Date:

Thanks Raoul, I'll give it a go.

__________________


Status: Offline
Posts: 9
Date:

OK, for the second rule, I don't have the option Client Encrypt; I have Client Authenticate, which I chose to use.  However, I'm still having the same problem. I've always been able to authenticate and get connected and at least see our domain. I can see the connection packets in the log files pass through the firewall and the external DNS server.  What I can't do is see the Windows 2000 servers I need to hit.  I can see the packets being dropped in the log by the (any any) rule when they try to pass through to the internal DNS servers.  I added the internal DNS servers to the Destination column, but no luck.  Suggestions anyone?



__________________


Status: Offline
Posts: 9
Date:

OK, I'm still plugging away.  It seems the real problem is that I'm not getting an IP address from my DHCP server.  I'm connecting to my ISP via a dial-up connection.  Then using SecureRemote to connect to the firewall.


If you're using SecureRemote, do you still need to create a Desktop Security policy?


Can you use Office Mode with SecureRemote or is this option only available with SecureClient?





__________________