Securid with L2tp and ngx

[moalmoe]

Hi,

I have set up an ngx r62 fw running on splat.
Created the generic external profile and is authenticating through securid using an rsa ace server.
That part is working great..
I also have a local FW-user that is using a normal FW username/password authentication method, that is also working as expected.

The question is.....can Microsoft Ipsec client (l2tp) be used to connect to the FW, using securid as authentication ??

Tried it with the local FW user, creating the certificate in the user properties for that user in ngx and then importing it on the XP PC. Using MD5-challenge with the FW username/password it worked great.
But there is no way I can create a certificate using the generic profile as I can see. Is this even possible ??

[moalmoe]

Got it working actually.

I used the certificate generated by another FW-user for the machine to machine connection (probably OK since this is just for the part between the client PC and the firewall).
Then I set up the L2TP client on the XP PC to use PAP as security, then everything worked as it should.
Is it OK to use just PAP or should I change this somehow ??

Thanks..

[cqliuke]

Hi moalmoe,

Can you tell me how to configure Microsoft Ipsec client (l2tp) ?

I can't configure it successfull.

thanks.

[Phayder]

HI cqliuke,

Pay attention on Microsoft VPN, if you dont have version R55, you can not use Automatic NAT on the rules, because GRE is not passing the NAT.

Best Regards,
Phayder

[moalmoe]

Quote:

Originally Posted by cqliuke

Hi moalmoe,

Can you tell me how to configure Microsoft Ipsec client (l2tp) ?

I can't configure it successfull.

thanks.

I used a whitepaper found on the Checkpoint support pages to set it up...

[Jay_D]

Hi,

I was able to configure L2TP VPN with a shared secret. I also tried using a certificate and that worked fine too.
I have other users with SecureClient authenticating with SecurID.

However I cannot make this L2TP VPN client to work with SecurID. I have the impression it only works when you use the pre-shared secret located in the encryption tab (select IKE, then authentication tab) and not when you select an authentication method in the authentication tab directly under the user.

But you say you did get this to work with SecurID....so I am very interested in finding out how you did this... I am using R60 but I don't think this makes a difference.

Kind regards,
Jeroen.