RemoteAccess Configuration issues -- NGX/R60_HFA01.



justin.knox
2005-10-17, 11:45
Hi. I'm a relative newb to Check Point, the last time I did any work with it was pre-4.1. Here's my issue:

I'm in the process of a pilot roll-out of Check Point Express NGX. I'm doing this as a distributed deployment, management server is running as a virtual machine in VMware: Windows Server 2003, SP1. The enforcement module is an IP260 appliance from Nokia, running IPSO 3.9 Build 041.

I've installed R60 via the wrapper .tgz on the appliance, and I've had no trouble establishing SIC and managing my rulebase; in fact, I've got that all working fine. However, I've added a rule to permit RemoteAccess users in. I've got a test user configured for preshared secret _and_ certificate, and when I use SecuRemote to attempt a connection to the gateway from the internet segment of the pilot, I get an error in SmartView Tracker indicating the enforcement point has no key for IKE (phase 1, I'm betting here). The SecuRemote client also gets told that the gateway has no certificate for IKE and cannot connect (it can't even complete creation of the site).

SmartView Tracker does show a successful, permitted Topology request just before this error, so I am sure there are no connectivity issues here. I've got a ticket opened with support, and we've gotten this far (before, I was receiving an error stating that the user was not correctly configured).

Am I missing something? Is there anything that needs to be done via Voyager or CLISH that SmartCenter does not handle?
I've already got a request in to purchase most of the recent books recommended by the group. I've also got a budget request in for training; unfortunately, my deadline is closer than both of those dates.

Any help is appreciated.

justin.knox
2005-10-17, 14:20
I solved my own problem:
Prior to applying HFA 01, when I clicked on the View button on my firewall object's VPN tab, I got an empty message box. After applying HFA 01, when doing the same I get a message box indicating that the certificate could not be read from the database.
I removed the firewall object from the RemoteAccess VPN community, and unchecked the public key authentication method in the Traditional VPN Configuration options. I then clicked Remove to remove the certificate from the firewall object, confirmed the selection and clicked OK. I then installed my policy to the firewall.

Then, I re-opened my firewall object for editing, clicked Create on the VPN tab, and created a new certificate. I clicked OK, and installed the policy.

Finally, I went back into the VPN tab, re-enabled the public key authentication method, and added the firewall back to the remote access community. Clicked OK, installed policy.

I can now connect to my gateway via SecuRemote.
Props go to this link:
http://msgs.securepoint.com/cgi-bin/get/fw1-0309/196/1.html