Friday, 2 August 2013

Check Point - Linux Remote Access VPN with Shrew VPN client

A few years back I tried to get any sort of VPN client working on Ubuntu that would connect to a Check Point firewall. SSL Network Extender (SNX) works but requires additional configuration on the gateway, so I gave up.

Between then and now, Shrew Soft VPN client has added support for Check Point firewalls and works pretty well. I found the client crashed intermittently when setting up the profiles but after that the tunnel seemed stable. I've tested it on Ubuntu 12 and 13 (on 13 you have to compile from source as it's not in the Apt repositories yet) and both work ok.

The client is pretty straightforward to set up - once you know which options to use, of course!

Hostname / IP address - IP or DNS name for your firewall
Auto Configuration - Leave this at 'ike config pull'.
Local Host - If you're using office mode with DHCP addresses, this will take care of picking up the address once the tunnel is up.

Client and name resolution tabs - leave these settings as default.
Authentication tab:
Authentication method - assuming you haven't changed any of your remote access settings, Hybrid RSA + XAuth is what you need.
Local Identity - User Fully Qualified Domain Name (make sure you leave the value blank however)
Remote Identity - Any
Credentials -> Server Certificate Authority File - This needs to be the Check Point internal CA certificate that issues the VPN certificate for your gateway. Setting it to 'any' doesn't appear to work.

Phase 1


Phase 2


Policy - Leave policy generation set to 'auto' and untick the following two boxes.
Then, make sure you add in all of the remote networks you want to access over the tunnel and the software will add in the correct routes for your remote resources. 


Then you're all set to connect!
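Once the tunnel is up, it is worth confirming that every remote network you entered on the Policy tab really got a route via the tunnel interface, because anything the client did not route through the tunnel will go out over your normal interface instead. The following script is an added example, not code from the original post or from the Shrew Soft project. The `ip route` sample, the remote network list and the tunnel interface name tap0 are constructed assumptions; check `ip link` on your own machine for the real interface name.

```python
import ipaddress
import subprocess

# Constructed sample of `ip route` output as it might look once the Shrew
# tunnel is up.  The tunnel interface name (tap0) is an assumption.
SAMPLE_IP_ROUTE = """\
default via 192.168.1.1 dev wlan0 proto static
10.0.0.0/8 dev tap0 proto static scope link
172.16.5.0/24 dev tap0 proto static scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""

# The remote networks entered on the Shrew Policy tab (constructed values).
REMOTE_NETWORKS = ["10.10.0.0/16", "172.16.5.0/24", "192.168.100.0/24"]


def parse_ip_route(text):
    """Parse `ip route` lines into (destination network, device) pairs.

    'default' is normalised to 0.0.0.0/0 and a bare address becomes a /32.
    Lines without a 'dev' keyword are skipped.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes


def missing_tunnel_routes(remote_networks, ip_route_text, tunnel_dev):
    """Return the remote networks that have no route via tunnel_dev.

    A remote network counts as covered when some route on tunnel_dev has a
    destination equal to it or a supernet of it (10.0.0.0/8 covers
    10.10.0.0/16, for example).  IPv4 and IPv6 are never compared.
    """
    tunnel_routes = [net for net, dev in parse_ip_route(ip_route_text)
                     if dev == tunnel_dev]
    missing = []
    for cidr in remote_networks:
        wanted = ipaddress.ip_network(cidr, strict=False)
        covered = any(wanted.version == net.version and wanted.subnet_of(net)
                      for net in tunnel_routes)
        if not covered:
            missing.append(cidr)
    return missing


def live_ip_route():
    """Read the real routing table (Linux with iproute2 only)."""
    return subprocess.run(["ip", "route"], capture_output=True, text=True,
                          check=True).stdout


if __name__ == "__main__":
    # Swap SAMPLE_IP_ROUTE for live_ip_route() to check a real tunnel.
    missing = missing_tunnel_routes(REMOTE_NETWORKS, SAMPLE_IP_ROUTE, "tap0")
    if missing:
        print("Remote networks with no route via the tunnel:", ", ".join(missing))
    else:
        print("All remote networks are routed via the tunnel.")
```

With the sample table, 10.10.0.0/16 is covered by the wider 10.0.0.0/8 route on tap0, 172.16.5.0/24 has an exact route, and 192.168.100.0/24 is reported as missing: traffic to that network would leave via wlan0 in the clear rather than through the tunnel, which is exactly the kind of mistake a forgotten Policy entry produces.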
