For some organizations there are clear benefits to using the Microsoft IPsec client for remote access to the internal network, rather than the more feature-rich and secure Check Point SecuRemote / Endpoint Security.
Reasons for using the Microsoft L2TP IPsec client include that it is an inherent part of all Windows operating systems, as well as Mac OS X and iOS, that it requires no additional client to be installed, and that it is free.
Check Point Security Gateways can create VPNs with a number of third party IPsec clients. This explanation focuses on the Microsoft IPsec / L2TP client.
You can access a private network through the Internet by using a virtual private network (VPN) connection with the Layer Two Tunneling Protocol (L2TP). L2TP is an industry-standard Internet tunneling protocol.
Creating a Remote Access environment for users with Microsoft IPsec / L2TP clients is based on the same principles as those used for setting up Check Point Remote Access Clients. Make sure that you understand how to configure Remote Access VPN before you begin to configure Remote Access for Microsoft IPsec / L2TP clients.
To allow the user at the Microsoft IPsec / L2TP client to access a network resource protected by a Security Gateway, a VPN tunnel is established between the Microsoft IPsec / L2TP client and the Security Gateway, as shown below.
The process of the VPN establishment is transparent to the user, and works as follows:
Note - This option is less secure, since the pre-shared key is shared among all L2TP clients.
Only an authenticated machine can establish a connection.
When using an IPsec / L2TP client, it is not possible to connect to the organization and to the outside world at the same time.
This is because when the client is connected to the Security Gateway, all traffic that leaves the client is sent to the Security Gateway, and is encrypted, whether or not it is intended to reach the protected network behind the Security Gateway. The Security Gateway then drops all encrypted traffic that is not destined for the encryption domain of the Security Gateway.
In order to use Microsoft IPsec / L2TP clients, the Security Gateway must be set up for remote access. The setup is very similar to that required for remote access using Check Point Remote Access Clients, and involves creating a Remote Access community that includes the Security Gateways and the user groups.
An additional requirement is to configure the Security Gateway to supply addresses to the clients by means of the Office Mode feature.
Certain settings related to L2TP authentication can be configured globally for Security Gateways of version R71 and higher. These settings are configured in the Global Properties configuration section of SmartDashboard.
All L2TP clients can be configured to use a Pre-shared key for IKE in addition to the standard user authentication.
Note - The IKE Security Association created for L2TP cannot be used for regular IPsec traffic.
There are two methods used to authenticate an L2TP connection:
L2TP clients can use any of the following Authentication schemes to establish a connection:
Using a username and password verifies that a user is who they claim to be. All users must be part of the Remote Access community and be configured for Office Mode.
During the process of establishing the L2TP connection, two sets of authentication are performed. First, the client machine and the Security Gateway authenticate each other's identity using certificates. Then, the user at the client machine and the Security Gateway authenticate each other using either certificates or a pre-shared secret.
The Microsoft IPsec / L2TP client keeps separate certificates for IKE authentication of the client machine, and for user authentication.
On the Security Gateway, if certificates are used for user authentication, then the Security Gateway can use the same certificate or different certificates for user authentication and for the IKE authentication.
Certificates for both clients and users can be issued by the same CA or a different CA. The users and the client machines are defined separately as users in SmartDashboard.
Certificates can be issued by:
The Microsoft IPsec / L2TP client machine needs a certificate to authenticate itself to the Security Gateway during IKE negotiation.
The computer account (we call it the machine account) must use PKI and must be in the Remote Access community. It is not affected by the authentication scheme in the Remote Access tab in the GUI. It may or may not be a good idea to use the same certificate (and "machine" user) for all clients. You can use an internal CA certificate with no problem for this user. It makes no difference if the authentication tab is defined or not.
The user account is more important, because that is the basis for rule matches and logs. This may use either MD5-challenge (passwords) or certificates. If you choose MD5-challenge, the certificate selection in the remote access tab is irrelevant. As for the user definition, it makes no difference how, if at all, the authentication tab is defined. The password is always the shared secret defined in the encryption tab. Note that this behavior differs from that of SecureClient, where passwords in the authentication tab override shared secrets from the encryption tab.
The client machine administrator must install the certificate in the machine certificate store.
Connecting with Microsoft IPsec / L2TP clients requires that every user be authenticated. Users can be authenticated with:
The user certificate can be easily added to the user certificate store. If the user certificate is on a Smart Card, plugging it into the client machine will automatically place the certificate into the certificate store.
It is possible to make sure that PKI certificates are used only for a defined purpose. A certificate can have one or more purposes, such as "client authentication", "server authentication", "IPsec" and "email signing". Purposes appear in the Extended Key Usage extension in the certificate.
The certificates used for IKE authentication do not need any purposes. For the user authentication, the Microsoft IPsec / L2TP client requires that
Most CAs (including the ICA) do not specify such purposes by default. This means that the CA that issues certificates for IPsec / L2TP clients must be configured to issue certificates with the appropriate purposes (in the Extended Key Usage extension).
It is possible to configure the ICA on the Security Management Server so that the certificates it issues will have these purposes. For OPSEC certified CAs, it is possible to configure the Security Management Server to create a certificate request that includes purposes (in the Extended Key Usage extension).
It is also possible to configure the Microsoft IPsec / L2TP clients so that they do not validate the Security Gateway certificate during the L2TP negotiation. This is not a security problem because the client has already verified the Security Gateway certificate during IKE negotiation.
Check Point Endpoint Security VPN is much more than a personal firewall. It is a complete desktop security solution that allows the administrator to define a full desktop security policy for the client. IPsec / L2TP clients are more basic remote clients, and for some organizations may provide an adequate set of capabilities.
Establishing a Remote Access VPN for Microsoft IPsec / L2TP clients requires configuration to be performed both on the Security Gateway and on the client machine. The configuration is the same as setting up Check Point Remote Access Clients, with a few additional steps.
High-level workflow to create a Remote Access deployment:
Configure the network to use VPN connections for Remote Access.
Using the MMC, the certificate can be seen in the certificate store for the "Local Computer".
Using the MMC, the certificate can be seen in the certificate store for the "current user".
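The same stores can be inspected from PowerShell. The following is an added example, not code from the Check Point guide: it lists the certificates in the "Local Computer" and "current user" Personal stores and prints the purposes found in each certificate's Extended Key Usage extension, so you can confirm what the CA actually issued before building the connection profile. It assumes the machine certificate is in `Cert:\LocalMachine\My`, the user certificate in `Cert:\CurrentUser\My`, and the gateway certificate path `C:\temp\gateway.cer` is a hypothetical location for an exported copy.

```powershell
# Added example (not from the Check Point guide). Shows the Extended Key Usage
# purposes of the certificates the Microsoft IPsec / L2TP client can use.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # "Server Authentication" purpose
$EkuOid        = '2.5.29.37'           # Extended Key Usage extension OID

function Get-EkuPurposes {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
    # No EKU extension at all: the certificate carries no purposes
    # (the default for most CAs, including the ICA).
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { "$($_.FriendlyName) ($($_.Value))" })
}

function Show-StorePurposes {
    param([string]$StorePath)
    Get-ChildItem $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $p = Get-EkuPurposes $_
        [pscustomobject]@{
            Store    = $StorePath
            Subject  = $_.Subject
            Issuer   = $_.Issuer
            NotAfter = $_.NotAfter
            Purposes = if ($p.Count) { $p -join '; ' } else { '(none)' }
        }
    }
}

# Machine certificate (IKE authentication): no purposes are needed here.
Show-StorePurposes 'Cert:\LocalMachine\My' | Format-Table -AutoSize
# User certificate ("Smart Card or other Certificates"): purposes are required.
Show-StorePurposes 'Cert:\CurrentUser\My'  | Format-Table -AutoSize

# Optional: check an exported copy of the Security Gateway certificate for the
# "Server Authentication" purpose the client expects unless told not to require it.
$GatewayCertPath = 'C:\temp\gateway.cer'   # hypothetical path, export it yourself
if (Test-Path $GatewayCertPath) {
    $gw = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $GatewayCertPath
    if ((Get-EkuPurposes $gw) -join ' ' -like "*$ServerAuthOid*") {
        'Gateway certificate has the Server Authentication purpose'
    } else {
        'Gateway certificate lacks the Server Authentication purpose; the client will reject it unless configured not to require that purpose'
    }
}
```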
Once the Client machine's certificate and the user's certificate have been properly distributed, set up the L2TP connection profile.
To configure the L2TP profile:
To complete the L2TP connection configuration:
If you select Use Extensible Authentication Protocols: Choose either MD5-challenge, or Smart Card or other Certificates (encryption enabled). Make the same choice as made on the Security Gateway.
If you select Allow these protocols: Choose Unencrypted password (PAP).
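The profile described in the steps above can also be created from PowerShell. This is an added example, not code from the Check Point guide: it builds an L2TP/IPsec connection that uses the machine certificate for IKE and "Unencrypted password (PAP)" for the user, with the all-clients pre-shared-key variant shown commented out. The gateway address `vpn.example.com` and the profile name `L2TP_connection` are assumptions; the EAP choices (MD5-challenge, Smart Card or other Certificates) need an EAP configuration XML and are not shown.

```powershell
# Added example (not from the Check Point guide): create the L2TP/IPsec profile.
$GatewayAddress = 'vpn.example.com'   # assumption: your Security Gateway
$ProfileName    = 'L2TP_connection'   # assumption: profile name

# Variant A: machine certificate for IKE, PAP for the user ("Allow these
# protocols" choice). The password sent inside the IPsec tunnel is the shared
# secret from the user's Encryption tab on the Security Gateway.
Add-VpnConnection -Name $ProfileName `
                  -ServerAddress $GatewayAddress `
                  -TunnelType L2tp `
                  -AuthenticationMethod Pap `
                  -EncryptionLevel Required `
                  -Force

# Variant B: the less secure option, one IKE pre-shared key shared by all
# L2TP clients instead of a machine certificate.
# Add-VpnConnection -Name $ProfileName -ServerAddress $GatewayAddress `
#                   -TunnelType L2tp -L2tpPsk 'REPLACE_WITH_PSK' `
#                   -AuthenticationMethod Pap -EncryptionLevel Required -Force

# -SplitTunneling is deliberately not set: every packet leaves through the
# tunnel and the gateway drops anything not destined for its encryption
# domain, which is why the client cannot reach the organization and the
# outside world at the same time.
Get-VpnConnection -Name $ProfileName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod,
                  EncryptionLevel, SplitTunneling, L2tpIPsecAuth
```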
A CA that issues certificates for IPsec/L2TP clients must be configured to issue certificates with the appropriate purposes.
Alternatively, the Microsoft IPsec/L2TP Client can be set to not require the "Server Authentication" purpose on the Security Gateway certificate.
If using an OPSEC certified CA to issue certificates, use the dbedit command line (see skI3301) or the GuiDBedit Tool (see sk13009) to change the value of the global property cert_req_ext_key_usage to 1. This will cause the Security Management Server to request a certificate that has purposes (Extended Key Usage extension) in the certificate.
The following procedure tells the Microsoft IPsec/L2TP Client not to require the "Server Authentication" purpose on the Security Gateway certificate.
Note - The client validates all aspects of the Security Gateway certificate during IKE authentication, other than the "Server Authentication" purpose.
The L2TP protocol is defined in RFC 2661. Encryption of L2TP using IPsec is described in RFC 3193. For information about the L2TP protocol and the Microsoft IPsec/L2TP client, see the Network and Dial Up Connections Help in Windows for your version.