
Configuring Remote Access VPN

In This Section:

Defining a Remote Access Community

Configuring the Security Gateway for a Remote Access Community

Defining Access Control Rules

Enabling a User Certificate

Enabling Hybrid Mode and Methods of Authentication

Using a Pre-Shared Secret

Configuring RADIUS Objects

Modifying Encryption Properties for Remote Access VPN

This section includes procedures and explanations for configuring Remote Access VPN. For configuration specific to Endpoint Security VPN, Check Point Mobile for Windows, and SecuRemote, see the Remote Access Clients Administration Guide.

Defining a Remote Access Community

To define the VPN Remote Access community and its participants:

  1. From the Objects Bar, click VPN Communities.
  2. Double-click RemoteAccess.

    The Remote Access window opens.

  3. On the Participating Gateways page, click the Add button and select the Security Gateways that are in the Remote Access Community.
  4. On the Participating User Groups page, click the Add button and select the group that contains the Remote Access users.
  5. Click OK.
  6. Publish the changes.

Configuring the Security Gateway for a Remote Access Community

Make sure that the VPN Software Blade is enabled before you configure the Remote Access community.

To configure the Security Gateway for Remote Access:

  1. In R80 SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, click IPsec VPN.

    The page shows the VPN communities that the Security Gateway participates in.

  3. To add the Security Gateway to a community:
    1. Click Add.
    2. Select the community.
    3. Click OK.
  4. From the navigation tree, click Network Management > VPN Domain.
  5. Configure the VPN Domain.
  6. Configure the settings for Visitor Mode.
  7. From the navigation tree, click VPN Clients > Office Mode.
  8. Configure the settings for Office Mode.

    Note - Office Mode support is mandatory on the Security Gateway side.

  9. Click OK and publish the changes.

Defining Access Control Rules

Access control is a layer of security not connected with VPN. The existence of a remote access community does not mean that members of that community have free automatic access to the network. Appropriate rules need to be created in the Access Control Policy Rule Base blocking or allowing specific services.

  1. Create a rule in the Security Access Control Rule Base that deals with remote access connections.
  2. Right-click the cell in the VPN column, and select Specific VPN Communities.
  3. Click the add button for each community that you are adding to the rule.
  4. Close the VPN community window.
  5. Define Services & Applications and Actions.
  6. Publish the changes and install the policy.

    For example, to allow remote access users to access the organization's SMTP server, called SMTP_SRV, create the following rule:

    Source | Destination | VPN                     | Service | Action | Track
    -------|-------------|-------------------------|---------|--------|------
    Any    | SMTP_SRV    | Remote_Access_Community | SMTP    | Accept | Log

Enabling a User Certificate

To enable a user certificate:

  1. In R80 SmartConsole, from the Objects Bar click Users > Users.
  2. Create a new user or double-click an existing user.

    The User Properties window opens.

  3. From the navigation tree, click Encryption.
  4. Click Edit.

    The IKE Phase 2 Properties window opens.

  5. Click the Authentication tab and make sure that Public key is selected.
  6. Click OK.
  7. Publish the changes.

For Internally Managed Users

When a user is deleted, their certificate is automatically revoked. Certificates can be disabled or revoked at any time.

If the certificate is already active or was not completed by the user, you can revoke it by clicking Revoke in the Certificates tab of the User Properties window.

Enabling Hybrid Mode and Methods of Authentication

Hybrid mode allows the Security Gateway and remote access client to use different methods of authentication.

To enable Hybrid Mode:

  1. From Menu, click Global Properties.
  2. From the navigation tree, click Remote Access > VPN Authentication.
  3. In the Support authentication methods section, click Support Legacy Authentication for SC (hybrid mode), L2TP (PAP), and Nokia clients (CRACK).
  4. Click OK.
  5. Publish the changes.

Defining User Authentication Methods in Hybrid Mode

To define the Hybrid Mode authentication for a user:

  1. From the Objects Bar, double-click the user.

    The User Properties window opens.

  2. From the navigation tree, click Authentication.
  3. Select the Authentication Scheme.
  4. Configure the necessary settings.
  5. Click OK.
  6. Publish the changes.
  7. Give these credentials to the user.

Using a Pre-Shared Secret

When using pre-shared secrets, the remote user and Security Gateway authenticate each other by verifying that the other party knows the shared secret: the user's password.

To enable authentication with pre-shared secrets:

  1. From Menu, click Global Properties.
  2. From the navigation tree, click Remote Access > VPN Authentication.
  3. In the Support authentication methods section, select Pre-Shared Secret (For SecuRemote / SecureClient users).
  4. Click OK.
  5. Configure the Authentication settings for each applicable user:
    1. From the Objects Bar, double-click the user.

      The User Properties window opens.

    2. From the navigation tree, click Encryption.
    3. Select IKE and click Edit.

      The IKE Phase 2 Properties window opens.

    4. From the Authentication tab, click Password (Pre-Shared Secret).
    5. Enter and Confirm the Password (Pre-shared secret).
    6. Click OK.
  6. Publish the changes.
  7. Give the password to the user.

Configuring RADIUS Objects

To create a new RADIUS host object:

  1. In R80 SmartConsole, on the Objects tab, click New > Host.

    The New Host window opens.

  2. Enter the Object Name and the IP Address of the new RADIUS host object, and click OK.
  3. Publish the changes.

To configure the RADIUS server object settings:

  1. In R80 SmartConsole, on the Objects tab, click New > More > Server > More > RADIUS.

    The RADIUS Server Properties window opens.

  2. Configure new server properties:
    • Enter the Name of the RADIUS server object.
    • Select the RADIUS Host object.
    • Select the Service - RADIUS (on port 1645) or NEW-RADIUS (on port 1812).

      Note - The default setting is RADIUS, but the RADIUS standards group recommends using NEW-RADIUS, because port 1645 can conflict with the datametrics service running on the same port.

    • Enter the Shared Secret that you configured on the RADIUS server.
    • Select the version - RADIUS Ver. 1.0 Compatible (RFC 2138 compliant) or RADIUS Ver. 2.0 Compatible (RFC 2865 compliant).
    • Select the peer authentication Protocol - PAP or MS-CHAP v2.
    • If you use more than one RADIUS authentication server, select the Priority.
  3. Click OK.
  4. Publish the changes.

To configure a Security Gateway to use RADIUS authentication:

  1. In R80 SmartConsole, go to the Gateways & Servers view, right-click a Security Gateway object and select Edit.
  2. In the gateway property window that opens, select Other > Legacy Authentication.
  3. In the Enabled Authentication Schemes section, select RADIUS.
  4. Click OK.

To define a RADIUS user group:

  1. In R80 SmartConsole, on the Objects tab, click New > More > Users > User Group.

    The New User Group window opens.

  2. Enter the name of the group in this format: RAD_<group_name>.

    Make sure the group is empty.

  3. Click OK.
  4. Publish the changes and install the policy.

To configure RADIUS authentication settings for users:

  1. Create new user profiles -
    • For users with Security Gateway user accounts - in R80 SmartConsole, go to the Objects tab and click New > More > User > User.
    • For users without Security Gateway user accounts, open the SmartDashboard - go to Users > External User Profile > New External User Profile > Match all users (or Match by domain). If you support more than one external authentication scheme, set up External User Profiles with the Match By Domain setting.

    The User Properties window opens.

  2. In the General Properties tab, configure these settings:
    • Enter a User Name for the RADIUS server. (When configuring Match all users as an External User Profile, the name "generic*" is automatically assigned)
    • Set the Expiration Date.
  3. In the Authentication tab, configure these settings:
    • Select RADIUS from the Authentication Scheme drop-down list
    • From the Select a RADIUS Server or Group of Servers drop-down menu, select the RADIUS object that you configured earlier
  4. Click OK.

To complete the RADIUS authentication configuration:

  1. In R80 SmartConsole, create the required Access Control rules to allow access to users authenticated through the RADIUS server.
  2. Verify that communication between the firewall and the server is not NATed in the Address Translation Rule Base.
  3. Save the changes.
  4. Close all R80 SmartConsole windows.
  5. On the Security Management Server, use GuiDBedit to change the value of the add_radius_groups attribute from false to true.
  6. Save and then close GuiDBedit.
  7. Open R80 SmartConsole.
  8. Install the policy.
  9. On the RADIUS server, edit the RADIUS users to include a class RADIUS attribute on the user's Return list that corresponds to the user group that they access.

To use a different attribute instead of the class attribute:

  1. Close all R80 SmartConsole windows and clients.
  2. On the Security Gateway, use GuiDBedit to modify the value of the firewall_properties attribute radius_groups_attr to the new RADIUS attribute.
  3. Save.
  4. Close GuiDBedit.
  5. Open R80 SmartConsole.
  6. Install the policy.
  7. On the RADIUS server, make sure that you use the same RADIUS attribute on users' Return lists that corresponds to the Firewall user group that they access.
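The following Python script is an added illustration, not Check Point code, of the two RADIUS details this section relies on: the Shared Secret entered on the RADIUS server object is what lets the gateway verify that an Access-Accept really came from that server (the Response Authenticator defined in RFC 2865), and the class attribute (or the attribute named by radius_groups_attr) on the user's Return list is what maps the user onto the RAD_<group_name> user groups. It parses the attribute TLVs of a reply, checks the authenticator with the shared secret, and returns the configured groups the reply grants. All packet bytes, secrets and group names are constructed sample values; the assumption that the attribute value may carry the group name with or without the RAD_ prefix is the author's, so confirm which form your RADIUS server returns.

```python
import hashlib
import hmac
import struct

RADIUS_ACCESS_ACCEPT = 2   # RADIUS packet code (RFC 2865)
ATTR_FILTER_ID = 11        # Filter-Id attribute type (RFC 2865)
ATTR_CLASS = 25            # Class attribute type (RFC 2865); the page's default


def parse_attributes(payload):
    """Split the attribute section of a RADIUS packet into (type, value) pairs.

    Each attribute is a TLV: 1-byte type, 1-byte total length (>= 2), value.
    Malformed lengths raise instead of being silently skipped.
    """
    attrs = []
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = payload[pos], payload[pos + 1]
        if attr_len < 2 or pos + attr_len > len(payload):
            raise ValueError("invalid attribute length")
        attrs.append((attr_type, payload[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def build_access_accept(identifier, request_authenticator, shared_secret, attrs):
    """Constructed sample reply: an Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), as RFC 2865 defines."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_authenticator + body + shared_secret).digest()
    return header + response_auth + body


def verify_response_authenticator(packet, request_authenticator, shared_secret):
    """True only if the reply was produced by a server holding the same shared secret.

    A reply that fails this check must not be used for group assignment.
    """
    if len(packet) < 20:
        return False
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + shared_secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def matched_user_groups(packet, request_authenticator, shared_secret,
                        configured_groups, group_attr=ATTR_CLASS):
    """Return the RAD_<group_name> user groups that an authenticated reply grants.

    configured_groups is the set of user group objects named as the page prescribes.
    group_attr models the radius_groups_attr setting: Class by default, or another
    attribute type such as Filter-Id. Assumption (author's, not the page's): the
    attribute value names the group either with or without the RAD_ prefix.
    """
    if not verify_response_authenticator(packet, request_authenticator, shared_secret):
        raise ValueError("Response Authenticator mismatch: reply rejected")
    if packet[0] != RADIUS_ACCESS_ACCEPT:
        return set()  # only an Access-Accept carries a usable Return list
    granted = set()
    for attr_type, value in parse_attributes(packet[20:]):
        if attr_type != group_attr:
            continue
        name = value.decode("utf-8", errors="replace")
        candidate = name if name.startswith("RAD_") else "RAD_" + name
        if candidate in configured_groups:
            granted.add(candidate)
    return granted


# Constructed sample values (not from any real deployment).
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_GROUPS = {"RAD_Sales", "RAD_Engineering", "RAD_Finance"}
SAMPLE_REPLY = build_access_accept(
    identifier=7,
    request_authenticator=SAMPLE_REQUEST_AUTH,
    shared_secret=SAMPLE_SECRET,
    attrs=[(ATTR_CLASS, b"RAD_Sales"), (ATTR_CLASS, b"Engineering"),
           (ATTR_FILTER_ID, b"Finance"), (ATTR_CLASS, b"Marketing")],
)

if __name__ == "__main__":
    # Class attribute: Sales and Engineering match; Marketing has no RAD_ group object.
    print(matched_user_groups(SAMPLE_REPLY, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, SAMPLE_GROUPS))
    # With radius_groups_attr pointed at Filter-Id instead, only Finance is granted.
    print(matched_user_groups(SAMPLE_REPLY, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET,
                              SAMPLE_GROUPS, group_attr=ATTR_FILTER_ID))
```

Two points the script makes concrete: a group name returned by the server that has no matching RAD_<group_name> object is simply ignored, which is why step 2 of "To define a RADIUS user group" insists on the exact naming format, and a reply that does not verify against the shared secret is rejected before any group is assigned, which is why the secret must match on both sides and the traffic must not be NATed in a way that breaks the exchange.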

Modifying Encryption Properties for Remote Access VPN

The encryption properties of the users participating in a Remote Access community are set by default. If you must modify the encryption algorithm, the data integrity method and/or the Diffie-Hellman group, you can either do this globally for all users or configure the properties per user.

To modify the user encryption properties globally:

  1. From Menu, click Global Properties.
  2. From the navigation tree, click Remote Access > VPN - Authentication and Encryption.
  3. From the Encryption algorithms section, click Edit.

    The Encryption Properties window opens.

  4. In the IKE Security Association (Phase 1) tab, configure the applicable settings:
    • Support encryption algorithms - Select the encryption algorithms that will be supported with remote hosts.
    • Use encryption algorithms - Choose the encryption algorithm that will have the highest priority of the selected algorithms. If given a choice of more than one encryption algorithm to use, the algorithm selected in this field will be used.
    • Support Data Integrity - Select the hash algorithms that will be supported with remote hosts to ensure data integrity.
    • Use Data Integrity - The hash algorithm chosen here will be given the highest priority if more than one choice is offered.
    • Support Diffie-Hellman groups - Select the Diffie-Hellman groups that will be supported with remote hosts.
    • Use Diffie-Hellman group - SecureClient users utilize the Diffie-Hellman group selected in this field.
  5. Click OK and publish the changes.
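The difference between the "Support ..." and "Use ..." fields in the IKE Phase 1 tab is easy to misread, so the following Python model is added here to show it; it is the author's illustration of the semantics the bullets above describe, not Check Point's IKE implementation. "Support" defines the set the gateway will accept at all, "Use" picks the winner when the client offers more than one acceptable option, and a client that offers only one supported algorithm negotiates that one regardless of the "Use" choice. The algorithm names and the three client proposals are constructed sample values.

```python
PARAMETERS = ("encryption", "integrity", "dh_group")


def select_algorithm(supported, preferred, offered):
    """Pick one Phase 1 parameter.

    supported: the "Support ..." set; preferred: the "Use ..." choice;
    offered: the ordered list of algorithms the client proposes.
    The preferred algorithm wins whenever the client offers it; otherwise the
    first mutually supported proposal is taken; None means no agreement.
    """
    if preferred not in supported:
        raise ValueError(f"'Use' choice {preferred!r} is not in the supported set")
    acceptable = [alg for alg in offered if alg in supported]
    if not acceptable:
        return None
    return preferred if preferred in acceptable else acceptable[0]


def negotiate_phase1(policy, proposal):
    """Apply select_algorithm to all three parameters; None if any one fails."""
    result = {}
    for key in PARAMETERS:
        chosen = select_algorithm(policy["support"][key], policy["use"][key], proposal[key])
        if chosen is None:
            return None
        result[key] = chosen
    return result


# Constructed sample gateway policy: AES-256/SHA256/Group 14 preferred,
# but weaker options left enabled under "Support".
GATEWAY_POLICY = {
    "support": {
        "encryption": {"AES-256", "AES-128", "3DES"},
        "integrity": {"SHA256", "SHA1"},
        "dh_group": {"Group 14", "Group 2"},
    },
    "use": {"encryption": "AES-256", "integrity": "SHA256", "dh_group": "Group 14"},
}

# Constructed client proposals.
CLIENT_FULL = {            # offers everything, weakest first
    "encryption": ["3DES", "AES-128", "AES-256"],
    "integrity": ["SHA1", "SHA256"],
    "dh_group": ["Group 2", "Group 14"],
}
CLIENT_LEGACY = {          # offers only the weak options
    "encryption": ["3DES"],
    "integrity": ["SHA1"],
    "dh_group": ["Group 2"],
}
CLIENT_INCOMPATIBLE = {    # offers nothing the gateway supports for encryption
    "encryption": ["DES"],
    "integrity": ["SHA256"],
    "dh_group": ["Group 14"],
}

if __name__ == "__main__":
    print(negotiate_phase1(GATEWAY_POLICY, CLIENT_FULL))          # the "Use" choices win
    print(negotiate_phase1(GATEWAY_POLICY, CLIENT_LEGACY))        # falls to 3DES/SHA1/Group 2
    print(negotiate_phase1(GATEWAY_POLICY, CLIENT_INCOMPATIBLE))  # None
```

The practical consequence for the settings on this page: the "Use" fields only express a preference, so the weakest entry left enabled under "Support" is the real floor of the negotiation, and removing an algorithm from "Support" is the only way to guarantee it is never selected for any client.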

To configure encryption policies for specified users:

  1. Open Global Properties, and click Remote Access > Authentication and Encryption.
  2. From the Encryption algorithms section, click Edit.
  3. In the Encryption Properties window, click the IPSEC Security Association (Phase 2) tab.
  4. Clear Enforce Encryption Algorithm and Data Integrity on all users.
  5. Click OK and close the Global Properties window.
  6. For each user:
    1. From the Objects Bar, double-click the user.
    2. From the navigation tree, click Encryption.
    3. Click Edit.

      The IKE Phase 2 Properties window is displayed.

    4. Click the Encryption tab.
    5. Click Defined below.
    6. Configure the Encryption Algorithm and Data Integrity.
    7. Click OK and close the User Properties window.
  7. Publish the changes and install the policy.