Active7 years, 7 months ago
A log, alert, or user defined action can be issued when the VPN tunnel is down. Permanent tunnels can only be established between Check Point gateways. The configuration of Permanent tunnels takes place on the community level and: can be specified for an entire community. This option sets every VPN tunnel in the community as permanent.
To connect to a customers network, I had to install
Check point VPN-1 secure client
.Version information:
VPN-1 SecureClient NGX R60 HFA2 (Build001)
The tool block all incoming traffic to my computer. (Which is fine by me as long as I'm connected to the remote site but even if the VPN connection is inactive, my computer cannot be connected to (e.g. for a VNC session of a co-worker within our corporate net).
I have already tried:
- Disable windows firewall (also the service completely)
- disable/stop the Check Point VPN-1 Securemote service + its watchdog service
- (the stuff Paul proposed in his answer, see in the comments there)
I cannot use [Check Point Tray Icon] -> [Tools] -> [Disable Security policy] as that is grayed out.
How can I FULLY disable this thing?
I have full admin access on my machine (how else could I disable my firewall (service!) and the CP Windows service.
This is a Win XP sp3 machine.
To reiterate: I do not mind the tool blocking what it wants while it is active but it also fully blocks inbound connections while it is not active -- even while its Windos Service isn't even running! (Note that the Check Point diagnostic utility does show in its log the dropped inbound packets.)
Another clarification: The tool does not block outgoing traffic, that is I can browse the net, check mails, etc. even while it is active just fine. However it does block all inbound connections (essentially like Windows firewall would do by default, dropping all inbound packets).
I can only assume I've either missed another service of this or it has installed a device driver or root kit of some sorts to enforce its so called security policy while it is not even in use.
Martin
MartinMartin1,22655 gold badges2828 silver badges5050 bronze badges
2 Answers
Which version of the client is this? Versions later than R65 get increasingly difficult to control the security policy. And The 7x series will block incoming traffic no matter what.
You can do this from the command line with
However, this requires the usersc.c file to be changed, so that it contains:
But this may not work of course. My solution to this is to install the bastid thing into a VM and access it via the console.
PaulPaul50.1k1414 gold badges124124 silver badges153153 bronze badges
I'm working on Windows server and this problem cuts off RDP connections from the users as well. We found the way to disable it anyway.
Hopefully, SecureClient NGX R60 HFA 3 with support for Windows 7 32bit is running okay on Windows server so WinXP should work well.
For 'Disabling Security Policy' option, it would be automatically enabled again when you logon VPN network successfully. Well, it can be disabled manually by the command like:
C:/>C:Program FilesCheckPointSecuRemotebinscc.exe sp off
Actually, you can automate this by creating a scheduled task to run the above command, say, for every 5 minutes, in order to keep the security policy disabled. The catch is that we need to initiate remote desktop connection to the server which may have SecureClient turned On (also with security policy which blocks RDP connections). This command turns off the security policy and allow RDP user to login remotely.
Ken PegaKen Pega
Not the answer you're looking for? Browse other questions tagged windowsvpncheckpoint or ask your own question.
Tunnel Management
In This Section: |
Overview of Tunnel Management
A Virtual Private Network (VPN) provides a secure connection, typically over the Internet. VPNs accomplish this by creating an encrypted tunnel that provides the same security available as in a private network. This allows workers who are in the field or working at home to securely connect to a remote corporate server and also allows companies to securely connect to branch offices and other companies over the Internet. The VPN tunnel guarantees:
- authenticity, by using standard authentication methods.
- privacy, by encrypting data.
- integrity, by using standard integrity assurance methods.
Types of tunnels and the number of tunnels can be managed with the following features:
- Permanent Tunnels - This feature keeps VPN tunnels active allowing real-time monitoring capabilities.
- VPN Tunnel Sharing - This feature provides greater interoperability and scalability between Security Gateways. It also controls the number of VPN tunnels created between peer Security Gateways.
The status of all VPN tunnels can be viewed in SmartView Monitor. For more information on monitoring see the Monitoring Tunnels chapter in the R77SmartView Monitor Administration Guide.
Permanent Tunnels
As companies have become more dependent on VPNs for communication to other sites, uninterrupted connectivity has become more crucial than ever before. Therefore it is essential to make sure that the VPN tunnels are kept up and running. Permanent Tunnels are constantly kept active and as a result, make it easier to recognize malfunctions and connectivity problems. Administrators can monitor the two sides of a VPN tunnel and identify problems without delay.
Each VPN tunnel in the community may be set to be a Permanent Tunnel. Since Permanent Tunnels are constantly monitored, if the VPN tunnel is down, then a log, alert, or user defined action, can be issued. A VPN tunnel is monitored by periodically sending 'tunnel test' packets. As long as responses to the packets are received the VPN tunnel is considered 'up.' If no response is received within a given time period, the VPN tunnel is considered 'down.' Permanent Tunnels can only be established between Check Point Security Gateways. The configuration of Permanent Tunnels takes place on the community level and:
- Can be specified for an entire community. This option sets every VPN tunnel in the community as permanent.
- Can be specified for a specific Security Gateway. Use this option to configure specific Security Gateways to have permanent tunnels.
- Can be specified for a single VPN tunnel. This feature allows configuring specific tunnels between specific Security Gateways as permanent.
Permanent Tunnels in a MEP Environment
In a Multiple Entry Point (MEP) environment, VPN tunnels that are active are rerouted from the predefined primary Security Gateway to the backup Security Gateway if the primary Security Gateway becomes unavailable. When a Permanent Tunnel is configured between Security Gateways in a MEP environment where RIM is enabled, the satellite Security Gateways see the center Security Gateways as 'unified.' As a result, the connection will not fail but will fail over to another center Security Gateway on a newly created permanent tunnel. For more information on MEP see Multiple Entry Point VPNs.
In this scenario:
- Host 1, residing behind Security Gateway S1, is communicating through a Permanent Tunnel with Host 2, residing behind Security Gateway M1.
- M1 and M2 are in a MEPed environment.
- M1 and M2 are in a MEP environment with Route Injection Mechanism (RIM) enabled.
- M1 is the Primary Security Gateway and M2 is the Backup Security Gateway.
In this case, should Security Gateway M1 become unavailable, the connection would continue through a newly created permanent tunnel between S1 and M2.
Tunnel Testing for Permanent Tunnels
Check Point uses a proprietary protocol to test if VPN tunnels are active, and supports any site-to-site VPN configuration. Tunnel testing requires two Security Gateways, and uses UDP port 18234. Check Point tunnel testing protocol does not support 3rd party Security Gateways.
Dead Peer Detection
In addition to Tunnel Testing, Dead Peer Detection (DPD) is a different method to test if VPN tunnels are active. Dead Peer Detection does support 3rd party Security Gateways and supports permanent tunnels with interoperable devices based on IKEv1/IKEv2 DPD (IKEv1 DPD is based on RFC 3706). It uses IPsec traffic patterns to minimize the number of messages required to confirm the availability of a peer.
The tunnel testing mechanism is the recommended keepalive mechanism for Check Point to Check Point VPN gateways because it is based on IPsec traffic and requires an IPsec established tunnel. DPD is based on IKE encryption keys only.
DPD has two modes:
- DPD responder mode - Requires an R77.10 or higher gateway managed by an R77 or higher management server.
- Permanent tunnel mode based on DPD - Requires an R77.10 or higher gateway managed by an R77.10 or higher management.
DPD Responder Mode
In this mode the Check Point gateway sends the IKEv1 DPD Vendor ID to peers, from which the DPD Vendor ID was received.
To enable DPD Responder Mode:
- Run on each gateway:
ckp_regedit -a SOFTWARE/CheckPoint/VPN1 forceSendDPDPayload -n 1
- Enable the keep_IKE_SAs property in SmartDashboard to prevent a problem, where the Check Point gateway deletes IKE SAs:
- In SmartDashboard, go to Global Properties > SmartDashboard Customization > AdvancedConfiguration > VPN advanced properties > VPN IKE properties.
- Change keep_IKE_SAs to true.
To disable DPD Responder Mode:
- Run on each gateway:
ckp_regedit -d SOFTWARE/CheckPoint/VPN1 forceSendDPDPayload
Note - Enable the keep_IKE_SAs property in SmartDashboard to prevent a problem, where the Check Point gateway deletes IKE SAs. The DPD mechanism is based on IKE SA keys. In some situations, the Check Point gateway deletes IKE SAs and a peer, usually a 3rd Party gateway, sends DPD requests without response and concludes that the Check Point gateway is down. The peer can then delete the IKE and IPsec keys, which causes encrypted traffic from the Check Point gateway to be dropped by the remote peer.
Permanent Tunnel Mode Based on DPD
DPD can monitor remote peers with the permanent tunnel feature. All related behavior and configurations of permanent tunnels are supported.
To configure DPD for a permanent tunnel, the permanent tunnel must be in the VPN community. After you configure the permanent tunnel, configure Permanent Tunnel mode Based on DPD. There are different possibilities for permanent tunnel mode:
- tunnel_test (default) - The permanent tunnel is monitored by tunnel test (as in earlier versions). It works between Check Point gateways only. Keepalive packets are always sent.
- dpd - The active DPD mode. A peer receives DPD requests at regular intervals (10 seconds). DPD requests are only sent when there is no traffic from the peer.
- passive - The passive DPD mode. Peers do not send DPD requests to this peer. Tunnels with passive peers are monitored only if there is IPsec traffic and incoming DPD requests. Note: To use this mode for only some gateways, enable the
forceSendDPDPayload
registry key on Check Point remote peers.
To enable DPD monitoring:
On each VPN gateway in the VPN community, configure the tunnel_keepalive_method property, in GuiDBedit Tool (see sk13009) or dbedit (see skI3301). This includes 3rd Party gateways. (You cannot configure different monitor mechanisms for the same gateway).
- In GuiDBedit Tool, go to Network Objects > network_objects > <gateway> > VPN.
- For the Value, select a permanent tunnel mode.
- Save all the changes.
- Install policy on the gateways.
Optional Configuration
- IKE Initiation Prevention - By default, when a valid IKE SA is not available, a DPD request message triggers a new IKE negotiation. To prevent this behavior, set the property dpd_allowed_to_init_ike to false.Edit the property in GuiDBedit Tool (see sk13009) > Network Objects > network_objects > <gateway Name> > VPN.
- Delete IKE SAs for dead peer - Based on RFC 3706, a VPN gateway has to delete IKE SAs from a dead peer. This functionality is enabled, by default.To disable this feature, set the DPD_DONT_DEL_SA environment variable to 0:
- To do this temporarily, run:
cpstop
export DPD_DONT_DEL_SA=0
cpstart
- To do this permanently:
- Add this line to the
$CPDIR/tmp/.CPprofile.sh file
:
DPD_DONT_DEL_SA=0 ; export DPD_DONT_DEL_SA- Reboot
Note - To re-enable the feature, remove the DPD_DONT_DEL_SA environment variable. - Add this line to the
- To do this temporarily, run:
VPN Tunnel Sharing
Tunnel test is a proprietary Check Point protocol used to see if VPN tunnels are active. Tunnel testing requires two Security Gateways and uses UDP port 18234. Third party gateways do not support tunnel testing.
VPN Tunnel Sharing provides interoperability and scalability by controlling the number of VPN tunnels created between peer Security Gateways. There are three available settings:
- One VPN tunnel per each pair of hosts
- One VPN tunnel per subnet pair
- One VPN tunnel per Security Gateway pair
Configuring Tunnel Features
To configure Tunnel Management options, proceed as follows:
- In SmartDashboard, click Manage > VPN Communities. The VPN Communities windowwill appear.
- Select the community (star or meshed) to be configured and click Edit.
- Click Tunnel Management.The Tunnel Management window is displayed.
- for Permanent Tunnels, see Permanent Tunnels.
- for Tracking, see Tracking Options.
- for VPN Tunnel Sharing, see VPN Tunnel Sharing.
Permanent Tunnels
In the Community Properties window on the Tunnel Management page, select Set Permanent Tunnels andthe following Permanent Tunnel modes are then made available:
- On all tunnels in the community
- On all tunnels of specific Security Gateways
- On specific tunnels in the community
To configure all tunnels as permanent, select On all tunnels in the community. Clear this option to terminate all Permanent Tunnels in the community.
To configure on all tunnels of specific Security Gateways:
- Select On all tunnels of specific Security Gateways and click Select Security Gateways.The Select Security Gateways window is displayed.To terminate Permanent Tunnels connected to a specific Security Gateway, highlight the Security Gateway and click Remove.
- To configure the Tracking options for a specific Security Gateway, highlight a Security Gateway and click on Security Gateway Tunnels Properties.
To configure on specific tunnels in the community:
- Select On specific tunnels in the community and click Select Permanent Tunnels.The Select Permanent Tunnels window opens.
- Click in the cell that intersects the Security Gateways where a permanent tunnel is required.
- Click Selected Tunnel Properties and the Tunnel Properties window is displayed.To terminate the Permanent Tunnel between these two Security Gateways, clear Set these tunnels to be permanent tunnels.
- Click OK.
Advanced Permanent Tunnel Configuration
In SmartDashboard:
- Click Policy > Global Properties.The Global Properties window is displayed.
- Select SmartDashboard Customization from the properties list.
- In the Advanced Configuration section, click Configure.The Advanced configuration window is displayed.
- Click VPN Advanced Properties > Tunnel Management to view thefive attributes that may be configured to customize the amount of tunnel tests sent and the intervals in which they are sent:
- life_sign_timeout - Designate the amount of time the tunnel test runs without a response before the peer host is declared 'down.'
- life_sign_transmitter_interval - Set the time between tunnel tests.
- life_sign_retransmissions_count - When a tunnel test does not receive a reply, another test is resent to confirm that the peer is 'down.' The Life Sign Retransmission Count is set to how many times the tunnel test is resent without receiving a response.
- life_sign_retransmissions_interval - Set the time between the tunnel tests that are resent after it does not receive a response from the peer.
- cluster_status_polling_interval - (Relevant for HA Clusters only) - Set the time between tunnel tests between a primary Security Gateway and a backup Security Gateway. The tunnel test is sent by the backup Security Gateway. When there is no reply, the backup Security Gateway will become active.
Tracking Options
Several types of alerts can be configured to keep administrators up to date on the status of the VPN tunnels. The Tracking settings can be configured on the Tunnel Management page of the Community Properties screen for all VPN tunnels or they can be set individually when configuring the permanent tunnels themselves. The different options are Log, Popup Alert, Mail Alert, SNMP Trap Alert, and User Defined Alert. Choosing one of these alert types will enable immediate identification of the problem and the ability to respond to these issues more effectively.
Terminating Permanent Tunnels
Once a Permanent Tunnel is no longer required, the tunnel can be shut down. Permanent Tunnels are shut down by deselecting the configuration options to make them active and re-installing the policy.
VPN Tunnel Sharing
For a VPN community, the configuration is set on the Tunnel Management page of the Community Properties window.
For a specific Security Gateway, the configuration is set on the VPN Advanced page of the Security Gateway properties window.
VPN Tunnel Sharing provides greater interoperability and scalability by controlling the number of VPN tunnels created between peer Security Gateways. Configuration of VPN Tunnel Sharing can be set on both the VPN community and Security Gateway object.
- One VPN Tunnel per each pair of hosts - A VPN tunnel is created for every session initiated between every pair of hosts.
- One VPN Tunnel per subnet pair- Once a VPN tunnel has been opened between two subnets, subsequent sessions between the same subnets will share the same VPN tunnel. This is the default setting and is compliant with the IPsec industry standard.
- One VPN Tunnel per Security Gateway pair- One VPN tunnel is created between peer Security Gateways and shared by all hosts behind each peer Security Gateway.
In case of a conflict between the tunnel properties of a VPN community and a Security Gateway object that is a member of that same community, the 'stricter' setting is followed. For example, a Security Gateway that was set to One VPN Tunnel per each pair of hosts and a community that was set to One VPN Tunnel per subnet pair, would follow One VPN Tunnel per each pair of hosts.