FOAK:Checkpoint VPN

Discussion in 'UK Motorcycles' started by Antonio, Aug 9, 2006.

  1. Antonio

    Antonio Guest

    Are there any budding experts on Checkpoint VPNs?

    I have been using R60 NGX and found it doesn't tend to like Boingo Free WiFi
    software very much.
    It will connect the WiFi over non-VPN as long as you like, but once VPN is
    active, it will only keep the connection (WiFi) up for a while, and then for
    some reason force disconnects it.

    I believe the Diagnostic might reveal more info why, but I'm not totally sure
    if the messages in there were relevant. There were plenty of messages that on
    recollection mention local IP address vs "Office mode" causing an
    encryption failure.
    I am just wondering if the VPN has enough encryption errors of a
    particular type (due to the WiFi and VPN combo), and perhaps then decides the
    active security policy must kill the connection (thinking it's like a dial
    up, which it ain't).

    Of course the VPN connection cannot even name a WiFi connection to bind to
    the particular connection (or this one can't, let's be clear), so the VPN is
    running over the usual "LAN". So it's not like a specific named connection is
    set in the software, by me at least.

    I traced the settings causing the problem (and fixed it) by removing the
    enabled settings for NAT-T, Connectivity enhancements and Hub Routing mode,
    which I found to be in force. I tried an earlier R56 "clean install" and found
    it did not reproduce the problem. I mirrored the settings in R60 (which was
    deployed with an existing policy, however, hence the new settings) and found
    it then worked.

    The question is, no one can tell me what those settings do and we don't have
    a direct Checkpoint support contract. We have a European centre that does,
    but I may struggle to get them to answer the problem. I also doubt the
    company would fund NGX certification.
    I have the solution, I am just not totally sure what the problem is. Or
    something.
     
    Antonio, Aug 9, 2006
    #1

  2. Mike Buckley

    Mike Buckley Guest

    Uh, I've just done the NGX cert, but we're not using it yet. I did the
    accelerated course, which didn't even cover the VPN enhancements - a cock
    up by Checkpoint, nothing new there then.
    This needs fixing, are you using office mode?
    Unfortunately for you, Checkpoint have really messed with the VPNs in
    R60, adding such features as virtual tunnel interfaces, route based VPNs
    and other gubbins. There's *masses* of stuff in the manuals about this,
    but I'd suggest googling - phoneboy is a good start, as is cpug.org. If
    you set VPN_DEBUG to 1 you can check ike.elg and vpnd.elg for errors,
    there's also srinfo if you're using SecureClient (but you may need to
    download it).

    All our VPNs (on R55) are site to site, so I don't have much direct
    experience with remote access stuff.
     
    Mike Buckley, Aug 10, 2006
    #2

  3. Mike Buckley

    Mike Buckley Guest

    I'm not at work, so ukrm doesn't have my undivided attention at the
    moment.
     
    Mike Buckley, Aug 10, 2006
    #3
  4. Antonio

    Antonio Guest

    Thanks Mike

    I checked, and R56 however is no different. It seems if you JUST tick the hub
    mode, it screws that particular software, causing those disconnects (but no
    other WiFi software, strangely). Turn off that Hub mode, and it's fine.
    I have been advised that Hub mode is "necessary" for infrastructure security,
    which is a bit of a pain; we can stick with this workaround without telling
    them and risk it, or check out other s/w. No answers as to what it is or how
    to troubleshoot it though.

    Shame, as Boingo (besides being US specific) is quite a good (free) product.

    I tried Mcafee wireless security which when I tried it before did not work.
    It seems to be ok now though. The interface is a little shite. Free though
    (their WPA product anyway, they do a managed secure product at cost).

    Also PCTEL Segue, which was quite interesting, works (although it misidentified
    a point as WEP when it was in fact WPA, but manually configures fine). A set
    of completely unnecessary skins for it too which are quite mental. Not free,
    $19.95.

    So I think I have it under control, but no clue really to solving the
    problem. It's a bit of a pain when I have already created my own user guide to
    using WiFi that centres around Boingo, which otherwise is the ideal, most
    user-friendly WiFi product I have seen (it just allows connect/disconnect
    and leaves the technical bullshit graphs and monitors out of the equation -
    ideal for a userbase).

    The main reason for selecting a hardware independent model is because of a
    mixed platform of hardware/software base, by the way; otherwise internal
    stuff would be the way to go.
     
    Antonio, Aug 10, 2006
    #4
  5. anybody43

    anybody43 Guest

    This is complete speculation:-

    I don't know if this will help or not but as I understand it Hub Mode
    forces all traffic to go over the VPN to the central firewall. Once there
    it is subjected to the rules applied there and forwarded if appropriate.

    So for example once the VPN is up ordinary web browsing
    goes via the central site.

    Perhaps Boingo uses some communications that is being
    blocked by the central site? Even if it is not being blocked
    the central site will be NATting it to its address which may
    confuse Boingo. Or maybe Boingo cannot accept that traffic
    coming in from its internet side when they expect to see it
    coming from the direction of your PC?

    I would guess that a load of corporates will use similar VPN
    configurations and Boingo should fix it if they want that
    market.

    When you have hub mode off, traffic not heading for the LAN
    at the central site just goes directly off over the internet.

    I would start there anyway.

    You could always run a packet sniffer on the laptop and
    see what traffic it is sending and if it is getting
    the expected responses.

    Luckily;-) SecureClient comes with one.

    [Ctrl]C to stop it.

    If you press no buttons (i.e. create no network traffic) then
    just maybe you will get to see something interesting such
    as your PC trying to check in with Boingo and getting no response.

    Thing is that without a lot of network knowledge interpreting
    such a dump is pretty tough.

    if you did

    srfw monitor > some-file.txt

    [Ctrl]C to stop it.

    you could look at it at your leisure.

    Post it on the web and I could have a look.

    Stop the trace as soon as the Boingo connection drops.

    If you can't tell when it drops do a ping in another window to
    say www.google.com and stop the trace as soon the ping fails.

    The critical thing is to create no extraneous network traffic
    /at all/ so that the packets that we are interested in are
    as obvious as possible and to stop the trace as soon as
    the connection fails such that the problem should be at the
    end of the trace. Kill off anything that is creating
    network traffic that you do not need.

    Finally, you could do a similar exercise with the VPN
    down, or not in hub mode, and compare the results.

    Good luck.
     
    anybody43, Aug 11, 2006
    #5
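As an added example (not from this thread, and not Check Point's own tooling): a small Python script that does the tail-of-trace analysis anybody43 describes, namely finding the outbound requests near the end of a capture that never got a reply, and then comparing the hub-mode trace with a trace taken with hub mode off. It assumes the captures were saved as tcpdump-style one-line text summaries (fw monitor / srfw monitor output has its own format, so the parser here is an assumption, not a reader for that tool), and the two sample dumps are constructed with documentation addresses, not real Boingo traffic.

```python
"""Find outbound flows at the end of a text packet dump that never got a reply,
and report which destinations only fail when the VPN is in hub mode.

Assumptions (this is added example code, not part of the original thread):
 - input is tcpdump-style summary text, one packet per line, numeric addresses
 - the laptop's own address is known (passed as local_ip)
 - sample dumps below are constructed; 198.51.100.7 stands in for a
   hypothetical hotspot check-in host and 203.0.113.9 for the ping target
"""
import re
from collections import OrderedDict

# "12:00:01.000 IP 10.0.0.5.51000 > 198.51.100.7.443: Flags [S], ..."
# "12:00:02.000 IP 10.0.0.5 > 203.0.113.9: ICMP echo request, id 1, seq 1, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$"
)
ICMP_RE = re.compile(r"ICMP echo (request|reply), id (\d+), seq (\d+)")


def parse(dump):
    """Turn summary lines into packet dicts; lines that don't fit are skipped."""
    pkts = []
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        if g["sport"] and g["dport"]:
            # tcpdump prints "Flags [...]" only for TCP; treat the rest as UDP (heuristic)
            proto = "tcp" if "Flags [" in g["rest"] else "udp"
            ident = (int(g["sport"]), int(g["dport"]))
        else:
            icmp = ICMP_RE.search(g["rest"])
            if not icmp:
                continue  # non-echo ICMP, ARP, etc. are not flows we can pair up
            proto = "icmp"
            ident = (int(icmp.group(2)), int(icmp.group(3)))  # (id, seq)
        pkts.append({"ts": g["ts"], "src": g["src"], "dst": g["dst"],
                     "proto": proto, "ident": ident})
    return pkts


def _outbound_key(p):
    return (p["src"], p["dst"], p["proto"], p["ident"])


def _reply_key(p):
    """Key a packet addressed to us by the outbound flow it would answer."""
    if p["proto"] == "icmp":
        ident = p["ident"]                      # echo reply keeps id/seq
    else:
        ident = (p["ident"][1], p["ident"][0])  # ports swap on the way back
    return (p["dst"], p["src"], p["proto"], ident)


def unanswered(dump, local_ip):
    """Outbound flows from local_ip with no packet seen coming back.

    Each entry records the destination, the number of attempts (e.g. SYN
    retransmits) and the first/last timestamp, in order of first attempt.
    """
    pkts = parse(dump)
    answered = {_reply_key(p) for p in pkts if p["dst"] == local_ip}
    flows = OrderedDict()
    for p in pkts:
        if p["src"] != local_ip:
            continue
        key = _outbound_key(p)
        if key in answered:
            continue
        f = flows.setdefault(key, {"dst": p["dst"], "proto": p["proto"],
                                   "ident": p["ident"], "first": p["ts"],
                                   "last": p["ts"], "attempts": 0})
        f["attempts"] += 1
        f["last"] = p["ts"]
    return list(flows.values())


def only_in_hub_mode(hub_dump, split_dump, local_ip):
    """(dst, proto) pairs that go unanswered with hub mode on but not off."""
    hub = {(f["dst"], f["proto"]) for f in unanswered(hub_dump, local_ip)}
    split = {(f["dst"], f["proto"]) for f in unanswered(split_dump, local_ip)}
    return sorted(hub - split)


# Constructed sample: hub mode on. The second check-in (port 51001) and the
# last ping get nothing back, so they sit at the tail as anybody43 predicts.
HUB_MODE_DUMP = """\
12:00:01.000 IP 10.0.0.5.51000 > 198.51.100.7.443: Flags [S], seq 1, length 0
12:00:01.020 IP 198.51.100.7.443 > 10.0.0.5.51000: Flags [S.], seq 1, ack 2, length 0
12:00:02.000 IP 10.0.0.5 > 203.0.113.9: ICMP echo request, id 1, seq 1, length 64
12:00:02.030 IP 203.0.113.9 > 10.0.0.5: ICMP echo reply, id 1, seq 1, length 64
12:00:31.000 IP 10.0.0.5.51001 > 198.51.100.7.443: Flags [S], seq 1, length 0
12:00:34.000 IP 10.0.0.5.51001 > 198.51.100.7.443: Flags [S], seq 1, length 0
12:00:35.000 IP 10.0.0.5 > 203.0.113.9: ICMP echo request, id 1, seq 2, length 64
"""

# Constructed sample: hub mode off (split tunnel). Everything is answered.
SPLIT_DUMP = """\
12:10:01.000 IP 10.0.0.5.52000 > 198.51.100.7.443: Flags [S], seq 1, length 0
12:10:01.020 IP 198.51.100.7.443 > 10.0.0.5.52000: Flags [S.], seq 1, ack 2, length 0
12:10:02.000 IP 10.0.0.5 > 203.0.113.9: ICMP echo request, id 1, seq 1, length 64
12:10:02.030 IP 203.0.113.9 > 10.0.0.5: ICMP echo reply, id 1, seq 1, length 64
12:10:31.000 IP 10.0.0.5.52001 > 198.51.100.7.443: Flags [S], seq 1, length 0
12:10:31.020 IP 198.51.100.7.443 > 10.0.0.5.52001: Flags [S.], seq 1, ack 2, length 0
"""

if __name__ == "__main__":
    for f in unanswered(HUB_MODE_DUMP, "10.0.0.5"):
        print("no reply from %s/%s ident=%s attempts=%d (%s .. %s)"
              % (f["dst"], f["proto"], f["ident"], f["attempts"], f["first"], f["last"]))
    print("fails only with hub mode:", only_in_hub_mode(HUB_MODE_DUMP, SPLIT_DUMP, "10.0.0.5"))
```

Run it against a real trace by saving the capture as text and feeding the file's contents to `unanswered()` with the laptop's address; the entries near the end are the ones to look at first. Anything that shows up in `only_in_hub_mode()` is traffic the central gateway is dropping or NATting in a way the far end won't accept, which is exactly the hypothesis above, and is what to take to whoever owns the gateway policy.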
  6. Antonio

    Antonio Guest

    Cheers. It's possible but I have found a less desirable solution by testing
    out another alternative, platform independent solution.
    In this case, the McAfee Wireless Security (with WPA) does a reasonable job
    (although I have had some inconsistency with a T41, particularly on
    manipulating the power setting for wifi - even if I close their application
    down). Worked very well on a Toshiba Tecra S-2 though. It doesn't "detect"
    when the radio is down like Boingo does, though.
    I need to further this and make sure it's up to the job.

    I could try what you suggested but I might need to check through the log to
    make sure I am not giving away any security related information that could
    compromise our network.
    I wonder whether this would help actually lead to a solution as well, but
    anyway can't hurt to examine.
    PS I think the utility you refer to MIGHT be the SecureClient "Diagnosis"
    tool /Logs (seen when in Connect mode), which I have already used. But I
    might be wrong....

    Another client I tried was the PCTel client but it was a bit naff, US
    specific and even more unreliable with the VPN client, but great WMPlayer
    style "Skins" lol.
    Odyssey works very well and we could get this internally, but the
    infrastructure for it has not been laid out yet, and there's no guarantee for
    when it will be.

    The Boingo client is free and great for our needs generally speaking and
    also designed BY a HotSpot vendor, which is somewhat the point.
    I think the stuff designed by IT guys/ hardware manufacturers has gone off
    at a tangent and lost the plot, in terms of simplicity of use.
    For instance Toshiba Config-Free, if poorly used alongside their Auto-switch
    mode can leave a load of network adapters in a "disabled" state !
    Fortunately, XP provides the Zero-Config which is pretty basic and useful,
    but what about 2000 clients ?

    But being outside of the US, we aren't even allowed to be subscribers of
    Boingo anyway (cross-competitivity with TheCloud you see) and I wonder
    whether we would get much support.
    I did bang a question in to them but naff all back so far.....which probably
    explains their point of view.
     
    Antonio, Aug 13, 2006
    #6