The PhoneBoy Blog

FireWall-1 FAQ: How do I use L2TP Clients with FireWall-1?

Last Modified: 23 Feb 2004

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.

I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.

If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)

Configuring FireWall-1 NG FP3 and above to work with L2TP clients is fairly straightforward. Ensure that Office Mode is set up. Additionally, make sure that the L2TP-specific options are configured accordingly. If MD5 Challenge is used, make sure that users that will be using MD5 Challenge are configured with IKE Pre-Shared secrets. The IKE Pre-Shared secret will be the password the user enters when prompted by the client. In your rulebase, ensure that the L2TP service is permitted to the firewall.

Each machine requires it’s own certificate. The Check Point documentation is unclear how one goes about creating a certificate for these machines, though it seems to suggest two different users be created – one for the machine and one for the user. In practice, you only need one user and one certificate, though you end up needing to install it in two different locations if you use certificate-based authentication, only one with MD5 Challenge.

Before any client certificates are issued, an adjustment needs to be made to how FireWall-1 generates certificates. This is necessary, as Windows require that specific attributes be set in the certificates, and FireWall-1 does not set these by default. On the management console, if using the Internal CA to generate L2TP certificates, perform the following steps:

1. Type cpstop.

2. Edit $FWDIR/conf/InternalCA.C and add the following lines:

    :ike_cert_extended_key_usage (1)
    :user_cert_extended_key_usage (2)
   

   
   The first line tells the Internal CA to generate IKE certificates for gateways with the “server authentication” purpose. The second line says to generate user-certificates with the “client authentication” purpose.

3. Type cpstart.

If you’re using an OPSEC CA instead, log into the management station with dbedit (or use GUIdbedit) and issue the following commands:

    dbedit> modify properties firewall_properties cert_req_ext_key_usage 1
    dbedit> update properties firewall_properties

Now restart the management console with cprestart.

Client certificates can be issued with the correct attributes. Go into the appropriate user(s), generate and save the certificate to your local system. You will then have to somehow give the certificate and the associated passphrase to the end user. The end user will then install this certificate into their platform. To install the certificate into Windows 2000 and XP:

1. Log into the desired platform as a user with local administrator privileges.
2. Copy the certificate onto the desired platform into a known location. For the purposes of these steps, we will assume the certificate file is copied to the path c:datafish.p12.
3. From the command prompt, or from File, Run, run the command mmc, i.e. the Microsoft Management Console.
4. From the console menu, select Add/Remove Snap-in.
5. In the “Add/Remove Snap-in” window, click on Add.
6. In the “Add Standalone Snap-in” window, select Certificates and click on Add.
7. In the “Certificates Snap-in” window, select “Computer Account” and click on Next.
8. In the “Select Computer” window, select “Local Computer” and click on the Finish button. If you are using MD5 Challenge for authentication, skip to step 11.
9. In the “Add/Remove Snap-in” window, click on Add.
10. In the “Add Standalone Snap-in” window, select “My user account” and click on Finish.
11. Click on Close in the “Add Standalone Snap-in” window
12. Click on Close in the “Add/Remove Snap-in” window.
13. Double-click on “Certificates (Local Computer)” and you will see a list of certificate types in the “Logical Store Name” frame.
14. Double-click on “Personal” in the “Logical Store Name” frame. That frame should be replaced with one called “Object Type.”
15. Right-click in the “Object Type” frame and select “All Tasks,” then “Import.”
16. Click on “Next” in the resulting “Certificate Import Wizard” screen.
17. Specify the path to the certificate file, which in this case is c:datafish.p12
18. In the next screen, type in the passphrase used by the administrator to protect the certificate. Check the “Mark Private Key as Exportable” checkbox. Click on Next.
19. When prompted for a certificate store, select “Automatically…” then click on Next, then Finish. Click on “Ok” in the dialog that notifies you the import was successful. If you are using MD5 Challenge for authentication, skip to step 22.
20. Double-click on “Certificates – Current User” and you will see a list of certificate types in the “Logical Store Name” frame.
21. Repeat steps 14 thru 19.
22. From the “Console” menu, select “Save.”
23. Specify a file with a .msc extension, e.g. Console1.msc. Click Save.
24. Exit the Microsoft Management Client.

The client will now have the ability to utilize the certificate for authenticating the L2TP session. The next step is to ensure the “IPSec policy agent” is running, which can easily be checked by typing the command net start “IPSEC Policy Agent” into a command prompt and see if it says it is already started. If it is, chances are its enabled by default as well. If this command starts up the IPSEC Policy Agent, you will need to go into the Services (under the Administrative Tools section of the Control Panel) and set the IPSEC Policy Agent to start automatically.

Now you will create a new connection for the L2TP connection. Perform the following steps.

1. Right-click “My Network places” on the Windows desktop and choose “Properties.” The “Network and Dial-up Connections” window should be display.
2. Double-click on the “Make New Connection” icon and click Next.
3. Choose “Connect to a private network through the Internet” and click Next.
4. Choose whether or not to dial-up an initial connection. You would do this if you needed to use dial-up to establish an Internet connection.
5. Enter the gateway’s DNS resolvable name or IP address and click Next.
6. Choose whether you wish to make this connection available to all users or not and click Next.
7. Enter a name for this connection and click on Finish.
8. Right-click on the connection icon just created and select “Properties.”
9. Click on the Networking tab. Specify the VPN server type as L2TP.
10. Click on the Security tab, choose “Advanced” security options and click on “Settings.”
11. Under “Logon Security,” select “Use Extensible Authentication Protocol (EAP).” Under the pulldown, select Certificate or MD5 Challenge depending on what was specified on the gateway.
12. If certificates was chosen, click on Properties and certificate. Uncheck “Validate Server Certificate” unless you wish to export the Internal CA key and import it into the workstation. Click Ok.
13. Click “Ok” twice.

Now your client should be able to connect using this new network connection profile. When it is activated, you will either enter your username and IKE pre-shared secret or select your certificate and click Ok. Assuming everything was configured correctly, the connection should come up.

NOTE: FireWall-1 does not appear to support L2TP clients behind NAT devices, or at least the Microsoft L2TP client doesn’t appear to work in this manner. Since I originally wrote this document, Microsoft came up with a patch to their L2TP client that will allow support over NAT. Refer to article id 818043.