To all:

I have the following question: Is it possible to have a user authenticate via SecurID to download the topology using SecuRemote Hybrid mode for IKE?
I have the following config:

Two Nokia IP650s running Nokia IPSO 3.3 with CheckPoint 4.1 SP2.

1 Sun Ultra-2 running Solaris 2.6 and CheckPoint FW-1 4.1 SP2 (Management station).
For testing I have created a group called test_vpn and added one internal machine to it. I have modified the primary FW object and added this group as the encryption domain (FW -> VPN tab -> Domain). I have checked the box for exportable for SecuRemote. I have checked IKE under the "Encryption Schemes defined" and if you edit IKE the following are set: CAST, 3DES, MD5, SHA1, VPN-1 & FireWall-1 authentication for SecuRemote (Hybrid Mode), Supports aggressive mode, Support keys exchange for subnets. Pre-shared secret and public key signature boxes are not set.
I have created a user (for this example named tvpn) with the authentication set to SecurID (User Properties -> Authentication tab). In User Properties -> Encryption tab under "Client Encryption methods" IKE is checked (FWZ is not). If you go to "Edit" the IKE properties I have unchecked the Password and Public Key boxes; under the Encryption tab (for IKE) I have left everything as the default (Encryption + Data Integrity (ESP), SHA1, 3DES).
I have added a rule to my rulebase that reads as the following:

    Src        Dst         Service   Action          Track
    tvpn@Any   primary FW  FW1_topo  Client Encrypt  Acct.

FW1_topo is the default service defined for port 264.
Number 1: The PC that I am trying to test on is on a DSL circuit using DHCP and NAT using EnterNet300 (Ameritech stuff) which seems to run fine. I can get out to the Internet including our site without any problems.

Number 2: When entering the site info, I enter the external IP addr. of the primary FW (I currently don't know if it makes a difference whether you use the external addr. of the FW or use the addr. of the Mgmt. station); when I am prompted to enter a username/password (when the SecuRemote pop-up comes up) I enter the tvpn username that I set up for testing along with the PIN/number in SecurID.
I see the entry in the FW logs but on the DSL PC I get a pop-up indicating Authentication failed. In the FW logs the first thing that I notice is that the entry is logged by rule 0 and not against the Client Encrypt rule for the Topology download. In the info field I get a reason of:

    Refused Topology request. Authentication scheme not allowed for user.
I have also gone to the CheckPoint site and printed off the document dated September 6, 2000 titled "Hybrid Mode IKE for SecuRemote Authentication". I have followed the steps and set up the Internal CA without any problems.
Does what I am trying to do not work this way? Do I have to set up a dummy user to allow FW-1 password auth to download topologies and then set up another rule for the SecurID auth for the actual VPN?
Any insight to this would be greatly appreciated.

TIA.

P.S. Sorry for the length but I am hoping that the detail will help the old lightbulb shine a little brighter. :) Right now I am a little miffed.