In this document we go step by step through establishing a Check Point Secure Client VPN connection using a USB-based Aladdin eToken smart card and its PKI client. An eToken Pro 32k is used in this case. The platforms on which I observed the implementation running free of problems are Windows XP and Vista 32-bit.
Before handling the eToken PKI client, we begin by installing Check Point Secure Client on a PC or laptop with any kind of active internet connection. A static IP address is not a requirement for the installation. Launch the Check Point Secure Client setup wizard using the corresponding msi package. I used VPN-1_SecureClient_NGX_R60_HFA_02_Supplement_3_630002002.msi in this setup, and I want to note that I didn’t encounter any problems accessing an R65 firewall with this client version.


We continue without changing the default installation directory;

Next, we select VPN-1 Secure Client

and we start the installation;

We click “Yes” to continue if we come across any Microsoft driver signature warning while the Check Point Secure Client drivers are being installed, and we complete the installation;

Before moving to the next step, we must restart the system when prompted to do so right after the setup wizard completes.

After the system has restarted, we double-click the PKI Client-x32-4.55.msi package (the final release at the time this post was written) and install the eToken PKI client with its default settings (Next > Next > …). We restart the system a second time after completing the PKI client installation, even if we are not prompted for it. When the system comes back, we plug the eToken into a USB port and wait for the eToken drivers to be configured and installed automatically. If we do not remember the PIN of our eToken, or if the eToken is brand new, we right-click the icon of the freshly installed PKI client on the taskbar before continuing, follow Open eToken Properties -> Advanced, then select “Initialize” on our eToken under Tokens & Readers to format it and set a new PIN. But don’t forget that initialization deletes any certificates already stored on the token!

Then, by right-clicking the Check Point VPN-1 Secure Client icon on the taskbar, we open the Settings menu and move to the Certificates tab. We use the Create Certificate button to request a new certificate from our Check Point firewall, which acts as the Certificate Authority (CA) in this situation;

As we want to store the certificate on our eToken, we continue by selecting the Store on a hardware or software token (CAPI) option in the window that appears.

We go ahead by selecting eToken Base Cryptographic Provider;

In the following window, we enter the IP address of the firewall interface through which we will connect to the VPN in the Site IP address/Name field. The user who will establish the VPN connection (in this case, you) has to obtain a Registration Key in order to request the certificate that was prepared for that user on the firewall. If you are not the administrator of the firewall, an authorized person must generate the key and deliver it to you by a secure method. If you do have access rights to manage the firewall, you can generate this key in the Check Point management GUI (SmartDashboard). To do so, follow the Manage -> Users and Administrators… menu and open the properties of the relevant user with the Edit button. Create the key in the Certificates tab as shown below.

The time granted for requesting the certificate is 30 days. If it is not retrieved by the end of this period, the certificate is revoked.

The registration key is a unique key created to request and download the certificate from the firewall one time only. Once the certificate is installed successfully, the key is discarded by the firewall and cannot be reused, so you do not have to keep it in your records. If the installation fails, it is not necessary to generate a new key, because the same key can be used repeatedly until you obtain the certificate.
The registration key and IP address below are examples. To proceed, enter your own actual key and firewall IP address in the appropriate fields;

When prompted, we enter the eToken PIN we set earlier;

If we entered a wrong registration key in the previous step, the error message we encounter is the one below;

If there is no problem, the certificate is downloaded and stored on the eToken. Now we can prepare Secure Client for a VPN connection. We open the Settings window by right-clicking the Check Point VPN-1 Secure Client icon on the taskbar and use the New > Site option under the Connections tab. We go ahead by filling in the “Server Address or Name” and “Display Name” fields in the Site Wizard window.

We select the Certificate option in the Authentication Method window;

We continue by selecting the certificate whose subject starts with “CN=<your username>”, such as CN=YourUser,OU=users,…, from the Certificate: pull-down menu.

We proceed by selecting the “Advanced” option in the Select Connectivity Settings window and enabling the Perform IKE over TCP connectivity enhancement;

We enter the eToken PIN again when prompted. A connection is made, and a validation window appears if the PIN is correct and the certificate is valid. The CA fingerprint of the firewall is blanked out below for security reasons. After this window, a final one appears confirming the completion of the setup process.

When we save the settings and quit the wizard, our firewall and eToken are ready to authenticate using the certificate we acquired. From now on, we can establish a VPN connection to our firewall site by entering only the PIN of our eToken. We do so by plugging the eToken into a USB port, right-clicking the Check Point VPN-1 Secure Client icon on the taskbar and selecting the Connect option whenever we want.
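As an added check that is not part of the original post, the PowerShell script below verifies the result of the enrollment above: it finds the certificate whose subject starts with CN=<username>, and reports whether its private key is held by the eToken Base Cryptographic Provider (rather than a software CSP), is non-exportable, and is still within its validity period. The assumption that the certificate CN matches the Windows user name is mine; pass -UserName if it differs.

```powershell
# Added verification script (not from the original post). Run on the client after
# enrolling the certificate; it only reads the user's certificate store.
param(
    [string]$UserName = $env:USERNAME,   # assumed: the certificate CN equals the Windows user name
    [string]$ExpectedProvider = 'eToken Base Cryptographic Provider'
)

function Test-TokenVpnCertificate {
    param([string]$Cn, [string]$Provider)

    # The Secure Client certificate is placed in the current user's Personal store via CAPI.
    $certs = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like "CN=$Cn,*" -and $_.HasPrivateKey }

    foreach ($cert in $certs) {
        # Touching PrivateKey on a smart-card key may trigger the eToken PIN prompt.
        $info     = $cert.PrivateKey.CspKeyContainerInfo
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $onToken  = ($info.ProviderName -eq $Provider)

        New-Object PSObject -Property @{
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer        # expected: the firewall's internal CA
            Thumbprint      = $cert.Thumbprint
            Provider        = $info.ProviderName
            OnExpectedCsp   = $onToken
            HardwareKey     = $info.HardwareDevice
            Exportable      = $info.Exportable    # expected: False for a token-resident key
            DaysUntilExpiry = $daysLeft
            # Ok only when the key lives on the token, cannot be exported and has not expired
            Ok              = ($onToken -and -not $info.Exportable -and $daysLeft -gt 0)
        }
    }
}

Test-TokenVpnCertificate -Cn $UserName -Provider $ExpectedProvider | Format-List
```

If Ok is False because Provider names a software CSP, the certificate was stored on disk instead of the token and should be re-enrolled with the CAPI option shown earlier.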




Through this ad-hoc installation and the subsequent VPN connection, you can access the systems inside your office network for which you have authorization rules defined in the firewall rule base. While using any available type of internet connection (ADSL, 3G, Wi-Fi, …), you will need neither password authentication nor a static IP address, wherever you are…
As long as you have your eToken with you, of course.