
Tuesday, October 26, 2010

Check Point VPN-Client (SecureClient) connectivity issue

Our company's head office runs a Check Point UTM-1 firewall cluster at the perimeter. Recently we encountered strange SecureClient behaviour with some internal users. The scenario is like this.
Some of the staff members need to establish Remote Access VPN connections to another Check Point gateway. When they use an ADSL or an HSPA connection they can connect to that particular gateway, but when they try to establish the same connection through our perimeter Check Point gateway the connection fails with the error:

"Negotiation with gateway xxxx at site x.x.x.x has failed. Received notification: invalid id information"

When we looked at the firewall logs in SmartView Tracker, we saw that the IKE traffic was being sent to one of the interfaces of our own Check Point gateway, which should not be the case.

The cause is this: once a site is created in the VPN client, the client automatically downloads the remote gateway's topology and stores it in the userc.C file in the SecuRemote/database directory. Along with the topology it stores the interface addresses of the remote gateway.
When I examined the file I saw that some of the remote gateway's interface IPs were exactly the same as our own firewall's interface IPs. So the VPN client tried to reach the remote gateway through one of those addresses and ended up terminating the IKE negotiation at our own gateway instead.

When I searched the Check Point UserCenter I found the article sk26189.
It seems that the remote gateway is running an older version of Check Point.
According to the article, the change has to be made in the remote gateway's objects_5_0.C file, so that the gateway's interface information is not downloaded to the client.

That raised a problem: we have no way to make changes on the remote gateway. So how do we get around this?

I edited the userc.C file manually, located the remote gateway's interface information and deleted only the interface entries (not the whole topology). Then I restarted the VPN client.

After that the Remote Access VPN connected successfully. :)
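A small diagnostic for the situation described above, written as an added example (it is not code from this post or from Check Point): it reads a simplified, constructed userc.C-style topology fragment, lists the remote gateway's interface addresses that collide with our own perimeter gateway's, and removes only the interfaces block, the way the manual fix did. The file layout, key names, gateway name and addresses are all assumptions.

```python
import re

# Constructed sample in the nested ":key (value)" style of Check Point's
# userc.C topology file; key names, gateway name and addresses are all
# assumptions made for this example, not taken from a real file.
SAMPLE_USERC = """\
(
    :gateways (
        : (remote-gw
            :ipaddr (198.51.100.10)
            :interfaces (
                : (:ipaddr (198.51.100.10) :ipmask (255.255.255.0))
                : (:ipaddr (192.0.2.1) :ipmask (255.255.255.0))
            )
        )
    )
)
"""
# Constructed: interface addresses of our own perimeter gateway.
LOCAL_GATEWAY_IPS = {"192.0.2.1", "192.0.2.2"}

def _block_span(text, key):
    """Find ':key (' and return (start, end) of the whole parenthesised
    block, counting depth so nested sub-blocks stay inside it."""
    m = re.search(r":%s\s*\(" % re.escape(key), text)
    if m is None:
        return None
    depth, i = 1, m.end()
    while depth and i < len(text):
        depth += {"(": 1, ")": -1}.get(text[i], 0)
        i += 1
    return m.start(), i

def interface_ips(text):
    """Addresses listed under the remote gateway's ':interfaces' block."""
    span = _block_span(text, "interfaces")
    return [] if span is None else re.findall(r":ipaddr\s*\(([\d.]+)\)", text[span[0]:span[1]])

def overlapping_ips(text, local_ips=LOCAL_GATEWAY_IPS):
    """Remote interface addresses that collide with our own gateway's; any
    hit explains the IKE negotiation landing on the wrong firewall."""
    return sorted(set(interface_ips(text)) & set(local_ips))

def strip_interfaces(text):
    """Drop only the ':interfaces (...)' block, keeping the gateway's main
    address and the rest of the topology, as the manual fix above did."""
    span = _block_span(text, "interfaces")
    return text if span is None else text[:span[0]] + text[span[1]:]

if __name__ == "__main__":
    print("overlapping:", overlapping_ips(SAMPLE_USERC))
```

Run it against a copy of the real userc.C only after backing the file up; the client regenerates the topology on the next site update, so the check is worth repeating.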

1 comment:

alfred03white said...

Thanks for sharing the information. I am glad that the issue was solved. Well, I am also in need of a China VPN service, specifically for my Android phone. Do you know of any good VPN in China for Android users? If yes, please recommend one.