Dreez's
PKI Single Sign-On Project

VPN FAQ

Revision Control

Date

 Modifications
2/1/2001 Initial
   
   
   

Contact Dreez: mje@secev.com

Overview

This section contains is a list of bugs that I find as I work my project. Hopefully I'll be able to resolve most of these issues.

FAQ

  1. User's can't authenticate, client can't exchange keys - General Answer

    Check:

        - Clocks on all computers should be in sync
        - Certificate times should synch with clocks (not expired or not valid yet)
        - CRL machine is pingable from firewall and you can telnet to port 80 from firewall
        - You are issuing "User" certificates that can encrypt and digitally sign (see Dreez types of certs)
        - The user name matches exactly, see user authentication
        - Ensure license keys and encryption types all match up
        - Ensure client software is capable of supporting strong encryption type

    the certificates field by field to make sure you have the right dates, serial numbers. Many
    times the certificate on the client is different from the certificate on the server or the Root CA is different or the times are wrong.

  2. User fails authentication, but I have them in database?

    Ensure the user's name as appears in the "cn=" matches character for character what matches in the username database. In the following case its "endrizzi", all lower case. Look out for spaces.

     

  3. During testing, user authenticates fine but encryption isn't happening?

    This is actually a general Secure Client bug not related to PKI. 

    When Secure Client is attached to the directly connected net of the external segment of the firewall, all the authentication works fine, but packets destined for the internal network don't seem to be encrypting. If you look at a sniffer, the packets are heading for the Internet in the clear and are not encrypting. Bad.

    If the client is on a remote net, no problem.

    If you change the default gateway to point to the firewall, things start to work, but then ICMP redirects are sent to the client and Secure Client drops them and it all falls apart again.

    No solution known. 


  4. Error message something like - Wrong type of certificate or Wrong usage fields

    Make sure you are using a "User template" certificate with the following attributes displayed below. Sometimes people use a "EFS" certificate which is only used for Encrypted File System, and does not have the proper usage bits to be used for digital signatures.











  5. CRLs don't work.

    CRLs are useless WRT VPNs. Your access control is done through AD.  If a user quits, disable their account or remove them from AD or take out their VPN login name, or remove them from the VPN group. 

    Just make sure you can telnet to port 80 from the firewall to the CRL machine.

  6. How can I build VPN groups in AD??

    Within normal Active Directory, build a group for VPN users and add all the people you want to VPN authenticate into that group:

Then in the ACM (Account Management Tool) from Checkpoint, search for that group:

 

17: Creating templates

I think it can be done, but haven't taken time to look into it. I think one has to created the right class structure so that the fw1templates can populate the directory under the right containers. Right now it wants to put them into the "users" container and I don't think that's right.

Home | Services | Training | Support | Contact Us | Search

Copyright 2006, Security Evolution, Inc.