VPN Edge (Sofaware) FAQ
Latest firmware version: 6.5.43 (10/18/2006)
Other links:
Sofaware support
Questions:
1) I downloaded a bad policy from the Check Point service
center and lost connectivity. How do I clear the Service Center policy?
2) I tried to enable NAT and the Edge is ARPing for client
addresses, causing MAC address conflicts.
3) What is libsw and what do I do with the files from the Check
Point web site?
4) I got an error when installing my VPN Edge policy: "Wrong Update version in policy"
5) How can I use RADIUS to authenticate my AD users
to access a wireless Edge network?
Answers
1) In the web GUI, go to Services > Connect. Uncheck "Connect to a
different Service Center" and go through the wizard. When you are
done disconnecting, the remote policy should be gone, and you can
reconnect to get a new policy.
2) There is a bug in older firmware that causes this. Upgrade
to at least 5.0.73.
3) The libsw files are configuration compatibility files that Check
Point NG/NGX requires in order to talk to an Edge device running later
versions of the 5+ firmware. You must use them to update the files on
your management station in the following directory:
- For NG: $FWDIR/CPfwbc-41/libsw (on Windows,
this is %FWDIR%\FW1_4.1_BC\libsw).
- For NGX: $FWDIR/FW1_EDGE_BC/libsw
The files can be obtained from the Check Point web site, in the
same location as the updated firmware.

Extract the libsw directory from the archive. Back up the
old libsw and rename or remove it. Replace libsw with the
files from the libsw archive. Install your policy (you should
not need to restart the management station). You can verify
the install by checking the logs on the management station, or by
going to Setup > Tools > Diagnostics in the web GUI of the Edge to
check the policy and installation time.
More details can be found in the Check Point Knowledge
Base, if you have access.
4) The libsw files on the management station need to be
updated. See the "What is libsw" question for how to perform
this upgrade.
5) We are going to use three components here:
- A VPN Edge -W series running firmware 6.0.76
- A wireless laptop with an Intel 2915ABG built-in NIC (driver
version 10.5.0.0)
- A Windows 2000 Domain Controller with the included IAS RADIUS
service installed

- First, on the DC, make sure the service is running, and then
add the VPN Edge as a RADIUS client under the "Clients"
folder. Assign the IP address of the Edge as it will be
seen from the IAS server, and enter the shared secret to encrypt
to the Edge (at this point the secret is arbitrary, but remember it
for later, since we must type it on the Edge).

- Next, modify the IAS Remote Access Policy. By default,
there is a policy called "Allow access if dial-in permission is enabled".
Right-click the policy and go to Properties > Edit Profile
> Authentication tab. Make sure Protected EAP is
enabled.

- Finally, in order to authenticate against AD accounts, you
must register IAS with AD. To do this, right-click the
"Internet Authentication Service (local)" icon and
choose "Register service in Active Directory".
That should about do it for IAS.
- Now go to the VPN Edge device. In order to set up the
wireless network, we must first define the RADIUS server.
In the main menu, go to the "Users > RADIUS" tab.
Enter the IP address of the IAS server, the port (defaults to
1812), and the secret from step 1. Check the "HotSpot
Access" checkbox at the bottom of the page.
- Now go to "Network > My Network tab > Edit WLAN".
Settings should look something like what is shown below.
Assign IP addresses, SSID, and Mode, and set Security to
"WPA: RADIUS authentication, encryption".

- Finally, go to your laptop client and configure the wireless
network with the Microsoft Wireless Zero Configuration software
that is part of XP (this supports almost all wireless NIC
cards). Define the SSID and encryption type (WPA, TKIP) on
the Association tab, then on the Authentication tab, enable
802.1x and choose Protected EAP as the type. You should be
able to connect now.
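
The shared secret typed into IAS in the first step and again on the Edge's RADIUS tab has to match exactly, because RADIUS packets that carry EAP are authenticated with it. The Python below is an added example, not part of the original FAQ and not Check Point or Microsoft code: it builds an Access-Request the way a RADIUS client would and applies the RFC 3579 Message-Authenticator check (HMAC-MD5 keyed with the shared secret) on the server side. The secret, user name and function names are constructed for illustration.

```python
import hashlib, hmac, os, struct

USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80  # RADIUS attribute types

def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, ident, user):
    """Client (NAS) side: Access-Request carrying an EAP-Response/Identity."""
    eap = struct.pack("!BBHB", 2, ident, 5 + len(user), 1) + user
    attrs = (attr(USER_NAME, user) + attr(EAP_MESSAGE, eap)
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))  # zero placeholder
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16)
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def verify_access_request(secret, packet):
    """Server side: True only if Message-Authenticator matches `secret`."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    zeroed, received, pos = bytearray(packet), None, 20
    while pos < length:
        if pos + 2 > length:
            return False
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return False
            received = packet[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)  # HMAC is computed over zeros here
        pos += attr_len
    if received is None:  # requests carrying EAP must include the attribute
        return False
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)

if __name__ == "__main__":
    pkt = build_access_request(b"constructed-secret", 7, b"alice")  # constructed sample
    print(verify_access_request(b"constructed-secret", pkt))  # same secret on both sides
    print(verify_access_request(b"constructed-secert", pkt))  # secret mistyped on one side
```

RFC 3579 has the server silently discard a request that fails this check, so a mistyped secret shows up on the client as a timeout rather than as an explicit rejection.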
Copyright 2006, Security Evolution, Inc.