Enabling Check Point VPN-1® Support for the Apple® iPhone™

When deploying any device for corporate use, IT faces the challenge of safeguarding the traffic in and out of the private network. Check Point VPN-1, the market-leading security gateway with firewall, VPN, and intrusion prevention, supports the embedded iPhone L2TP client, giving customers IPsec virtual private network (VPN) access to corporate servers. Customers can receive email and utilize company resources without the need for additional software on the iPhone.
Benefits
- Easy, secure remote access for iPhone users: end users can use their iPhones to securely access corporate networks, enabling them to get the information needed for their jobs
- Simple configuration: iPhone usage can be enabled in 3 easy steps, with minimal IT configuration of end user phones
- No client installation: IT departments can provide iPhone access without incurring the cost of installing and maintaining additional client software
Enabling iPhone support at the gateway
There are two ways to enable secure iPhone connectivity on your Check Point VPN-1 gateway:
- VPN-1 NGX R65 HFA 30 Hot Fix Accumulator Update, or
- VPN-1 NGX R65 HFA 02 L2TP Supplement Installation Procedure as described below
VPN-1 NGX R65 HFA 30 Hot Fix Accumulator Update
Note: For fully detailed instructions, visit the Check Point Support Center, search for "VPN-1 R65 HFA 30 Release Notes" and download the file for instructions on installing HFA 30.
VPN-1 NGX R65 HFA 02 L2TP Supplement Installation Procedure
Note: For fully detailed instructions, please download the VPN-1 NGX R65 HFA 02 L2TP Supplement Release Notes.
Note: These installation instructions are intended for use with a gateway that is already part of a remote access community with previously defined remote access rules. If your gateway is not already set up, please refer to Chapter 14 in the VPN Administration Guide and follow the instructions in the VPN for Remote Access Configuration section.
Instruction steps
- Download and install the VPN-1 NGX R65 HFA 02 L2TP Supplement or VPN-1 NGX R65 HFA 30, whichever applies to your existing deployment
- Configure your VPN-1 gateway for iPhone VPN access
- Configure the iPhone VPN client for remote access
Step 1: Download and Install the R65 HFA 02 L2TP Supplement (procedure for administrators only)
Backup VPN-1 gateway directories
Before starting the update, it is important to back up critical files on the gateway. The following directories should be backed up:
- $FWDIR/bin
- $FWDIR/lib
- $FWDIR/boot/modules
Download applicable supplement
Once the files are backed up, visit the Check Point Support Center, search for "iPhone" and download the file that matches the operating system of the gateway being updated.
The table below details the filenames for each operating system. Customers should log in to their User Center account in order to download the appropriate files. If you do not already have an account, you may create one.
Install the supplement on your VPN-1 gateway
Extract the downloaded file and run the executable contained within it. After the installation completes, run cpstop followed by cpstart on the gateway to restart the Check Point services. After completing this step, move on to Step 2.
Step 2: Configure your VPN-1 gateway for iPhone VPN access (procedure for administrators only)
After installing the L2TP supplement, administrators must configure the Gateway Properties of the gateway providing access (see Fig. 1):
- Find the name of the appropriate VPN-1 gateway in the Objects Tree of SmartDashboard. For example, in the picture below, the gateway name is 'Corporate-gw'.
- Right-click on it and choose Edit. This will bring up the Gateway Properties.
- Choose Remote Access from the left hand tree.
- Check the box for Support L2TP (relevant only when Office Mode is active). Below this, make sure the appropriate authentication method is chosen.
Figure 1

Note: L2TP support requires that Office Mode is activated. To activate, choose Office Mode from the Remote Access tree and select Allow Office Mode to All Users (see Fig. 2). For more details on configuring Office Mode, please see Chapter 15 of the VPN Administration Guide.
Figure 2

- Verify that support for legacy authentication is enabled:
Global Properties -> Remote Access -> VPN – Basic
Figure 2

The gateway is now configured for iPhone VPN access. Administrators should now provide iPhone users with the information in Step 3 to configure their iPhones.
Note: To protect the traffic between your VPN-1 gateway and an iPhone, administrators must maintain a shared secret. This is the pre-shared key for the IPsec tunnel that carries L2TP, and it is the same for every iPhone connecting to the gateway (the "global shared secret" that users enter in Step 3), so treat it as a group credential: distribute it to users out of band, and note that changing it means reconfiguring every phone. User authentication (the password or one-time password in Step 3) is still performed separately over L2TP. The shared secret is placed in the l2tp.conf file in the $FWDIR/conf directory on the gateway providing iPhone remote access. If l2tp.conf does not exist, create it as an empty text file using the appropriate text editor for your operating system, place the shared secret in the file, and save it in $FWDIR/conf. The shared secret must be an ASCII string at least 8 characters long containing a mixture of letters and numerals; since it is shared by all users, a longer randomly generated string is preferable to the minimum.
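The gateway-side work in Steps 1 and 2 (backing up the $FWDIR directories and placing the shared secret in $FWDIR/conf/l2tp.conf) can be scripted so that the secret always meets the stated requirements and the file is not left world-readable. The script below is an added example, not Check Point tooling and not part of the original page. It assumes $FWDIR is set as it is in the gateway's shell, that l2tp.conf holds the pre-shared key as a single line exactly as described above, and every function name and the backup destination are this example's own choices; it also goes slightly beyond the page by generating a 24-character random secret rather than the 8-character minimum.

```shell
#!/bin/sh
# Added example (not Check Point's own tooling) for Steps 1 and 2 of this page.
# Assumptions: $FWDIR points at the VPN-1 installation, and $FWDIR/conf/l2tp.conf
# holds the shared secret as a single line, as the page describes. Function names
# and the backup destination are this example's own.

# Step 1: archive the three directories the page says to back up before the update.
# Prints the path of the archive it created.
backup_gateway_dirs() {
    fwdir=$1
    dest=$2
    stamp=$(date +%Y%m%d%H%M%S)
    archive="$dest/vpn1-pre-hfa-$stamp.tgz"
    mkdir -p "$dest"
    # -C so the archive holds relative paths (bin, lib, boot/modules)
    tar -czf "$archive" -C "$fwdir" bin lib boot/modules || return 1
    printf '%s\n' "$archive"
}

# Enforce the page's requirements for the shared secret: at least 8 characters,
# at least one letter and at least one digit, printable ASCII only.
validate_secret() {
    s=$1
    [ "${#s}" -ge 8 ] || return 1
    case $s in *[0-9]*) ;; *) return 1 ;; esac
    case $s in *[A-Za-z]*) ;; *) return 1 ;; esac
    # any byte outside the printable ASCII range (space .. tilde) fails
    if printf '%s' "$s" | LC_ALL=C grep -q '[^ -~]'; then
        return 1
    fi
    return 0
}

# Generate a random alphanumeric secret of the requested length (default 24)
# from /dev/urandom, retrying until it passes validate_secret.
generate_shared_secret() {
    len=${1:-24}
    while :; do
        s=$(head -c 512 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-"$len")
        if [ "${#s}" -eq "$len" ] && validate_secret "$s"; then
            printf '%s\n' "$s"
            return 0
        fi
    done
}

# Step 2: write the secret into $FWDIR/conf/l2tp.conf, refusing secrets that do
# not meet the requirements, and keep the file readable by its owner only.
write_l2tp_secret() {
    fwdir=$1
    secret=$2
    conf="$fwdir/conf/l2tp.conf"
    if ! validate_secret "$secret"; then
        echo "secret rejected: need >=8 chars, letters and digits, ASCII only" >&2
        return 1
    fi
    mkdir -p "$fwdir/conf"
    # subshell so the restrictive umask does not leak into the caller
    (umask 077 && printf '%s\n' "$secret" > "$conf") || return 1
    chmod 600 "$conf"
}

# Read back the secret currently stored on the gateway (first line of l2tp.conf).
current_l2tp_secret() {
    head -n 1 "$1/conf/l2tp.conf"
}

# Stand-alone use on the gateway, from a shell where $FWDIR is already set:
#   sh l2tp_secret.sh apply /var/tmp/vpn1-backup
# The new secret is printed once so the administrator can hand it to iPhone
# users out of band; it is not logged anywhere else by this script.
if [ "${1:-}" = apply ] && [ -n "${FWDIR:-}" ]; then
    backup_gateway_dirs "$FWDIR" "${2:-/var/tmp}" >/dev/null || exit 1
    new_secret=$(generate_shared_secret)
    write_l2tp_secret "$FWDIR" "$new_secret" || exit 1
    echo "l2tp.conf written; shared secret for iPhone users: $new_secret"
fi
```

The backup is taken before anything is written, matching the order of the page's steps, and the secret file is created under umask 077 so that it is never momentarily world-readable. As the page states, run cpstop and cpstart after installing the supplement itself.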
Step 3: Configure the iPhone VPN client for remote access (procedure for iPhone end users)
Before starting, please get the following information from your network administrator:
- The IP address or the DNS name of the VPN-1 gateway
- Your appropriate user name for VPN access
- The global shared secret for information confidentiality
You may now configure your iPhone for remote access:
- Go to the home screen on your iPhone.
- From there, go to Settings > General > Network > VPN > Settings.
- Enter the IP address or DNS name of the VPN-1 gateway you want to connect to for Server, your user name for Account, and the shared secret for Secret (see Fig. 3).
Figure 3

Your iPhone is now configured to access your corporate network!
To use the iPhone VPN, go to Settings and move the VPN switch to On (see Fig. 4).
Figure 4

When the password screen appears, authenticate with the password supplied by your administrator (see Fig. 5). Generally this is the same password you use to access the network remotely from your laptop, or it may be a one-time password from a token such as an RSA SecurID token. To use a one-time password, enter your PIN followed by the tokencode together in the password field, and leave the RSA SecurID switch (shown in Figure 3) OFF.
You should now have remote access to your network.
Figure 5
