Friday, August 19, 2011

Android / iPhone / Windows - L2TP VPN Setup FAQ (Checkpoint R70)

Checkpoint Configuration

Prerequisites
1. A functional remote access VPN
2. Office Mode (for all users)
3. Remote access user (using a checkpoint password scheme)

In other words, if you already have a set of remote access workers connecting with SecureRemote/SecureClient using Office Mode, the following guide should work.

1. Enable "Gateway support IKE over TCP"
Global Properties > Remote Access > VPN Basic

2. Enable "L2TP Support"
Firewall Object > Remote Access


3. Choose "MD5-Challenge" authentication
Firewall Object > Remote Access

4. Shared Secret (The tricky part)

a. Create an empty file called "l2tp.conf"
b. Type the shared secret into that file as plain text. There are no config items or tags; the file must contain only a single line of plain text.
e.g. mysharedsecret1234

c. Copy l2tp.conf to your firewall gateway (not the management station)

E.g. $FWDIR/conf/
On a Nokia gateway this resolves to
/var/opt/CPsuite-R70/fw1/conf

5. Add UDP L2TP to your rulebase
You should already have an "Any VPN" rule for your existing remote access users; add a rule like this next to it:

Source > any
Destination > Firewall Object
VPN > any traffic
Service > L2TP (UDP)
Action > accept

6. Install the FW policy.


Android Configuration

1. Go to Settings -> Wireless & Networks -> VPN Settings
2. Tap Add VPN
3. Tap L2TP/IPSec PSK VPN
4. Set a VPN name (My Office VPN)
5. Set VPN Server to either DNS or IP of your firewall
6. Set IPSec pre-shared key (used in the l2tp.conf)
7. Tap the Menu Key, Tap Save

iPhone Configuration

1. From your iPhone home screen, go to Settings > General > Network > VPN > Settings
2. Server: Enter your VPN-1 server FQDN (DNS name) or IP address
3. Account: Enter your Checkpoint username and password
4. RSA SecurID: Off
5. Password: Ask Every Time
6. Secret: Enter the IPSec pre-shared key (used in the l2tp.conf)
7. Send all Traffic: On


Windows XP Configuration

1. Select Start > Settings > Control Panel > Network Connections > New Connection Wizard
2. Select “Connect to the network at my workplace”, click next
3. Select “Virtual Private Network Connection”, click next
4. Enter a Company Name “My Company”, click next
5. Select “Do not dial the initial connection”, click next
6. (Alternatively, this setting can be used to dial a 3G connection before the VPN connection)
7. Enter the Host name or IP Address “”, click next
8. Select “Do not use my smart card”, click next
9. Select “Anyone’s use” if this is to be used by anyone who logs onto the laptop
10. Select the option to “Add a shortcut to this connection to my desktop”, click Finish
11. A Pop-up Window is displayed. “Connect My Company” Select “Properties”
12. Select the “Networking” tab
13. Change “Type of VPN” to “L2TP IPSec VPN”
14. Select the “Security” tab
15. Select “Advanced (custom settings)”; the default is “Typical (recommended settings)”
16. Click “Settings”
17. Leave “Data Encryption” set as default “Require Encryption (disconnect if server declines)”
18. Select “Use Extensible Authentication Protocol (EAP)” and Change the Dropdown Box to “MD5-Challenge”
19. Select “OK” to save changes
20. Select “IPSec Settings”
21. Tick “Use pre-shared key for authentication” and enter the pre-shared key
22. Click “OK” to save settings


Checkpoint Logs
This is what you should see in a working setup.
The sequence differs slightly depending on the connecting client: the Android client, for example, authenticates PPP with PAP rather than MD5-Challenge, and the iPhone log ends with the peer deleting the IPsec SA when it disconnects.

iPhone
1. UDP IKE > Accept
2. UDP IKE_NA_Transversal > Accept
3. Login (authenticated by pre-shared secret)
4. Key Install (IKE: Main Mode completion [NAT-T])
5. Key Install (IKE: Quick Mode Sent Notification: Responder Lifetime)
6. Key Install (IKE: Quick Mode completion IKE IDs: host: and host: )
7. Login (VPN internal Source connected to gateway)
8. UDP L2TP > Accept
9. Login (PPP: Connection succeeded auth_method: MD5-Challenge machine: om_method: IP pools assigned_IP: )
10. Key Install (IKE: Informational Exchange Received Delete IPSEC-SA from Peer: SPIs: *********)

Windows XP
1. UDP IKE > Accept
2. UDP IKE_NA_Transversal > Accept
3. Login (authenticated by pre-shared secret)
4. Key Install (IKE: Main Mode completion [NAT-T])
5. Key Install (IKE: Quick Mode Sent Notification: Responder Lifetime)
6. Key Install (IKE: Quick Mode completion IKE IDs: host: and host: )
7. Login (VPN internal Source connected to gateway)
8. UDP L2TP > Accept
9. Login (PPP: Connection succeeded auth_method: MD5-Challenge machine: om_method: IP pools assigned_IP: )

Android
1. UDP IKE > Accept
2. UDP IKE_NA_Transversal > Accept
3. Login (authenticated by pre-shared secret)
4. Key Install (IKE: Main Mode completion [NAT-T])
5. Key Install (IKE: Informational Exchange Received Notification from Peer: Initial Contact (phase1))
6. Key Install (IKE: Quick Mode Sent Notification: Responder Lifetime)
7. Key Install (IKE: Quick Mode completion IKE IDs: host: and host: )
8. Login (VPN internal Source connected to gateway)
9. UDP L2TP > Accept
10. Login (Session: PPP: Authenticated by FireWall-1 Password auth_method: Password Authentication Protocol (PAP) machine: om_method: IP pools assigned_IP: )
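The log sequences above double as a troubleshooting checklist: whichever stage is missing points at the configuration step to revisit. The script below is an added example (not from the original post or Check Point) that walks a set of log lines through those stages, reports the first stage never reached together with the step to check, and extracts the PPP auth_method; the patterns are written against the log summaries shown here and are an assumption about the exact log text.

```python
import re

# Stages a working connection passes through, in the order the gateway logs
# them, each paired with the part of the setup above to check when it is never
# reached. The patterns match the log summaries in this post; real Check Point
# log text may differ slightly, so treat them as an assumption.
STAGES = [
    ("ike_accepted", r"UDP IKE\b.*Accept", "rulebase: UDP IKE not accepted"),
    ("psk_login", r"authenticated by pre-shared secret",
     "pre-shared key: compare the client key with l2tp.conf on the gateway"),
    ("main_mode", r"Main Mode completion", "IKE phase 1: NAT-T / IKE over TCP"),
    ("quick_mode", r"Quick Mode completion", "IKE phase 2 did not complete"),
    ("tunnel_up", r"VPN internal Source connected to gateway",
     "Office Mode: tunnel not established"),
    ("l2tp_accepted", r"UDP L2TP\b.*Accept", "rulebase: UDP L2TP rule (step 5)"),
    ("ppp_success", r"PPP:.*(Connection succeeded|Authenticated)",
     "user auth: MD5-Challenge setting and the user's password scheme"),
]
AUTH_RE = re.compile(r"auth_method:\s*(.+?)\s+machine:")


def diagnose(log_lines):
    """Report the stage a connection attempt reached and what to check next."""
    reached = [name for name, pat, _ in STAGES
               if any(re.search(pat, line) for line in log_lines)]
    missing = [hint for name, _, hint in STAGES if name not in reached]
    auth_m = next((m for m in map(AUTH_RE.search, log_lines) if m), None)
    auth = auth_m.group(1) if auth_m else None
    notes = []
    if auth and "PAP" in auth:
        # PAP sends the password in the clear at the PPP layer; here it is
        # protected only by the surrounding IPsec tunnel (the Android case).
        notes.append("PPP auth is PAP: password protected only by the IPsec tunnel")
    return {"ok": not missing, "reached": reached,
            "next_check": missing[0] if missing else None,
            "auth_method": auth, "notes": notes}


# Constructed sample: an attempt that stalls after the IPsec tunnel comes up
# because the UDP L2TP rule (step 5) was never installed.
SAMPLE_FAILED = [
    "UDP IKE > Accept",
    "Login (authenticated by pre-shared secret)",
    "Key Install (IKE: Main Mode completion [NAT-T])",
    "Key Install (IKE: Quick Mode completion IKE IDs: host: and host: )",
    "Login (VPN internal Source connected to gateway)",
    "UDP L2TP > Drop",
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_FAILED))
```

Feed it the lines exported from SmartView Tracker for one client's session; for the constructed sample it reports the L2TP rulebase step as the next thing to check.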

Reference:
Checkpoint L2TP Supplement Release Notes
http://www.checkpoint.com/iphone/downloads/release-notes.pdf 
