configure Nokia Mobile VPN

Nokia Mobile VPN
How to Configure Nokia
Mobile VPN
For Check Point NGX with Challenge-
Response Authentication

Table of Contents
Introduction...................................................................................................................................................................................... 3
Configuring remote client access using challenge-response authentication............................................................................ 4
General settings............................................................................................................................................................................ 4
Configure a new user group and a new user ............................................................................................................................ 5
Configure a VPN remote-access community.............................................................................................................................. 9
Export INTERNAL_CA certificate .................................................................................................................................................11
Configure VPN remote-access firewall rules............................................................................................................................13
Configuring Office Mode ............................................................................................................................................................16
Policy creation with the Policy Tool using exported CA certificate...........................................................................................21

Introduction
This best-practices document describes how to configure Nokia Mobile VPN Client manually (without a separate device
management product) using a challenge-response authentication method in the Check Point NGX R65 environments.
For more details on how to use Nokia Mobile VPN Client, error code documents, and the policy format document, please
go to http://www.nokiaforbusiness.com/ > Security products > Nokia Mobile VPN > Resources.
The assumption is that Check Point NGX, Check Point SmartDashboard, and Mobile VPN Client have been installed, and
all post-installation tasks have been completed before continuing with the steps listed below. After completing these
steps, remember to save the configurations before exiting the tool.

Configuring remote client access using
challenge-response authentication
General settings
First, the administrator must activate VPN and enable Nokia Mobile VPN Client-specific features in Check Point NGX.
Start by right-clicking on the gateway object and click Edit. The gateway’s General Properties dialog box will open.
Under Check Point Products, place a check mark on the VPN item. Click OK to close the dialog.

Click on the Policy menu and select Global Properties; the Global Properties dialog will open.
In the Global Properties dialog, navigate to the Remote Access -> VPN Basic item in the tree pane. Make sure that
”Support Legacy Authentication for SC (hybrid mode)” and ”Support remote access VPN using Nokia clients” are
enabled. Click OK to close the dialog.
Configure a new user group and a new user
The next task is to create a new user group and add a user to that group.

Create a new user group by going to User Groups and selecting New Group.
Give a name to the new group and press OK.

Go to the Users tab. Right-click on the Users icon and select New User and then Default.
In the Log-in Name text box, enter a log-in name for the new user.
Move to the Groups tab. Select the Cr_users group and click Add to bring it to the Belongs to Groups list.

Move to the Authentication tab. From the Authentication Scheme list, select Check Point Password.
Move to the Encryption tab. Make sure that there is a check mark in the IKE item. Click Edit.
Clear the Public Key if it is enabled. Click OK to close all dialogs.

Configure a VPN remote-access community
Now the administrator needs to add the Cr_users group to the RemoteAccess VPN community.
Open the Manage menu and select VPN Communities.
Select RemoteAccess and click Edit.
Click Participating Gateways and click Add to select the gateway.

Select the gateway and click OK.
Go to the Participant User Groups and click Add.
Select Cr_users and click OK.

Export INTERNAL_CA certificate
A CA certificate is needed by Nokia Mobile VPN Client when doing challenge-response authentication.
Open the Manage menu; select Servers and OPSEC.
Select ”internal_ca” and click Edit.
Go to the Local SmartCenter Server tab and click Save As. A dialog will open.

Enter a suitable file name and select the location for saving the internal CA certificate. This file is needed for the Mobile
VPN Client and its policy.

Configure VPN remote-access firewall rules
Add and edit a couple of firewall rules. In the screenshot above, a few network objects are already defined but they are
not referred to in the following firewall rule examples. By default, ”Any” is used to describe any network, whether
source or destination.
Here is a sample of some completed firewall rules for VPN use. The first and last rules are optional. They are here to
Filter out the clutter of log entries and provide a clean and secure Cleanup that will block any traffic not matching the
second rule. The second rule is the important one.
Edit the Source field of the VPN rule by right-clicking it and select Add Users Access.

Select the Cr_users group; make sure the Location is set to ”No restriction.” Click OK to close the dialog.
Right-click the VPN field and select Edit Cell.
Select ”Only connections encrypted in specific VPN Communities.” Click Add.

Select RemoteAccess and click OK.
Click OK to close the dialog.

Configuring Office Mode
To get an internal address for Nokia Mobile VPN Client, Office Mode must be activated in the Check Point gateway.
Follow these steps.
Select Manage from the main menu and click Network Objects.
Select New… -> Network.

In the Network Properties dialog, add a name to the Office Mode IP pool, define the actual IP address for that pool, and
press OK.
To add DNS server address, click New.
Then select “Node” -> “Host…”

Enter the name of the DNS server object and it’s IP address.
This will be handed out to VPN client when internal addressing is used, enabling internal network DNS resolution.
Click OK to close the Host Node dialog. Both of the network objects appear in the list.
Click OK to close the Network Objects dialog.
Select the gateway, do a right-click, and select Edit.

From the gateway configuration window, select Remote Access -> Office Mode. Click “Allow Office Mode to all users.”
Then select the Manual office mode method, select the Office Mode pool that was created in the previous step.
Click “Optional Parameters…” button.
Enable Primary DNS Server by placing a check mark there and in the pull-down menu, select the previously created DNS
server host object.

In the IP Lease Duration, enter the amount in minutes that the client internal addresses are valid before they are
renewed. This could be for example 60 minutes.
Click OK to close the dialog IP Pool Optional Parameters dialog..
Click OK to close the Check Point gateway properties dialog.

Policy creation with the Policy Tool using
exported CA certificate
It is time to configure the Nokia Mobile VPN Client to match the VPN policy that was created in Check Point NGX. Start
Nokia VPN Client Policy Tool and press the Load Template button. Select Check_Point_NGX_R65_crack.pol policy from the
Check Point directory. Then add the correct VPN gateway address and get a path to the CA certificate. Make sure that
the Format in the Certificate Authority selection is set to BIN. The identity value field can be left empty.
Export the VPN policy by pressing the Generate VPN Policy button. Store Check_Point_NGX_R65_crack.vpn to your PC;
consult the Nokia Mobile VPN Client User’s Guide, Chapter 6.1, for details on how to install the given policy file to your
device.

Legal Notice
Reproduction, transfer, distribution or storage of part or all of the contents in this document in any form without the prior written
permission of Nokia is prohibited.
Nokia and Nokia Connecting People are trademarks or registered trademarks of Nokia Corporation. Other product and company names
mentioned herein may be trademarks or tradenames of their respective owners.
Nokia operates a policy of continuous development. Nokia reserves the right to make changes and improvements to any of the
products described in this document without prior notice.
Under no circumstances shall Nokia be responsible for any loss of data or income or any special, incidental, consequential or indirect
damages howsoever caused.
The contents of this document are provided “as is”. Except as required by applicable law, no warranties of any kind, either express or
implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose, are made in relation
to the accuracy, reliability or contents of this document. Nokia reserves the right to revise this document or withdraw it at any time
without prior notice.
Work together. Smarter.
Nokia Nokia Inc. Inc. 102 Corporate Park Drive, White Plains, NY 10604 USA
Americas Americas Tel: 1 877 997 9199 • Email: usa@nokiaforbusiness.com
Asia Asia Pacific Pacific Tel: +65 6588 33 64 • Email: asia@nokiaforbusiness.com
Europe Europe France +33 170 708 166 • UK +44 161 601 8908 • Email: europe@nokiaforbusiness.com
Middle Middle Middle East East and and Africa Africa Dubai +971 4 3697600 • Email: mea@nokiaforbusiness.com
www.nokiaforbusiness.com
© 2008 Nokia. All rights reserved. Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation. Other trademarks mentioned are the property of their respective owners.
Nokia operates a policy of continuous development, therefore, reserves the right to make changes and improvements to any of the products described in this document without prior notice.