Check Point VPN-1 – How to Disable Security Policy

vpnwindows

To connect to a customers network, I had to install Check point VPN-1 secure client.

Version information:

VPN-1 SecureClient NGX R60 HFA2 (Build001)

The tool block all incoming traffic to my computer. (Which is fine by me as long as I'm connected to the remote site but even if the VPN connection is inactive, my computer cannot be connected to (e.g. for a VNC session of a co-worker within our corporate net).

I have already tried:

Disable windows firewall (also the service completely)
disable/stop the Check Point VPN-1 Securemote service + its watchdog service
(the stuff Paul proposed in his answer, see in the comments there)

I cannot use [Check Point Tray Icon] -> [Tools] -> [Disable Security policy] as that is grayed out.

How can I FULLY disable this thing?

I have full admin access on my machine (how else could I disable my firewall (service!) and the CP Windows service.

This is a Win XP sp3 machine.

To reiterate: I do not mind the tool blocking what it wants while it is active but it also fully blocks inbound connections while it is not active — even while its Windos Service isn't even running! (Note that the Check Point diagnostic utility does show in its log the dropped inbound packets.)

Another clarification: The tool does not block outgoing traffic, that is I can browse the net, check mails, etc. even while it is active just fine. However it does block all inbound connections (essentially like Windows firewall would do by default, dropping all inbound packets).

I can only assume I've either missed another service of this or it has installed a device driver or root kit of some sorts to enforce its so called security policy while it is not even in use.

Best Answer

Which version of the client is this? Versions later than R65 get increasingly difficult to control the security policy. And The 7x series will block incoming traffic no matter what.

You can do this from the command line with

scc sp off

However, this requires the usersc.c file to be changed, so that it contains:

api_manual_slan_control=true

But this may not work of course. My solution to this is to install the bastid thing into a VM and access it via the console.

Getting the script

Download the script and save it somewhere as checkpoint.sh
Open a terminal and cd into the same directory of the checkpoint.sh file
Make the script executable with: chmod 755 checkpoint.sh

Use the script

Open a terminal and cd into the same directory of the checkpoint.sh file

From now on you can use sudo ./checkpoint.sh to turn on/off the checkpoint endpoint VPN service (including the firewall).

Below a copy of the script:

#!/bin/bash
#
# The reason of creating this script is that Endpoint Security VPN installs it's own application firewall kext cpfw.kext
# which prevents for example PPTP connections from this computer, which is not appropriate if you need subj connection just
# from time to time
#
# Usage: ./checkpoint.sh
#
# The script checks if Enpoint Security VPN is running. If it is, then it shuts it down, if it is not, it fires it up.
# Or, make an Automator action and paste the script.
# You will need sudo power, of course
#
# To prevent Endpoint Security VPN from starting automatically whenever you restart your Mac, edit this file:
# `/Library/LaunchAgents/com.checkpoint.eps.gui.plist`
# And change the values of `RunAtLoad` and `KeepAlive` to `false`
# [Source](https://superuser.com/questions/885273)

SERVICE='Endpoint_Security_VPN'

if pgrep $SERVICE > /dev/null
then
    # $SERVICE is running. Shut it down
    [ -f /Library/LaunchDaemons/com.checkpoint.epc.service.plist ] && sudo launchctl unload /Library/LaunchDaemons/com.checkpoint.epc.service.plist
    [ -d /Library/Extensions/cpfw.kext ] && sudo kextunload /Library/Extensions/cpfw.kext
    [ -d '/Applications/Check Point Firewall.app' ] && open -W -n -a '/Applications/Check Point Firewall.app' --args --disable
    killall $SERVICE
else
    # $SERVICE is not running. Fire it up
    [ -f /Library/LaunchDaemons/com.checkpoint.epc.service.plist ] && sudo launchctl load /Library/LaunchDaemons/com.checkpoint.epc.service.plist
    [ -d /Library/Extensions/cpfw.kext ] && sudo kextload /Library/Extensions/cpfw.kext
    [ -d '/Applications/Check Point Firewall.app' ] && open -W -n -a '/Applications/Check Point Firewall.app' --args --enable
    [ -d '/Applications/Endpoint Security VPN.app' ] && open '/Applications/Endpoint Security VPN.app'
fi

Policy routing for OpenVPN server & client on the same router

To make all packets sent by an interface with IP address 192.168.1.2 use a custom routing table no_vpn_provider, you can simply use

ip rule add from 192.168.1.2 table no_vpn_provider priority 2

as I did in attempt 1). The problem is that by default an OpenVPN server doesn't bind to any specific IP address, so the above rule won't have any effect (https://serverfault.com/a/228258).

To bind your OpenVPN server to the IP address 192.168.1.2, just add this line to its configuration file and you're good to go

local 192.168.1.2

NOTE If you create the rule and the custom routing table with ip, they will be erased every time you reboot the router. Depending on your openvpn configuration, the custom routing table may also get modified every time you restart openvpn. You can write scripts that re-create the rule and the custom routing table whenever it's needed.

Best Answer

Related Solutions

Networking – Disable Checkpoint Endpoint Security Policy

Getting the script

Use the script

Policy routing for OpenVPN server & client on the same router

Related Question