Hi
I'm currently developing (well, it's mostly done and we're about to go
productive) an application that amongst other things dynamically builds up
VPN connections using Checkpoint's SecureClient software. It has a CLI
interface via scc.exe.
However, if the site I'm trying to connect to uses SecurID to authenticate
users, using the commandline mode can be a futile exercise. If the token is
in regular mode, all goes well. However, if for some reason the token is in
next token or next passcode mode, the commandline version does not ask for
the next token / passcode. It just aborts with the following message:

C:\Program Files\CheckPoint\SecuRemote\bin>scc c -p nxo
Checking network connectivity...
Preparing connection...
Connecting to gateway...
IKE negotiation failed
Connection failed
Connect failed

Trying to get some more status information also does not help me at all:

C:\Program Files\CheckPoint\SecuRemote\bin>scc s
VPN-1 is disconnected
Connection error 4: Connection failed
Details: Negotiation with gateway fwklocluster at site nxo has failed.
Access denied - wrong user name or password

This is the same error as if I select the wrong username or give the wrong
token. Then I switch SecureClient back to connect mode, I try to connect,
and in the connect window I get an info message "Please respond to the
prompt below" and the prompt is "next PASSCODE". Then I wait for the next
passcode to appear on my token, I enter it, and I'm all set. Absent that
message in the commandline version, I'm screwed as I'm never told. Once the
tokencode changes, it's already too late as now once again you'd have to
enter first the current passcode, then the next passcode, and all within one
60 second period. Also, trying to connect with the current passcode, then
upon failure immediately trying again with the next passcode (this is
possible when using a Soft Token), also does not yield success. Apparently
the connection has to stay open and the next passcode has to be sent
immediately or you're out of luck.
I've been searching the knowledge base and read through all the
documentation I could find on SecureClient (is there no administrator's
guide? I'm still looking for a comprehensive detailed document on
administrating SecureClient and all the parameters that can be put into the
configuration (*.c) files) but I did not find anything on this issue. Is
the commandline version unable to provide that information? If so, is this
on the todo list, being a rather important roadblock when using scc.exe with
SecurID authentication?
Regards
Stephan Steiner