
This document describes how to connect to a CheckPoint VPN using Hybrid Authentication, i.e. the same way SecureClient does.

1. Download OpenSwan
2. Download the patch openswan-2.4.0-SecureClient.diff and apply it
3. Compile and install the software following the OpenSwan documentation
4. Obtain the firewall certificate using the following procedure:

XXX: the following has been tested for VPN-1 on UNIX only; please report if it's different for other
platforms

a. Log in to your firewall console and export the certificate:

   fwm exportcert -obj FW-OBJECT-NAME -cert default_cert -file cacert.pkcs7 -pem -withroot

where FW-OBJECT-NAME is the dashboard firewall object name and default_cert is either the
firewall object name or literally default_cert or defaultCert, depending on your
configuration. If you have problems finding its name, look in $FWDIR/conf/objects_5_0.C for
the section:
   :certificates (
   : (zorro
   :AdminInfo (
   (...)
   )
   )
   )
where zorro is the name of the certificate.

b. Copy the file cacert.pkcs7 to your Linux box and convert it to PEM:

   openssl pkcs7 -in cacert.pkcs7 -print_certs > certs.pem

Yes, openssl is required.

5. Once you have the firewall certificates in PEM format, pick out the RSA key:
a. Edit the resulting certs.pem file; there should be two certificates in it. Save them to
separate files, the first one (root CA) to /etc/ipsec.d/cacerts/rootca.pem and the second
one (firewall cert) as firewall.pem in your working directory. (I'm not absolutely sure
that the first cert is always the CA cert, so you may verify the header, which for the root CA should
look like this:
   subject=/O=checkpoint.intranet.example.com..p9bkhs
and for the firewall one like this:
   subject=/O=checkpoint.intranet.example.com..p9bkhs/CN=rhl7 VPN Certificate
Note the CN= part.)

b. Now go to your openswan source directory, then into debian/fswcert, and type:

   make
   make install

c. Construct the remote rightrsasigkey part for ipsec.conf, picking the key from the
firewall.pem certificate file:

   ipsec fswcert --cert --right firewall.pem

Yes, rightrsasigkey is our firewall RSA key :)
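Step 5a depends on the order in which the certificates appear in certs.pem, which the text itself is not sure is fixed. The following shell script is an added example, not part of the original document or of the OpenSwan/fswcert tooling: it splits the bundle into one file per certificate and decides which one is the root CA by checking whether the certificate is self-signed (subject equal to issuer) rather than by position, then drops the files into the locations the document uses. The function names, the cert-N.pem intermediate files and the "self-signed means root CA" rule are my assumptions; openssl, which the document already requires, does the parsing.

```shell
#!/bin/sh
# Added example: split the PEM bundle produced by "openssl pkcs7 -print_certs"
# and install the root CA and firewall certificate under the names used in the
# document. Assumption (not from the document): the self-signed certificate,
# i.e. the one whose subject equals its issuer, is the root CA; the other one
# is the firewall certificate.

set -eu

# split_pem BUNDLE OUTDIR
#   Writes OUTDIR/cert-1.pem, OUTDIR/cert-2.pem, ... (one PEM block each,
#   dropping the "subject=/issuer=" text lines that -print_certs emits between
#   blocks) and prints the number of certificates found.
split_pem() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inblock = 1 }
        inblock { print > out }
        /-----END CERTIFICATE-----/ { inblock = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# cert_role FILE
#   Prints "rootca" when the certificate is self-signed (subject == issuer),
#   otherwise "firewall". Only the "subject="/"issuer=" prefixes are stripped,
#   so the comparison is independent of the DN formatting of the openssl version.
cert_role() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
        echo rootca
    else
        echo firewall
    fi
}

# sort_certs BUNDLE CACERT_DIR WORKDIR
#   Splits BUNDLE, expects exactly two certificates, and copies the root CA to
#   CACERT_DIR/rootca.pem and the firewall certificate to WORKDIR/firewall.pem.
#   Fails if either role is missing (e.g. two self-signed certificates).
sort_certs() {
    bundle=$1; cadir=$2; workdir=$3
    tmp=$(mktemp -d)
    count=$(split_pem "$bundle" "$tmp")
    if [ "$count" -ne 2 ]; then
        echo "expected 2 certificates in $bundle, found $count" >&2
        rm -rf "$tmp"
        return 1
    fi
    mkdir -p "$cadir" "$workdir"
    for f in "$tmp"/cert-*.pem; do
        case $(cert_role "$f") in
            rootca)   cp "$f" "$cadir/rootca.pem" ;;
            firewall) cp "$f" "$workdir/firewall.pem" ;;
        esac
    done
    rm -rf "$tmp"
    [ -f "$cadir/rootca.pem" ] && [ -f "$workdir/firewall.pem" ]
}

# Usage: sort-certs.sh certs.pem /etc/ipsec.d/cacerts .
if [ $# -eq 3 ]; then
    sort_certs "$1" "$2" "$3"
    echo "root CA:  $2/rootca.pem"
    echo "firewall: $3/firewall.pem"
fi
```

Run it as `sh sort-certs.sh certs.pem /etc/ipsec.d/cacerts .` from your working directory (writing into /etc/ipsec.d/cacerts needs root). After it finishes, the `openssl x509 -noout -subject` check from step 5a can still be used on the two output files to confirm that firewall.pem carries the CN= part.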

6. Construct the ipsec.conf file using the acquired rightrsasigkey; be sure to use rightid=@!, not the output
of the above command. A sample ipsec.conf is here:

   conn sc
        leftid=@!
        left=1.1.1.MyIP(it might be %defaultroute too ;)
        leftxauthclient=yes
        right=50.50.50.CheckPoint-IP
        rightsubnet=192.168.0.0/16
        rightrsasigkey=0x2E6A0CC18077BEB56462C62DB4BC9C... <= we got it earlier
        rightxauthserver=yes
        ikelifetime=8h
        rekey=no
        cpsc=yes

Check twice for errors!!!

7. Now follow the usual procedure to start the openswan VPN.

Please note that there are certain things that don't work!:

1. There is a timing issue. If your CP side requests reauthentication it doesn't work (yet?). You
have to shut down the tunnel and bring it up again, reauthenticating (this is especially true for SecurID
authentication). We encourage you to set rekey=no and ikelifetime=8h so the Linux side does not
request rekeying.
2. CP Office Mode is not supported. That would require some serious OpenSwan modifications. If you
figure out how to deal with it, send us a patch :)
