
Re: [Users] FreeS/WAN w/ Checkpoint

From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Sat Jul 20 2002 - 08:46:43 CEST


The Checkpoint firewall is sending you a certificate request (CR).
Plain FreeS/WAN doesn't like this and aborts the negotiation. You
must upgrade your FreeS/WAN with the X.509 patch found at

   http://www.strongsec.com/freeswan/

You will then be able to work with X.509 certificates.

Regards

Andreas

SkyLeach wrote:
> I know almost nothing about security so forgive the ignorance of this
> question...
>
> I am pioneering linux in my organisation and I am trying to get FreeS/WAN
> installed on my laptop so I can vpn to my remote server farm. The server
> farm is using 1024 bit encryption with IPSEC and 3DES on a Checkpoint
> Firewall running on RedHat 7.3. According to my "security" co-worker the
> firewall is using X.509 certificates, but this is not guaranteed.
>
> Also of note is that I get warnings about ipchains (I am running iptables).
> Is this a bad idea/unsupported?
>
> I keep getting the message: "message ignored because it contains an payload
> type (ISAKMP_NEXT_CR) unexpected in this message" when I do the ipsec auto
> --up myconfig command.
>
> After setting up ipsec.conf this is what it looks like (secret keys removed).
>
> ipsec verify output:
>
> Version check and ipsec on-path [OK]
> Checking for KLIPS support in kernel [OK]
> Checking for RSA private key (/etc/ipsec.secrets) [OK]
> Checking that pluto is running [OK]
> Checking if IPchains has port 500 hole (all) ipchains: Protocol
> not available [BLOCKED]
> Checking if IPchains has port 500 hole (default) ipchains: Protocol
> not available [BLOCKED]
> Checking if IPchains has port 500 hole (eth0) ipchains: Protocol
> not available [BLOCKED]
> Checking if IPchains has port 500 hole (ipsec0) ipchains: Protocol
> not available [BLOCKED]
> Checking if IPchains has port 500 hole (lo) ipchains: Protocol
> not available [BLOCKED]
> DNS checks.
> Looking for forward key for skyleach_lt [FAILED]
> Does the machine have at least one non-private address [OK]
>
> Like I said, I'm pretty new to linux and security so forgive any obvious
> ignorance.
>

-- 
======================================================================
Andreas Steffen                 e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH                  phone:  +41 76 340 25 56
Alter Zürichweg 20              home:   http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
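The ISAKMP_NEXT_CR payload named in the error above is IKEv1 payload type 7 (Certificate Request, RFC 2408). As an added illustration, not code from this thread or from FreeS/WAN, the Python below walks the payload chain of an ISAKMP message so a captured IKE packet can be checked for a CR payload before deciding whether the X.509 patch is the fix; the packet bytes are constructed here, and the cookie values are placeholders.

```python
import struct

# IKEv1 payload type numbers (RFC 2408); 7 is the Certificate Request
# that the Checkpoint gateway sends and an unpatched FreeS/WAN rejects.
PAYLOAD_NAMES = {
    0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
    7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID",
}
HEADER_LEN = 28  # cookies(16) + next/version/exchange/flags(4) + msgid(4) + length(4)

def isakmp_payload_types(packet):
    """Return the chain of payload type names in an ISAKMP message.
    Raises ValueError when a header or payload length does not fit."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short ISAKMP header")
    next_payload, _ver, _exch, _flags, _msgid, length = struct.unpack(
        "!BBBBII", packet[16:HEADER_LEN])
    if length != len(packet):
        raise ValueError("header length %d != packet length %d" % (length, len(packet)))
    types, offset = [], HEADER_LEN
    while next_payload != 0:
        if offset + 4 > len(packet):
            raise ValueError("truncated generic payload header")
        nxt, _reserved, plen = struct.unpack("!BBH", packet[offset:offset + 4])
        if plen < 4 or offset + plen > len(packet):
            raise ValueError("bad payload length %d at offset %d" % (plen, offset))
        types.append(PAYLOAD_NAMES.get(next_payload, "UNKNOWN(%d)" % next_payload))
        next_payload, offset = nxt, offset + plen
    return types

def has_cert_request(packet):
    """True if the message carries an ISAKMP_NEXT_CR payload."""
    return "CR" in isakmp_payload_types(packet)

def build_isakmp(payloads, exch=2):
    """Build a minimal main-mode (exchange 2) message from (type, body)
    pairs. Constructed test data only; cookies are placeholder bytes."""
    body = b""
    for i, (_ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, first,
                      0x10, exch, 0, 0, HEADER_LEN + len(body))
    return hdr + body

if __name__ == "__main__":
    # Gateway's KE message with a CR payload appended, as in the thread.
    pkt = build_isakmp([(4, b"k" * 16), (10, b"n" * 8), (7, b"\x04CA")])
    print(isakmp_payload_types(pkt), has_cert_request(pkt))
```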

_______________________________________________ Users mailing list Users_at_lists.freeswan.org http://lists.freeswan.org/mailman/listinfo/users