From: Andreas Steffen (andreas.steffen_at_zhwin.ch)
Date: Mon Aug 19 2002 - 17:11:12 CEST
Three of my students at the Zurich University of Applied Sciences in
Winterthur wrote a HOWTO describing step-by-step the configuration
of a tunnel connection between a FreeS/WAN gateway and Check Point
VPN-1 NG on a Windows 2000 box. The documentation can be downloaded
from
http://home.zhwin.ch/~sna/PA/PAK2_2002_Sna01_A.pdf
The size of the PDF file is 1.5 Mbytes since it contains a lot of
screen snapshots. As an alternative AERAsec has a HTML-based HOWTO
under the link
http://www.fw-1.de/aerasec/ng/vpn-freeswan/CPNG+Linux-FreeSWAN.html
Important: Check Point VPN-1 sends as its ID an IPV4_ADDR_ID.
Therefore the IP address of the Check Point box must be contained
as a subjectAltName in the certificate. We were not able to coax
VPN-1 into sending its Distinguished Name or a FQDN.
Regards
Andreas
Reimer, Fred wrote:
> Hello all,
>
> I've made some progress on getting FreeS/WAN with the x509 patch (Linux) to
> work with a Check Point VPN-1 NG FP-2 (Solaris) box. It was not working
> with shared secrets because there was NAT between the Linux and Solaris
> boxes. Without the match up in the IP address there was no way for the
> Solaris box to know what VPN device out on the Internet to match up and
> compare shared secrets with. So, I decide to go all the way and incorporate
> x509 certificates.
>
> On NG FP-2 Check Point totally redid the way you setup VPNs. They now have
> an "interoperable device" section where you can setup -- interoperable
> devices. I thought this was a perfect fit for the FreeS/WAN Linux box, so
> that's where I set it up. I also create a separate CA on our RSA SecurID
> ACE/Server (thinking that it's a security server so would be the perfect
> place to put it). I added a new certificate authority in the VPN-1 GUI and
> imported the caCert.pem file that openssl produced. On the interoperable
> device object I setup the authentication method to be certificates, and they
> have a dialog that allows you to accept certificates from "any" CA, the
> internal CA that comes with NG (but can't create certs for devices, only
> "users" hence the separate openssl CA), or a specific other CA that you
> created. Also, you can specify a match requirement for the cert as the
> username, IP address (which is taken from the interoperable device object I
> suppose), or "DN".
>
> On the Linux FreeS/WAN box (running Debian 3.0 /w a custom kernel), the
> patching and compile went fine. I imported the caCert.pem CA certificate
> from the RSA CA I created into /etc/ipsec.d/cacerts, the host certificate I
> created into /etc/ipsec.d, and the host key into /etc/ipsec.d/private.
>
> When I attempted to connect I kept getting a "no proposal chosen" back from
> the Check Point box. Looking at the firewall logs it was saying that it
> couldn't find a matching user for the CA (The scheme IKE is not defined for
> user scheme). It listed as the username the complete certificate ID, such
> as "Email=fwr_at_ga.prestige.net,CN=Fred Reimer,..." I attempted to change the
> cert match to the IP address of the device. When I did this the firewall
> then said that it "peer gateway 68.67.126.98 scheme: IKE IKE: Main Mode
> Cannot construct a valid certificate chain from peer certificates" and "
> scheme: IKE IKE: Main Mode Sent Notification: invalid certificate." On the
> Linux box I get a "invalid certificate" notification in the barf.
>
> So, can anyone educate me on how to setup the Check Point box to recognize
> the certificate from the Linux FreeS/WAN box, or otherwise give any pointers
> on how to get these two boxes to cooperate???
>
> Thanks,
>
> Fred Reimer
> Eclipsys Corporation
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_zhwin.ch
Zuercher Hochschule Winterthur home: http://www.zhwin.ch/~sna/
CH-8401 Winterthur (Switzerland) phone: +41 76 340 25 56
===============================================================[ZHW]==
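As an added example (not code from this thread or from the HOWTO), a POSIX shell script that issues a FreeS/WAN host certificate with the gateway's IP address in subjectAltName, then checks both the SAN and the chain to the CA before the files are deployed, so a VPN-1 peer that identifies itself by IPV4_ADDR_ID can be matched. It assumes openssl is on PATH; the CA name and the address 203.0.113.10 are constructed placeholders.

```shell
# Added example (not from the thread): issue a host cert whose SAN carries the
# gateway IP, as needed when the peer identifies itself by IPV4_ADDR_ID, then
# check SAN and chain before copying into /etc/ipsec.d. Assumes openssl on
# PATH; the CA name and 203.0.113.10 are constructed placeholders.
set -e
WORK=$(mktemp -d)
GW_IP=203.0.113.10

# Throwaway CA standing in for the separate openssl CA described in the thread.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -keyout "$WORK/caKey.pem" -out "$WORK/caCert.pem" \
  -subj "/CN=Example VPN CA" >/dev/null 2>&1

# issue_host_cert NAME [IP]: sign a host cert with the CA; adds SAN IP:<IP> if given.
issue_host_cert() {
  name=$1; ip=$2; ext=""
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
    -subj "/CN=$name" >/dev/null 2>&1
  if [ -n "$ip" ]; then
    printf 'subjectAltName=IP:%s\n' "$ip" > "$WORK/$name.ext"
    ext="-extfile $WORK/$name.ext"
  fi
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/caCert.pem" \
    -CAkey "$WORK/caKey.pem" -CAcreateserial -days 365 $ext \
    -out "$WORK/$name.pem" >/dev/null 2>&1
}

# san_has_ip CERT IP: succeed only if the SAN lists exactly that IP address.
san_has_ip() {
  ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -Eq "IP Address:$ip_re(,| |\$)"
}

# chain_ok CERT: the peer must be able to build a chain to the imported caCert.pem.
chain_ok() {
  openssl verify -CAfile "$WORK/caCert.pem" "$1" >/dev/null 2>&1
}

issue_host_cert gw-with-ip "$GW_IP"
issue_host_cert gw-without-ip ""
for c in gw-with-ip gw-without-ip; do
  if san_has_ip "$WORK/$c.pem" "$GW_IP" && chain_ok "$WORK/$c.pem"; then
    echo "$c: ok, SAN carries $GW_IP and chains to the CA"
  else
    echo "$c: reject, SAN lacks $GW_IP or chain does not verify"
  fi
done
```

The second certificate is the failure case from the thread: it chains correctly but carries no IP SAN, so a peer matching on IPV4_ADDR_ID will still reject it.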