RE: [Users] freeswan-x509 <--> Check Point VPN-1 NG FP-2

From: Reimer, Fred (Fred.Reimer_at_Eclipsys.com)
Date: Tue Aug 20 2002 - 18:37:46 CEST


O.K., it's getting weird...

I had a hunch that the reason the firewall wasn't matching on the email
address was because openssl was using Email=fwr_at_ga.prestige.net instead of
E=fwr_at_ga.prestige.net. I don't even know if the E= form is acceptable, but
I read somewhere, possibly on the x509 patch site, that both E= and Email=
are for email addresses and thought that the firewall might be broken and
only searching for the E= label. Anyhow, I changed the openssl source,
recompiled, created a new cert/key for the Linux box and restarted ipsec.
Now it comes up with a "PAYLOAD-MALFORMED" message from the firewall. BUT
-- I'm not so sure that it is because of this change. I did a trace and see
an ISAKMP packet from the Linux box to the firewall (Identity protection,
main mode according to Ethereal). The IP header length field is 1500 bytes.
The ISAKMP decode shows a length of 1644. Immediately after this is an IP
fragment packet with 62 bytes of data. So, it looks like FreeS/WAN is
fragmenting the packet. I thought you couldn't do that with encrypted
packets.

Why is this acting differently? Because of my change of the email field
from Email to E, or because of the fragmented packets?

Thanks,

Fred

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen_at_zhwin.ch]
Sent: Monday, August 19, 2002 11:11 AM
To: Reimer, Fred
Cc: users_at_freeswan.org
Subject: Re: [Users] freeswan-x509 <--> Check Point VPN-1 NG FP-2

Three of my students at the Zurich University of Applied Sciences in
Winterthur wrote a HOWTO describing step-by-step the configuration
of a tunnel connection between a FreeS/WAN gateway and Check Point
VPN-1 NG on a Windows 2000 box. The documentation can be downloaded
from

   http://http://home.zhwin.ch/~sna/PA/PAK2_2002_Sna01_A.pdf

The size of the PDF file is 1.5 Mbytes since it contains a lot of
screen snapshots. As an alternative AERAsec has a HTML-based HOWTO
under the link

   http://www.fw-1.de/aerasec/ng/vpn-freeswan/CPNG+Linux-FreeSWAN.html

Important: Check Point VPN-1 sends as its ID an IPV4_ADDR_ID.
Therefore the IP address of the Check Point box must be contained
as a subjectAltName in the certificate. We were not able to coax
VPN-1 into sending its Distinguished Name or a FQDN.

Regards

Andreas

Reimer, Fred wrote:
> Hello all,
>
> I've made some progress on getting FreeS/WAN with the x509 patch (Linux)
> to work with a Check Point VPN-1 NG FP-2 (Solaris) box. It was not working
> with shared secrets because there was NAT between the Linux and Solaris
> boxes. Without the match up in the IP address there was no way for the
> Solaris box to know what VPN device out on the Internet to match up and
> compare shared secrets with. So, I decided to go all the way and
> incorporate x509 certificates.
>
> On NG FP-2 Check Point totally redid the way you set up VPNs. They now
> have an "interoperable device" section where you can set up -- interoperable
> devices. I thought this was a perfect fit for the FreeS/WAN Linux box, so
> that's where I set it up. I also created a separate CA on our RSA SecurID
> ACE/Server (thinking that it's a security server so would be the perfect
> place to put it). I added a new certificate authority in the VPN-1 GUI
> and imported the caCert.pem file that openssl produced. On the interoperable
> device object I set up the authentication method to be certificates, and
> they have a dialog that allows you to accept certificates from "any" CA, the
> internal CA that comes with NG (but can't create certs for devices, only
> "users", hence the separate openssl CA), or a specific other CA that you
> created. Also, you can specify a match requirement for the cert as the
> username, IP address (which is taken from the interoperable device object,
> I suppose), or "DN".
>
> On the Linux FreeS/WAN box (running Debian 3.0 w/ a custom kernel), the
> patching and compile went fine. I imported the caCert.pem CA certificate
> from the RSA CA I created into /etc/ipsec.d/cacerts, the host certificate
> I created into /etc/ipsec.d, and the host key into /etc/ipsec.d/private.
>
> When I attempted to connect I kept getting a "no proposal chosen" back
> from the Check Point box. Looking at the firewall logs it was saying that it
> couldn't find a matching user for the CA (The scheme IKE is not defined
> for user scheme). It listed as the username the complete certificate ID, such
> as "Email=fwr_at_ga.prestige.net,CN=Fred Reimer,..." I attempted to change
> the cert match to the IP address of the device. When I did this the firewall
> then said "peer gateway 68.67.126.98 scheme: IKE IKE: Main Mode
> Cannot construct a valid certificate chain from peer certificates" and "
> scheme: IKE IKE: Main Mode Sent Notification: invalid certificate." On
> the Linux box I get an "invalid certificate" notification in the barf.
>
> So, can anyone educate me on how to set up the Check Point box to recognize
> the certificate from the Linux FreeS/WAN box, or otherwise give any
> pointers on how to get these two boxes to cooperate???
>
> Thanks,
>
> Fred Reimer
> Eclipsys Corporation

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_zhwin.ch
Zuercher Hochschule Winterthur home: http://www.zhwin.ch/~sna/
CH-8401 Winterthur (Switzerland) phone: +41 76 340 25 56
===============================================================[ZHW]==

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
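Andreas's note says VPN-1 NG identifies itself by IPV4_ADDR_ID, so the gateway's IP address must appear as a subjectAltName in its certificate, and Fred's log shows the firewall matching on the subject DN it receives. The following script is an added example, not from the thread or the HOWTOs it links: it issues a self-signed test certificate with an IP SAN via openssl and checks both the SAN and the subject DN before the cert is handed to either peer. All names, the e-mail and the TEST-NET address are constructed.

```shell
#!/bin/sh
# Added example: build a gateway certificate with an IPv4 subjectAltName and
# verify it with openssl. Requires the openssl CLI; values below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config. $1 = IPv4 address to embed in the SAN, $2 = e-mail.
# The emailAddress attribute lands in the subject DN (the "Email="/"E=" field
# Fred's firewall log shows); the IP goes into subjectAltName.
make_config() {
  cat <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_gw
prompt             = no
[ dn ]
C  = CH
O  = Example Gateway
CN = gw.example.test
emailAddress = $2
[ v3_gw ]
subjectAltName = IP:$1,email:$2
EOF
}

# Issue a self-signed cert (stand-in for the CA-issued host cert); prints its path.
issue_cert() {
  make_config "$1" "$2" > "$WORK/gw.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/gw.key" -out "$WORK/gw.pem" -config "$WORK/gw.cnf" 2>/dev/null
  echo "$WORK/gw.pem"
}

# Exit 0 only if the cert's subjectAltName carries exactly the given IP address.
san_has_ip() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | grep -qE "IP Address:$2(,|\$)"
}

# Print the subject DN as openssl renders it, so the Email/E label can be seen.
subject_dn() {
  openssl x509 -in "$1" -noout -subject
}

# Stand-alone demo.
CERT=$(issue_cert 192.0.2.10 gw@example.test)
subject_dn "$CERT"
san_has_ip "$CERT" 192.0.2.10 && echo "IP SAN present: 192.0.2.10"
```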



This archive was generated by hypermail 2.1.4 : Wed Aug 21 2002 - 16:20:22 CEST