From: Doug Leece (dleece_at_newnet21.com)
Date: Fri Dec 27 2002 - 00:34:58 CET
Hi all,
I have Freeswan running in a few places but have never been able to get
it to hook up to Checkpoint. We run Checkpoint at my office and one of
the options that was proposed by Checkpoint was a site-to-site VPN; most
security officers are pretty down on this one. The SecuRemote client
provides some of the user authentication functionality which is missing
from a site-to-site setup. The SecuRemote clients that Checkpoint
uses are only really for road warriors; there isn't an equivalent
Unix/Linux product. We solved this problem for our Unix guys with a
static NATted SSH portal and used FW-1 to restrict which sites could
actually even initiate a connection. This solved our Unix client
problem; it's a little work but it does not have the complexity of
multiple site-to-site VPNs.
There may be other options; if so I would love to hear them. This one
works for sure though if you need an interim solution.
Doug Leece
Calgary Alberta
-----Original Message-----
From: jsa62_at_tid.es [mailto:jsa62_at_tid.es]
Sent: Thursday, December 26, 2002 2:51 PM
To: users_at_lists.freeswan.org
Subject: Re: [VF][Users] Checkpoint FW1 and FreeSwan 1.99
Hello Shyamal,
let me see if I have understood well.
You don't really have that IP 192.168.168.168, so you have created an IP
alias on the interface, isn't it? I do IP aliases on interfaces by doing
ifconfig eth0:1 12.12.12.12 netmask 255.255.255.252 up, for example.
Also, looking at the ipsec verify output, it seems that you
have locally closed UDP port number 500, because it puts BLOCKED;
maybe you have iptables rules for denying, or rather not accepting, UDP
traffic on that port, which is needed for the IKE interchange.
I don't really know if Freeswan accepts interface aliases, but the output
when you try to enable the connection seems to be a problem of that
kind: it seems to be a problem with the left or right directives.
Hope it helps.
Cheers
-------------
Julio Saura Alejandre
Servicios Ip de Banda Ancha
Telefónica I+D (913374993)
----- Original Message -----
From: Shyamal Thatte <sthatte_at_madasafish.com>
Date: Thursday, December 26, 2002 4:38 pm
Subject: [VF][Users] Checkpoint FW1 and FreeSwan 1.99
> Hello,
>
> Am trying to create a tunnel between my home machine and the office
> network which has a Checkpoint firewall. All other users use
> Windows
> laptops which seem to work fine with the SecuRemote client. I am
> the
> only one with a Linux machine :(
>
> I have Redhat 7.2, have upgraded the kernel to 2.4.18-18.7.x and
> installed both
> freeswan-1.99_2.4.18_18.7.x-0
> freeswan-module-1.99_2.4.18_18.7.x-0
>
> my problem is the security administrator has asked me to use a
> static IP
> address which my ISP says they cannot allocate.
>
> Was trawling through the net for any information about a
> workaround,
> found some information on the freeswan list about iptables and NAT,
> also
> there is an article about using iproute2 to use an alias but that
> too fails.
>
> ipsec verify (after ipsec start) shows the following:
>
> Checking your system to see if IPsec got installed and started correctly
> Version check and ipsec on-path [OK]
> Checking for KLIPS support in kernel [OK]
> Checking for RSA private key (/etc/ipsec.secrets) [OK]
> Checking that pluto is running [OK]
> Checking if IPchains has port 500 hole (all) [BLOCKED]
> Checking if IPchains has port 500 hole (default) [BLOCKED]
> Checking if IPchains has port 500 hole (ipsec0) [BLOCKED]
> Checking if IPchains has port 500 hole (lo) [BLOCKED]
> Checking if IPchains has port 500 hole (ppp0) [BLOCKED]
> DNS checks.
> Looking for forward key for localhost.localdomain [OK]
> Looking for KEY in reverse map: 215.31.1.213.in-addr.arpa [FAILED]
> Does the machine have at least one non-private address [OK]
>
>
> my ipsec.conf is
>
> config setup
>     # THIS SETTING MUST BE CORRECT or almost nothing will work;
>     # %defaultroute is okay for most simple cases.
>     #interfaces=%defaultroute
>     interfaces="ipsec0=ppp0"
>     # Debug-logging controls: "none" for (almost) none, "all" for lots.
>     klipsdebug=none
>     plutodebug=none
>     # Use auto= parameters in conn descriptions to control startup actions.
>     plutoload=%search
>     plutostart=%search
>     # Close down old connection when new one using same ID shows up.
>     uniqueids=yes
>
> # defaults for subsequent connection descriptions
> # (these defaults will soon go away)
> conn %default
>     disablearrivalcheck=no
>     keyingtries=2
>     keylife=120m
>     ikelifetime=120m
>     rekeymargin=1m
>     rekeyfuzz=50%
>     # keyingtries=1
>     # authby=rsasig
>     # leftrsasigkey=%dnsondemand
>     # rightrsasigkey=%dnsondemand
>
> conn me-to-office-net
>     type=tunnel
>     # my office gateway
>     left=194.75.37.251
>     # the internal network
>     leftsubnet=172.24.0.0/16
>     # this is the IP which I have aliased using ip addr add
>     right=192.168.168.168
>     keyexchange=ike
>     authby=secret
>     auth=esp
>     pfs=no
>     auto=add
>
> Nothing seems to work, as when I try
> ipsec auto --up me-to-office-net
>
> 022 "me-to-office-net": we have no ipsecN interface for either end of this connection
>
> how do I alias my machine to have a static IP for the office
> connection
> ?? The shared secret on the firewall has been set for 192.168.168.168
>
> I can ping my office gateway machine but a traceroute fails ...
> would
> that be a reason ?
>
> If I can get this working can standardize a build for all Road
> Warriors
> who want to use Linux from their laptops.
>
> Regards
> Shyamal
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
> _______________________________________________
> Ipsec-users mailing list
> Ipsec-users_at_tossell.net
> http://lists.tossell.net/lists/listinfo/ipsec-users
>
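As an added illustration, not part of any message in this thread: a small Python diagnostic that checks the two symptoms in Shyamal's post, the `[BLOCKED]` port 500 lines in the `ipsec verify` output (IKE cannot negotiate until UDP 500 is let through) and a `right=` address that is only an alias rather than the primary address of the interface named in `interfaces=`, which is the assumed cause of the "we have no ipsecN interface for either end of this connection" error. The sample output, config fragment, interface address map and function names are constructed here.

```python
import re

# Constructed sample mirroring the "ipsec verify" lines quoted in the thread (not a capture).
VERIFY_OUTPUT = """\
Checking for KLIPS support in kernel [OK]
Checking that pluto is running [OK]
Checking if IPchains has port 500 hole (all) [BLOCKED]
Checking if IPchains has port 500 hole (default) [BLOCKED]
Checking if IPchains has port 500 hole (ppp0) [BLOCKED]
"""

# Constructed ipsec.conf fragment using the interfaces/left/right values from the thread.
IPSEC_CONF = """\
config setup
    interfaces="ipsec0=ppp0"
conn me-to-office-net
    left=194.75.37.251
    right=192.168.168.168
"""

def blocked_port500(verify_text):
    """Interface names whose IKE (UDP 500) check reports BLOCKED."""
    return re.findall(r"port 500 hole \((\S+)\) \[BLOCKED\]", verify_text)

def parse_conf(conf_text):
    """Minimal ipsec.conf reader: returns (physical interfaces, {conn: {key: value}})."""
    phys, conns, cur = [], {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif line.startswith("config "):
            cur = None
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key == "interfaces":  # "ipsec0=ppp0" -> ppp0
                phys += [p.split("=", 1)[1] for p in val.strip('"').split()]
            elif cur is not None:
                conns[cur][key] = val
    return phys, conns

def has_local_end(conn, phys, primary_addr):
    """True if left or right equals the primary address of an interface named in
    interfaces=. Assumed model: pluto orients a conn by that match, and an alias
    added to ppp0 is not its primary address. primary_addr: {ifname: address}."""
    local = {primary_addr.get(i) for i in phys}
    return conn.get("left") in local or conn.get("right") in local
```

Run `blocked_port500(VERIFY_OUTPUT)` and `has_local_end(...)` with the machine's real `ifconfig` addresses; an empty blocked list and a `True` orientation are the preconditions before `ipsec auto --up` can succeed.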
This archive was generated by hypermail 2.1.5 : Fri Dec 27 2002 - 05:21:18 CET