Connect To SecureClient VPN From Linux
1. Download OpenSwan.
2. Download the patch openswan-2.4.0-SecureClient.diff (from the patch section) and apply it to the
   OpenSwan source.
3. Compile and install the software following the OpenSwan documentation.
4. Obtain the firewall certificate using the following procedure:
   XXX: the following has been tested with VPN-1 on UNIX only; please report if it differs on other
   platforms.
   c. Copy the file cacert.pkcs7 to your Linux box and convert it to PEM:
        openssl pkcs7 -in cacert.pkcs7 -print_certs > certs.pem
      Yes, openssl is required.
5. Once you have the firewall certificates in PEM format, pick out the RSA key:
   a. Edit the resulting certs.pem file; there should be two certificates in it. Save them to
      separate files: the first one (root CA) as /etc/ipsec.d/cacerts/rootca.pem and the second
      one (firewall cert) as firewall.pem in your working directory. (I'm not absolutely sure
      that the first cert is always the CA cert, so verify the subject header, which for the root CA
      should look like this:
        subject=/O=checkpoint.intranet.example.com..p9bkhs
      and for the firewall one like this:
        subject=/O=checkpoint.intranet.example.com..p9bkhs/CN=rhl7 VPN Certificate
      Note the CN= part.)
   b. Now go to your openswan source directory, change into debian/fswcert and type:
        make
        make install
6. Construct the ipsec.conf file using the acquired rightrsasigkey; be sure to use rightid=@!, not the
   ID printed by the command above. A sample ipsec.conf:

        conn sc
                leftid=@!
                # left may also be %defaultroute ;)
                left=1.1.1.MyIP
                leftxauthclient=yes
                right=50.50.50.CheckPoint-IP
                rightsubnet=192.168.0.0/16
                # the key we got earlier from the firewall certificate
                rightrsasigkey=0x2E6A0CC18077BEB56462C62DB4BC9C...
                rightxauthserver=yes
                ikelifetime=8h
                rekey=no
                cpsc=yes

Check twice for errors!!!
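As an added example (my own script, not part of the original page, the OpenSwan patch or the fswcert tool), here is a POSIX shell helper that splits the certs.pem produced in step 4 into rootca.pem and firewall.pem by reading the subject= header that "openssl pkcs7 -print_certs" writes in front of each certificate, instead of trusting the order of the certificates in the file: the firewall certificate is the one whose subject carries a CN=, the root CA has none. The function names are mine, and the certs.pem it demonstrates on is constructed (the page's example subjects with placeholder bodies, deliberately in the "wrong" order).

```shell
#!/bin/sh
# Added example, not from the original page: sort the certificates in
# certs.pem (output of "openssl pkcs7 -in cacert.pkcs7 -print_certs")
# into rootca.pem / firewall.pem by their subject= header.
set -e

# split_cp_certs CERTS_PEM OUTDIR
# Writes OUTDIR/rootca.pem (subject without CN=) and OUTDIR/firewall.pem
# (subject with CN=). Fails unless exactly one of each was found and every
# certificate in the file had a subject= header in front of it.
split_cp_certs() {
    certs="$1"; out="$2"
    mkdir -p "$out"
    rm -f "$out/rootca.pem" "$out/firewall.pem"
    awk -v out="$out" '
        /^subject=/ {
            # Check Point firewall certs carry a CN=, the root CA does not.
            # "CN ?=" also matches the "CN = ..." form newer openssl prints.
            if ($0 ~ /CN ?=/) { dest = out "/firewall.pem"; nfw++ }
            else              { dest = out "/rootca.pem";   nca++ }
            next
        }
        /^issuer=/ { next }
        /-----BEGIN CERTIFICATE-----/ { incert = 1; ncert++ }
        incert && dest != "" { print >> dest }
        /-----END CERTIFICATE-----/ { incert = 0; dest = "" }
        END {
            if (nca != 1 || nfw != 1 || ncert != nca + nfw) {
                printf "expected 1 CA and 1 firewall cert, found %d/%d in %d certs\n",
                       nca + 0, nfw + 0, ncert + 0 > "/dev/stderr"
                exit 1
            }
        }
    ' "$certs"
}

# make_sample_certs FILE: a constructed certs.pem (placeholder bodies, not
# real certificates) with the firewall cert listed before the root CA.
make_sample_certs() {
    cat > "$1" <<'EOF'
subject=/O=checkpoint.intranet.example.com..p9bkhs/CN=rhl7 VPN Certificate
issuer=/O=checkpoint.intranet.example.com..p9bkhs
-----BEGIN CERTIFICATE-----
MIIBconstructedFirewallBodyNotARealCertificate
-----END CERTIFICATE-----

subject=/O=checkpoint.intranet.example.com..p9bkhs
issuer=/O=checkpoint.intranet.example.com..p9bkhs
-----BEGIN CERTIFICATE-----
MIIBconstructedRootCAbodyNotARealCertificate
-----END CERTIFICATE-----
EOF
}

# Demo run on the constructed certs.pem; with a real one, just call
# split_cp_certs certs.pem . in your working directory.
work=$(mktemp -d)
make_sample_certs "$work/certs.pem"
split_cp_certs "$work/certs.pem" "$work"
echo "root CA  -> $work/rootca.pem   (copy to /etc/ipsec.d/cacerts/rootca.pem)"
echo "firewall -> $work/firewall.pem (input for the fswcert step)"
```

With a real certs.pem you can double-check the result before trusting it, e.g. `openssl x509 -in firewall.pem -noout -subject` should show the CN= line and the same command on rootca.pem should not; the placeholder bodies in the demo are not parseable by openssl, so that check only makes sense on the real files.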
Please note that certain things don't work:
1. There is a timing issue. If the CP side requests reauthentication it doesn't work (yet?). You
   have to shut down the tunnel and bring it up again, reauthenticating (this is especially true for
   SecurID authentication). We encourage you to set rekey=no and ikelifetime=8h so the Linux side
   does not request rekeying.
2. CP Office Mode is not supported. That would require some serious OpenSwan modifications. If you
   figure out how to deal with it, send us a patch :)