[FW1] Using Linux FreeS/WAN as IPsec (IKE) SecuRemote client

I want to use Linux with FreeS/WAN as a SecuRemote client.


I can get Linux FreeS/WAN v1.9 working with Firewall-1 v4.1 SP1 [3DES]
for "normal" VPN (i.e. with action of "Encrypt" and source as a network
object).  This works flawlessly.  However, I've not been able to get it
fully working with SecuRemote (i.e. with action as "Client Encrypt"
and source as user object).

The Linux FreeS/WAN setup "half works" with SecuRemote - when I start
the VPN on the Linux system, the IKE handshake works, and packets sent
from the Linux system through the Firewall get decrypted by the Firewall and
passed to the destination system.  However, return packets from the destination
system are passed back to the Linux system unencrypted and therefore don't
make it back to the app on the Linux system.

I've verified that the SecuRemote setup does work OK on the Firewall with
the Win-95 SecuRemote client v4.1 SP1 [3DES].

It seems that the problem is that FreeS/WAN does not understand the
concept of a "username", so the SecuRemote authentication phase is not
working correctly. Looking at a packet trace for the Win-95 SecuRemote client
shows that this authentication is all IKE traffic (UDP port 500), so I guess that
the user/secret authentication must be part of IKE. Is this a standard part of IKE
or a Checkpoint "enhancement"?


The setup is:

Checkpoint Firewall-1 v4.1 [3DES] SP1 on Windows NT 4.0 SP6a
FreeS/WAN v1.9 on Debian Linux 2.2 with 2.2.17 kernel

Using IPsec encryption: ESP (3DES), aggressive mode off, PFS off, IKE key exchange with
shared secret.


Does anyone have any ideas or thoughts?

Regards,

Roy Hills
--
Roy Hills                                    Tel:   +44 1634 721855
NTA Monitor Ltd                              FAX:   +44 1634 721844
14 Ashford House, Beaufort Court,
Medway City Estate,                          Email: [email protected]
Rochester, Kent ME2 4FA, UK                  WWW:   http://www.nta-monitor.com/
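As an added diagnostic (not part of Roy's post or of FreeS/WAN), the script below reads a tcpdump-style trace and flags the one-way symptom described above: ESP leaving the client toward the firewall while return traffic from the inside host arrives in the clear. The addresses and the trace lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed scenario: IPsec client, firewall acting as IPsec gateway, inside server.
CLIENT, GATEWAY, SERVER = "10.1.1.5", "203.0.113.1", "192.168.10.20"

# Constructed sample lines in tcpdump's "src > dst: payload" output format.
SAMPLE_TRACE = """\
12:00:01.000 IP 10.1.1.5.500 > 203.0.113.1.500: isakmp: phase 1 I ident
12:00:01.020 IP 203.0.113.1.500 > 10.1.1.5.500: isakmp: phase 1 R ident
12:00:02.000 IP 10.1.1.5 > 203.0.113.1: ESP(spi=0x1000abcd,seq=0x1)
12:00:02.010 IP 192.168.10.20.23 > 10.1.1.5.1025: S 100:100(0) ack 1 win 8760
12:00:02.500 IP 10.1.1.5 > 203.0.113.1: ESP(spi=0x1000abcd,seq=0x2)
12:00:02.510 IP 192.168.10.20.23 > 10.1.1.5.1025: P 101:120(19) ack 2 win 8760
"""

def host_of(token):
    """Drop the trailing port from '10.1.1.5.500'; a bare IPv4 address has 3 dots."""
    parts = token.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else token

def parse_line(line):
    """Return (src_host, dst_host, kind) with kind in IKE/ESP/PLAIN, or None."""
    m = re.match(r"^\S+ IP (\S+) > (\S+): (\S+)", line)
    if not m:
        return None
    kind = {"ESP(": "ESP", "isak": "IKE"}.get(m.group(3)[:4], "PLAIN")
    return host_of(m.group(1)), host_of(m.group(2)), kind

def diagnose(trace, client=CLIENT, gateway=GATEWAY, server=SERVER):
    """Count packets per direction and classify the tunnel; return (verdict, counts)."""
    counts = Counter()
    for line in trace.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, kind = parsed
        if kind == "IKE":
            counts["ike"] += 1        # UDP/500 negotiation, expected in the clear
        elif kind == "ESP" and (src, dst) == (client, gateway):
            counts["esp_out"] += 1
        elif kind == "ESP" and (src, dst) == (gateway, client):
            counts["esp_in"] += 1
        elif kind == "PLAIN" and (src, dst) == (server, client):
            counts["plain_in"] += 1   # return traffic arrived outside the tunnel
    if counts["esp_out"] and counts["plain_in"] and not counts["esp_in"]:
        return "one-way: outbound encrypted, return path plaintext", counts
    if counts["esp_out"] and counts["esp_in"]:
        return "symmetric", counts
    return "no ESP seen", counts
```

Run `diagnose(SAMPLE_TRACE)` on a real `tcpdump -n` capture taken on the client to see whether the firewall is returning ESP or plaintext to the client's address.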