[FW1] Using Linux FreeS/WAN as IPsec (IKE) SecuRemote client
I want to use Linux with FreeS/WAN as a SecuRemote client. I can get Linux FreeS/WAN v1.9 working with Firewall-1 v4.1 SP1 [3DES] for "normal" VPN (i.e. with action of "Encrypt" and source as a network object). This works flawlessly. However, I've not been able to get it fully working with SecuRemote (i.e. with action as "Client Encrypt" and source as user object).

The Linux FreeS/WAN setup "half works" with SecuRemote: when I start the VPN on the Linux system, the IKE handshake works, and packets sent from the Linux system through the Firewall get decrypted by the Firewall and passed to the destination system. However, return packets from the destination system are passed back to the Linux system unencrypted and therefore don't make it back to the app on the Linux system.

I've verified that the SecuRemote setup does work OK on the Firewall with the Win-95 SecuRemote client v4.1 SP1 [3DES].

It seems that the problem is that FreeS/WAN does not understand the concept of a "username", so the SecuRemote authentication phase is not working correctly. Looking at a packet trace for the Win-95 SecuRemote client shows that this authentication is all IKE traffic (UDP port 500), so I guess that the user/secret authentication must be part of IKE. Is this a standard part of IKE or a Checkpoint "enhancement"?

The setup is:

- Checkpoint Firewall-1 v4.1 [3DES] SP1 on Windows NT 4.0 SP6a
- FreeS/WAN v1.9 on Debian Linux 2.2 with 2.2.17 kernel
- Using IPsec encryption: ESP (3DES), aggressive mode off, PFS off, IKE key exchange with shared secret.

Does anyone have any ideas or thoughts?
Regards,
Roy Hills
--
Roy Hills                                        Tel:   +44 1634 721855
NTA Monitor Ltd                                  FAX:   +44 1634 721844
14 Ashford House, Beaufort Court, Medway City Estate,   Email: [email protected]
Rochester, Kent ME2 4FA, UK                      WWW:   http://www.nta-monitor.com/
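For readers trying to reproduce the "normal" VPN case the poster describes as working (rule action "Encrypt", network-object source, ESP 3DES, IKE main mode with a shared secret, PFS off), here is a FreeS/WAN 1.x ipsec.conf connection plus the matching ipsec.secrets entry. This is an added example, not the poster's own configuration: the addresses, the subnet and the secret are placeholders, and the connection name is made up. Only keywords that FreeS/WAN 1.9 actually accepts are used; note that FreeS/WAN 1.x has no ipsec.conf knob for the cipher (it always negotiates 3DES) and no aggressive-mode or XAUTH/hybrid user-authentication support, so this file covers the gateway-to-gateway case only, not the "Client Encrypt" case the poster is asking about.

```ini
# /etc/ipsec.conf  (FreeS/WAN 1.x syntax; example, not the poster's file)

config setup
        # interface carrying the default route (placeholder-free)
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        # load and start every conn that has auto=add / auto=start
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        # keep retrying IKE indefinitely if the gateway is unreachable
        keyingtries=0

# Linux host <-> Firewall-1 gateway, protecting the network behind FW-1.
# PLACEHOLDER addresses: 192.0.2.10 is the Linux FreeS/WAN host,
# 198.51.100.1 is the FW-1 external address, 10.0.0.0/24 is the
# encryption domain behind FW-1.
conn linux-to-fw1
        left=192.0.2.10
        leftnexthop=%defaultroute
        right=198.51.100.1
        rightsubnet=10.0.0.0/24
        # IKE (ISAKMP main mode) with ESP in tunnel mode
        keyexchange=ike
        auth=esp
        type=tunnel
        # poster's setup: PFS off, shared-secret authentication
        pfs=no
        authby=secret
        # add the conn at startup; bring it up with "ipsec auto --up linux-to-fw1"
        auto=add

# /etc/ipsec.secrets  (must be mode 0600, owned by root)
# The two IP addresses must match left= and right= above.
# "PLACEHOLDER-SECRET" stands for the pre-shared secret configured on FW-1.
192.0.2.10 198.51.100.1 : PSK "PLACEHOLDER-SECRET"
```

The last block belongs in ipsec.secrets, not ipsec.conf; it is shown in the same fence only to keep the two files together. After `ipsec auto --up linux-to-fw1`, a tcpdump on the Linux side (`tcpdump -n host 198.51.100.1`) should show ESP (IP protocol 50) in both directions; seeing ESP outbound but plain TCP/UDP from the destination inbound is exactly the one-way symptom described in the post, and means FW-1 has matched the return traffic against a rule that does not encrypt it.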