Re: [FW-1] FreeS/WAN as a Linux "SecureClient"
i was able to pull this off with a remote linux user. not sure what hoops he went through so i dare not attempt the linux-side explanation. took some doing but the doc helped a little bit. as it stands now, it works. the tunnel breaks if you push a policy but aside from that it works fine...

On Thu, 2001-10-18 at 15:51, Brian Noecker wrote:
> For those of you who have setup FreeS/WAN and Checkpoint VPN-1, did the
> document "Linux as a VPN Client to FireWall-1" help in setting this up? It
> seems to be the right document for the task, except that it asks you to
> setup the linux vpn box as a workstation object, then select the IKE /
> Shared Secret/ SHA/ properties from the VPN tab. These options are only
> available for FW Gateway objects (i.e. when you select VPN FW-1 and
> version). The ordinary Workstation object only allows for Manual IPSec and
> SKIP.

you're right here.. you have to define the linuxVPNgateway as a VPN-1 FW object. that should let you select IKE and setup a shared secret. if the linuxVPNgateway has some encryption domains of its own you have to define those as a network object AND as part of the linuxVPNgateway's encryption domain. you should also setup a few rules to allow for traffic from linuxVPNgateway and linuxVPNencryptiondomain to your office encryption domain, encrypt. also add the reverse in a separate rule; from your office encryption domain back to linux(stuff) encrypt. took a while to figure out... big pain but it's doable and it works.

> I can setup the Linux FW as a FW module, but it is inconvenient as a
> replacement for a windows SecureClient user because you have all these FW
> modules hanging around when installing, etc. Plus it then allows for the
> Linux gateway to have encryption domains behind it and act as a FW itself,
> rather than just a VPN client.

never tried to setup the secureclient piece... i didn't know that FreeS/WAN allowed you to use that CP feature. i'm not well versed in secureclient as it is. why can't you just use iptables as your firewall and FreeS/WAN as your VPN client? i thought secureclient allowed you to setup a FW-like policy for remote users on their own machines... kinda like a mini firewall? are you saying that there is a FreeS/WAN module that accomplishes this? interesting... i imagine you can just use iptables and be done with it. it's a pain...

gl
john.