Re: [FW-1] FW-1/VPN-1 with IKE and dynamic passwords how-to?

The problem is that I need IKE (NAT), but IKE with CheckPoint by default doesn't allow s/key (the only two options are passwords and cert keys). So is IKE with CP client and s/key possible at all?

---
Iztok Umek
Elogex, Inc.
212 S Tryon Street
Charlotte, NC 28281
Phone:
Fax:
URL: http://www.elogex.com/

> -----Original Message-----
> From: Chris Arnold [mailto:[email protected]]
> Sent: Thursday, November 08, 2001 12:03
> To: 'Mailing list for discussion of Firewall-1'; Iztok Umek
> Subject: RE: [FW-1] FW-1/VPN-1 with IKE and dynamic passwords how-to?
>
> You can most certainly use S/KEY for one-time "passwords"
> with SecuRemote. You can also use RSA's SecurID which
> provides a one-time "password" as well. Additionally, you
> can use LDAP to store user credentials and have VPN-1
> authenticate users against a directory if you purchase and
> install the LDAP Account Management license.
>
> That covers the user side.
>
> Using dynamic credentials for site-to-site tunnels can not be
> done and doesn't make much sense anyway. Pre-shared secrets
> or digital certs are the only methods available to you (both
> in the encryption tab of a FW object in the policy editor as
> well as, I _believe_, in the IETF standard specification for IKE).
>
> Chris
>
> -----Original Message-----
> From: Iztok Umek [mailto:[email protected]]
> Sent: Thursday, November 08, 2001 10:57 AM
> To: [email protected]
> Subject: [FW-1] FW-1/VPN-1 with IKE and dynamic passwords how-to?
>
> Is there any how-to to make VPN-1 (and CP vpn clients) use
> dynamic passwords with IKE encryption?
>
> As far as I figured out you have to define
> usernames/passwords within product itself (static) and can't
> use LDAP or s/key or OPIE or something like that.
>
> Any "how-to's"?
>
> Regards,
> Iztok
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================